SecureDrop Community: horizontal and independent

April 6, 2018

We’ve never been equipped with better tools to enable multiple organizations or individuals to produce and distribute quality releases and cooperate together. And yet, there are hardly any Free Software projects where this happens in a decentralized way. Think about the Linux kernel for instance: a well-documented pyramidal and centralized distribution. Or even the Debian GNU/Linux distribution: it is a democracy, which is extremely rare, and has many other distributions derived from it. But Debian GNU/Linux is not derived from other distributions, it is the central point from which all other distributions are derived.

Even tools that are distributed by nature (such as git) reflect this centralized bias. Just think about the wealth of tools at the disposal of someone who wants to contribute to a central repository: pull requests supported by sophisticated web interfaces to review, rebase, visualize the differences etc. And compare that to the lack of tools to track forks, to harvest the diffs that are unique to the forks of a given repository, to find the stalled but potentially interesting contributions.

It is assumed that having a single organization to support and develop a Free Software project is the best (if not the only) way to go. When a new organization is created it is often because something went horribly wrong: LineageOS vs CyanogenMod, OwnCloud vs NextCloud etc. In the best case scenario they agree to cooperate under the umbrella of a foundation (OpenStack etc.) that becomes the next central point everybody is expected to turn to.

The advantages of having a centralized organization are well known: it is easier to get funding and development is faster when people work together, when they make the effort to set aside their differences and find a middle ground to move forward as one instead of going their separate ways. But there are also downsides: people who have ideas/projects for which no consensus can be found are excluded (LibreSignal etc.) and when the organization is discontinued the project is abandoned (OpenSolaris etc.).

Before 2017 SecureDrop was a Free Software project depending exclusively on the Freedom of the Press Foundation staff to keep going. Under the impulse of Conor Schaefer and Jennifer Helsby and with the support of everyone else at Freedom of the Press Foundation, development tools were put in place to enable external contributors. The daily standups and the weekly engineering meetings are now open to the public so we can understand the larger context in which the technical decisions are made. And this effort paid off: a year later the communication channels that were once silent are busy with dozens of volunteer contributors, conferences are spontaneously organized and the number of commits authored by community members grew by an order of magnitude.

I believe we (the SecureDrop community including both volunteers and paid staff) are ready to move to the next step and turn SecureDrop into a decentralized project supported by two organizations and hopefully more in the near future. To make it more resilient and also more welcoming to diverse ideas. It won’t be easy because we don’t have a good example to follow. But it is worth the effort because NGOs, journalists and sources who depend on SecureDrop deserve it. I also hope our work will help other Free Software projects find a way to break free from their own centralized model.

The first step toward decentralization is this declaration of intention and the discussion that will follow. I fully expect push back, ranging from a polite “this may not be the best idea” to a blunt “this will be harmful to SecureDrop, don’t do that”. And yes, based on how other projects did in the past, it sounds like a horrible idea. But we can do better. To make things a little more concrete, here is the new organization I have in mind.

The existing community of SecureDrop individual developers, localizers, the UX team etc. becomes a de-facto organization (i.e. not incorporated). It is organized horizontally, agrees on a set of goals and makes its own decisions, produces SecureDrop releases, provides support, controls its own communications channels and web site etc. And every participant furthers their own agenda, seeking consensus when it has an impact on others and resorting to a vote when someone asks for it. My motivation is to see a community composed of a majority of unpaid volunteers, with some money to do their work but a fraction of what their accumulated hourly rate would be if they were paid staff. And I will work to keep maintaining a Free Software and self-hosted infrastructure because that’s my thing ;-) But that is just me and the organization will be the sum of all of us.

The difficult part is to ensure this new organization will not drift away from the Freedom of the Press Foundation and vice versa. But it’s a communication problem that can be addressed. I will alternate roles: acting as if I were a paid staff member of the Freedom of the Press Foundation; reaching out to the new organization and getting the best of what it has to offer. And I will also act as a volunteer in the new organization; reaching out to the Freedom of the Press Foundation to do the same. There will be differences and divergences, there is no way to avoid it, nor should we. But there will also be a continuous effort to understand these differences, find ways to resolve them when it makes sense or acknowledge they are part of a healthy diversity when they are legitimately unique to a given organization.


Loïc Dachary