CartoDrop: secure mapping and reporting over Tor

DESCRIPTION

How can we make OpenStreetMap more secure for users everywhere? And could we make a secure reporting tool for mappers? Ignite talk at SOTMUS 2014 DC

CartoDrop

mapping and reporting over Tor!

Nick Doiron - @mapmeld

My background: maps

Carto and Crypto

At first glance, very different fields

Six months in, still different ¯\_(ツ)_/¯

Who needs crypto?

Not just NSA and USA

NSA gets capabilities through contractors

Software is resold to many countries

Government-run ISPs

With maps like these…

Human rights violations

Poaching and pollution

Systemic bribery

Political uncertainty

Voter suppression

Disease outbreaks

HTTPS?

HTTPS reveals

you and your domain

size of downloaded tiles

can’t read messages…

… unless someone gives up the key (ever)

build on Uncensorable Twitter

only protects distributor

Decentralize?

What does work?

Sounds tricky…?

Looks like Firefox

Orbot for Android

Disclaimer

Do use public WiFi

Don’t sign into your account

Don’t do illegal stuff

Don’t allow JavaScript

-> SecureDropDemo.org <- !

Designed for journalists, already on FirstLook and WildLeaks

Good and bad news

JavaScript? NO

APIs NO

Secure passwords YES

PGP encryption YES

Air gap docs YES

Maps break SecureDrop!

Journalist needs to look up each coordinate:

without a visual

without software (can’t install on Tails)

without the web

Can we build crypto?

Building CartoDrop

OSM + NaturalEarth

Mapnik Python

Messages stay encrypted

Source’s identity stays protected

The <way/> forward

Speak Freely

@mapmeld on Twitter & Keybase
