Free App Lets the Next Snowden Send Big Files Securely and Anonymously

Onionshare is simple, free software designed to let anyone send files securely and anonymously.
Micah Lee. Image Courtesy of Micah Lee
Onionshare creator Micah Lee, who works as a staff technologist and crypto guru for Glenn Greenwald's news site The Intercept.Image: Courtesy of Micah Lee

When Glenn Greenwald discovered last year that some of the NSA documents he'd received from Edward Snowden had been corrupted, he needed to retrieve copies from fellow journalist Laura Poitras in Berlin. They decided the safest way to transfer the sizable cache was to use a USB drive carried by hand to Greenwald's home in Brazil. As a result, Greenwald’s partner David Miranda was detained at Heathrow, searched, and questioned for nine hours.

That's exactly the sort of ordeal Micah Lee, the staff technologist and resident crypto expert at Greenwald’s investigative news site The Intercept, hopes to render obsolete. On Tuesday he released Onionshare—simple, free software designed to let anyone send files securely and anonymously. After reading about Greenwald’s file transfer problem in Greenwald's new book, Lee created the program as a way of sharing big data dumps via a direct channel encrypted and protected by the anonymity software Tor, making it far more difficult for eavesdroppers to determine who is sending what to whom.

“If you use a filesharing service like Dropbox or Mega or whatever, you basically have to trust them. The file could end up in the hands of law enforcement,” Lee says. “This lets you bypass all third parties, so that the file goes from one person to another over the Tor network completely anonymously.

“It’s basically 100 percent darknet.”

When Onionshare users want to send files, the program creates a password-protected, temporary website hosted on the Tor network—what’s known as a Tor Hidden Service—that runs on their computer. They provide the recipient with the URL and password for that site, preferably via a message encrypted with a tool like PGP or Off-The-Record encrypted instant messaging. The recipient visits that URL in a Tor Browser and downloads the file from that temporary, untraceable website, without needing to have a copy of Onionshare.

“As soon as the person has downloaded the file, you can just cancel the web server and the file is no longer accessible to anyone,” Lee says.

Lee hopes to have others examine Onionshare’s code to suss out flaws. For now it only runs as a bare-bones command-line tool on the Tor-based operating system Tails, which can be launched on Windows or Mac machines. He plans to add a version that runs directly on Windows and Mac computers soon.

Onionshare can be particularly useful when someone sending a file wants to remain anonymous even to the recipient, Lee says. If whistleblowers can securely send an Onionshare URL and password to a journalist, they potentially could use it to leak secrets anonymously without being exposed. That flips the model of how Tor enables leaks: Sites like WikiLeaks and news organizations using the anonymous leak software SecureDrop host their own Tor Hidden Services. Onionshare could put more power in whistleblowers' hands, helping them send secrets to journalists who don’t have that sort of anonymous submission system in place.

But Lee also sees Onionshare being used for more common file-sharing situations where everyone involved knows each other but require utmost secrecy. It’s a safe bet that Greenwald and Miranda will be fans.

“The internet is amazing in that it doesn’t have borders,” Lee says. “If you need to send files that are very sensitive, better to use the internet to send them rather than to travel and get searched at the border.”

“Actually, everything on the internet is searched,” he corrects himself a moment later. “That’s why we need encryption.”