Architecture - 2langnic/GlobaLeaks GitHub Wiki
The following text contains terms also described in the [GlobaLeaks Glossary](https://github.com/globaleaks/GlobaLeaks/wiki/Glossary).
GlobaLeaks (GL) software enables everyone, even if not technically skilled, to set up whistleblowing platforms.
The main characteristics GL is based on are: flexibility, security and privacy.
GL is flexible enough to fit most use cases with different security requirements, and it can be extended and easily upgraded through pluggable additions called Plugins.
Users who submit materials are the Whistleblowers, and users receiving the submitted materials are the Receivers. A submission is composed of Fields and Files. When a submission enters the software, the backend instantiates one Tip for each Receiver; it also generates an additional private Tip for the Whistleblower. Tips have a limited lifetime, during which the Node stores the submitted Files.
A Whistleblower selects a Context and starts a Submission by completing the Fields and uploading Files. The completed Submission is then transformed into a Tip. The software crafts a Receipt, which is served to the Whistleblower so that he can follow up on his Submission. The Receipt works like a password: it allows the Whistleblower to access the Tip, upload new Files related to it, and write and read Comments. All the Receivers configured for the specific Context receive a Notification about the new Tip, and they can download the Files associated with it. Receivers can also write Comments in the Tip, which will be visible to everyone accessing the same Tip.
This component exposes an HTTP API interface that enables communication between Whistleblowers and Receivers.
Here resides the logic for handling new submissions from Whistleblowers, notifying the Receivers of those submissions, and the interaction between Receivers and Whistleblowers. The same HTTP API gives Node Administrators access to the configuration of the GL node.
The backend will make this server available as a Tor Hidden Service and will communicate only through Tor, guaranteeing location anonymity of the exposed service.
The backend exposes a REST interface that allows applications to interact with it. It covers the functionality of Submission, Tip page, Administrative services, overview services, and Notification settings. The backend should be flexible enough to run properly even if some components are removed (e.g., if a Notification or Delivery component is disabled).
This is the client interface to GlobaLeaks. It is a client side web application that talks to the backend via HTTP requests. This is the user interface available for Whistleblowers, Receivers and Node Administrators interacting with GlobaLeaks.
A Node is the instance.
Three different user roles exist in a Node: the WhistleBlowers, Receivers and NodeAdmin.
Node duties are the following:
- exposing a RESTful interface
- waiting for Submissions of some material by some user
- further notifying the submission to configured recipients.
A Node can serve one or more Contexts. A Context represents the logical description of the topic managed by the Receivers. Every Context has different internal configurations, associated statistics, and a list of Receivers. Usually the NodeAdmin chooses a Context (e.g., "corruption in Gotham city" or "environmental pollution in Atlantis"), provides a description that identifies the initiative, configures the expected data format (a combo like: "headline-description-location-date"), defines whether a submission requires a file attachment, and configures the Receiver list. The NodeAdmin also sets some properties for the Context, like the Notification method available to Receivers, the expiration time for the Tip, and the kind of data/files expected.
The Whistleblower, also known as the source, is the person running a globaleaks client and having some data to submit in an appropriate Context. A Whistleblower performs a Submission by filling in a Form including all the required data and optionally attaching some evidence files. Once the Submission is completed, the Whistleblower receives a Receipt that he can use to access the Submission to further modify and update it. The interface provided by the backend to the Whistleblower to update and modify the submission is called Tip, and it enables the Whistleblower to interact (anonymously) with his Receivers by permitting communication by means of the Submission's Comments.
The NodeAdmin is responsible for the maintenance and control of the Node.
The NodeAdmin manages the service on the Linux system where it runs, and manages the application using the Node Administrative interface.
A Receiver is the final recipient of the submission process. He may be either someone competent and skilled in whistleblowing or just a person interested in the Context; it depends on the working model of the respective initiative.
A Receiver receives a communication that a new Tip is available on the Node and ready to be consulted. This communication is called Notification, and if the Tip is locally delivered, the Receiver can read the Tip using a globaleaks client. Through his personal Tip, a Receiver can comment on the submitted material. The Comments are available in the Tip to the Whistleblower and to the Receivers related to the Tip; this may help collaborative review and feedback exchange about the submitted information.
A Receiver uses the client to access the Node and their Preferences page.
We believe it is important to choose Receivers recognized for their knowledge of the Context.
This interface enables a client to load a submission onto the GL node. Through this component the client application learns what fields are supported by a Node and its properties.
The submission system has anti-spam features: a CAPTCHA protection can be configured that is activated once a certain submission/time threshold is reached.
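One way to implement such a submission/time threshold, as an added example that is not GlobaLeaks code. It assumes a node-wide sliding window rather than a per-client one, since a backend reached only through a Tor Hidden Service has no client address to key on; the class name, parameters and arrival times are hypothetical.

```python
import time
from collections import deque


class SubmissionThrottle:
    """Node-wide sliding window: once `threshold` submissions have arrived
    within `window` seconds, further submissions must carry a solved CAPTCHA."""

    def __init__(self, threshold, window, clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.clock = clock          # injectable so the logic can be replayed
        self.stamps = deque()       # arrival times of accepted submissions

    def _prune(self, now):
        # Drop arrivals that have aged out of the window.
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()

    def captcha_required(self):
        self._prune(self.clock())
        return len(self.stamps) >= self.threshold

    def record_submission(self, captcha_solved=False):
        """Return True if accepted, False if a CAPTCHA is due but unsolved."""
        now = self.clock()
        self._prune(now)
        if len(self.stamps) >= self.threshold and not captcha_solved:
            return False
        self.stamps.append(now)
        return True


def simulate(arrivals, threshold=3, window=60):
    """Replay constructed arrival times (seconds) with no CAPTCHA solved."""
    now = [0]
    throttle = SubmissionThrottle(threshold, window, clock=lambda: now[0])
    results = []
    for t in arrivals:
        now[0] = t
        results.append(throttle.record_submission())
    return results
```

Rejected submissions are not counted, so a flood of unsolved attempts cannot keep the CAPTCHA switched on indefinitely for legitimate Whistleblowers.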
Every Context defines some input fields (like web form inputs). These are the fields expected to be filled in during the submission procedure, and they aim to extract the Whistleblower's information as well as possible.
The Receipt is a secret possessed by the Whistleblower that enables him to access the Tip. It is needed whenever the Whistleblower wants to modify or update the submission material or anonymously interact with Receivers. The Receipt is automatically generated by the Node upon Submission and rendered to the Whistleblower.
A Receipt is generated from a safe random source, and its format is specified by a reverse regular expression.
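A sketch of Receipt generation from a reverse regular expression, as an added example that is not the project's own code. The pattern, the supported regex subset (character classes, `{n}` repeats, literals), and the choice to store only a salted PBKDF2 digest under a node-wide salt are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import re
import secrets

# Hypothetical format; the Node's real receipt pattern is not shown on this page.
RECEIPT_REGEX = r"[0-9]{4}-[a-z0-9]{8}"
_TOKEN = re.compile(r"\[([^\]]+)\](?:\{(\d+)\})?|(.)")

def _expand(body):
    """Expand a class body such as 'a-z0-9' into its member characters."""
    chars, i = set(), 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.update(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.add(body[i])
            i += 1
    return sorted(chars)

def parse(pattern):
    """Reverse the supported subset: [class], [class]{n} and plain literals."""
    parts = []
    for cls, count, literal in _TOKEN.findall(pattern):
        if literal and literal in r"\.*+?()|{}^$[]":
            raise ValueError(f"unsupported regex construct: {literal!r}")
        parts.append((_expand(cls), int(count or 1)) if cls else ([literal], 1))
    return parts

def generate_receipt(pattern=RECEIPT_REGEX):
    """Draw every variable character from the OS CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(a) for a, n in parse(pattern) for _ in range(n))

def entropy_bits(pattern=RECEIPT_REGEX):
    """Search space of the format in bits: sum of n * log2(len(alphabet))."""
    return sum(n * math.log2(len(a)) for a, n in parse(pattern))

def receipt_digest(receipt, salt):
    """Keep only a salted, slow hash so a database leak does not expose receipts."""
    return hashlib.pbkdf2_hmac("sha256", receipt.encode(), salt, 200_000)

def check_receipt(candidate, salt, stored):
    """Recompute and compare in constant time."""
    return hmac.compare_digest(receipt_digest(candidate, salt), stored)
```

`entropy_bits()` shows how strongly the chosen format resists guessing: the hypothetical pattern above yields about 54.6 bits, while a short digits-only format would yield far fewer.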
This is the contextual data associated with a submission. Fields are provided through an API that enables the client to render them with a name and a description. Clients can optionally provide an additional Field with a submission identifier generated client-side during the Files upload phase.
This is the page that keeps track of a Whistleblower's submission. It enables both Receivers and Whistleblowers to access a submission that is present in a Node. This interface will return the list of Fields with their values.
This interface allows the Receiver to comment on the submission fields and to download the files uploaded by the Whistleblower. Every Receiver has one personal Tip, expressed by a "GlobaLeaks unique string" (GUS), a random token generated by the Node and possessed by the Receiver. The GUS enables its possessor to access and identify himself to the Node. Tips expire after a certain defined time; this time is configurable in the Context.
Each Tip also has a comment board that allows secure communication between Receivers and the Whistleblowers. Receivers can use this to get extra information on the submission and ask the Whistleblower to upload new material.
Comments contain the name of the Author (Receiver name, or the more generic "Whistleblower").
Using the web interface, an Administrator configures Node texts, capabilities, Contexts, Receivers and Notification settings.
The texts configurable through the Admin interface are:
- Node Name (used in the notification template, and in every page)
- Node Description (used in the starting page)
Other texts shown in the UI are written in the HTML pages of the webapp; customizing them therefore requires updating the client code.
The capabilities are not currently exposed in the Admin configuration page. The security capabilities, and some static values such as the time to live of an incomplete submission or of a Tip and the maximum file upload size, can be changed only through a low-level modification of settings.py.
Contexts represent the topics managed by the Node; at least one Context must be present in a Node to permit submissions.
Contexts are defined by a name, a description and a list of receivers.
Receivers are the users present in the Node. They can be associated with one or more Contexts, receive notifications, and log in to the Node to check their available Tips.
Notification is the procedure of notifying a Receiver that a new Tip is available. Updates to the Tip status may also be notified (new comment, new folder, Tip soon to expire, etc.). By default a Notification is an email, so to support this the Node Administrator needs to configure an SMTP server with a username and password in the notification module. Every notification module may support different communication systems.
The Node Administrator can configure the mail templates using the appropriate keywords.
Notifications are sent anonymously using Tor, and optionally may be encrypted with the public key of the Receiver.
The available keywords are described in the [Customization Guide](https://github.com/globaleaks/GlobaLeaks/wiki/Customization-guide/), and they are used to assemble the email contents.
This is the machine that is running the globaleaks backend software. This machine will be exposed to the internet as a Tor Hidden Service and all outgoing connections will be proxied over Tor. This means that this server will have location anonymity.
It will be the responsibility of this machine to process the incoming submissions from Whistleblowers and notify the Receivers of said submissions.
The submitted data will be stored on this node for a configurable amount of time.
A user of GlobaLeaks interested in being anonymous will access it through its Tor Hidden Service address. The person running a GlobaLeaks node can optionally set up their own Tor2web instance or use the publicly available Tor2web nodes.
If you decide to run your own instance you will need to acquire an SSL certificate.
The user of GlobaLeaks that accesses it through a tor2web node will not be anonymous, unless they are protecting themselves through other means. This means that the Tor2web node knows the IP address of the client.
This is the public website of the initiative. It is through this website that the Whistleblower will discover the initiative, get directions on how to stay safe, and be given a copy of the globaleaks client software.