December 22, 2020 • by Josh

The Year in CDR Tech

This year was difficult in so many ways, for so many people. We at CDR are grateful that during this hard time we were able to continue to serve our core communities by fielding requests for digital security assistance, providing crucial information about staying safe online, and building upon and improving CDR Link, our flagship helpdesk platform.

We’ve made great progress with CDR tech projects in the last 12 months. The Waterbear project – enabling dis- and misinformation data researchers to gather, aggregate, and analyze evidence of online disinformation campaigns – was used by a coalition of dozens of U.S. civil society organizations during the course of the 2020 U.S. elections. Work begins in earnest on the Leafcutter project – a dashboard of regional and global digital security data – in early 2021. And of course, CDR Link itself is being adopted by more and more responders seeking an integrated, flexible, secure, and privacy-protecting helpdesk platform.

See below for details on the work we’ve done in 2020 and what we’re looking forward to in 2021.

After deciding to build CDR Link on top of the open source Zammad platform, we immediately embarked on building an extension to enable the submission of tickets and responses via Signal. This extension, called Sigarillo, laid the foundation of a lot of our future work, including QuePasa, our WhatsApp extension and now Grabadora, an extension enabling voicemail attachments as tickets.

The most recent release of CDR Link (2020.12.1) includes updates for Sigarillo and the introduction of Grabadora. Sigarillo (and soon, QuePasa) can now handle multiple attachments, and all three extensions will be updated to use the new Amigo framework for building extensions (see below), making them more stable, more unified in their structure, and easier to maintain and administer.

We’ve just begun work on a new extension adding PGP encryption to CDR Link’s email channel, offering community members another secure option for creating tickets. We expect the PGP extension to go live in mid-2021. We’ll also be transitioning our core instances to a new setup that takes advantage of automation tools and, when possible, uses Cloudflare Access and Google OAuth to add multiple layers of protection to the platform.


A year ago we were just getting started on what became the Waterbear project, a platform that helps researchers crowdsource and analyze evidence of online mis- and disinformation campaigns. Using CDR Link as a foundation, we built a robust input form, customizable for any taxonomy structure and unique data submission needs, that researchers and trusted sources can use to submit screenshots, links, and anecdotal evidence. That form pipes into CDR Link, where it can be further classified and organized, then it’s sent on to another tool for final review before being added to a core dataset for analysis.

This platform, first built to accommodate the needs of dozens of U.S. civil society organizations seeking to combat the effects of disinformation in the runup to the 2020 election, is now being deployed in Europe and beyond. If you would like to hear more about Waterbear or are interested in seeing a demo, please contact us at [email protected].


Development of the Leafcutter project, first conceived during the spring of 2019, is now underway. Leafcutter is similar to Waterbear in that it builds on CDR Link to provide inputs and analysis tools that help trusted researchers and analysts create a core dataset. In this case, the dataset comes from CDR Link tickets generated by partners running regional digital security helpdesks. Leafcutter will aggregate data from these tickets – detailing types of attacks, location, time, region, and more – and make that data accessible to trusted rapid responders and analysts via the the MISP platform and an easy-to-use dashboard (likely using Shiny). The end result will help regional helpdesk teams respond to digital attacks and implement preventative measures more efficiently and with greater insight.


As CDR’s tech projects have been adopted by more users, the need for documentation has grown. That’s why, in 2020, we built an in-depth documentation site featuring guides on setting up and using CDR Link and Waterbear, our Privacy Policy, and the End-User License Agreement for CDR Link. This resource is a big step toward making CDR tech projects more accessible to current and future users, establishing CDR Link, Waterbear, and Leafcutter as community resources for years to come.

Zammad audit

As we noted above, the core of CDR Link is built upon the open-source project Zammad. Since the Zammad platform is so central to our work at CDR and the work of our partners, it’s essential that we verify the integrity and security of the code. With the support of Open Technology Fund our partners at Guardian Project put the platform through a detailed security audit. The results were released and many of our recommendations were incorporated into Zammad’s 3.3.0 release.

Under the hood!

A lot of the improvements we’ve made to CDR Link over the last 12 months are “under the hood,” meaning that while users may not initially see them, they’ve improved the usability of the platform and enabled us to quickly deploy it and maintain it for communities in need. These improvements include:

The work we’ve done both “under the hood” and in more recognizable ways points to an exciting 2021 for the project and CDR as an organization. We’re proud of how far CDR Link has come, and we’re looking forward to making it available to more communities, in more ways, in 2021.

Finally: A big, big thank you to our partners and friends at Guardian Project and Okthanks, who work with CDR to develop, deploy, design, and maintain all of this work. We could never do it without them.

And a big thanks to our community who helped us make it through 2020. We can’t wait to toss out 2020 and ring in a new, better year.