Some of the most important stories in journalism begin with tips from the public. Whether it is a whistleblower exposing corporate malfeasance, a government employee revealing regulatory failures, or a concerned individual sharing documents, tips provide the raw material for investigations that can change laws, hold power accountable, and improve lives. However, the act of tipping is not without risk. Sources who come forward may face reprisals, legal threats, or social ostracism. Therefore, understanding how to securely and anonymously share information with journalists is critical. This article provides a comprehensive guide on how to send tips using email and Signal, along with broader security practices to protect your identity and the information you share.
Before diving into the technical details, it is important to understand what makes a tip valuable. Journalists are inundated with information, so the most effective tips are those backed by evidence. Firsthand experience—being an eyewitness to an event or directly involved in a process—is highly compelling. Similarly, revealing documents such as internal reports, emails, contracts, or data sets can provide concrete proof. Hunches or secondhand rumors are less useful. If you have encountered something that the public should know about, and you have evidence to support it, then you are in a strong position to help uncover a story. The next step is to reach out securely.
Email: The Standard but Risky Method
Email remains the most straightforward way to contact a journalist or news organization. Many outlets provide general tip email addresses, often found on their websites. For example, you might find a generic address like tips@example.com. However, standard email is not secure. Messages travel in plaintext across the internet, meaning they can be intercepted by internet service providers, hackers, or government surveillance programs. Even if you use a personal email account, the metadata—who you are communicating with, the subject line, the time and date—is often easier to obtain than the content itself. This can be dangerous if you are at risk of reprisals.
To enhance security when using email, consider the following best practices. First, do not use your work email, device, or Wi-Fi network. Your employer often monitors both, and any communication regarding a tip could be flagged. Use a personal email address from a privacy-focused provider like ProtonMail or Tutanota, which offer end-to-end encryption by default. Alternatively, you can use PGP (Pretty Good Privacy) encryption to encrypt messages before sending them, but this requires the recipient to have a public key. Many journalists publish their PGP keys on their social media or websites. Encrypting the message body prevents anyone from reading it except the intended recipient. However, subject lines are often not encrypted, so leave them blank or use something innocuous.
Another critical point is to avoid using your home IP address or real name. Consider using a VPN (Virtual Private Network) to mask your IP address, and create a pseudonymous email account that does not reveal your identity. Do not include any identifying details in the email itself—stick to the evidence and a brief description of why it matters. If you must send attachments, compress them into a password-protected archive and share the password through a separate secure channel. Remember that even with encryption, the act of sending an email leaves traces. For maximum anonymity, some sources prefer to use more advanced tools.
Signal: Encrypted Messaging for Text and Calls
Signal is a free, open-source messaging app that provides end-to-end encryption for text messages, voice calls, and video calls. It is widely considered one of the most secure communication tools available, used by journalists, activists, and security experts around the world. Signal encrypts your messages so that only the participants can read them; not even Signal’s servers can access the content. The app also offers features like disappearing messages, which can automatically delete chats after a set period, and screen security that blocks notification previews on your lock screen.
Signal was originally developed by Open Whisper Systems and later maintained by the Signal Foundation, a non-profit organization. It is free and relies on donations. Unlike some other messaging apps, Signal does not collect user data for advertising or other purposes. The app stores your phone number and the last time you accessed the app, but it does not store who you communicate with. This is a significant privacy advantage over many alternatives. However, you should still take precautions. If you are a potential source, do not use your work phone to download Signal—use a personal device that is not linked to your employer. Ideally, use a separate “burner” device or a secondary phone that is not associated with your daily life.
To begin using Signal for tipping, you need to download the app from the official website or app store. When setting up an account, you will be asked to provide a phone number. This is the main weakness of Signal: it requires a phone number for registration, which could potentially be traced back to you. To mitigate this, you can use a temporary phone number from services like Google Voice or a prepaid SIM card. Note that some virtual numbers may be blocked by Signal. Once you have an account, you need to add the journalist’s Signal number as a contact before starting a conversation. After the conversation has begun, you can delete the contact from your phonebook to reduce traces. It is advisable to enable disappearing messages from the start and to avoid sending images or files that contain embedded metadata, such as GPS coordinates or camera details. You can strip metadata using tools like EXIF removers before sharing.
Signal also allows you to create a “Sealed Sender” feature, which hides your identity from the server during message delivery. However, this feature is enabled by default for messages sent to contacts that have saved your number. For maximum security, consider using Signal in conjunction with other anonymity tools like Tor. The Freedom of the Press Foundation offers detailed guidelines for locking down Signal, such as disabling previews, using a passphrase to encrypt your local database, and regularly reviewing your security settings.
Additional Security Practices for Whistleblowers
Beyond choosing the right communication channel, there are several broader practices that can protect you. First, always assume that your digital footprint can be tracked. Use a VPN to hide your internet activity, and consider browsing via Tor Browser if you need to research topics or access news sites without leaving traces. Avoid logging into personal accounts (email, social media, banking) on the same device you use for tipping. This prevents correlation of your identities.
Second, be mindful of metadata. Even if your message content is encrypted, metadata such as the time of communication, the length of a call, or the size of a file can reveal patterns. For example, if you always send a long message at 9 PM on Tuesdays, an adversary might deduce that you are communicating with a journalist. To break this pattern, vary your timing and use public Wi-Fi or mobile data rather than your home network. You can also use tools like OnionShare or Telegram (with caution) for sharing large files, but Signal is generally preferred for its privacy improvements.
Third, do not share everything in one go. If you have multiple documents, consider sending them in parts over several days to minimize the risk of a single interception compromising all evidence. Use strong passwords and two-factor authentication on your devices and accounts. If possible, store sensitive files on encrypted USB drives or in password-protected cloud storage that you only access via VPN. The key is to minimize the number of digital breadcrumbs that lead back to you.
Journalists themselves often publish guides for sources. Many news organizations have dedicated security teams or point to resources like the Freedom of the Press Foundation’s “Digital Security for Journalists” series. These guides cover everything from op-sec (operational security) to legal considerations. If you are considering becoming a source, it is wise to read several such guides and choose the methods that best fit your risk profile.
What Makes a Good Tip?
While security is paramount, the quality of the tip itself cannot be overlooked. Journalists are more likely to pursue a tip that is specific, well-documented, and relevant to their beat. Before reaching out, gather all available evidence: documents, screenshots, recordings (check local laws regarding consent), and a clear narrative of what you know. Include contextual information such as dates, names (if not identifying you), and internal references. However, do not include your own personal information unless you are prepared to be identified. Many journalists respect anonymity, but some stories may require on-the-record sources for credibility. You can discuss this with the journalist after establishing a secure channel.
It is also important to understand that not every tip leads to a story. Editors and reporters receive hundreds of tips per week. If you do not get a response, it may be because the tip did not fit their editorial focus or because they are investigating it quietly. You can follow up after a reasonable period—maybe two weeks—using the same secure method. If you have evidence that is time-sensitive, make that clear in your initial message. Always be polite and professional.
Finally
Security is an ongoing process, not a one-time checklist. As technology evolves, so do surveillance techniques. Stay informed about new threats and update your methods accordingly. For example, some sources now use SecureDrop, a platform designed specifically for secure and anonymous document submission. SecureDrop is used by many major news organizations and integrates Tor, encryption, and instructions for sources. If a news outlet offers SecureDrop, that is often the most secure option. However, the principles discussed here—encryption, metadata awareness, and operational security—apply broadly.
Whether you choose email or Signal, remember that the safety of the source is the first priority. If at any point you feel your identity is at risk, stop all communication and reassess. Trust your instincts. Journalism thrives on tips from brave individuals who refuse to stay silent. By taking these precautions, you can help expose wrongdoing while protecting yourself.
Source: The Verge News