Many of the most impactful stories in technology journalism begin with a tip from an insider, whistleblower, or an individual with first-hand knowledge. These sources often risk their careers or personal safety to reveal information that the public has a right to know. Ensuring that these tips reach journalists securely and anonymously is a critical responsibility for any reputable news organization. This article outlines the best practices for submitting tips to a major technology publication, emphasizing the tools and precautions that protect sources from retaliation.
Why Secure Tipping Matters
The relationship between a journalist and their source is built on trust. In the digital age, that trust must extend to the communication channels used. Unencrypted emails, calls on unsecured lines, and messages sent over standard SMS can be intercepted by employers, governments, or hackers. The consequences for a source can be severe, including job loss, legal action, or even physical danger. Major newsrooms have therefore established specific protocols to minimize risk. Understanding these protocols is the first step for anyone considering providing a tip.
Historically, tips were delivered in person, by postal mail, or through secure drop boxes. Today, the standard for secure communication is end-to-end encryption. This technology ensures that only the sender and the intended recipient can read the contents of a message. Even if the data is intercepted in transit or stored on a server, it remains unreadable. The two most widely recommended tools for this purpose are encrypted email (using PGP or a service like ProtonMail) and the Signal messaging app.
The Recommended Channels
Email remains the most accessible method for reaching a newsroom. For general tips, many publications maintain a dedicated address such as tips@example.com (replace with a generic placeholder). However, standard email is not encrypted by default. To protect a source, the newsroom should provide a way to send encrypted email, typically through PGP (Pretty Good Privacy) or by using a secure webmail provider that supports zero-access encryption, like ProtonMail. If a source is at risk of reprisals, they must avoid using their work email or any device issued by their employer. Using a personal device and a new, anonymous email account is recommended. The subject line should be generic to avoid raising suspicion, and the body should include only essential information without revealing the source's identity.
Signal
Signal is the gold standard for secure messaging among journalists and sources. It uses the Signal Protocol to provide end-to-end encryption for text messages, voice calls, and video calls. Crucially, Signal stores minimal metadata—only the phone number used to register and the last time the app was active. It does not store who you communicate with, the content of messages, or the frequency of interactions. This makes it far more private than WhatsApp or traditional SMS. To use Signal safely, a source should ideally acquire a prepaid phone or a phone number not linked to their identity. The app can be installed on an old device or a secondary smartphone used only for communication. After starting a conversation, the contact can be deleted from the phone’s address book to further obscure the link between the source and the journalist. The Freedom of the Press Foundation provides extensive guidelines for locking down Signal’s security settings, such as enabling disappearing messages and disabling link previews.
Alternative Methods
While email and Signal are the most common, some sources prefer other encrypted messaging apps like Wire or Telegram’s Secret Chat mode. However, Signal is widely considered the most secure because of its open-source protocol and minimal data collection. Some news organizations also accept tips through dedicated web portals located on their sites, but these portals may be vulnerable to traffic analysis. In cases where a source possesses sensitive documents, they may be directed to use SecureDrop, a platform specifically designed for anonymous document submission that uses Tor to hide the source’s IP address. The key is to follow the instructions provided by the publication and to verify the authenticity of the contact information—often listed on the publication’s staff page under a journalist’s profile.
Key Facts and Precautions for Sources
- Never use work devices or networks. Your employer may monitor all traffic, keystrokes, and emails. Use a personal device or a public Wi-Fi network (like a library) to avoid detection.
- Create an anonymous email account. Services like ProtonMail or Tutanota allow registration without providing a real name or phone number. Use that account exclusively for communication with the newsroom.
- Encrypt your messages. If the journalist provides a PGP public key, use it. For Signal, ensure the safety number is verified in person or via a secondary channel.
- Be concise and include evidence. Journalists appreciate firsthand accounts, documents, or screenshots. Vague hunches are less helpful. If you have documents, describe them or provide a secure way to share them (e.g., through a password-protected link sent via separate channels).
- Avoid placing calls when possible. Phone calls can be triangulated or recorded. If you must call, use a burner phone or a VoIP service with encryption.
- Check for legal protections. Whistleblower laws vary by country and industry. While journalistic shield laws protect reporters in many jurisdictions, sources may not share the same protections. Consulting a lawyer before leaking sensitive information is advisable.
Historical Context: How Tipping Has Evolved
The practice of leaking information to the press is as old as journalism itself. In the early 20th century, sources would drop off envelopes at newspaper offices. The famous Pentagon Papers were photocopied and handed over to The New York Times. With the advent of the internet, email became the first great tipping channel, but it was fraught with security risks. The 2013 revelations by Edward Snowden (as a general example of a high-profile leak) brought the importance of encryption to the forefront. Snowden used encrypted email and messaging apps to communicate with journalists, and his case demonstrated how critical secure channels are for protecting sources. Since then, news organizations have invested heavily in digital security training for their staff and in providing secure infrastructure for tipsters. The rise of metadata tracking—where even if content is encrypted, the fact that two people communicated can be detected—has led to the adoption of tools like Signal, which minimizes metadata retention.
Best Practices from the Freedom of the Press Foundation
The Freedom of the Press Foundation (FPF) has been instrumental in establishing guidelines for secure communications between journalists and sources. Their recommendations include using Tor to browse the publication’s tips page, enabling disappearing messages on Signal, and never sharing personal identifiers in initial contact. They also emphasize the importance of verifying that the journalist you are contacting is indeed who they claim to be—check their bio on the publication’s site for a publicly listed Signal number or email domain. The FPF’s “Press Freedom Handbook” is a valuable resource for both journalists and potential sources. By following these guidelines, a tipster can dramatically reduce the risk of exposure.
The Role of the Newsroom
On the receiving end, newsrooms have a duty to protect their sources. They should encrypt sensitive communications, store documents offline, and use secure file-sharing services. They must also be transparent about their tip policies; for instance, many publication now serve their tips pages over HTTPS without third-party analytics or ad trackers, ensuring that a visit to the page does not generate a record of interest. Editors typically vet tips thoroughly before assigning a reporter, and they often work with legal counsel to assess the legality of publishing certain information. The entire process relies on a chain of trust, with the source taking the first step by choosing a secure channel.
Ultimately, the effectiveness of a tip depends not only on the quality of the information but also on the security with which it is delivered. A source who understands the tools and the risks is far more likely to succeed in bringing important stories to light. By using encrypted email or Signal, avoiding employer-provided devices, and following the steps outlined above, anyone with critical information can contact a major technology news outlet safely. The goal is to ensure that the story—not the source—becomes the center of attention.
Source: The Verge News