The goal of source protection is that a person who provides information to a journalist cannot be identified from the journalist's communications, files, or devices. That goal encompasses at least three separate threat surfaces: the content of communications (what was said), the metadata of communications (who communicated with whom, when, and how often), and the physical or operational trail (who was seen where, who accessed what building, whose phone was near which cell tower).
End-to-end encryption addresses the first. It does relatively little for the second, and nothing for the third. Effective source protection requires thinking across all three.
The Threat Model Is Different from Ordinary Privacy
Most privacy advice is calibrated for a threat model that involves data brokers, advertising networks, and the occasional opportunistic account compromise. Journalists covering national security, organized crime, or corporate misconduct may face adversaries with substantially greater capabilities:
- Signals intelligence collection: State agencies can collect metadata at a national or international scale. Even without decrypting content, call records, account linkages, and connection timing can identify sources.
- Legal process: In many jurisdictions, journalists can be subpoenaed to reveal sources. Shield laws exist in most US states and some federal contexts, but federal shield protections are incomplete. News organizations routinely receive national security letters and FISA orders with accompanying gag provisions.
- Device forensics: A journalist's devices, if seized or examined, may contain communications they believed were deleted. Forensic tools can recover deleted messages, metadata logs, and application artifacts.
- Social engineering: Sources have been identified not through cryptography but through a phone call to the newsroom, a leaked email thread, or a leak investigation that cross-referenced building access logs.
Tiered Communication for Different Sensitivity Levels
Not every source interaction requires the same level of precaution. Treating everything at the highest sensitivity level is operationally unsustainable and likely to lead to inconsistent practice. A tiered approach is more realistic:
| Sensitivity Tier | Examples | Appropriate Channels |
|---|---|---|
| Tier 1 — Routine | Confirmed officials, on-record sources, background interviews | Standard encrypted email, Signal, phone |
| Tier 2 — Sensitive | Confidential sources with some risk, document requests | Signal with disappearing messages, encrypted email, news org VPN |
| Tier 3 — High-risk | Whistleblowers in surveillance states, leakers in law enforcement or intelligence | SecureDrop, air-gapped devices, in-person meetings, no digital trail |
The tier determination should be based on the worst-case consequence if the source is identified — job loss, criminal prosecution, physical danger — rather than on your assessment of how likely exposure is.
SecureDrop for Anonymous Initial Contact
SecureDrop, developed and maintained by the Freedom of the Press Foundation, is the most widely adopted system for anonymous document submission to news organizations. The architecture provides strong protections for sources who need to make initial contact without revealing their identity:
- Sources access the organization's SecureDrop instance via Tor Browser — this provides network-level anonymity by routing traffic through the Tor network, preventing the news organization's server from seeing the source's IP address
- Documents and messages are encrypted before transmission
- Communications use a codename system rather than any account linked to the source's real identity
- The server infrastructure is operated by the news organization, not a third-party service provider with its own legal obligations
SecureDrop has significant operational security requirements: sources must use Tor Browser (not a regular browser or VPN), ideally from a network not associated with them (not their home or work WiFi), and ideally from a device not associated with their daily use. These requirements are not incidental — they're what provides the protection.
Signal for Ongoing Source Communication
Signal is appropriate for ongoing communication with sources where you've already established contact and verified identity. Signal's end-to-end encryption means Signal Inc. cannot read message contents — but several characteristics affect how it should be used:
Enable disappearing messages. The default should be set based on sensitivity. For Tier 2 sources, one week is a reasonable default. For Tier 3, one day or less. Disappearing messages ensure that a device compromise or search months later doesn't expose earlier communications.
Verify safety numbers in person. Signal's safety number verification confirms that your communication is with the person you think it is and that no one is performing a man-in-the-middle attack. For sources whose identity matters, verify safety numbers through a second channel — ideally in person — before trusting sensitive conversations.
The phone number requirement is a real limitation. Signal requires a phone number for account registration. A source in a repressive environment may be identified from the mere fact that they have your phone number, or that their number, found in your contacts, was in contact with a journalist. Consider using Signal with numbers obtained specifically for this purpose, registered to devices not linked to your main identity or the source's.
In 2021, ProtonMail complied with a Swiss court order to log the IP address of a climate activist who had contacted journalists. Encryption protected the message contents; it did not protect the source's network identity. End-to-end encryption and legal compulsion of metadata are separate threat surfaces, and the marketing doesn't always distinguish them clearly.
Email When You Must Use It
Email is a hostile environment for source protection. Even with end-to-end encryption (PGP), the following are typically available to anyone with legal process served on the email provider:
- Sender and recipient email addresses
- Timestamps of when messages were sent and received
- IP addresses at the time of connection (in many cases)
- Subject lines (often unencrypted even when body is PGP-encrypted)
For initial contact from a source who doesn't know your SecureDrop address, email is worse than SecureDrop in almost every dimension. For ongoing communication with a source already known to you, encrypted email — using a provider that stores minimal metadata and operates under a jurisdiction you trust — is workable at Tier 2, not Tier 3.
Haven provides encrypted email and chat under the same identity, which reduces the number of separate communication channels to manage — relevant for journalists who want their sources' encrypted email contacts and encrypted chat contacts to be the same address space rather than fragmented across multiple apps.
Device Security and Legal Compulsion
Physical device security has two relevant dimensions: what happens if the device is lost or stolen, and what happens if it's seized by authorities.
Full-disk encryption is non-negotiable. Every journalist's device should have full-disk encryption enabled with a strong passphrase. On modern iPhones and Android devices, full-disk encryption is on by default and tied to the lock screen PIN.
The PIN/passphrase versus biometric distinction matters significantly in legal contexts (see also our piece on biometric authentication risks). In most US jurisdictions, law enforcement can compel you to unlock a device with a fingerprint or face scan but cannot compel you to reveal a PIN or passphrase. For journalists who may be detained or whose devices may be seized, PIN-only unlock provides materially stronger protection.
Assume any device that crosses an international border may be examined. US Customs and Border Protection has broad authority to search devices at ports of entry without a warrant and without articulating suspicion. Some journalists travel internationally with clean devices and restore from a secure backup after crossing.
The Operational Security Gap
The most common source identification failures don't involve breaking encryption. They involve operational mistakes that the encryption never protected against:
- A source who emailed from a work account, which was accessible to their employer's IT department
- A source who met a journalist in a building with badge-access logs
- A source whose phone appeared near the journalist's home on the day documents were handed over, per carrier cell tower records
- A journalist who mentioned the source by implied description in a conversation with another colleague
- A document that contained metadata — an author field, a print-to-PDF timestamp, tracked changes — identifying the source's machine or identity
Technical security is a necessary condition for source protection, not a sufficient one. The threat model must account for the full context: who knew the meeting was happening, what physical traces were created, what metadata is embedded in any documents received, and who at the news organization knows the source's identity or enough to narrow it.
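The document-metadata failure in the list above can be checked for before a received file is stored or passed on. The following is an added example, not part of the original article: it reads the author, last-modified-by and timestamp properties and the tracked-change authors from a .docx archive using only the Python standard library. The function names and the sample file are constructed for illustration, and other formats such as PDF need their own checks.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]
CORE_FIELDS = [("author", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("created", "dcterms:created"), ("modified", "dcterms:modified")]

def identifying_fields(docx_bytes):
    """Return metadata in a .docx that could point back to who or what produced it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" in z.namelist():
            core = ET.fromstring(z.read("docProps/core.xml"))
            for label, path in CORE_FIELDS:
                el = core.find(path, NS)
                if el is not None and el.text:
                    found[label] = el.text
        if "word/document.xml" in z.namelist():
            body = ET.fromstring(z.read("word/document.xml"))
            # Tracked insertions and deletions each carry the reviser's name.
            authors = {el.get(W + "author") for tag in ("ins", "del")
                       for el in body.iter(W + tag)} - {None}
            if authors:
                found["tracked_change_authors"] = sorted(authors)
    return found

def build_sample():
    """Constructed sample: a minimal .docx-shaped archive with made-up names and dates."""
    core = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
            '<dc:creator>J. Example</dc:creator>'
            '<cp:lastModifiedBy>WORKSTATION-17\\jexample</cp:lastModifiedBy>'
            '<dcterms:created>2024-01-02T03:04:05Z</dcterms:created>'
            '</cp:coreProperties>') % NS
    doc = ('<w:document xmlns:w="%(w)s"><w:body><w:p>'
           '<w:ins w:author="A. Reviewer"><w:r><w:t>added</w:t></w:r></w:ins>'
           '<w:del w:author="J. Example"><w:r><w:delText>cut</w:delText></w:r></w:del>'
           '</w:p></w:body></w:document>') % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```
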
The Freedom of the Press Foundation publishes detailed operational security guides for journalists and news organizations. These are worth reading in full for anyone working with Tier 3 sources. This post is a starting framework, not a complete operational security playbook.