Source protection is the foundation of investigative journalism. But the technical side of secure communications is often left to individual reporters to figure out on their own — leading to inconsistent practices, fragmented tools, and gaps that a motivated adversary could exploit.
This guide covers the practical steps newsrooms can take to protect source communications at an organizational level, not just an individual one.
Before choosing tools, you need to understand what you're protecting against. The security needs of a local newspaper covering city hall corruption are different from an investigative unit producing stories about state surveillance programs.
A useful threat model for newsrooms answers three questions:
Your security measures should be proportionate to these answers. Over-engineering creates friction that reporters won't sustain; under-engineering creates risks that could endanger people.
End-to-end encrypted messaging should be the default for all source communications — not an exception for "sensitive" conversations. Signal is the gold standard for individual source contacts: it's end-to-end encrypted, doesn't store message content on servers, and supports disappearing messages.
But Signal has limitations for organizational use. It's tied to personal phone numbers, there's no organizational control over accounts, and if a reporter leaves, their Signal conversations go with them. For internal newsroom communications, a self-hosted Matrix/Element deployment also provides end-to-end encryption, with organizational user management, device verification, and retention controls.
Not every source will know how to contact a reporter securely. An anonymous tip line — accessible over Tor — gives sources a way to reach you without revealing their identity, even to you. SecureDrop, developed by the Freedom of the Press Foundation, is the most widely deployed solution for this purpose. It requires dedicated hardware and careful operational procedures, but it provides a level of source protection that no other tool matches.
If a full SecureDrop deployment isn't feasible, at minimum publish a clear and findable page on your website explaining how sources can reach you securely, including your reporters' Signal contact information and PGP keys.
Email is fundamentally insecure for source communications. Even with PGP encryption, metadata (who emailed whom, when, and how often) is visible to email providers, network observers, and anyone with legal process authority. PGP also has significant usability problems that lead to mistakes — unencrypted replies, key management failures, and expired keys.
The practical guidance: don't use email for source communications if you can avoid it. If you must, use PGP with a clear understanding of its limitations — and never for first contact with a source whose identity needs to remain confidential.
The most common mistake newsrooms make is treating secure communications as an individual reporter responsibility. This leads to:
Secure communications should be an organizational capability with standards, supported tools, training, and someone responsible for maintaining it. This doesn't mean centralized surveillance of reporter communications — it means providing the infrastructure and training so that every reporter has access to secure tools and knows how to use them.
Secure communications don't exist in isolation. They sit on top of infrastructure — and if that infrastructure is compromised, the encryption doesn't help much.
For newsrooms handling genuinely sensitive material, the infrastructure question is as important as the encryption question. Self-hosting communications and file storage on infrastructure in a jurisdiction with strong press freedom protections removes entire categories of risk.