Source protection in a Digital Age

Published Categorized as Tips & Tricks

Welcome to the third installment of ExpressVPN’s whistleblowing guide. In this segment, we delve into the critical aspect of safeguarding your sources. As a journalist, regulator, or watchdog, it’s not just a responsibility but a duty to ensure the protection of those who provide valuable information. Join us as we explore various strategies, tools, and considerations to keep your sources secure and maintain the integrity of your work.

Understanding Legal Protections for Sources

Before we dive into the technical aspects, let’s address the legal landscape. While sources may be granted legal protection in certain sectors or countries, it’s essential to recognize that these protections might not cover every instance. Knowing the specific laws related to whistleblowing in your area is crucial. The difference in legal frameworks could mean the contrast between a source’s freedom and potential repercussions.

Weighing the Worth of Legal Protections

Despite legal safeguards, it’s prudent to remember that they might not be foolproof. In addition to our information security advice, understanding the intricacies of whistleblowing laws is paramount. A misstep in how you communicate or handle documents could have far-reaching consequences for your source.

Making Yourself Reachable to a Source

Establishing open communication with your sources is fundamental. Recognize that each potential source will have a different level of understanding regarding technology, the law, and your organization. Your role is not just to be a passive receiver of information but an active participant in making yourself reachable and educating your sources about secure communications.

The Gold Standard: SecureDrop

SecureDrop, developed by Aaron Swartz and Kevin Poulson, stands out as a digital mailbox for sensitive material. It’s utilized by numerous news organizations globally for its secure and anonymous file submissions. Here’s how it works:

  1. The whistleblower uses the Tor Browser to access SecureDrop’s .onion address.
  2. Documents are uploaded, and the source receives a passcode for checking replies.
  3. Files are encrypted with your PGP key, ensuring only you can access them.

While considered the gold standard, setting up SecureDrop can be challenging for individuals. Using a laptop with the TAILS operating system for document inspection adds an extra layer of security.

Free india vpn

Jabber/XMPP with OTR Encryption

Jabber, or XMPP, offers an alternative. Despite being less common, it’s relatively easy to set up anonymously, especially when routed through the Tor network. Here’s a brief overview:

  • Create anonymous Jabber accounts communicating through Tor with OTR encryption.
  • Low chance of discovery, even through metadata.
  • Not widely used, challenging on mobile devices.

Signal: Encrypted Messaging

Signal, an encrypted messaging app, provides a secure platform for exchanging messages with minimal metadata. Here’s what you need to know:

  • Available for Android and iOS.
  • Allows encrypted voice calls.
  • Widely endorsed by the information security community.

Postal Address: Traditional but Effective

Sending physical mail might seem outdated, but it’s still a viable option. Here are some considerations:

  • Physical mail can be sent anonymously.
  • Be cautious with hand-written envelopes.
  • Legal protections still exist for mail.

Telephone and E-mail: Use with Caution

While email and telephone communication are easy, they can be intercepted. Here are some precautions:

  • Encrypted emails with PGP leave metadata.
  • Be mindful of vast metadata production.

Ensuring Source Verification

Making sure your sources can verify your identity is crucial for trust-building. Consider these steps:

Send Pictures of Yourself

In case of in-person meetings, provide your source with pictures to prevent impostors.

Use Cryptographic Keys

Utilize your social media presence to host your public keys, making it easier to verify your identity.

Be Available on Reputable, Encrypted Channels

Make your correspondence easily verifiable by being present on secure communication channels.


Securing your sources is not just about technology; it’s a holistic approach that involves legal awareness, technical proficiency, and personal connections. By understanding the legal landscape, adopting secure communication tools, and ensuring source verification, you not only protect your sources but also uphold the integrity of your work.


  1. What legal protections exist for whistleblowers?
    • Legal protections vary by country and sector. It’s crucial to research and understand the specific laws applicable to your situation.
  2. How do I set up SecureDrop for individual use?
    • While SecureDrop is robust, it can be challenging for individuals. Consider seeking technical assistance or exploring alternative secure communication methods.
  3. Is physical mail still a secure option?
    • Yes, physical mail can be a secure option, especially when sent anonymously. However, be aware of potential risks and legal considerations.
  4. Why is metadata important in secure communication?
    • Metadata can reveal information about communication patterns, potentially compromising the anonymity of sources. It’s crucial to minimize metadata exposure.
  5. How can I ensure source verification in online communications?
    • Utilize cryptographic keys, share pictures of yourself, and be present on reputable, encrypted channels to ensure source verification.

Fastest Online Security with ForestVPN