How to communicate with confidential sources safely in 2026.
Short answer
The weakest link is almost never the encryption. It is the decision the source made before they knew they were a source: contacting you from a work email, on a work device, from an office network. The channel hierarchy: Signal with disappearing messages first, Proton Mail second, any other encrypted channel third. Gmail, SMS, and WhatsApp without reviewed backup settings: never.
The security of a confidential source is determined by the weakest link in the communication chain. That weakest link is almost never the encryption algorithm. It’s the decision the source made before they knew they were a source.
Before first contact
The most dangerous moment in a source relationship is the first one. Before any communication channel is established, before any secure tool is used, there is usually an initial contact. That contact creates a record. The question is what kind of record, and where it lives.
If a source contacts you through your public email address on Gmail, using their work email, from their office Wi-Fi, on a device managed by their employer: every detail of that contact is potentially accessible to four different parties who are not you. (See: A journalist was arrested because of an email.)
Publishing a clear, specific guide to how sources can make initial contact securely is not optional. It’s the most important thing a journalist covering sensitive topics can do. It should be on your website. It should specify exactly which tools, which addresses, and what not to do.
The channel hierarchy
Tier 1 (highest sensitivity): Signal with disappearing messages, from a device and number the source hasn’t used for anything else.
Tier 2 (high sensitivity): Proton Mail with end-to-end encryption, from a Proton address created specifically for this contact.
Tier 3 (moderate sensitivity): Any encrypted channel where both parties control the keys and the provider cannot read content.
Never: Gmail. Regular SMS. WhatsApp without reviewing backup settings. Your organisation’s Slack. Any platform where a third party holds the keys.
Signal: what it protects and what it doesn’t
Signal encrypts message content end-to-end. The Signal servers cannot read your messages. Law enforcement requests to Signal produce almost nothing because almost nothing is stored.
What Signal doesn’t protect: the phone number associated with the account. If a source’s phone number is known, their Signal account is identifiable. Note: usernames are now available as an alternative to phone numbers in Signal, and are worth setting up for high-risk source relationships.
Disappearing messages: enable them. Always. For every conversation involving a source. The message history that doesn’t exist cannot be compelled, extracted, or used as evidence.
Email: the metadata problem
Even with end-to-end encryption, email creates metadata. Who sent to whom. When. How often. From what IP address. These records exist at the provider level and are accessible under legal process even when content is encrypted.
Proton Mail with end-to-end encryption between two Proton addresses protects content. It does not eliminate the metadata record that two specific accounts corresponded at specific times.
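What a mail provider's records still show for an end-to-end encrypted exchange, as an added example that is not part of the original article. The addresses, IP addresses, header layout and ciphertext placeholder are constructed samples, not real traffic.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _sample(date, ip):
    # Constructed message: plaintext headers around an opaque encrypted body.
    return (
        f"Received: from [{ip}] by mail.example.net; {date}\n"
        "From: source-tips@example.org\n"
        "To: reporter@example.com\n"
        f"Date: {date}\n"
        "Content-Type: application/pgp-encrypted\n"
        "\n"
        "-----BEGIN PGP MESSAGE-----\n"
        "(constructed ciphertext placeholder)\n"
        "-----END PGP MESSAGE-----\n"
    )

SAMPLES = [
    _sample("Mon, 05 Jan 2026 09:14:00 +0000", "203.0.113.7"),
    _sample("Wed, 07 Jan 2026 22:41:00 +0000", "198.51.100.23"),
]

def visible_metadata(raw):
    """Return what is readable without any decryption key."""
    msg = message_from_string(raw)
    ips = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]
    return {
        "from": parseaddr(msg["From"])[1],            # who sent
        "to": parseaddr(msg["To"])[1],                # to whom
        "sent": parsedate_to_datetime(msg["Date"]),   # when
        "ips": ips,                                   # from what IP address
        "body_is_ciphertext": "BEGIN PGP MESSAGE" in msg.get_payload(),
    }

def contact_pattern(raw_messages):
    """Count messages per (sender, recipient) pair: the 'how often' record."""
    pairs = Counter()
    for raw in raw_messages:
        m = visible_metadata(raw)
        pairs[(m["from"], m["to"])] += 1
    return pairs

if __name__ == "__main__":
    for raw in SAMPLES:
        print(visible_metadata(raw))
    print(contact_pattern(SAMPLES))
```

The body stays unreadable in both messages, yet the sender, recipient, timestamps, originating addresses and contact frequency are all recovered from the headers alone.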
The source’s security is not your responsibility. But it’s your problem.
You cannot control what decisions a source makes before they contact you. You cannot force them to use Signal. You cannot erase the records they created before they understood the risk.
What you can control: what you add to the record from your side. Your device. Your email provider. Your communication practices. Your backup settings. Your location metadata.
A source who takes no precautions and a journalist who takes all of them have a communication chain that is only as secure as the source’s end. Understanding this clearly is the beginning of a real security practice, not the end of one.
Frequently asked questions
What is the safest way for sources to contact journalists?
Signal, from a device and phone number not linked to their identity. If Signal isn’t possible, Proton Mail from a dedicated address created for this contact. Never from a work device, work email, or a device managed by their employer.
Is WhatsApp safe for source communications?
The messages are end-to-end encrypted in transit. The backup is the vulnerability. If WhatsApp backup is enabled to iCloud or Google Drive, the full message history is stored unencrypted in the cloud. For sensitive source communications, Signal with disappearing messages is the correct tool.
The security of a source communication is determined before the first message is sent. Not by the encryption you chose. By the decisions both parties made about everything else.
Affiliate disclosure: this article contains a link to Proton. We only affiliate with tools we use and trust.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
