How to communicate with confidential sources safely

How to communicate with confidential sources safely in 2026.

Short answer

The weakest link is almost never the encryption. It is the decision the source made before they knew they were a source by contacting you from a work email, on a work device, from an office network. The channel hierarchy: Signal with disappearing messages first, Proton Mail second, any other encrypted channel third. Gmail, SMS, and WhatsApp without reviewed backup settings: never.

The security of a confidential source is determined by the weakest link in the communication chain. That weakest link is almost never the encryption algorithm. It’s the decision the source made before they knew they were a source. The journalist who was arrested because of an email is the case that anchors this point. The encryption was working. The metadata wasn’t.

Before first contact

The most dangerous moment in a source relationship is the first one. Before any communication channel is established, before any secure tool is used, there is usually an initial contact. That contact creates a record. The question is what kind of record, and where it lives.

If a source contacts you through your public email address on Gmail, using their work email, from their office Wi-Fi, on a device managed by their employer: every detail of that contact is potentially accessible to four different parties who are not you.

Publishing a clear, specific guide to how sources can make initial contact securely is not optional. It’s the most important thing a journalist covering sensitive topics can do. It should be on your website. It should specify exactly which tools, which addresses, and what not to do.

The channel hierarchy

Tier 1 (highest sensitivity): Signal with disappearing messages, from a device and number the source hasn’t used for anything else.

Tier 2 (high sensitivity): Proton Mail with end-to-end encryption, from a Proton address created specifically for this contact.

Tier 3 (moderate sensitivity): Any encrypted channel where both parties control the keys and the provider cannot read content. The full comparison is in Signal versus ProtonMail versus Wire for source contact. The threat model decides which tier wins, not the marketing.

Never: Gmail. Regular SMS. WhatsApp without reviewing backup settings. Your organisation’s Slack. Any platform where a third party holds the keys.

Signal: what it protects and what it doesn’t

Signal encrypts message content end-to-end. The Signal servers cannot read your messages. Law enforcement requests to Signal produce almost nothing because almost nothing is stored.

What Signal doesn’t protect: the phone number associated with the account. If a source’s phone number is known, their Signal account is identifiable. Signal usernames are now available as an alternative to phone numbers, which is worth setting up for high-risk source relationships. The source’s account becomes addressable without exposing their phone number to the journalist.

Disappearing messages: enable them. Always. For every conversation involving a source. The message history that doesn’t exist cannot be compelled, extracted, or used as evidence.

Email: the metadata problem

Even with end-to-end encryption, email creates metadata. Who sent to whom. When. How often. From what IP address. These records exist at the provider level and are accessible under legal process even when content is encrypted.

Proton Mail with end-to-end encryption between two Proton addresses protects content. It does not eliminate the metadata record that two specific accounts corresponded at specific times.

What you can and cannot control

You cannot control what decisions a source makes before they contact you. You cannot force them to use Signal. You cannot erase the records they created before they understood the risk. If the source’s device ends up in someone else’s hands, what forensic tools can extract from a seized device documents what survives, including conversations the source thought were gone.

What you can control: what you add to the record from your side. Your device. Your email provider. Your communication practices. Your backup settings. Your location metadata.

A source who takes no precautions and a journalist who takes all of them has a communication chain that is only as secure as the source’s end. Understanding this clearly is the beginning of a real security practice, not the end of one.

Frequently asked questions

What is the safest way for sources to contact journalists?

Signal, from a device and phone number not linked to their identity. If Signal isn’t possible, Proton Mail from a dedicated address created for this contact. Never from a work device, work email, or a device managed by their employer.

Is WhatsApp safe for source communications?

The messages are end-to-end encrypted in transit. The backup is the vulnerability. If WhatsApp backup is enabled to iCloud or Google Drive, the full message history is stored unencrypted in the cloud. For sensitive source communications, Signal with disappearing messages is the correct tool.

What should journalists publish on their website to enable secure source contact?

A clear, named contact page that lists at minimum: a Signal number or username, a Proton Mail address dedicated to source intake, and explicit instructions on what not to do. Not to use a work device, not to use a work email, not to contact from an office network. The page should also state which platforms are not monitored, so a source does not assume Twitter DMs or LinkedIn messages count as secure intake.

Should journalists use a separate phone for source communications?

For high-sensitivity beats, yes. A dedicated device with no personal accounts, no biometric unlock, and a strong alphanumeric passcode reduces what a single seizure or compromise exposes. The economics are favourable. A refurbished Pixel running GrapheneOS sits well under 200 euros, and the cost of a single source being identified is not measurable in euros.

The security of a source communication is determined before the first message is sent. Not by the encryption you chose. By the decisions both parties made about everything else.

Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.

Similar Posts