A journalist was arrested because of an email.
Short answer
The email was not intercepted or hacked. It was handed over by the provider under a legal request the journalist never knew existed. The failure was not technical. It was a misunderstanding of what “secure email” means when the provider is a US company subject to compelled disclosure with non-disclosure orders.
The email wasn’t intercepted. It wasn’t hacked. It was handed over by the provider in response to a legal request that the journalist never knew existed.
By the time the journalist found out, the source was already in custody.
How this happens
Most journalists working in sensitive environments operate under a set of assumptions that haven’t been tested. The discipline that prevents this is in how to communicate with confidential sources safely. The decisions are made before the first message, not after. They use Signal for messaging because they’ve been told it’s secure. They use Gmail or Outlook for email because that’s what their organisation uses. They assume that the security of the channel depends on whether someone is monitoring them right now, not on what records exist that could be accessed later. What law enforcement actually accesses from your accounts documents the gap between what users assume is protected and what providers routinely hand over.
That assumption is wrong. And it’s the most dangerous kind of wrong: the kind that feels completely reasonable until the moment it isn’t.
Step one: the email that creates the record
A source makes contact. Sometimes through a secure channel. Sometimes not. Sometimes through a journalist’s public email address, because that’s what was available. The message may contain nothing sensitive. It establishes that a connection exists between two people.
That connection is now a record in a server somewhere. Encrypting the content of that email, if anyone thought to do it, protects what was said. It does not protect the fact that contact occurred.
Step two: the legal request you never hear about
In most jurisdictions, authorities can compel email providers to hand over account data without notifying the account holder. The provider receives a legal request. They comply. Sometimes they are legally prohibited from disclosing that the request was made.
Gmail, Outlook, Yahoo: US companies subject to US law, which includes mechanisms for compelled disclosure with non-disclosure orders. If the journalist or source uses these services, the content and metadata of every email ever sent is potentially accessible.
Step three: the arrest that reveals the chain
The source is identified through the connection record, not through the content of any communication. The journalist learns about it when the source stops responding. Or when the source is publicly named in an arrest.
At this point there is nothing to fix. The chain played out in the past, in metadata the journalist didn’t know existed, through a legal process the journalist didn’t know was happening.
What actually protects sources
The answer is not a single tool. It’s a system of decisions made before first contact, not after.
Compartmentalisation: the email address a source uses to make initial contact should not be the address used for ongoing communication. Two different addresses, two different providers, create two separate records that require two separate legal requests to connect.
End-to-end encryption for content: Proton Mail with PGP ensures that the provider cannot hand over readable message content because it doesn’t have it.
Signal for ongoing communication: once initial contact is established through a secure channel, all subsequent communication should move to Signal with disappearing messages enabled.
The practical checklist
Proton Mail for source communications. Not Gmail. Not your organisation’s email system.
A separate Proton Mail address that has never been linked to your public identity.
Signal with disappearing messages enabled for all sensitive ongoing communications. The single photo that got a source arrested is the parallel case.
A separate device for source communications if the threat level justifies it.
A clear policy for sources on how to make first contact. Published. Consistent. Followed.
Frequently asked questions
Can authorities access journalist emails without a warrant?
In many jurisdictions, yes, through legal mechanisms that compel providers to disclose data without notifying the account holder. Proton Mail, under Swiss law, has a higher disclosure threshold and publishes transparency reports on every request. The full comparison sits in Signal versus ProtonMail versus Wire for source contact. Jurisdiction is not a detail. It decides what the provider can be forced to disclose.
What email should journalists use for source communications?
Proton Mail, from a dedicated address never linked to your public identity. For ongoing communication after initial contact, Signal with disappearing messages.
Does Proton Mail respond to legal requests?
Yes, when the request comes through Swiss legal channels. Proton publishes detailed transparency reports on every request received and complied with. The volume is low and the bar is high, because Swiss law requires the request to clear specific procedural and proportionality criteria. End-to-end encrypted message content remains inaccessible to Proton even under valid order, since the provider never holds the decryption keys.
Can a journalist be forced to identify a source?
The legal protection varies by jurisdiction. Most democracies have shield laws that protect journalists from being compelled to disclose sources, with significant exceptions for national security investigations. In practice, the source is more often identified through the metadata trail of the contact than through any compelled testimony from the journalist. Protecting the source means protecting the chain that connects them to you, before any legal process begins.
Security for sources isn’t about what happens when someone tries to break in. It’s about what you left unlocked before you knew anyone was watching.
Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
