Journalism source protection is one of the highest-stakes privacy use cases. The legal regimes vary, the adversaries can be state-level, and the cost of getting it wrong can be a source’s livelihood or freedom. This guide assembles a practical stack from the directory’s entries plus a small number of journalism-specific tools.
It is not exhaustive and it does not replace operational training. The Freedom of the Press Foundation runs that training; this is a starting reference.
The threat model
The default threat model for a journalist handling a sensitive source is:
- The source’s employer / opponent: corporate compliance, internal-affairs investigators, or state security services with legal-process reach.
- The publishing organization: editors and legal counsel who need to see the work but should not need to see source identities until publication.
- External observers: anyone who could intercept communications between journalist and source — ISP, network operators, intermediate platforms.
A useful frame is to assume the source’s adversary has subpoena power over any operator and packet visibility on any network the source touches. The defensive posture is to give that adversary nothing to subpoena and nothing to correlate.
The stack
Device
A dedicated device for source work, separate from your day-to-day machine. Two practical options:
- Tails — Linux live OS booted from a USB key. No data persists to disk between sessions. All network traffic forced through Tor. Default choice when “no persistent state” is the binding requirement.
- Qubes OS — Compartmentalized desktop OS where each task runs in an isolated VM. Steeper learning curve; useful when you need both source work and routine work on the same physical machine without crossover.
For users who can’t run either, a dedicated laptop with VeraCrypt full-disk encryption and strict-use discipline is the floor. Never log into real-name accounts on it.
Network
- Tor Browser for research and for accessing onion services. The default for any browsing that could compromise a source.
- Mullvad VPN when Tor is too slow or geofenced. Cash-by-mail or crypto payment, account-number-only signup.
- For routine work, your normal connection. Threat-model each leg of the work on its own; not every leg needs the same protection.
Messenger
Three options depending on the source’s threat model:
- Signal — for sources who can register a phone (often a burner). Disappearing messages on, screen-lock on, view-once attachments where available. The default.
- SimpleX — for sources who specifically cannot or will not register a phone. Per-contact invitation links; no global identifier. Onboarding involves more friction.
- Cwtch — when no central server is acceptable. Tor-onion-service-only.
Avoid: WhatsApp (Meta operator, phone number, group metadata visible), Telegram (default chats not E2E), iMessage (Apple ID binding), Slack/Teams/email-on-domain (employer-visible).
Document intake
- SecureDrop — the reference Tor-onion-service-based intake system. The Guardian, NYT, ProPublica, WaPo, and others run instances. If your organization has SecureDrop, that is the default channel for any document transfer from sources.
- OnionShare — for ad-hoc one-off transfers. Runs a temporary Tor hidden service on your own machine; recipient fetches over Tor.
- Signal attachments — for small files via an already-established Signal contact. Disappearing on.
Avoid: attachments via standard email (transit metadata visible), shared cloud links (operator-visible), in-person USB handoffs (physical-trail risk for the source).
Email and accounts
- Proton Mail — signup over Tor, E2E to other Proton accounts, mainstream and high-volume. Default for working email.
- Tuta — when subject-line metadata also matters. No IMAP.
- Posteo — when paying in cash, so that the account is not bound to a payment identity, matters.
- SimpleLogin or addy.io — for per-service aliases.
Password and key management
- KeePassXC — local-first vault on the dedicated device. No cloud sync component to subpoena.
- Back up the vault to a VeraCrypt container on a USB drive.
- A strong master password plus a passphrase modifier you remember mentally; never write down both.
Crypto for source compensation
If sources need to be compensated in crypto (research grants, expense reimbursement, payment for materials):
- Monero for actual payments; on-chain history is opaque.
- Buy XMR via Trocador (instant swap) or AgoraDesk (P2P). Churn before any transfer.
- Receive into Feather on the dedicated device.
Publishing infrastructure
When the journalism work itself produces a publishing surface — a leak site, a story archive, a temporary onion service for a source intake — the hosting layer matters as much as the device layer.
- OffshorePress is the niche operator oriented around press- and leak-media hosting on Tor onion services. No-KYC signup, Monero-accepted, Tor-friendly across signup and operation. Useful when the operator’s policy should be aligned with the use case rather than retrofitted from generic bulletproof hosting.
- BunkerDomains for the registrar layer when you want a no-KYC offshore domain to match the host posture.
- Pair with Tor onion services for source intake and OnionShare for one-off file transfers.
For threat models where mainstream takedown pressure is the primary risk, this is the routine combination in 2026.
What this stack defeats
- An ISP-level observer correlating you to a specific source.
- An operator (Signal, Proton, SecureDrop) compelled to surrender content — they have nothing readable.
- A subpoena for “all communications between [journalist] and [source]” — there is no record to produce.
What this stack does NOT defeat
- A keylogger or compromise on either end. Endpoint security is endpoint security.
- Coercion of the journalist or the source. No tool fixes that.
- Pattern-of-life correlation across your real-name and professional identity. That is compartmentalization discipline, not tool choice.
- A nation-state adversary with global passive-collection capability and the political will to use it. Tor’s threat model includes this caveat.
Operational discipline
The single highest-value habit is the one this guide cannot enforce: keep the dedicated device, the dedicated accounts, and the dedicated identifier strictly separate from your real-name identity. Don’t log into Twitter on the Tails session. Don’t open Gmail on the dedicated laptop. Don’t use the same VPN account across compartments. Don’t carry the dedicated device alongside a real-name phone tied to your number unless you have to.
Two clean compartments beat five sloppy ones every time. See the operational privacy guide for the layered-threat-model walkthrough.
See also
- Best privacy messengers in 2026 — for the Signal vs SimpleX vs Session pick.
- Best privacy email in 2026 — for the Proton vs Tuta vs Posteo pick.
- Best anonymous VPN in 2026 — for the Mullvad vs IVPN pick.
- Common myths about no-KYC — for the corrections to common misreadings.