How to communicate securely with whistleblowers

Journalists could not have reported many of the past century’s biggest news stories without whistleblowers’ cooperation and expert testimony. They also play a vital role in uncovering and tackling fraud, corruption, and public safety threats. They often risk their careers — and sometimes their freedom — to bring the truth to light.

For journalists, ensuring secure whistleblower communications is a serious responsibility. This is easier said than done, especially for reporters at local news outlets or freelancers. But there are well-established best practices and trusted tools that help remove much of the risk.

This guide distills the essentials of secure whistleblower communication, drawing on resources like the Whistleblower Journalism Guide(new window) and practical experience as an encryption company with over 100 million accounts, including thousands of journalists and activists.

• What is a whistleblower?
• Why secure whistleblower communication matters
• Essential tools for whistleblower communication
• Best practices for journalists
• Legal and jurisdictional risks
• Whistleblowers and journalists help keep power accountable

What is a whistleblower?

A whistleblower is typically an insider, often a current or former employee, who witnesses wrongdoing within an organization and decides to speak up rather than stay silent. Their disclosures typically concern legal violations, safety threats, or breaches of the public trust.

Whistleblowers have played a crucial part in uncovering history’s worst cases of fraud and abuse. Some famous whistleblowers and the scandals they uncovered include:

• Mark Felt (Deep Throat)(new window) – The Watergate scandal
• Sharron Watkins(new window) – The collapse of Enron
• Edward Snowden(new window) – The NSA’s mass surveillance program

The vast majority — roughly 75%(new window) — of whistleblowers first report the problems or abuse they discover internally. They often only turn to the press as a last resort after they’ve been ignored, dismissed, or threatened with retaliation. This makes their decision to reach out to journalists even more risky, as their organization might already be monitoring them. Therefore, secure, trustworthy communication is a journalist’s first duty.

Why secure whistleblower communication matters

Whistleblowers are almost never thanked or rewarded for reporting misconduct to their superiors. According to Protect, a UK-based charity that encourages safe whistleblowing, roughly 40% of whistleblowers(new window) say their concerns were ignored.

Retaliation against whistleblowers is pervasive across industries and the public sphere. A survey of US and UK financial professionals(new window) said that:

• 59% have seen whistleblowers subsequently left out of important decisions 
• 33% have seen whistleblowers moved to a different team
• 32% have heard whistleblowers called derogatory names behind their backs or directly to their face

In 2024, it was reported that Boeing retaliated against at least 32 whistleblowers(new window) between 2020 and 2024.

Starting with former President Obama, the US government has begun charging record numbers of whistleblowers under the US Espionage Act(new window).

Journalists can also be pressured(new window) to reveal their sources or reporting. If journalists fail to use secure communication, surveillance and metadata could expose the whistleblower’s identity, putting them at risk and preventing the story from coming out.

The fact that so many people still try to alert the public of wrongdoing in the face of losing their job, lawsuits, or jail time is commendable. This is why journalists must do their utmost to ensure their communications with whistleblowers are secure. Secure communication isn’t paranoia — it’s protection for both source and reporter.

Essential tools for whistleblower communication

Modern technology offers powerful tools that make it much safer to communicate with whistleblowers. Every journalist working with sensitive sources should have a toolkit of secure communication methods. Here are some of the best ways to securely communicate with whistleblowers:

• Proton Mail: Standard email like Gmail or Outlook isn’t private. Proton Mail uses end-to-end encryption, meaning only you and your source can read it, even if it’s intercepted. Based in Switzerland, it offers strong legal protections and is safe from secret US warrants. If you need to communicate with a whistleblower who doesn’t use Proton Mail, you can send Password-protected Emails, which let you send end-to-end encrypted emails to external email services.
• Signal: Signal(new window) is a secure, open-source messaging app that encrypts texts, calls, and attachments by default. It stores minimal metadata and includes disappearing messages — ideal for sensitive conversations. It’s simple to use and trusted by privacy advocates worldwide.
• Tor Browser: Tor(new window) hides your IP address and online activity by routing traffic through a network of encrypted relays. It’s essential for accessing secure tip portals, protecting source anonymity, and avoiding workplace surveillance. For higher-risk situations, pair it with a system like Tails.
• VPN: Another way to hide your IP address is by using a VPN. The key difference between Tor and a VPN is that the VPN company, like Proton VPN(new window), will know your true IP address. But other websites you visit will not.
• SecureDrop: SecureDrop(new window) is a Tor-based submission system for receiving sensitive documents anonymously. Everything is encrypted, and neither party knows the other’s identity. While setup can be complex, it’s one of the most secure ways to share files anonymously.
• Proton Drive: If you don’t need Tor-level anonymity, Proton Drive lets you send and receive any sized file via email or sharing link with end-to-end encryption. So your documents and folders remain secure against data breaches and private, even from Proton.

Each tool protects a different part of the communication chain. Used together, they build a strong foundation of privacy.

To counteract unprecedented attacks on press freedom, Proton is offering media organizations discounted access to our secure business suite, which includes Proton Mail, Proton Drive, Proton VPN, and Proton Pass. Learn more here.

Best practices for journalists

Security relies as much on you as on the apps you use. Below, we list the essential best practices for communicating with whistleblowers safely:

1. Never let whistleblowers use work devices: Never let whistleblowers use work email, phones, or office networks. Employers monitor activity, and traces can be logged. Encourage sources to use personal, secure devices away from employer control.
2. Give whistleblowers a way to contact you securely: Don’t wait for a leak to set up safe channels. Share a Proton Mail address or Signal number publicly. For example, CNN shares its Proton Mail address(new window) and SecureDrop instructions on its website. If a source reaches out, confirm they’re using a secure device and network. Avoid calling their personal phone unless you know it’s safe — use Signal when possible.
3. Encrypt everything: Use encryption for all messages, files, and calls. Stick to Proton Mail, Signal, and tools with end-to-end encryption. Remember, encryption protects content but not always metadata — use Tor or VPNs to reduce exposure.
4. Meet carefully, and only if you must: In-person meetings can be safe if discreet. Choose a public, quiet spot, and leave your phones behind. Avoid locations tied to the source. Meet only when necessary.
5. Request evidence ethically: Don’t ask for classified files or information. Instead, ask if documentation exists. Let the whistleblower decide what to share. Always scrub metadata from files and photos before transmission.
6. Handle documents securely: Avoid cloud services tied to your identity. Store files offline, encrypted, and share only through secure channels. Printouts should be safeguarded. Clean digital copies may be safer than originals.
7. Keep sensitive information secure: Keep your source’s identity on a need-to-know basis. Use code names, lock away notes, and switch to Tails or clean devices if you suspect yours is compromised. Be cautious at borders — travel with clean hardware or delete apps and data from your device.

Legal and jurisdictional risks

There are laws intended to protect whistleblowers, but the legal landscape is complicated. Whistleblower protection laws vary by country and by the type of whistleblower. It’s beyond the scope of this article to cover all laws, but here are some key points and protections to be aware of:

US Whistleblower Protection Act (WPA)
The WPA(new window) protects most federal employees from retaliation when reporting government wrongdoing. It does not apply to intelligence agencies or cover classified leaks to the media. It also excludes private, state, or local workers.

Other US laws
Whistleblower protections in the US vary widely. Over 60 federal laws(new window) and many state laws protect workers in sectors like finance, health, and the environment. Some prominent examples of industry-specific whistleblower laws include the Sarbanes-Oxley Act(new window) and Dodd-Frank Act(new window), which even provides monetary rewards for whistleblowers in the securities and finance sector. Legal coverage depends on the industry, employer type, and what was disclosed.

Classified information
Leaking classified material to the press isn’t protected under whistleblower laws. Whistleblowers who share national security information in the US risk prosecution under laws like the Espionage Act, similar to Edward Snowden or Reality Winner(new window). Journalists covering such disclosures should seek legal guidance and avoid exposing identifying details unnecessarily.

Global protections
Whistleblowing protections can vary depending on the country and industry your source is operating in.

• The EU’s 2019 EU Whistleblower Protection Directive(new window) strengthened whistleblower laws across the EU, and many countries now prohibit retaliation for both public and private sector disclosures. Still, protections vary between countries.
• The UK’s Public Interest Disclosure Act(new window) of 1998 was a pioneering law when it was passed, but now faces calls for reform.
• Australia is currently considering creating an agency(new window) to enforce its various whistleblower protection laws.
• Canada is generally considered to have weak whistleblowing protections(new window).

Cross-border cases are even more complex and require additional care. NGOs like Transparency International(new window) can be helpful in advising journalists in such cases.

Journalist legal risk
Reporters in the US aren’t protected by a federal shield law, though most states do provide these protections. You may be compelled to reveal a source in court, especially in federal or national security cases. You can minimize your exposure by limiting records, using secure channels, and consulting legal experts when needed.

Whistleblowers and journalists help keep power accountable

Secure whistleblower communication protects truth-tellers and enables impactful journalism. By combining encrypted tools like Proton Mail and Signal with strong habits and legal awareness, journalists can offer real safety to their sources. For freelancers and local reporters without institutional backing, these practices are essential. Security is not an afterthought — it’s your source’s lifeline.

For more detailed information, go to the Government Accountability Project(new window).