Last reviewed: Next review due:
Why tool choice matters for journalists
Choosing the wrong digital tool can expose a source's identity even when messages are deleted. Metadata — who communicated with whom, when, and from where — can be as revealing as content. The NCSC, the Electronic Frontier Foundation (EFF), and the Freedom of the Press Foundation (FPF) all publish tool guidance specifically for high-risk communicators. This page distils their recommendations for UK journalists.
See also: Threat Modelling for UK Journalists and Encrypted Messaging Guide.
Messaging apps compared
| App | E2E encryption | Metadata stored | Open-source | FPF recommended |
|---|---|---|---|---|
| Signal | Yes (always) | Minimal | Yes | Yes |
| Wire | Yes (always) | More than Signal | Yes | Partial |
| ProtonMail | Yes (end-to-end with other Proton users) | IP logged unless VPN used | Partial | Yes (email) |
| Yes | Significant (Meta) | No | No | |
| Telegram | Optional (Secret Chats only) | Significant | Partial | No |
Password managers compared
KeePassXC
Pros: Local storage only, offline, free, open-source, audited
Cons: No built-in sync; requires manual backup
Best for: Journalists who want maximum local control
https://keepassxc.orgBitwarden
Pros: Open-source, free tier, cloud-synced, independently audited
Cons: Relies on cloud servers (self-host option available)
Best for: Most journalists — best balance of security and convenience
https://bitwarden.com1Password
Pros: Polished UX, widely used by newsrooms, Teams plan
Cons: Commercial/closed-source core, subscription cost
Best for: Teams and newsrooms wanting managed deployment
https://1password.comVPNs: ProtonVPN vs Mullvad
ProtonVPN
- ✓Swiss jurisdiction (strong privacy laws)
- ✓No-logs policy independently audited
- ✓Open-source clients
- ✓Free tier available (slower)
- ✓Integrated with ProtonMail ecosystem
Mullvad
- ✓No account required — pay anonymously
- ✓No-logs policy audited
- ✓Open-source clients
- ✓Flat-rate pricing (no upsell tiers)
- ✓Recommended by EFF and FPF
The NCSC recommends using a reputable VPN when on untrusted networks. Neither Mullvad nor ProtonVPN have complied with government data requests, based on published transparency reports.
Tor Browser and Tails OS
Tor Browser
Routes traffic through three volunteer relays, masking your IP from websites you visit. Download from the official Tor Project site only (torproject.org). Use for: anonymous OSINT research, accessing .onion versions of news sites, and reaching SecureDrop instances.
Not suitable for: high-bandwidth activities or general browsing — it is significantly slower than a standard browser.
Tails OS
A live operating system booted from USB. Routes all traffic through Tor, leaves no trace on the host computer, and wipes memory on shutdown. Recommended by the FPF and EFF for journalists handling very sensitive documents or communicating with high-risk sources. Download from tails.boum.org and verify the cryptographic signature.
Best for: receiving documents from whistleblowers, working with SecureDrop, and situations where you cannot trust the device or environment.
Quick-pick guide by risk level
- Low risk (standard beat reporting):Signal + Bitwarden or 1Password + ProtonVPN on public Wi-Fi
- Medium risk (sensitive investigations, named sources):Signal with disappearing messages + KeePassXC or Bitwarden + ProtonVPN or Mullvad + ProtonMail for encrypted email
- High risk (whistleblowers, foreign-sourced documents, surveillance risk):SecureDrop or Tails OS + Signal + Mullvad + air-gapped device for document handling
Common mistakes
- ⚠Using Telegram default chats (not Secret Chats) for source communications — they are not end-to-end encrypted.
- ⚠Running Tor Browser through a VPN tunnel without understanding the trust implications — read the Tor Project guidance first.
- ⚠Downloading Tails or Tor from unofficial mirrors — always verify signatures from official sources.
- ⚠Using SMS-based two-factor authentication — SIM-swap attacks are well documented; use an authenticator app.
- ⚠Storing all passwords in a cloud document or email — use a dedicated password manager.
Frequently asked questions
Is Signal safe enough for journalist-source communications in the UK?
Do I need a VPN if I already use Signal?
What is the difference between Tor Browser and a VPN?
Should I use KeePassXC, Bitwarden, or 1Password?
What is Tails OS and when should I use it?
Related guides
Primary sources
- NCSC — Using Password Managers— National Cyber Security Centre
- EFF — Surveillance Self-Defence— Electronic Frontier Foundation
- FPF — Journalist Guide to Secure Communication— Freedom of the Press Foundation
- Tor Project — Tor Browser— Tor Project
- Tails — The Amnesic Incognito Live System— Tails Project
- Mullvad VPN — No-logs VPN— Mullvad