Skip to main content

Digital Security Tools Comparison for Journalists

Signal vs Wire vs ProtonMail, password managers, VPNs, Tor Browser, and Tails OS — compared for UK journalists who need to protect sources and communications.

Last reviewed: Next review due:

Why tool choice matters for journalists

Choosing the wrong digital tool can expose a source's identity even when messages are deleted. Metadata — who communicated with whom, when, and from where — can be as revealing as content. The NCSC, the Electronic Frontier Foundation (EFF), and the Freedom of the Press Foundation (FPF) all publish tool guidance specifically for high-risk communicators. This page distils their recommendations for UK journalists.

See also: Threat Modelling for UK Journalists and Encrypted Messaging Guide.

Messaging apps compared

AppE2E encryptionMetadata storedOpen-sourceFPF recommended
SignalYes (always)MinimalYesYes
WireYes (always)More than SignalYesPartial
ProtonMailYes (end-to-end with other Proton users)IP logged unless VPN usedPartialYes (email)
WhatsAppYesSignificant (Meta)NoNo
TelegramOptional (Secret Chats only)SignificantPartialNo

Password managers compared

KeePassXC

Pros: Local storage only, offline, free, open-source, audited

Cons: No built-in sync; requires manual backup

Best for: Journalists who want maximum local control

https://keepassxc.org

Bitwarden

Pros: Open-source, free tier, cloud-synced, independently audited

Cons: Relies on cloud servers (self-host option available)

Best for: Most journalists — best balance of security and convenience

https://bitwarden.com

1Password

Pros: Polished UX, widely used by newsrooms, Teams plan

Cons: Commercial/closed-source core, subscription cost

Best for: Teams and newsrooms wanting managed deployment

https://1password.com

VPNs: ProtonVPN vs Mullvad

ProtonVPN

  • Swiss jurisdiction (strong privacy laws)
  • No-logs policy independently audited
  • Open-source clients
  • Free tier available (slower)
  • Integrated with ProtonMail ecosystem
https://protonvpn.com

Mullvad

  • No account required — pay anonymously
  • No-logs policy audited
  • Open-source clients
  • Flat-rate pricing (no upsell tiers)
  • Recommended by EFF and FPF
https://mullvad.net

The NCSC recommends using a reputable VPN when on untrusted networks. Neither Mullvad nor ProtonVPN have complied with government data requests, based on published transparency reports.

Tor Browser and Tails OS

Tor Browser

Routes traffic through three volunteer relays, masking your IP from websites you visit. Download from the official Tor Project site only (torproject.org). Use for: anonymous OSINT research, accessing .onion versions of news sites, and reaching SecureDrop instances.

Not suitable for: high-bandwidth activities or general browsing — it is significantly slower than a standard browser.

Tails OS

A live operating system booted from USB. Routes all traffic through Tor, leaves no trace on the host computer, and wipes memory on shutdown. Recommended by the FPF and EFF for journalists handling very sensitive documents or communicating with high-risk sources. Download from tails.boum.org and verify the cryptographic signature.

Best for: receiving documents from whistleblowers, working with SecureDrop, and situations where you cannot trust the device or environment.

Quick-pick guide by risk level

  • Low risk (standard beat reporting):Signal + Bitwarden or 1Password + ProtonVPN on public Wi-Fi
  • Medium risk (sensitive investigations, named sources):Signal with disappearing messages + KeePassXC or Bitwarden + ProtonVPN or Mullvad + ProtonMail for encrypted email
  • High risk (whistleblowers, foreign-sourced documents, surveillance risk):SecureDrop or Tails OS + Signal + Mullvad + air-gapped device for document handling

Common mistakes

  • Using Telegram default chats (not Secret Chats) for source communications — they are not end-to-end encrypted.
  • Running Tor Browser through a VPN tunnel without understanding the trust implications — read the Tor Project guidance first.
  • Downloading Tails or Tor from unofficial mirrors — always verify signatures from official sources.
  • Using SMS-based two-factor authentication — SIM-swap attacks are well documented; use an authenticator app.
  • Storing all passwords in a cloud document or email — use a dedicated password manager.

Frequently asked questions

Is Signal safe enough for journalist-source communications in the UK?
Signal is considered the gold standard for encrypted messaging. It uses end-to-end encryption for all messages and calls, stores minimal metadata, and is open-source. For most journalist-source communications it is sufficient. For very high-risk communications with whistleblowers, supplement Signal with SecureDrop or Tails OS.
Do I need a VPN if I already use Signal?
Yes. Signal encrypts message content, but a VPN masks your IP address and network activity from your ISP and network operators. Use a VPN on public or untrusted networks. Choose a no-logs VPN: Mullvad and ProtonVPN are recommended by the EFF and Freedom of the Press Foundation.
What is the difference between Tor Browser and a VPN?
A VPN routes your traffic through one encrypted server, hiding it from your ISP but not from the VPN provider. Tor routes your traffic through at least three volunteer-operated relays, making it much harder to trace. Tor is slower but provides stronger anonymity for research. Use Tor Browser for sensitive OSINT research; use a VPN for general day-to-day privacy.
Should I use KeePassXC, Bitwarden, or 1Password?
All three are reputable. KeePassXC stores your password database locally (maximum control, offline, no subscription). Bitwarden is open-source and cloud-synced (audited, free tier available). 1Password is commercial and widely used by newsrooms. The NCSC recommends using any reputable password manager over reusing passwords.
What is Tails OS and when should I use it?
Tails is a live operating system you run from a USB drive. It routes all internet traffic through Tor and leaves no trace on the computer you use it on. It is recommended for high-risk source communications, whistleblower document handling, and situations where you cannot trust the device you are using. Guidance from the Freedom of the Press Foundation and Tails project explains how to set it up safely.