The Intercept Welcomes Whistleblowers



At the Intercept, we are strongly committed to publishing stories based on sensitive material when it is newsworthy and serves the public interest. One of our founding principles is that whistleblowing is vital to holding powerful institutions accountable; in fact, we were launched in part as a platform for journalism arising from disclosures by former NSA contractor Edward Snowden.

So whether you are in government or the private sector, if you become aware of behavior that you believe is unethical, illegal, or damaging to the public interest, consider sharing your information with us.

Our reporters work closely with our technologists on our most sensitive stories to maximize data security. No method is guaranteed to be completely secure but below are some suggestions for how to communicate with The Intercept’s reporters. What method you should use depends on your personal circumstances, the type of information you are sharing, and the level of risk it entails.

SecureDrop

If you wish to communicate with us anonymously, you can use a method called SecureDrop. With our SecureDrop server, you can send messages or sensitive materials to our reporters without disclosing your identity, and we can send messages back to you. Because the metadata of our correspondence – the information about who is sending and receiving messages, and the timing of those exchanges – is not available to any third party, this method is highly secure.

Here’s how to use SecureDrop.

Begin by bringing your personal computer to a Wi-Fi network that isn’t associated with you or your employer, like one at a coffee shop. Download the Tor Browser. (Tor allows you to go online while concealing your IP address from the websites you visit.)

You can access our SecureDrop server by going to http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion/ in the Tor Browser. This is a special kind of URL that only works in Tor. (Do not type this URL into a non-Tor Browser. It won’t work — and it will leave a record.)

From there, follow the instructions to send your message or upload documents.

On April 1, 2019, we upgraded our SecureDrop server and deleted accounts that were inactive for the prior 30 days. If you can't login to your account, it may have been removed. To resume communicating with our newsroom, please create a new account.

Signal

Another good option for sharing information is to contact us on Signal, a secure voice and messaging app. You can download Signal for Android or iPhone.

Using Signal to reach us is pretty easy. Here’s how:

Open the Signal app and tap the pen icon (in the top-right on an iPhone, in the bottom-right on Android) to start a new message. Type our phone number in the search box, 202-802-0482. From there, you can send us an encrypted Signal message.

Follow this guide to help lock down your phone and make sure what happens in your Signal app is more private.

If you use your phone to send us a message or call us on Signal, we will learn your phone number. It is always better for our reporting process to know a source's identity, but we can agree to keep it confidential. The Signal service will also know that you contacted us, but they promise to never log this metadata.

Email

If you do not need this level of security, you can reach our journalists by email, either by contacting a reporter individually or submitting tips at tips@theintercept.com. If you want to, you can send your email using PGP encryption (every journalist’s PGP public key is listed on their staff profile page) but keep in mind that there will still be metadata created by your communication with us, because your email server will record the exchange.

Postal

If you don’t wish to engage in back-and-forth communication with us, you can choose to send us your information via postal mail.

Keep in mind that USPS monitors the packaging of everything sent through the postal system. This includes the location from which you send your parcel, and it might include a sample of your handwriting. If law enforcement searches your parcel before it reaches us, they’ll be able to see whatever you’re sending, which could include your fingerprints, as well as tracking information embedded in documents, such as printer tracking dots.

Send letters or packages to:

The Intercept
114 Fifth Avenue
New York, New York, 10011

Drop it in a public mailbox (do not send it from home, work or a post office) with no return address.

What not to do if you want to remain anonymous

Don’t contact us from work. Most corporate and government networks log traffic. Even if you’re using Tor, being the only Tor user at work could make you stand out.

Don’t email us, call us, or contact us on social media. From the standpoint of someone investigating a leak, who you communicate with, and when, is all it takes to make you a prime suspect.

Consider carefully whether you should share your decision to become a journalistic source with anyone, and specifically whether those people can be trusted to keep your information confidential. If you decide to let others know, tell them face to face.

Other things to think about

Before deciding to bring your story to a journalist, consider consulting with an attorney to better understand your options and risks. If you do this, be careful not to write any details in emails, and try to discuss everything face to face.

When you access documents at work, there is a good chance that this access is logged and associated with your account. If only a small number of people have access to the document you’re accessing, maintaining your anonymity may be harder. In August 2019, The Intercept looked at all indictments related to alleged leaks of restricted government documents since Donald Trump became president — seven at the time — and analyzed how the government identified its targets. In these cases, the government’s evidence was gathered from, among other sources, computers in the defendants’ workplaces; search logs and access logs from restricted databases; personal emails and Google search histories; metadata of text messages and phone calls; and data taken from searches of defendants’ personal computers and phones, including Signal and WhatsApp messages that they had not deleted.

Be aware of your habits. If you have had access to sensitive information that has been published, your activities on the internet could come under scrutiny, including what sites you have visited or shared to social media. Logs of your activity on internal networks at your workplace could be examined. Tools like Tor (see above) can help protect the anonymity of your surfing.

Compartmentalize. Keep your whistleblowing activity as separate as possible from the rest of what you do. Don’t use your pre-existing social media, email, or other online accounts; instead, make new accounts for this purpose, and don’t login to them from networks you normally connect to.

Sanitize. Make sure to clean up after yourself as best as you can. Avoid leaving traces related to whistleblowing lying around your personal or work computers or phones (in your Documents folder, in your web browser history, in Signal messages that you haven’t deleted yet, etc.). If you realize you did a Google search related to whistleblowing while logged into your Google account, delete your search history. Consider using Tor Browser or incognito or private browsing windows in your web browser to be sure you aren’t accidentally logged into any of your accounts and so that your browser history won’t be recorded. Consider keeping all related files on an encrypted USB stick rather than on your computer and only plug it in when you need to work with them.

Consider using a completely separate computer or operating system for all of your whistleblowing activity. Even if you’re using the Tor browser, for instance, if someone has hacked into your computer, they’ll be able to spy on everything you do. Tails is a separate operating system that you can install on a USB stick and use to boot your computer. Tails is engineered to leave no traces behind. It’s not intuitive to use, but if you are serious about your cybersecurity, it’s probably worth the effort. You can find instructions for downloading and installing Tails here.

It is important to understand that no communication method is guaranteed to be completely secure. Becoming a whistleblower carries risks, but they can be minimized if you’re careful, and sometimes it’s the right thing to do.

Last Updated: January 15, 2020