Blow That Whistle! (but be safe)

I just noticed on the Washington Post newspaper web page a nice collection of ways to confidentially communicate between journalists and tipsters.   One of them is SecureDrop, which was already discussed earlier.   It’s probably a good idea to just become familiar with these channels of communication, even practice it before you need it.  Think of it as becoming familiar with your word processor or spreadsheet before you have to write your termpaper with footnotes and tables, or tabulate the results from your survey.  Be a scout, and be prepared.

It is interesting to see that US Postal Service (snailmail) is still considered a safe and secure way to communicate.

Share news tips with us confidentially

Do you have information the public should know? Here are some ways you can securely send information and documents to Post journalists.

Learn more

SignalThis is a free, end-to-end encrypted messaging app, which allows you to communicate directly with The Post. You can send text messages, images and video. It also allows you to talk securely with a reporter by calling them via the Signal app. No metadata is retained by Signal. It can be downloaded from the app store. Signal can be configured to delete messages automatically at a designated time interval.

The Post’s Signal phone number: 202-580-5265

Download Signal from iTunes

Download Signal from Google Play

PeerioThis is a free, end-to-end encrypted messaging app, which allows you to communicate directly with The Post. Peerio provides fully encrypted cloud storage for files. You can transfer files to The Post as large as 400 megabytes.

Our Peerio user name: wplockbox

Download Peerio

WhatsAppThis is a free messaging app with end-to-end encryption that also allows the transfer of documents, photos and videos. WhatsApp can be used to make secure phone calls. It is owned by Facebook. Some data is retained by WhatsApp.

The Post’s WhatsApp phone number: 202-580-5265

Download WhatsApp

PidginThis is a secure, desktop messaging app. When used with the OTR (off-the-record) plug-in, it can be used to send encrypted messages. We recommend you also turn off logging for added security. Pidgin also supports encrypted file transfers.

Our Pidgin user name is:

*also install OTR plugin

Download Pidgin

Encrypted EmailIf you use PGP encryption, here is our fingerprint and link to our public key. If you use our public key with a mail encryption plugin, for example Mailvelope or Enigmail, this encrypts the contents of your message but not the subject line or the name of the sender.

Fingerprint: 88D9 812E D074 7AEA EA1E C219 DC81 6CC4 FE3D 535C


The Post’s public key

SecureDropSecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. SecureDrop submissions are entirely encrypted and do not include any identifying metadata.

Learn how to use SecureDrop

Postal mailYou can drop a letter or package in the mail to reporters at The Post. To maintain anonymity, it is recommended that you use a mailbox rather than going into a post office.

Please send to:
News Lockbox
The Washington Post
1301 K St. NW
Washington, DC 20071


One thought on “Blow That Whistle! (but be safe)

  1. The information below is from a pop-up window on a HuffPost article, which made it hard to create a link to it.

    How To Leak To The Huffington Post

    We tell big stories on difficult subjects. We’ve reported on the inequities of the drug treatment system, deaths in police custody, and a massive bribery scandal involving some of the world’s biggest corporations. To tell these stories, we must work with people who know what is really going on inside government and private institutions. That’s where you come in.

    Are you getting new directives that flout established practice? Are new rules making you uncomfortable? Is an important program on the chopping block? Are you being asked to do something unethical? We want to see whatever evidence and documentation you can provide.

    Your employer, hackers and the government can all read your emails (or at least see that you contacted us). But if that doesn’t bother you, email us at

    Need privacy?
    If you’re concerned that being a source for a story poses a significant risk, take precautions:

    Know your risks. No form of communication is 100 percent safe from all observers. Make a plan about what you’ll do if the wrong person finds out you contacted us.
    Do not contact us from your work computer or phone. Your bosses can track your use of these devices. The same goes for your personal mobile phone, if you’ve ever installed apps from your employer — even if you later uninstalled them.

    Consider using postal mail. We’re at “Huffington Post, PO Box 28154, Washington, DC 20038-8154.” Send from a public mailbox and don’t write a return address. Only we can read your message (unless a court provides a warrant).

    Use the same encrypted email service we do. Create a new account — separate from your other email accounts — and use it to write us at As long as you write to our Protonmail address from your Protonmail address, only we or someone who knows your password can read your message. Read more about Protonmail.

    Use your browser’s “incognito” or “private browsing” mode. Some sites (including, potentially, your employer’s) can access your browser history and see what websites you’ve visited. An incognito window masks this data.

    Open a new incognito browser window to contact us, and close it immediately afterward. If you don’t, your browser can display your online history to sites that ask for it.

    Do not contact us during work hours. You could get into trouble if your employer found out.

    If you are concerned you are under active surveillance, do not contact us from home and do not contact us from your regular phone. Public wifi hotspots can help keep you anonymous. Use the Tails operating system to access ProtonMail at https://protonirockerxow.onion/ instead of the normal address. Start your Tails session immediately before contacting us, and close it immediately afterward.

    Do not tell others that you are a source, and do not contact us on social media.

    If you email us documents, strip document metadata. Metadata can include evidence of where a document originated and who has handled it. Here are removal instructions.

    In most cases, our reporters or editors will need to know your identity so we can verify and authenticate the information you provide to us. Your identity will only be shared with HuffPost staff who absolutely need to know it.

    We will do everything we can to protect your identity, but if you feel you must remain completely anonymous, we will ask you to provide us with sources or contacts who can corroborate the information you send us.


Comments are closed.