At the Intercept, we are strongly committed to publishing stories based on confidential material when it is newsworthy and serves the public interest. One of our founding principles is that whistleblowing is vital to holding powerful institutions accountable; in fact, we were launched in part as a platform for journalism arising from unauthorized disclosures by NSA contractor Edward Snowden.
So whether you are in government or the private sector, if you become aware of behavior that you believe is unethical, illegal, or damaging to the public interest, consider sharing your information securely with us.
Our reporters work closely with our internet security specialists on our most sensitive stories to minimize the risk of exposure. Below are guidelines for whistleblowers seeking to communicate with The Intercept’s reporters. What method you should use depends on your personal circumstances, the type of information you are sharing and the level of risk it entails.
If you wish to communicate with us anonymously, you can use a method called SecureDrop. With our SecureDrop server, you can send messages or sensitive materials to our reporters without disclosing your identity, and we can send messages back to you. Because the metadata of our correspondence – the information about who is sending and receiving messages, and the timing of those exchanges – is not available to any third party, this method is highly secure.
Here’s how to use SecureDrop.
Begin by bringing your personal computer to a Wi-Fi network that isn’t associated with you or your employer, like one at a coffee shop. Download the Tor Browser. (Tor allows you to go online while concealing your IP address from the websites you visit.)
You can access our SecureDrop server by going to http://intrcept32ncblef.onion/ in the Tor Browser. This is a special kind of URL that only works in Tor. (Do not type this URL into a non-Tor Browser. It won’t work — and it will leave a record.)
From there, follow the instructions to send your message or upload documents.
On 2017-10-24 the onion address for our SecureDrop server changed. You can read more about this on The Intercept.
Using Signal to reach us is pretty easy. Here’s how:
Open the Signal app and tap the pen icon (in the top-right on an iPhone, in the bottom-right on Android) to start a new message. Type our phone number in the search box, 202-802-0482. From there, you can send us an encrypted Signal message.
Follow this guide to help lock down your phone and make sure what happens in your Signal app is more private.
If you use your phone to send us a message or call us on Signal, we will learn your phone number. It is always better for our reporting process to know a source's identity, but we can agree to keep it confidential. The Signal service will also know that you contacted us, but they promise to never log this metadata.
If you have no reason to be concerned about anyone knowing that you are a source, you can reach our journalists by email, either by contacting a reporter individually or submitting tips at email@example.com. If you want to, you can send your email using PGP encryption (every journalist’s PGP public key is listed on their staff profile page) but keep in mind that there will still be metadata created by your communication with us, because your email server will record the exchange.
If you don’t wish to engage in back-and-forth communication with us, you can choose to send us your information via postal mail.
Keep in mind that USPS monitors the packaging of everything sent through the postal system. This includes the location from which you send your parcel, and it might include a sample of your handwriting. If law enforcement searches your parcel before it reaches us, they’ll be able to see whatever you’re sending, which could include your fingerprints, as well as tracking information embedded in documents, such as printer tracking dots.
Send letters or packages to:
P.O. Box 65679
Washington, D.C., 20035
114 Fifth Avenue, 18th Floor
New York, New York, 10011
Drop it in a public mailbox (do not send it from home, work or a post office) with no return address.
What not to do if you want to remain anonymous
Don’t contact us from work. Most corporate and government networks log traffic. Even if you’re using Tor, being the only Tor user at work could make you stand out.
Don’t email us, call us, or contact us on social media. From the standpoint of someone investigating a leak, who you communicate with, and when, is all it takes to make you a prime suspect.
Don’t tell anyone that you’re a source.
Other things to think about
Before deciding to bring your story to a journalist, you might want to consult an attorney to better understand your options and risks. If you do, be careful not to write any details in emails, and try to discuss everything face to face.
If you are thinking about providing us with particularly sensitive documents, consider these additional tips:
Be aware of your habits. If you have had access to secret information that has been published, your activities on the internet are likely to come under scrutiny, including what sites (such as The Intercept) you have visited or shared to social media. Investigators may also examine logs of your activity on internal networks at your workplace. Make sure you’re aware of this before sending information to us, and adjust your habits as needed well before you decide to become our source. Tools like Tor (see above) can help protect the anonymity of your surfing.
Compartmentalize. Keep your whistleblowing activity as separate as possible from the rest of what you do. Don’t use your normal accounts that are connected to you. Instead, make new accounts for this purpose, and don’t log in to them from networks you normally connect to.
Sanitize. Make sure to clean up after yourself as best as you can. Avoid leaving traces related to whistleblowing lying around your personal or work computer (in your Documents folder, in your web browser history, etc.). If you realize you did a Google search related to whistleblowing while logged into your Google account, delete your search history. Consider keeping all related files on an encrypted USB stick rather than on your computer, and only plug it in when you need to work with them.
Consider using a completely separate computer or operating system for all of your whistleblowing activity so that a forensics search of your normal computer won’t reveal anything. Even if you’re using the Tor browser, for instance, if someone has hacked into your computer, they’ll be able to spy on everything you do. Tails is a separate operating system that you can install on a USB stick and boot your computer to. Tails is engineered to leave no traces behind. It’s not intuitive to use, but if you’re risking a lot, it’s probably worth the effort. You can find instructions for downloading and installing Tails here.
It is important to understand that no communication method is guaranteed to be completely secure. Becoming a whistleblower carries risks, but they can be minimized if you’re careful, and sometimes it’s the right thing to do.
Last Updated: October 24, 2017