Why Standard Email Security Is Not Enough

A journalist using a major email provider with two-factor authentication is not secure. A human rights worker using end-to-end encryption but accessing it from a personal device linked to their identity is not secure. Security for high-risk users requires thinking through every link in the chain.

Real-world examples of security failures are instructive:

  • Sources have been identified through email metadata even when message content was encrypted
  • Journalists have had accounts compromised through phishing after their providers were legally compelled to provide access
  • Activists have been arrested after email providers in their home country were ordered to disclose account information

The Threat Model: Who Are You Protecting Against?

Effective security requires a clear threat model. The measures needed to protect against a corporate competitor differ from those needed against a nation-state intelligence service.

  • Casual surveillance / data brokers — basic end-to-end encryption (E2EE) resolves this
  • Criminal actors / phishing — strong passwords, 2FA, E2EE
  • Law enforcement in democratic states — zero-knowledge provider in a strong jurisdiction, minimal metadata
  • Authoritarian governments — all of the above plus Tor, no accounts linked to real identity, physical security
  • Nation-state intelligence — maximum technical measures plus extreme operational security; no email system is completely reliable at this level

Choosing the Right Email Provider

For high-risk users, the email provider choice is the most important single decision. Requirements:

  • End-to-end encryption — mandatory, non-negotiable
  • Zero-knowledge architecture — the provider must be technically unable to hand over readable email content
  • Jurisdiction & physical infrastructure — avoid US-based providers; enemail runs on dedicated Evolushost servers in Frankfurt, Berlin and Vienna — physically within the EU, subject only to European law
  • Anonymous registration — no phone number, no recovery email required
  • Minimal logging — IP addresses and metadata should be minimised or anonymised
  • Transparency — the provider should publish a transparency report and have had independent security audits

Protecting Your Sources

Journalists have a professional and ethical obligation to protect their sources. This extends to digital communications. Practical measures:

  • Never communicate with a sensitive source using your regular work or personal email
  • Use a separate, anonymously registered account accessed only via Tor or a trusted VPN
  • Encourage sources to use encrypted email or a secure drop system (like SecureDrop)
  • Never store source contact information in your main email account
  • Be aware that email metadata (who you emailed, when) may be more dangerous than the content

SecureDrop: For receiving highly sensitive documents from sources who cannot be identified, consider SecureDrop — an open-source whistleblower submission system used by major news organisations worldwide. It operates over Tor and leaves minimal traces.
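The metadata point above, as an added example that is not the page's own code: a Python script that parses a constructed PGP/MIME message (hypothetical addresses, hostnames and IP addresses) and lists what a provider or a network observer still learns from it even though the body is encrypted.

```python
import email
import re
from email import policy

# Constructed PGP/MIME message (hypothetical addresses, hosts and IPs):
# the body is encrypted, but every header below crosses the wire in clear.
SAMPLE_RAW = """\
Received: from mail.example.org ([198.51.100.7]) by mx.provider.example;
\tTue, 05 Mar 2024 09:14:02 +0000
Received: from [10.0.0.12] (unknown [203.0.113.45]) by mail.example.org;
\tTue, 05 Mar 2024 09:13:55 +0000
From: reporter@example.org
To: source42@example.net
Subject: Re: documents from the ministry
Date: Tue, 05 Mar 2024 09:13:50 +0000
Message-ID: <20240305091350.1234@laptop-reporter.example.org>
User-Agent: Thunderbird/115.8.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA3x7... (ciphertext placeholder)
-----END PGP MESSAGE-----

--b1--
"""
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def exposed_metadata(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    received = " ".join(str(h) for h in msg.get_all("Received", []))
    msg_id = str(msg["Message-ID"] or "")
    return {
        # True only if no part is readable text; PGP/MIME should leave none.
        "body_encrypted": msg.get_content_type() == "multipart/encrypted"
        and not any(p.get_content_maintype() == "text" for p in msg.walk()),
        "correspondents": (str(msg["From"]), str(msg["To"])),
        "subject": str(msg["Subject"]),         # topic leaks despite encryption
        "date": str(msg["Date"]),               # when the mail was sent
        "client": str(msg["User-Agent"]),       # software fingerprint
        "message_id_host": msg_id.rsplit("@", 1)[-1].rstrip(">"),  # device hostname
        "relay_ips": IPV4.findall(received),    # every hop, including the origin
    }
```

Run `exposed_metadata(SAMPLE_RAW)` to see that the correspondents, subject, timing, client software, originating hostname and IP addresses are all visible while only the body is protected.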

Device and Account Hygiene

Secure email is undermined by an insecure device. Basic measures every high-risk user must take:

  • Use full-disk encryption on all devices (FileVault on Mac, BitLocker or VeraCrypt on Windows, built-in on Linux)
  • Keep software and operating systems updated — most breaches exploit known vulnerabilities
  • Use unique, strong passwords with a password manager
  • Enable hardware security keys (FIDO2) for two-factor authentication where possible
  • Regularly review what apps have access to your email account
  • Be extremely cautious about phishing — the human is usually the weakest link

When Email Is Not Enough

For the most sensitive communications, email may not be appropriate at all — regardless of security measures. Alternatives:

  • Signal — end-to-end encrypted messaging with disappearing messages
  • In-person meetings — for the most sensitive information, leave all devices at home
  • SecureDrop — for whistleblower document submission

Built for those who need it most

enemail's zero-knowledge architecture means we cannot hand over what we don't have. Anonymous registration, end-to-end encryption, EU jurisdiction.
