Contact us securely
It is concerning to think that the government and private corporations may be able to access our emails and other communications. Understandably, such threats to privacy (whether perceived or real) significantly hinder the work of a free press.
There are also valid safety concerns for individuals wanting to publicise hidden or illegal practices within organisations. We at the Centre for Investigative Journalism want to make it easy and safe for people to tell the stories that need to be told.
One of the safest methods of delivering information without it being tracked is to send us a physical letter. This is easy, cheap and requires no knowledge of internet security. Send letters to:
The Centre for Investigative Journalism, 37 Laurie Grove, London SE14 6NH.
On our website we do not harvest visitors’ information and sell it to third parties. However, at present we do use Google email accounts.. Find our email addresses on our team page.
If you would like to send us an encrypted email, one way is to use the Mailvelope addon, which can encrypt and decrypt emails using your chosen email provider. Our team page includes a list of CIJ contacts and their corresponding PGP fingerprints (so you can be sure any replies are coming from the right person).
If you are going down this route, it would be a good idea to use a system like Tails or at the least TorBrowser when setting up your new email account. And consider using an encrypted email server, as mentioned earlier.
A quick guide to PGP
All email communication should be viewed as analogous to postcards, in that any message sent through electronic means is entirely open to be read by anyone who intercepts the message. Within this analogy, encryption is the equivalent of placing your message into a sealed envelope, making it much more difficult for anyone but the intended recipient to read the content of the communication.
The vast majority of email is encrypted to some extent, but the encryption offered by Gmail or Outlook is all handled by the email provider (Google, Microsoft, etc.) and they will generally have a quick look at each ‘postcard’ that comes through their mail depot, for reasons of your convenience – so they can check for spam, phishing scams or offer auto-reply suggestions, for instance.
For most purposes this is secure enough, but when you’re sending or receiving sensitive information, especially in a journalistic capacity, it’s worth considering taking responsibility for the encryption into your own hands. This is where PGP comes in and if you use a plug-in or extension (and with a bit of getting used to) it’s not as technically complicated as you might think. Many people use Thunderbird (Mozilla’s email client, through which you can access a Gmail or Outlook account) and a Thunderbird plugin called Enigmail, which handles the PGP encryption.
Essentially, PGP provides you with a lockable ‘envelope’ for each ‘postcard’ you send. However, these ‘envelopes’ have one key for locking them and a different key for unlocking them. The key for locking (or encrypting) the message is your public PGP key and anyone who wants to send you a locked message will need a copy of this key. So we make infinite copies of this key (the public PGP key) and make it as easy as possible for people to get hold of a copy. Many people put their public key on a personal website from which people can quickly and easily download a copy. There are also publicly hosted servers which keep libraries of public keys and can be searched for the email account you want to send an encrypted email to. It’s also very easy (using Enigmail/Thunderbird) to attach a copy of your public PGP key to an email you send to a contact, so that they can encrypt their reply to you.
The other key (your private PGP key) is the only one that can unlock ‘envelopes’ that have been locked with a copy of your public PGP key. You should have only one copy of this key (or at most two if you need a back up, but both should be kept safely and securely) which you keep to yourself somewhere safe and secure. Once someone encrypts a message with a copy of your public PGP key and you receive it, Thunderbird/Enigmail will use your private key to decrypt it, once you enter a password that you set when you first generate the pair of keys.