How journalists can encrypt their email

Journalists, and their sources, have a lot to lose.

And several recent cases have made clear just how easy it is for the government to access electronic communications, with or without a subpoena.

Thankfully, there are a host of free, relatively easy-to-use tools at your disposal to help protect your privacy when sending and receiving emails, as well as browsing the Internet and chatting.

“Encryption technology is like putting your message in an envelope before you send it,” said Susan E. McGregor, assistant director of the Tow Center for Digital Journalism at Columbia University, in a phone interview.

One of the benefits of using “crypto,” McGregor said, is the government must notify you if pursuing your communications as a means of having them decrypted.

But because the use of these programs is not yet widespread, email encryption is a “cumbersome” process that requires multiple programs, she said.

Still, McGregor added, “there are so many people out there who really want to help journalists do this and do this right.”

One of the best resources I found is a tip sheet produced by Mike Tigas, a 2013 Knight-Mozilla OpenNews Fellow at ProPublica, who, like McGregor, presented on the subject at an Online News Association conference.

“Most journalists should at least understand that [encryption] is an option,” Tigas said by phone. “With time and effort, most people can understand it.”

The first question is an easy but important one: Which operating system are you running?

For creating encrypted emails and texts, Tigas recommends GPG4Win for PC and GPG Tools for Macs. And for sending and receiving encrypted email, he recommends email clients Thunderbird and Enigmail (as opposed to sending encrypted communications via Web browser).

(This how-to guide, from Security In-A-Box, also comes recommended. And an organization called CryptoParty hosts how-to events throughout the U.S. and the world.)

PGP, which stands for Pretty Good Privacy, is a popular tool that allows users to both encrypt and decrypt emails. It’s been around for 15 years and “nobody has the impression that its been broken yet,” Tigas said.

Part of the process of using encrypted email is generating a PGP Key, or keypair.

The system can also be used to verify the sender’s identity and ensure that the received message has not been changed, according to several guides.

You will also need to pick a “passphrase,” which is really just an industry term for a long, tough-to-break password, according to a white paper written by Micah Lee for the Freedom of the Press Foundation.

Once set up, users must make their public key, well, public — by publishing it on a website or to a “keyserver,” which Lee says “is basically an email directory that shows if there are GPG keys available for a given email address” — before they can be contacted through the system by other crypto communicators.

Their other key, the secret key, is required for actually decrypting the message sent to you.

Many journalists — including Glenn Greenwald, who understands the importance of crypto perhaps more than anyone else — link to their PGP Key (or include their shorter PGP fingerprint) in their bios on Twitter, in addition to more conventional contact information like an email address or phone number. I spoke with a few of them.

Matt Sledge, a reporter for The Huffington Post, said he hasn’t used email encryption very often. “But I want potential sources to have the option,” he wrote in an email.

Prashant Rao, Baghdad bureau chief for Agence France-Presse, echoed this sentiment. “If it encourages one person to get in touch with me who wouldn’t have otherwise, then it’s worth it,” he wrote, adding that he will “need regular practice and integration to really be comfortable” with crypto communication technologies.

Brian Fung, a technology reporter for The Washington Post, said he is rarely contacted using his PGP key but occasionally partakes in encrypted chats. “It’s pretty easy to do, and handy to turn on and off whenever you need it,” he wrote.

McGregor says installing and familiarizing yourself with encrypted communications “is not something you can do in 20 minutes,” and should not be done while in a last-minute story crunch.

Email encryption technology should become easier to use in the future, both Tigas and McGregor say, once it becomes more mainstream and gets more designer attention and resources.

In addition to encrypting your email, many web security experts recommend using Tor to browse anonymously, encrypting your hard drive and setting up a Virtual Private Network to help protect your identity. McGregor recommends some options for doing so.

While these tools can up your privacy game, nothing is foolproof, especially when your communications are pursued by the government.

In September, ProPublica ran an in-depth story — based on documents released by Edward Snowden — about long-standing government efforts to systematically weaken and break encryption technologies.

But to quote a presentation given by The Wall Street Journal’s Jennifer Valentino-DeVries, “For most reporters, the big issues with surveillance are not the NSA but leak investigations, subpoenas, accidental disclosure, and [the] chilling effects on sources.”


We have made it easy to comment on posts, however we require civility and encourage full names to that end (first initial, last name is OK). Please read our guidelines here before commenting.

  • munden

    GPG encryption is a very good idea but if you are really concerned about privacy, the first and easiest thing to do is move away from Windows. Many more practical tips on computer security and email privacy can be found at

  • abiquu

    Agen Bola

    During one of the most climatic moments in Texas political history, The Texas Tribune owned the story, buoyed by its live YouTube stream
    of the Texas Senate in a tense countdown to the midnight end of a
    special session that included a 10-hour filibuster by new social media
    darling Sen. Wendy Davis and the debate about a controversial abortion

    Taruhan bola
    More than 180,000 people were watching the live stream, taken from
    the Senate feed, when raucous pro-choice supporters verbally overcame
    senators as the session came to a close and Tuesday turned to Wednesday. – See more at:


  • bertinanth764

    my Aunty Amelia got a new blue Land
    Rover LR4 only from working part time off a home computer… helpful hints

  • rbruce20

    The NSA can easily break any commercial encryption software. Encrypting electronic messages will spark NSA interest. If one wants security, then keep it to yourself. If one wants high security, then tell only one person. Tell more than one person, then nothing is secret.

  • takawalk

    Thanks for the reply, enjoy the holidays.

  • mrtt

    There are many explanations on how Tor helps (or doesn’t) you maintain your privacy. I am not an expert on all things related to online privacy. What I do know is that there is a very small percentage of the population that cares enough about online privacy to change the apps they use or the drival they share.

  • takawalk

    But for those who are not savy to how these programs work. Can it be a false sense of security? I have no interest in encrypting any thing but am curious about things. Since you seem to be informed about things, can or will you give a layman’s explanation as to how something like Tor works. It is my understanding that this is a browser or server. Since the use of it would mostly be a need for security, or things in need of secrecy, wouldn’t that make it a prime target for authorities? How does that work or is it explainable to the average person?

  • mrtt

    My experience has been that the majority of people that consider using encrypted electronic communications need help setting it up and getting others to participate in their chosen solution. I created a site called ThreadThat to address the most common barriers to adoption of encryption. The problem is ease-of-use is directly proportion to increased risk. It is a tough balancing act. Users of this service are typically non-technical and need something that gives them the amount of protection they believe is adequate at a risk level they are willing to accept.