Encrypted communications for journalists and their sources.

For a reporter, the promise of confidentiality to a source is not a feature — it's the foundation the whole profession rests on. A source who is identified can lose their job, their freedom, or worse, and a reporter who cannot keep a promise of protection cannot do the work. Encryption is part of how that promise is kept, but only part. This is a practical, honest field guide to communications for journalists and sources: what to protect, why metadata matters more than message content, how no-account identity and disappearing messages help, and — critically — a clear-eyed account of where the threat model has real limits no app can erase.

1. What you're actually protecting

It helps to be precise about the asset. A reporter is rarely trying to hide the content of a story — that gets published. What must stay protected is the relationship: the fact that a particular source spoke to a particular journalist, when, how often, and from where. Even a perfectly encrypted conversation fails the source if an adversary can prove the conversation happened. The goal of operational security for journalism is therefore to protect the existence and pattern of contact at least as much as its contents — and that reorders almost everything about how you choose your tools.

2. Metadata is the threat, not the message

End-to-end encryption is now common and good; it reliably hides what was said. But an adversary investigating a leak usually doesn't need what was said. They start from the other end: who in the organization was in contact with a reporter known to cover this beat? Call-detail records, app contact graphs, building access logs, and timing correlation can identify a source without anyone ever reading a single message. This is why a messenger that ties identity to a phone number is dangerous for source work — it hands the adversary the exact metadata thread they're looking for. The defense is to minimize and de-link the metadata your communications generate in the first place.

3. Why "no account, no phone number" matters

The strongest single improvement a journalist can make is to communicate over a channel that requires no phone number and no real-name account. A phone-number identity links the conversation to a carrier record and a named person; a no-account, unlinkable-identifier system gives an investigator nothing to subpoena from a carrier and no directory entry to correlate. A source can be handed an identifier out-of-band, talk to the reporter, and leave behind no telephone-record thread connecting the two. This is the same principle we cover for high-risk users in our Signal-alternative guide — for source protection it is not a nicety, it is the core of the design.

4. Disappearing messages and minimal retention

What is never stored cannot be seized later. Disappearing messages — content that auto-deletes from both ends after a set interval — mean that a device seized or compromised weeks after a conversation yields nothing of that conversation. Combined with on-device-only storage (no provider cloud backup), this dramatically shrinks the window in which a source's words exist to be taken. Keep what you must for the story in a separate, secured place under your control; let the live channel forget by default. For asynchronous handoffs where two parties are never online at once, encrypted dead drops let a source leave a sealed payload for later pickup without a live, correlatable session.

5. The first-contact problem

The most dangerous moment is the first one. A source reaching out for the first time often does so over whatever they have — a work email, a personal number, a DM — and that initial, unprotected contact can be the very record that burns them, no matter how careful everything after it is. Good practice is to publish secure-contact instructions in advance (most serious newsrooms now do), so a source's first move is already over a protected channel. Verify identities out-of-band before trusting them, use a verification mechanism to confirm you're talking to who you think, and never let the convenience of the first message undo the security of all the rest.

6. The device decides everything

Here is the part no messenger can wish away: if either endpoint is compromised, the encryption is irrelevant. Mercenary spyware reads the message after it's decrypted on screen and can turn the phone into a live microphone — and journalists are among the most heavily targeted groups for exactly this tooling. So device security is not optional context; it is the spine of source protection. That means watching for mercenary-spyware indicators, a mic and camera monitor against eavesdropping, evil-twin Wi-Fi detection in the field, and a real border mode for crossings where devices are searched. The safest conversation in the world fails if the phone in your pocket is already owned.

7. Where Helix fits

Helix is built around the relationship, not just the message. There is no phone number and no real-name account — unlinkable identifiers mean an investigator has no carrier record or directory entry tying source to reporter. Messaging runs on Helix's own closed network with bespoke post-quantum protocols, so a recording captured today stays unreadable even against a future quantum attacker. Disappearing messages and on-device-only storage are the default; encrypted dead drops handle asynchronous handoffs. And because the endpoint is the real battleground, Helix runs live spyware detection, mic and camera monitoring, evil-twin detection, border mode, and a one-tap remote wipe — on the standard iOS, Android, Windows, macOS, or Linux device a reporter or source already carries.

$199/month Core · $499/month Operator · $999/month Sovereign — or 30% off paid annually; lifetime VIP $12,500.

8. The honest threat-model limits

This matters more here than anywhere, because the stakes are a person's safety. Source protection is a discipline, not an app: the strongest channel in the world is undone by a sloppy first message, an unprotected device, or a detail in the story that points to only one possible person. Use the tools to remove the structural risks — the phone-number thread, the retained content, the silent device compromise — and treat the rest with the seriousness a source's trust deserves. Honesty about the limits is itself part of protecting them.

9. The bottom line

Encrypted communications for journalists are about protecting the relationship, not just the words. The tooling that does this drops the phone-number identity, requires no real-name account, forgets by default through disappearing messages, and — above all — protects the device where the conversation actually happens. No app makes a source safe on its own; discipline and an honest threat model do the rest. But removing the structural ways a source gets burned is exactly what good tools are for, and that is precisely what Helix is built to do.

Three tiers, fixed and published. Core, Operator, Sovereign — or 30% off annually, lifetime VIP $12,500. Buy it or don't; no negotiation, no surprises.