Secure communication – how to reach me confidentially

The most important stories rely on trust. If you want to share sensitive information with me, this page lays out the channels – sorted by sensitivity.

Secure communication – how to reach me confidentially
Image: AI-generated illustration

First written on 10 October 2019, last updated on 20 April 2026. The technical recommendations have been brought up to date – Signal is now widely deployed, metadata has moved into focus, some services have disappeared and others have arrived. The underlying thinking has not changed.

Why this page exists

As a journalist I depend on people telling me things they can't tell anyone else. Internal company decisions, political mistakes, hints of wrongdoing. Without that trust there are no important stories. I have, on several occasions, decided not to publish reporting because the identification of a source – even after anonymisation – could not be ruled out. Source protection comes before the story.

The Deutsche Telekom surveillance scandal – why this isn't theoretical

How vulnerable journalistic communication can be in Germany was exposed by the Deutsche Telekom surveillance scandal, which became public from 2008 onwards. For months, the company systematically analysed phone connection data – explicitly including data from journalists. The aim was to find out who inside Deutsche Telekom was passing internal information to the press. According to the company, around 50 people were affected: members of the supervisory board, journalists, contacts. Among them were colleagues from our own newsroom at Handelsblatt.

A then-editor at the magazine Capital, Reinhard Kowalewsky, became the chronicler of the scandal after it broke – his phone contacts had been monitored for around a year. The former head of Deutsche Telekom's corporate security was convicted of breaching telecommunications secrecy and embezzlement; the German Federal Court of Justice upheld the verdict in 2013. The manager had spent close to 700,000 euros of company money analysing the data; he had also pocketed a further 175,000 euros in advances for covert investigations.

This case is not the new normal. But it shows what becomes possible when resources, motivation and internal structures align. The technology has moved on since then – the underlying threat to sensitive communication has not. Anyone passing on delicate information should do so deliberately.

What you can rely on from me

Three points that matter to me – in this order.

Source protection comes before the story. I have, more than once, not written a piece because a path back to the source could not be reliably ruled out. That remains my standard.

Clarity before publication. We agree in advance how I handle what you tell me: whether and how I quote you, whether on background only, with or without attribution, with or without indirect reference. I stick to that. The final decision about whether and when to publish lies with the newsroom – that's part of being honest about the process. What I can promise: if your identity can no longer be reliably protected, I will not publish.

No technical convenience at your expense. If you consider one channel safe and another unsafe, I follow your judgement. I adapt to your protection needs, not the other way around.

How to get in touch – sorted by sensitivity

The more delicate the content, the more it pays off to break the digital chain. A letter or a face-to-face meeting simply cannot be replicated digitally – that is an underestimated advantage.

Signal – the best entry point in most cases

Signal is an end-to-end encrypted messenger, funded by a non-profit foundation, with no advertising-driven business model. Everything runs encrypted: messages, voice and video calls, image and document transfers. Even the provider sees no content. Switch on disappearing messages in the chat (24 hours, say) and your messages will delete themselves automatically on both devices.

2026: Signal is now the most robust everyday recommendation. The user experience is barely different from WhatsApp; adoption has grown so much that most people either already have the app or can install it within minutes.

You can request my Signal number via the Handelsblatt newsroom or via a brief e-mail in which you tell me how I can write back to you safely.

PGP-encrypted e-mail – for technically experienced senders

GnuPG encrypts the body of e-mails so that only the recipients can read them. Important: only the message body and the attachments are encrypted – not the subject line, not the sender, not the recipient, not the timestamp. Anyone watching the metadata flow will see that you wrote to me, even if they don't see what you wrote.

2026: PGP is still useful, especially when you are sending long documents or working with it anyway. For first contact, Signal is usually the better option – fewer things can go wrong, and the metadata is less revealing. PGP only really pays off when both sides handle the software confidently.

My current public key and its fingerprint will be added here. Until then, please request the key via a short channel (Signal or the newsroom); I'll send it to you verified.

Letter by post – discreet and underestimated

A handwritten or internet-café-printed letter leaves no digital trace. It is one of the oldest and at the same time most robust forms of secure communication. Particularly suitable for an initial contact, in which you give me a safe channel to reply on – for example a Signal number, an anonymous e-mail account or a suggestion for a meeting.

If your return address could lead back to you, leave it off. Don't drop the letter in the postbox closest to home, but at a different location – ideally without cameras nearby.

Postal address (please address to me personally):

Stephan Scheuer
Handelsblatt GmbH
Toulouser Allee 27
40211 Düsseldorf
Germany

Meeting in person – for the most sensitive conversations

Possible at any time. We agree on location, time and setting in advance, in a way that protects your anonymity as well as possible – on request without smartphones, without entries in calendars, without names in chat histories. I have experience organising such meetings discreetly. They can be set up via any of the channels above.

What I advise against

Unencrypted e-mail. Sits on multiple servers and routes through hosters, network nodes and administrative systems. Fine for everyday exchanges, unsuitable for sensitive content.

SMS. Unencrypted, never fully deleted, easy to intercept. Mobile operators store connection data.

WhatsApp for highly sensitive content. Content is end-to-end encrypted, but metadata flows to Meta. Who contacted whom and when is visible to the provider – and Meta cooperates with law enforcement on request.

Telegram. Standard chats run unencrypted on Telegram's servers. Only explicit "secret chats" are end-to-end encrypted – and even those don't offer all the security properties Signal provides by default.

Work devices. Employers can often read along on work laptops and smartphones. For first contact, you should communicate privately and bring your professional infrastructure into the loop only later, if at all.

One thought before you reach out

Before you make contact, consider: who else, besides you, could know the information you want to share? The smaller that circle, the easier the trail back – regardless of which channel you choose. That is the most uncomfortable side-effect of digitisation: even with perfect encryption, the question remains whether your sheer existence as a possible informant is itself revealing.

You are welcome to raise this with me if you are unsure. Sometimes the best advice is to pursue a story not from your direction but from a different one. Not writing a story is always better than putting a source at risk.

What has changed since 2019?

When I wrote the original text in 2019, the day-to-day of secure communication in Germany was clunkier. Signal was a niche tool, PGP the standard recommendation, WhatsApp had only just switched to end-to-end encryption. Today the picture is different.

  • Signal has gone mainstream. That is the biggest practical step forward. I now recommend Signal almost always as the first move.
  • Metadata has moved into the crosshairs. The Pegasus affair and similar cases have shown that it is rarely the content of a message that proves fatal, but the question of who communicated with whom and when. That makes the analogue break – letter, meeting, anonymisation of the access path – more valuable.
  • Device compromise must be taken more seriously. Modern smartphone spyware works without a click – a crafted iMessage text can be enough. That affects supposedly "secure" apps, too, because encryption is no help if someone is reading directly off the screen.
  • Editorial whistleblower portals. Outlets like the New York Times, The Guardian and the Süddeutsche Zeitung run their own SecureDrop platforms. At Handelsblatt we are evaluating a comparable system; until then, Signal is the practical replacement.

The basic recommendation still stays simple: Signal to start, letter or meeting for the most sensitive conversations, PGP for tech-savvy edge cases. And always ask: do I really need this channel, or is there a simpler route that doesn't expose you?

More on Notes

All stories