{
  "version": "v1",
  "slug": "privacy-for-journalists-activists",
  "title": "Privacy for journalists and activists",
  "description": "Operational privacy stack for people whose adversary may include state actors, employer pressure, or coordinated harassment. Identity-protective email, money flow, source contact, and hosting — the four pillars where most leaks happen.",
  "intro": "Journalists, activists, and dissidents face a different threat model from the average user. The adversary may be well-funded, persistent, and willing to pivot from one identifier to another. The defense isn't a single magic tool — it's compartmentalisation across four pillars: identity-protective email, untraceable funding, source-side contact, and hosting that can't be unmasked under subpoena. Below: a concrete stack with picks from the directory and the operational habits that hold it together.",
  "body_plain": "Threat model assumptions This guide assumes you face one or more of: State or quasi-state actors with legal-process access to centralised providers (your bank, your domain registrar, your email host). Persistent harassment networks capable of pivoting from one identifier to the next — your email gets your wallet gets your IP gets your address. Employer or institutional pressure on the platforms hosting your work (Twitter ban, Stripe deplatform, Substack pressure). If your threat model is gentler — just nosy advertisers, casual ISP logging — see privacy without paranoia instead. This guide deliberately over-provisions for actors who don't give up. Pillar 1 — identity-protective email Every workflow ties back to email. If your email provider can be served a subpoena and your messages aren't end-to-end encrypted at rest, your entire investigation is on a timer. The rule: No-KYC signup. Don't hand your real-name phone number to your work email host. See pick a no-KYC email for the criteria. E2E-encrypted at rest. The host can't decrypt your inbox even if compelled. Tuta and Proton both meet this bar with caveats; Mailfence + Disroot fall short on encryption posture but win on jurisdiction. Aliases for source contact. Anonaddy / SimpleLogin / addy.io. One alias per investigation. Burn the alias when the story closes. Separate identity for source intake. Public-facing tip address (PGP keyed) must be different from your day-to-day mail. Pillar 2 — money flow Following the money is the most reliable de-anonymisation method. The pillars: Monero for source payments + sensitive purchases. If you ever need to pay a source, a domain registrar, a VPS provider, or anything else where the trail matters — XMR is the only chain where unrelated transactions don't link. See how to buy Monero without KYC . Two-hop swaps when going from KYC fiat → on-chain spend. Buy XMR with a no-KYC P2P (RoboSats / Bisq / Haveno), use kyc.rip/ghost for the XMR-detour rotation when you need to land in USDT/USDC for a vendor that doesn't accept XMR. The two hops break chain-analysis link reliably. Cash for the easy ones. Not everything needs crypto. If you can pay in cash for a USB stick, do. Prepaid card from XMR for online purchases that need a \"card\". See no-KYC prepaid card . Pillar 3 — source-side contact Your sources may be more at risk than you are. Build the stack from their side, not yours: SecureDrop or Hush Line for source-side anonymous tips. Standard journalism tooling; runs as a hidden service. Signal-with-username for ongoing contact once a source has chosen to identify (no phone number required since 2024). OnionShare for file transfer that doesn't touch a cloud — peer-to-peer over Tor hidden service. Both sides keep deniability. Burn the channel when the story publishes. Aliases retired, Signal username rotated, SecureDrop landing page taken down. Pillar 4 — hosting that can't be unmasked Where you publish matters as much as how. The rule: assume your hosting provider receives a subpoena and acts on it. No-KYC VPS for any infrastructure you control. See /hosting — A-grade picks accept XMR + don't require a name. Domain registered anonymously. See buy a domain anonymously . Pick a registrar that supports WHOIS privacy + accepts XMR. Tor hidden service mirror. Both for reader-side circumvention and as a fallback if your clearnet domain gets pulled. See host a Tor hidden service . Backups outside your jurisdiction. Encrypted with a key you control, not a provider-managed key. Static publishing where possible. Less surface area for a forced shutdown than a CMS with login. Operational habits that tie it together Compartmentalisation. One identity per investigation. Don't reuse aliases, wallets, or hosting across topics. The work isn't to be \"anonymous\"; it's to keep adjacent identities unlinked. Threat-model review when the story changes. Stories grow. If your low-stakes corruption story turns into national-security territory, the stack you built for the original threat is no longer enough. Practice the failure modes. If your laptop is seized, what's on it? If your VPS is compromised, what's there? Rehearse the \"what now?\" — see recover from a privacy mistake . Don't reinvent OPSEC norms. SecureDrop, Freedom of the Press Foundation, and EFF publish playbooks specific to investigative work. Read those first; this guide is the directory-of-tools layer underneath. The directory stack at a glance",
  "body_html": "\n      <section>\n        <h2 class=\"section-h\">Threat model assumptions</h2>\n        <p>This guide assumes you face one or more of:</p>\n        <ul class=\"bullet-list\">\n          <li><strong>State or quasi-state actors</strong> with legal-process access to centralised providers (your bank, your domain registrar, your email host).</li>\n          <li><strong>Persistent harassment networks</strong> capable of pivoting from one identifier to the next — your email gets your wallet gets your IP gets your address.</li>\n          <li><strong>Employer or institutional pressure</strong> on the platforms hosting your work (Twitter ban, Stripe deplatform, Substack pressure).</li>\n        </ul>\n        <p>If your threat model is gentler — just nosy advertisers, casual ISP logging — see <a href=\"/guides/privacy-without-paranoia\">privacy without paranoia</a> instead. This guide deliberately over-provisions for actors who don't give up.</p>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pillar 1 — identity-protective email</h2>\n        <p>Every workflow ties back to email. If your email provider can be served a subpoena and your messages aren't end-to-end encrypted at rest, your entire investigation is on a timer. The rule:</p>\n        <ul class=\"bullet-list\">\n          <li><strong>No-KYC signup.</strong> Don't hand your real-name phone number to your work email host. See <a href=\"/guides/pick-a-no-kyc-email\">pick a no-KYC email</a> for the criteria.</li>\n          <li><strong>E2E-encrypted at rest.</strong> The host can't decrypt your inbox even if compelled. Tuta and Proton both meet this bar with caveats; Mailfence + Disroot fall short on encryption posture but win on jurisdiction.</li>\n          <li><strong>Aliases for source contact.</strong> Anonaddy / SimpleLogin / addy.io. One alias per investigation. Burn the alias when the story closes.</li>\n          <li><strong>Separate identity for source intake.</strong> Public-facing tip address (PGP keyed) must be different from your day-to-day mail.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pillar 2 — money flow</h2>\n        <p>Following the money is the most reliable de-anonymisation method. The pillars:</p>\n        <ul class=\"bullet-list\">\n          <li><strong>Monero for source payments + sensitive purchases.</strong> If you ever need to pay a source, a domain registrar, a VPS provider, or anything else where the trail matters — XMR is the only chain where unrelated transactions don't link. See <a href=\"/guides/how-to-buy-monero-no-kyc\">how to buy Monero without KYC</a>.</li>\n          <li><strong>Two-hop swaps when going from KYC fiat → on-chain spend.</strong> Buy XMR with a no-KYC P2P (RoboSats / Bisq / Haveno), use <a href=\"/exchanges/kyc-rip-ghost\">kyc.rip/ghost</a> for the XMR-detour rotation when you need to land in USDT/USDC for a vendor that doesn't accept XMR. The two hops break chain-analysis link reliably.</li>\n          <li><strong>Cash for the easy ones.</strong> Not everything needs crypto. If you can pay in cash for a USB stick, do.</li>\n          <li><strong>Prepaid card from XMR for online purchases that need a \"card\".</strong> See <a href=\"/guides/no-kyc-prepaid-card\">no-KYC prepaid card</a>.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pillar 3 — source-side contact</h2>\n        <p>Your sources may be more at risk than you are. Build the stack from their side, not yours:</p>\n        <ul class=\"bullet-list\">\n          <li><strong>SecureDrop or Hush Line</strong> for source-side anonymous tips. Standard journalism tooling; runs as a hidden service.</li>\n          <li><strong>Signal-with-username</strong> for ongoing contact once a source has chosen to identify (no phone number required since 2024).</li>\n          <li><strong>OnionShare</strong> for file transfer that doesn't touch a cloud — peer-to-peer over Tor hidden service. Both sides keep deniability.</li>\n          <li><strong>Burn the channel when the story publishes.</strong> Aliases retired, Signal username rotated, SecureDrop landing page taken down.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Pillar 4 — hosting that can't be unmasked</h2>\n        <p>Where you publish matters as much as how. The rule: assume your hosting provider receives a subpoena and acts on it.</p>\n        <ul class=\"bullet-list\">\n          <li><strong>No-KYC VPS for any infrastructure you control.</strong> See <a href=\"/hosting\">/hosting</a> — A-grade picks accept XMR + don't require a name.</li>\n          <li><strong>Domain registered anonymously.</strong> See <a href=\"/guides/buy-domain-anonymously\">buy a domain anonymously</a>. Pick a registrar that supports WHOIS privacy + accepts XMR.</li>\n          <li><strong>Tor hidden service mirror.</strong> Both for reader-side circumvention and as a fallback if your clearnet domain gets pulled. See <a href=\"/guides/host-a-tor-hidden-service\">host a Tor hidden service</a>.</li>\n          <li><strong>Backups outside your jurisdiction.</strong> Encrypted with a key you control, not a provider-managed key.</li>\n          <li><strong>Static publishing where possible.</strong> Less surface area for a forced shutdown than a CMS with login.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">Operational habits that tie it together</h2>\n        <ul class=\"bullet-list\">\n          <li><strong>Compartmentalisation.</strong> One identity per investigation. Don't reuse aliases, wallets, or hosting across topics. The work isn't to be \"anonymous\"; it's to keep adjacent identities unlinked.</li>\n          <li><strong>Threat-model review when the story changes.</strong> Stories grow. If your low-stakes corruption story turns into national-security territory, the stack you built for the original threat is no longer enough.</li>\n          <li><strong>Practice the failure modes.</strong> If your laptop is seized, what's on it? If your VPS is compromised, what's there? Rehearse the \"what now?\" — see <a href=\"/guides/recover-from-privacy-mistake\">recover from a privacy mistake</a>.</li>\n          <li><strong>Don't reinvent OPSEC norms.</strong> SecureDrop, Freedom of the Press Foundation, and EFF publish playbooks specific to investigative work. Read those first; this guide is the directory-of-tools layer underneath.</li>\n        </ul>\n      </section>\n\n      <section>\n        <h2 class=\"section-h\">The directory stack at a glance</h2>\n      </section>\n    ",
  "picks": [
    {
      "category": "email",
      "id": "tutanota",
      "name": "Tuta Mail",
      "url": "https://xmr.club/email/tutanota",
      "markdown_twin": "https://xmr.club/llm/email/tutanota.txt",
      "why": "No-phone signup + E2E inbox. Pair with aliases for source contact."
    },
    {
      "category": "exchanges",
      "id": "kyc-rip-ghost",
      "name": "kyc.rip / ghost",
      "url": "https://xmr.club/exchanges/kyc-rip-ghost",
      "markdown_twin": "https://xmr.club/llm/exchanges/kyc-rip-ghost.txt",
      "why": "Two-hop XMR detour for clean source payments + sensitive on-chain spend."
    },
    {
      "category": "vpns",
      "id": "mullvad",
      "name": "Mullvad",
      "url": "https://xmr.club/vpns/mullvad",
      "markdown_twin": "https://xmr.club/llm/vpns/mullvad.txt",
      "why": "Account number, not email. Cash-by-mail accepted. Doesn't know who you are."
    },
    {
      "category": "hosting",
      "id": "incognet",
      "name": "Incognet",
      "url": "https://xmr.club/hosting/incognet",
      "markdown_twin": "https://xmr.club/llm/hosting/incognet.txt",
      "why": "No-KYC VPS that accepts XMR. Reasonable jurisdiction."
    },
    {
      "category": "wallets",
      "id": "feather",
      "name": "Feather",
      "url": "https://xmr.club/wallets/feather",
      "markdown_twin": "https://xmr.club/llm/wallets/feather.txt",
      "why": "Offline-signing capable Monero wallet for source payment workflows."
    },
    {
      "category": "tools",
      "id": "tor-browser",
      "name": "Tor Browser",
      "url": "https://xmr.club/tools/tor-browser",
      "markdown_twin": "https://xmr.club/llm/tools/tor-browser.txt",
      "why": "Default browser for investigation work. Compartmentalise via separate profiles."
    }
  ],
  "url": "https://xmr.club/guides/privacy-for-journalists-activists",
  "markdown_twin": "https://xmr.club/llm/guides/privacy-for-journalists-activists.txt"
}