Journalism & Secure Tip Lines
Source tips, whistleblower submissions, document drops, and reader contact forms — built for newsrooms, investigative desks, and freelance journalists who need a channel that genuinely protects sources. Zero-knowledge encryption, Swiss hosting, and an architecture where the platform itself cannot identify who wrote to you.
Investigative journalism depends on a single, fragile property: a source needs to be able to reach a reporter without being identified. That property has never been purely technical — it has always combined legal privilege, editorial practice, and the physical precautions the source and the reporter take together. But the channel itself matters. A tip submitted through a form whose vendor can read it is a tip that exists, in plain text, on someone else's server before the reporter has even opened it.
Schweizerform is built on the opposite premise. Every submission — a short tip, a long memo, an uploaded document — is encrypted in the sender's browser before it reaches our servers. We physically cannot read it. For investigative desks, public-interest reporters, editors at small outlets, and freelance journalists, that property is the difference between a tip line that can be taken seriously and one that can only receive non-sensitive messages.
Who this page is for
Investigative and political desks at established outlets, local newspapers taking public-interest reports, small independent magazines, podcast and documentary teams, freelance journalists who accept tips directly, and press-freedom and watchdog NGOs that run secure intake channels. This page is about a technical control — it does not replace legal, editorial, or source-protection advice specific to your jurisdiction and story.
Why Most Contact Forms Are Unsafe for Sources
Most online form tools operate on a conventional SaaS model: the sender's browser sends plain-text data over HTTPS, and the provider's server stores it. That server can read everything. So can the provider's staff, their integration partners, anyone who compromises their infrastructure, and any authority that serves a lawful order on the provider. For a marketing survey, that's fine. For a source who wants to share a document about a public-interest matter, it is not.
- A source submits a description of alleged corruption via the newsroom's contact form; the provider's database contains a readable account before the reporter reads it
- A document upload field accepts a scanned contract; the file is processed by the provider's antivirus, cached by a CDN, and often stored in US-hosted cloud regions
- A subpoena, warrant, or data-access request targets the form vendor; the request reaches source content without the source ever being notified
- The provider suffers a breach; every historical tip — including ones that identify sources — is exposed at once
- The provider's own email notifications send plain-text summaries of submissions to reporters, exposing sensitive content outside any encrypted flow
Source protection is more than a policy statement
In Switzerland, Art. 28a of the Criminal Code and Art. 172 of the Code of Criminal Procedure recognise the right of journalists to refuse to disclose sources in most circumstances. In EU member states, similar protections exist under Art. 10 of the European Convention on Human Rights and Council of Europe Recommendation R(2000)7. But these legal privileges attach to the journalist, not to the form vendor. A third-party processor with plain-text access to submissions is outside the privilege — a weak point where source confidentiality can be compromised without the journalist being in the loop.
How Schweizerform Protects the Channel
Schweizerform is a zero-knowledge end-to-end encrypted form platform. The encryption happens in the source's browser, before any data leaves their device. Only holders of the form's Access Code can decrypt submissions. We — the provider — cannot.
The newsroom generates a form and an Access Code
When a desk creates a tip form, Schweizerform generates a key pair and an Access Code. The public key lives in the form; the Access Code is held only by the reporter or the investigative team. Our servers never see it.
The source submits from any device
When a source opens the form link, their browser encrypts every field — narrative text, file attachments, optional contact details — with strong symmetric encryption, then wraps the symmetric key to the form's public key. Our servers receive encrypted blobs they cannot decrypt.
The reporter decrypts in-browser
When the reporter opens the submission, their browser fetches the encrypted blob, unwraps the symmetric key using the Access Code, and decrypts locally. The plain text never touches our servers.
The platform does not know who the source is
By default, the submission is anonymous. We do not require the source to create an account, and we do not capture identifying metadata beyond what is strictly needed to deliver the ciphertext. A lawful order served on us for 'the identity of the person who submitted this form' cannot be answered, because we do not have that information.
What zero-knowledge does and does not protect
Zero-knowledge encryption protects the content of the submission from us and anyone who might compel, breach, or subpoena us. It does not anonymise the source's network-level identity. A source submitting from a work laptop over an employer network, without additional precautions, may still be identifiable through network logs and device forensics on their own side. For high-risk sources, using Tor Browser, a personal device on a public network, and avoiding work systems matter at least as much as the form's encryption. Newsrooms running high-risk tip lines should combine this platform with clear source guidance — see also dedicated platforms such as SecureDrop where the threat model warrants it.
Concrete Journalism Use Cases
General newsroom tip line
A single encrypted tip form, linked from the newsroom's contact page, replaces the unsecured 'tips@outlet' email address for sensitive submissions. Sources can send a short message or attach documents; every field is encrypted in their browser, and only the tip-line editor can decrypt. For most stories this is enough; high-risk stories may warrant layered channels on top.
Investigative-desk document drop
Investigation units frequently need to accept large documents — contracts, datasets, internal memos — from insiders. A dedicated encrypted drop form accepts uploads in-browser-encrypted form, which are decrypted on the investigator's workstation and moved into the desk's internal secure workspace. The provider never holds a decryptable copy.
Freelancer tip intake
Freelance journalists often lack access to enterprise secure-submission platforms. A Schweizerform tip line gives an independent reporter the same architectural guarantee — the vendor cannot read tips — at a price point and operational complexity suitable for a single person.
Editor-only confidential channel
Some submissions should only reach the editor-in-chief or the legal desk, not the general inbox. A separate form with its own Access Code, held only by those people, creates a narrower compartment — useful for corrections involving powerful subjects, sensitive source outreach, or legal-threat coordination.
Reader-letters channel with identity protection
Opinion and letters desks receive contributions from readers who may be personally at risk if their identity is widely exposed — dissidents, minors, survivors, employees of named organisations. An encrypted reader-contact form protects their text from being cached, indexed, or analysed by third parties, while still allowing the desk to decide, with the contributor, how to handle attribution.
Cross-border collaboration intake
For collaborative investigations across multiple outlets — where a tip needs to reach a small, pre-agreed group of reporters — per-form Access Codes can be held collectively by the project team. A single submission becomes decryptable only by that project, not by any wider newsroom system.
What Sources, Adversaries, and Subpoenas See
| View | Generic provider | Schweizerform |
|---|---|---|
| Source filling the form | Plain-text form, stored on vendor cloud | Plain-text form, encrypted in-browser before submission |
| Provider staff / support agent | Can read tips and attachments | Cannot decrypt; sees encrypted blobs only |
| Subpoena served on the provider | Plain-text tips can be produced | Encrypted ciphertext only; useless without the Access Code |
| Provider breach | Readable tips and attachments exposed | Ciphertext exposed; content remains unreadable |
Legal and Ethical Context
Switzerland has long-standing statutory source protection: Art. 28a of the Swiss Criminal Code and Art. 172 of the Code of Criminal Procedure together give journalists a right to refuse testimony about their sources, subject to narrow exceptions. The European Convention on Human Rights has repeatedly affirmed, through cases like Goodwin v. UK and Sanoma v. the Netherlands, that source protection is a cornerstone of press freedom under Art. 10. Council of Europe Recommendation R(2000)7 sets out the principles in detail.
These protections attach to journalists. They do not automatically extend to third-party service providers that handle source communications in plain text. A newsroom's choice of intake channel affects how much of that protection the architecture actually provides. A zero-knowledge form narrows the circle of people and systems that can see a source's identity or content — consistent with the spirit of press-freedom case law even though the platform itself is not a journalist.
Encryption is one layer of a source-protection programme
A credible newsroom source-protection programme also involves editorial practice (not publicly attributing material that would identify a source), operational security coaching for sources, careful handling of metadata inside editorial tools, clean-room review of sensitive documents, and legal support in the event of a subpoena. Schweizerform is the submission-channel layer — one component among several.
Features Relevant to Journalism
- Zero-knowledge end-to-end encryption on every submission — no provider read access
- True anonymous submission — no account required, no source metadata collected by default
- Encrypted document uploads — contracts, memos, images, recordings, PDFs — encrypted in the source's browser
- Multi-language forms (EN / DE / FR / IT) — essential for newsrooms serving multilingual communities or cross-border investigations
- Per-form Access Codes scoped to specific desks or projects, so a general tip form and an investigative drop can be strictly separated
- Swiss hosting with nFADP-aligned data-processing posture — tip payloads do not leave Switzerland
- Audit log of access events (which reporter opened which submission, and when) without exposing the submission content
- Free tier suitable for a single journalist or a small independent outlet piloting a secure tip line
Common Objections
"We already use a plain email address for tips."
Email is still the default, but it is also the least controlled channel — unencrypted between mail servers, retained on personal devices, searchable by anyone who later gains access to the account, and subject to the email provider's own data-access regime. A clearly branded encrypted tip form sits on the newsroom's own page, tells the source they can submit without identifying themselves, and gives a cleaner legal and technical posture than a generic inbox.
"Won't this be used for spam and hoaxes?"
Any public intake channel attracts noise, and a zero-knowledge channel is not magic. Mitigations are operational: explain the channel's purpose clearly, triage submissions as you would triage emails, and require optional categorisation fields that help the desk filter serious tips from noise. The signal is better than an open inbox; it is not perfect.
"If we lose the Access Code, we lose the tips."
Correct — this is a deliberate property of zero-knowledge architecture. The recommended practice is documented key custody: a sealed envelope held by the editor-in-chief, a backup with the outlet's lawyer, or a hardware security module. It avoids single-person failure while preserving the 'we cannot be compelled to read what we do not have' property.
"We already use SecureDrop for high-risk sources."
SecureDrop is a stronger threat model — Tor-only, isolated air-gapped workstations, dedicated infrastructure — and remains the right tool for high-risk investigative tip lines. Schweizerform is not a replacement. It complements by covering the everyday reader-contact and desk-level tip cases where the full SecureDrop workflow is disproportionate, while still giving an architectural guarantee the vendor cannot read submissions.
Rolling Out a Schweizerform Tip Line
Decide which channels to start with
A typical first pair: a general newsroom tip form and an investigative-desk document-drop form. Keep them separate so the circle of readers on each is clear.
Agree key custody
Decide who holds the Access Code for each form (e.g. the tip-line editor and the head of investigations), document the custody procedure, and test recovery from the escrow copy before publishing the form.
Publish in relevant languages
For a Swiss outlet, typically DE / FR / IT / EN. The same form renders in every language and remains end-to-end encrypted in all of them.
Publish guidance alongside the form
A short 'how to contact us securely' page linked from the form: what the encryption does, what it does not do, practical tips (use a device you trust, avoid employer networks for sensitive tips, consider Tor for high-risk material). Being honest about the limits builds trust.
Practise the workflow
Run a dry-run submission with a colleague: decrypt it, handle the material through the desk's normal review process, delete the working copy once the story is out. Catching operational gaps before a real source arrives is a lot cheaper than after.
The Bottom Line
Source protection is a system: legal privilege, editorial practice, operational security, and the submission channel itself. Most of the system is already in place in a serious newsroom. The submission channel is often the weakest link — because it is cheap, convenient, and invisible, and because its flaws only show up the day a subpoena arrives or a provider suffers a breach.
Schweizerform offers a narrow but important improvement to that channel: zero-knowledge end-to-end encryption on every form, Swiss hosting, and an architecture where the platform itself cannot identify who wrote to you. No paid upgrade for security. No US-cloud dependency for tip content. No third-party-readable copy of source material on a server you do not control.
Start with a single tip-line form on the free tier. Swiss hosting, zero-knowledge encryption, and full EN / DE / FR / IT support — no credit card required.
Disclaimer: This page is general information and marketing content, not legal, editorial, or source-protection advice. References to Art. 28a of the Swiss Criminal Code, Art. 172 of the Code of Criminal Procedure, Art. 10 of the European Convention on Human Rights, Council of Europe Recommendation R(2000)7, press-freedom case law, and third-party platforms such as SecureDrop are summarised at a conceptual level and are subject to jurisdictional interpretation, case-specific application, and future legislative change. Responsibility for source protection, legal strategy, and editorial decisions remains with the newsroom, editor, or journalist. For high-risk stories or sources in hostile jurisdictions, consult qualified media-law counsel and a digital-security specialist before relying on any single intake channel.