November 6, 2024
Executive Summary (TL;DR):
This article explores how organizations using existing email infrastructure like Microsoft/Office 365 (O365) can integrate ProtonMail as a secure tipping/whistleblower line for handling sensitive communications like ethical concerns.
By setting up a dedicated subdomain that routes messages through ProtonMail’s secure email, organizations benefit from the highest level of end-to-end encryption. Reports are handled securely, without Microsoft’s constant scanning and archival of your whistleblower inbox and without access by third parties such as your IT staff, and your sources get strong guarantees that they are, in fact, sending the documents to you.
Our integration approach maintains operational efficiency while adding an essential layer of security and compliance, helping to protect sources, the integrity of sensitive information and your company’s reputation.
Using ProtonMail as Secure Tips Hotline: A Practical Approach for Organizations with O365
Handling sensitive tips and communications securely is a growing concern for news organizations and enterprises alike. If you're managing sensitive material, be it from external sources or an internal whistleblower channel, security isn't just a preference — it's an obligation.
A breach could lead to the exposure of confidential information, jeopardizing the safety of the source and the integrity of the investigation, and causing significant reputational damage to your organization. However, most organizations will not change their existing email processes to accommodate this one use case, if their main infrastructure is based on Microsoft 365 (O365 / M365). Thus, integrating secure channels for anonymous submissions becomes a technical and operational challenge.
This article provides a practical solution that leverages ProtonMail for whistleblower report submissions all while keeping your existing O365 setup intact, minimizing operational disruption and ensuring the best possible integration into your existing workflows and enterprise branding.
- Using ProtonMail as Secure Tips Hotline: A Practical Approach for Organizations with O365
- Why ProtonMail as a Tip Hotline Solution?
- Two Case Studies
- Case 1: Company Internal Whistleblower
- Case 2: Anonymous Tip Report to News Outlet
- The Tipster's Perspective
- Integrating with Microsoft 365
- Protection Under Swiss Legal Framework
- A Solution Tailored for Your Needs
- Package Details
- Interested in Setting Up Your Secure Tip Line?
Why ProtonMail as a Tip Hotline Solution?
For organizations looking to handle anonymous tips — whether from investigative sources, whistleblowers, or external informants — using ProtonMail as a tip line has distinct advantages. ProtonMail is seen as a quasi-standard in secure email communication, trusted by activists, journalists, and security-conscious users around the world. For instance, ProtonMail is used by over 70 million users globally, including organizations like Amnesty International, highlighting its reliability and adoption within privacy-focused circles. ProtonMail provides end-to-end encryption within its email network, ensuring that sensitive tips remain encrypted from the first keystroke to the intended recipient, without placing an undue burden on the sender. This makes ProtonMail a natural choice for anyone looking to create an environment where anonymity, privacy, and data protection are non-negotiable.
Two Case Studies
Let's consider two cases: the first showcases an internal whistleblower line, and the second a tipster line for a targeted news outlet.
Case 1: Company Internal Whistleblower
Consider a scenario where a company receives a critical tip about internal corporate corruption involving the IT department, sent by a loyal employee of that same department.
Protecting that information from potential abuse of power by the IT department, which controls and has access to the email system, is paramount. The tipster can reasonably assume that email sent through the regular company system will be intercepted by suspicious superiors, and may be cautious enough to avoid coming forward for fear of repercussions. A dedicated tip line that is not run by an affected party greatly enhances trust in speaking up without fear of persecution. With an open tip line on ProtonMail’s infrastructure, the whistleblower can create a free and anonymous ProtonMail email address to come forward.
Despite being outside the corporate network, there is no risk of data leaks to ProtonMail or third parties since all data remains encrypted even to ProtonMail employees.
Case 2: Anonymous Tip Report to News Outlet
In this second scenario depicted in the diagram at the beginning of the article, consider a national news outlet that received a critical tip involving corporate corruption. The tipster was hesitant to even use a traditional free email account, knowing that the email provider would transmit potentially unencrypted emails that could be intercepted by malicious actors at either the sending or receiving end. By providing a ProtonMail address, the news outlet enabled the tipster to communicate securely, keeping the entire conversation within the ProtonMail network, which guarantees end-to-end encrypted transfer away from prying eyes. The secure handling of that information not only protected the source but also ensured the integrity of the investigation.
The Tipster's Perspective
From the submitter's perspective, having the option to email a secure ProtonMail address offers a high comfort level. The submission process involves creating their own free ProtonMail account, ideally using a secured VPN connection for maximal anonymity, guaranteeing that both ends of the communication are secure and private. This step is critical for sources with legitimate concerns about confidentiality, be it an anonymous tipster with a story of public interest or an employee who needs a safe internal whistleblowing channel.
Benefits
- Enhanced Security: ProtonMail's encryption guarantees that only you and the tipper have access to the information, offering a much-needed layer of assurance for sensitive tips.
- Anonymous Channels: The setup is ideal for tipsters who want to remain anonymous and need confidence that their messages are being delivered securely. This is particularly crucial for journalists or companies managing critical, sensitive disclosures.
- Internal Whistleblower Line: This tip line serves specifically as an internal whistleblower channel, giving employees a secure route to report issues with minimal fear of exposure.
- Quasi-Standard Secure Email: With ProtonMail being a trusted choice in the secure email space, both your staff and external tipsters can have peace of mind knowing their data and identity remain protected.
Integrating with Microsoft 365
The idea’s technical implementation is simple: create a dedicated subdomain (e.g., protonmail.yourdomain.com) whose MX records point to the ProtonMail servers. This keeps the tip line inboxes separate from your regular O365 mailboxes, ensuring that all incoming tips are handled by Proton's encrypted infrastructure while giving enough certainty to your sources that they are in fact sending their tips to your organization's designated tip handler and not to some easy-to-spoof and freely available address such as yourcompany@protonmail.com or similar.
By keeping the tip line domain distinct, your regular communication through yourdomain.com continues to be served with M365 while the secure protonmail.yourdomain.com subdomain directs messages directly to ProtonMail’s encrypted system. This approach also helps with compliance by keeping sensitive communications separate — a key benefit for organizations. This separation brings inherent security benefits, reducing cross-contamination risk while maintaining brand familiarity. All at minimal cost, minimal maintenance burden and a limited amount of training for even non-technical handlers of the whistleblower address.
DO NOT set up automatic email forwarding to email addresses outside of the ProtonMail realm, such as to your regular company email. Doing so will disable end-to-end encryption for all incoming emails. If necessary, you can safely forward emails between your ProtonMail addresses.
✓ OK: tips@protonmail.yourdomain.com → bob@protonmail.yourdomain.com
❌ BAD: tips@protonmail.yourdomain.com → bob@yourdomain.com
https://proton.me/blog/email-forwarding
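One way to check the MX split and the forwarding rule described in this section, as an added example that is not bitcreed's or Proton's own code. The zone lines are constructed, yourdomain.com is the article's placeholder, and the Proton and Microsoft 365 MX host names are assumptions to confirm against Proton's domain setup screen and your own tenant.

```python
# Added example: offline audit of the split mail setup described above.
# ZONE is constructed sample data. The Proton MX host names are assumed from
# Proton's custom-domain setup; confirm them in your Proton admin panel.
PROTON_MX = {"mail.protonmail.ch", "mailsec.protonmail.ch"}
M365_SUFFIX = ".mail.protection.outlook.com"
APEX = "yourdomain.com"                    # placeholder from the article
TIP_DOMAIN = "protonmail.yourdomain.com"   # placeholder from the article

ZONE = """\
yourdomain.com.            3600 IN MX 0  yourdomain-com.mail.protection.outlook.com.
protonmail.yourdomain.com. 3600 IN MX 10 mail.protonmail.ch.
protonmail.yourdomain.com. 3600 IN MX 20 mailsec.protonmail.ch.
"""

def parse_mx(zone_text):
    """Return {owner: [mx_host, ...]} from 'owner ttl IN MX pref host' lines."""
    records = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2:4] == ["IN", "MX"]:
            owner, host = f[0].rstrip(".").lower(), f[5].rstrip(".").lower()
            records.setdefault(owner, []).append(host)
    return records

def audit_mx(zone_text):
    """Return a list of findings; an empty list means the split is intact."""
    mx, findings = parse_mx(zone_text), []
    tip_hosts = mx.get(TIP_DOMAIN, [])
    if not tip_hosts:
        findings.append(f"{TIP_DOMAIN}: no MX record")
    # Any non-Proton MX, even a low-priority backup, can receive tips.
    for host in tip_hosts:
        if host not in PROTON_MX:
            findings.append(f"{TIP_DOMAIN}: MX {host} is outside Proton")
    # Regular mail on the apex should still be served by Microsoft 365.
    for host in mx.get(APEX, []):
        if not host.endswith(M365_SUFFIX):
            findings.append(f"{APEX}: MX {host} is not Microsoft 365")
    return findings

def forward_keeps_e2ee(target, proton_domains=(TIP_DOMAIN,)):
    """True only if a forwarding target is on a domain you host at Proton."""
    return target.rsplit("@", 1)[-1].lower() in proton_domains

if __name__ == "__main__":
    print(audit_mx(ZONE) or "MX split OK")
    for target in ("bob@protonmail.yourdomain.com", "bob@yourdomain.com"):
        print(target, "OK" if forward_keeps_e2ee(target) else "BAD: leaves Proton")
```

The forwarding check is deliberately conservative: it only accepts targets on domains you list as hosted at Proton, which matches the OK and BAD cases above.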
Protection Under Swiss Legal Framework
A key advantage of ProtonMail is the protection offered under the Swiss legal framework. Switzerland has some of the world's strongest privacy laws, ensuring that all data stored on ProtonMail's servers is protected from external surveillance requests. This provides an additional level of security and reassurance for both tipsters and organizations, knowing that even sensitive meta-information is safeguarded by stringent data privacy regulations.
Read more on our dedicated page:
Advantages of Proton’s Location in Switzerland
A Solution Tailored for Your Needs
At bitcreed, we understand that no two organizations have identical requirements when it comes to handling sensitive information. That's why our offer is built around your specific needs. We provide support in setting up ProtonMail, including detailed setup documentation, a clear and practical usage concept, and an end-user guide that’s ready for publication to ensure your tip line is easy to use for everyone involved.
Our approach involves more than just setting up the technical components. We help define how this tip line fits into your existing processes, keeping operations smooth while adding a vital new channel of secure communication.
Package Details
Check out our offering page around this service:
ProtonMail Based Secure Tips Hotline
Interested in Setting Up Your Secure Tip Line?
If this sounds like a solution that fits your organization's needs or if you have questions, contact us today. We're ready to help with a case-specific solution that directly addresses your specific needs.
Contact us
Your emails to info@bitcreed.us or any bitcreed.us email address will reach us through ProtonMail’s secure email service.