For routine enquiries
If you don't have a sensitivity reason to use anything below, just use the contact form or email consulting@peterbassill.com. The contact form runs over TLS, doesn't track you, and is hardened against the usual abuse. That is the right channel for 95% of conversations.
For technical and confidential briefings
Signal
Best general-purpose option for two-way conversation. It offers modern cryptography, forward secrecy and sealed sender, and it is built on the protocol that underpins end-to-end messaging across Signal, WhatsApp (with caveats), and Google Messages RCS.
My Signal Username is published in the footer of /now. Signal Usernames mean you do not need my phone number to reach me — and I do not need yours. If your client doesn't show usernames yet, update it.
Default to disappearing messages on. Verify safety numbers on first contact. Do not screenshot anything you wouldn't post on a billboard.
OpenPGP / GnuPG email
The right tool when the conversation needs to be archivable, multi-recipient, or the counter-party requires it (security disclosure mailboxes; CERT-style coordinated-disclosure flows; long-form analysis you want signed). My public key is at /pgp.asc.
The fingerprint will be published here once the current key is generated and rolled into production. In the interim, please use one of the other channels on this page if your message is genuinely sensitive.
If you are new to PGP, the primer on this site walks you through install, import, verification, and a worked example.
For higher-sensitivity matters
Tor (planned)
An onion-service mirror of the contact form is on my roadmap and will be linked here once it is in place. Until then, please combine the channels above — Signal first contact, PGP-encrypted email follow-up — for high-sensitivity material that doesn't yet warrant SecureDrop.
SecureDrop / journalists with sources
I am not a SecureDrop instance and you should not use me as one. If you are a source trying to reach a journalist, use the journalist's organisation's SecureDrop instance directly. If you are a journalist who wants to brief me on a story you're working on (and you have already protected your source through your own organisation's channels), Signal is the right way to start.
Verifying me out of band
Before sending anything genuinely sensitive, verify that the channel you're using actually reaches me — not someone who has spoofed me. Two-channel verification is what you want:
- Call or video-call me on Signal and ask me to read a fingerprint, a Signal safety number, or a one-time string back to you.
- Ask a mutual contact who has met me in person to confirm a fingerprint.
- Pull the fingerprint from my published security.txt and from this page and from a recent conference talk slide deck — three independent trees of evidence.
Don't trust a single web page. The whole point of this page is to be the authoritative source once you have already verified you're really reading it.
What I will and won't do
- I will reply in the same encryption posture you contact me with. If you encrypt, my reply is encrypted. If you Signal me, I'll Signal you back.
- I will respect a request for further-encrypted follow-up — say "let's move to Signal" and we will, mid-conversation.
- I will not escalate metadata about who is contacting me to anyone, ever, without a court order. If you are a source, I treat that as a SHIELD-style commitment.
- I will tell you, clearly, if I think a particular channel is the wrong one for what you're trying to discuss.
- I will not claim a level of operational security I cannot deliver. If you are genuinely up against a state-grade adversary, you need a journalist with a SecureDrop and a lawyer with disclosure privilege, not a UK consultant with a Signal account. I will say so.
See also: PGP primer · security.txt · Security policy · Privacy hub.