xTip: Journalist Source Protection
XorIDA splits source documents across independent press organizations with pseudonymous aliases, ensuring no single newsroom holds enough information to expose a source -- even under subpoena.
The Problem
Journalist sources stored at single newsrooms are vulnerable to subpoena, hacking, or insider leaks. Source exposure can be life-threatening in authoritarian contexts and career-ending in corporate whistleblowing.
Investigative journalism depends on source protection. Yet the documents, communications, and identity information that connect a source to a story are typically stored on a single newsroom's servers. A government subpoena, a targeted hack, or a rogue insider can expose the entire source relationship in one breach.
Existing tools like SecureDrop protect the submission channel but not the stored documents. Once a document is on a newsroom server, it is as vulnerable as any other file. Shield laws provide legal protection in some jurisdictions but offer no technical guarantee. A compromised server exposes every source the newsroom has ever protected.
The Old Way
The PRIVATE.ME Solution
xTip splits source documents across independent press organizations using XorIDA. Each newsroom holds only a partial share. Pseudonymous aliases decouple source identity from document custody.
When a journalist receives sensitive material, protectSource() splits the documents into N shares distributed across independent newsrooms or press freedom organizations. No single newsroom holds a reconstructable copy. A subpoena to one newsroom produces only an unintelligible share -- mathematically useless without the threshold.
Sources are identified by pseudonymous aliases rather than real names. The alias-to-identity mapping is itself split across custodians using the same threshold scheme. Even the journalist's own newsroom cannot unilaterally deanonymize a source. Document classification via classifyDocument() assigns sensitivity levels that determine the threshold and distribution pattern.
The New Way
How It Works
Source protection operates through three layers: document splitting, alias management, and classification-based routing. Each layer uses XorIDA independently.
Use Cases
Source documents for long-running investigations split across cooperating newsrooms. No single breach exposes the investigation or the sources behind it.
Source ProtectionCorporate and government whistleblower documents split across independent organizations. Retaliation requires compromising multiple independent custodians.
Dodd-Frank / SOXInternational press freedom groups serve as distributed custodians across jurisdictions. No single government can compel full document release.
Cross-JurisdictionLegal teams and media lawyers hold shares of source material. Attorney-client privilege adds a legal layer on top of the cryptographic protection.
Dual ProtectionIntegration
import { protectSource, classifyDocument } from '@private.me/sourcesplit'; // Classify document sensitivity const classification = await classifyDocument(documentBuffer); // classification.level: 'CRITICAL' | 'HIGH' | 'STANDARD' // Protect source with 3 independent newsrooms (2-of-3) const shares = await protectSource(documentBuffer, 'ALIAS-7X92', [ 'newsroom-a.example', 'newsroom-b.example', 'press-freedom.example' ]); console.log(shares.length); // 3 -- one per newsroom
Security Properties
| Property | Mechanism | Guarantee |
|---|---|---|
| Document Confidentiality | XorIDA K-of-N threshold | Information-theoretic |
| Source Anonymity | Pseudonymous aliases + split mapping | No unilateral deanonymization |
| Subpoena Resistance | Distributed custody across jurisdictions | Single-newsroom subpoena yields nothing |
| Document Integrity | HMAC-SHA256 per share | Tamper-evident |
| Quantum Resistance | GF(2) operations, no keys | Unconditional security |
Verifiable Data Protection
Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.
Read the xProve white paper →
Ready to deploy xTip?
Talk to Ren, our AI sales engineer, or book a live demo with our team.
Ship Proofs, Not Source
xTip generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.
- Tier 1 HMAC (~0.7KB)
- Tier 2 Commit-Reveal (~0.5KB)
- Tier 3 IT-MAC (~0.3KB)
- Tier 4 KKW ZK (~0.4KB)
Use Cases
Deployment Options
SaaS Recommended
Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.
- Zero infrastructure setup
- Automatic updates
- 99.9% uptime SLA
- Enterprise SLA available
SDK Integration
Embed directly in your application. Runs in your codebase with full programmatic control.
npm install @private.me/xtip- TypeScript/JavaScript SDK
- Full source access
- Enterprise support available
On-Premise Upon Request
Enterprise CLI for compliance, air-gap, or data residency requirements.
- Complete data sovereignty
- Air-gap capable deployment
- Custom SLA + dedicated support
- Professional services included
Enterprise On-Premise Deployment
While xTip is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:
- Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
- Air-gapped environments — SCIF, classified networks, offline operations
- Data residency requirements — EU GDPR, China data laws, government mandates
- Custom integration needs — Embed in proprietary platforms, specialized workflows
Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.