Operational Security

Contact Us Safely

Your security matters to us. This guide explains how to reach TCI while protecting your identity and the confidentiality of your information.

If you are considering contacting us, you may have concerns about protecting your identity or the sensitivity of the information involved. We understand.

The Commonlight Initiative is built around the principle that technical infrastructure should protect those who use it. Below, we outline the methods available for contacting us securely and the steps you can take to protect yourself.

You do not need to use all of these methods. Choose the level of security appropriate to your situation. Use the guide below to find the right starting point.

Full Security Guide

Assess Your Risk

Before contacting us, consider who you are concerned about and what level of protection you need. This determines which methods are appropriate.

Low concern

General business inquiry, no sensitive subject matter. Standard email to info@thecommonlight.org is fine.

Moderate concern

Sensitive subject matter but no immediate personal risk. Use our encrypted Proton Mail address with PGP encryption, or contact us via Signal.

High concern

You need to protect your identity. Use Tor Browser to access this site, contact us via SimpleX or Session (no phone number or account needed), and strip metadata from any files before sending.

Maximum concern

You believe you may be under active surveillance. Use Tor Browser from a device not associated with you, on a network not associated with you (e.g., a public library). Contact us only via SimpleX or Session. Do not use any account or device linked to your identity.

Browse Anonymously with Tor

Tor Browser routes your internet traffic through multiple encrypted relays, preventing anyone from seeing both who you are and what sites you visit. It is the standard tool for anonymous web browsing.

  1. Download Tor Browser only from the official website: torproject.org
  2. Install and open it. It will connect to the Tor network automatically.
  3. Navigate to thecommonlight.org. Your visit will be anonymous.
  4. For maximum protection, set the Security Level to "Safest" (click the shield icon in the toolbar). This disables JavaScript. Our site is designed to work without it.

Why this matters: When you visit a website normally, your internet provider can see which sites you visit, and the website can see your IP address (which reveals your approximate location and identity). Tor prevents both.

Do not log into any personal account (Gmail, Facebook, etc.) while using Tor Browser. Doing so links your anonymous session to your real identity.

Encrypted Email

We provide two email channels. For sensitive communications, use our encrypted address.

General

info@thecommonlight.org

Encrypted (Proton Mail)

thecommonlight@protonmail.com

Using PGP Encryption

For the strongest email privacy, encrypt your message with our PGP public key before sending. This ensures that only we can read it — not your email provider, not ours, and not anyone intercepting the message in transit.

  1. Download our PGP public key from the link below.
  2. Import it into your PGP software (GPG, Kleopatra, or your email client's built-in PGP support).
  3. Compose your message, encrypt it using our key, and send it to thecommonlight@protonmail.com.
  4. If you want us to reply securely, include your own PGP public key in the message.

Fingerprint: 012E 3113 CBD0 C252 C5A2 A937 7630 B51D D1FA F753
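
One way to check the downloaded key against the fingerprint above before encrypting to it, as an added example that is not part of the original guide. It assumes GnuPG 2.2 or later on the PATH for `check_keyfile`; the sample output is constructed and only the fingerprint comes from this page.

```python
import subprocess

PUBLISHED = "012E 3113 CBD0 C252 C5A2 A937 7630 B51D D1FA F753"  # from this page

def primary_fingerprints(colons: str) -> list[str]:
    """Fingerprints of primary keys (not subkeys) in `gpg --with-colons` output."""
    fprs, prev = [], None
    for line in colons.splitlines():
        fields = line.split(":")
        # An `fpr` record belongs to whichever `pub` or `sub` record precedes it.
        if fields[0] == "fpr" and prev == "pub" and len(fields) > 9:
            fprs.append(fields[9].upper())
        prev = fields[0]
    return fprs

def matches_published(colons: str, published: str = PUBLISHED) -> bool:
    """True only if there is exactly one primary key and its full fingerprint matches."""
    want = "".join(published.split()).upper()
    return primary_fingerprints(colons) == [want]

def check_keyfile(path: str) -> bool:
    """Inspect a downloaded key file without adding it to the keyring."""
    out = subprocess.run(["gpg", "--show-keys", "--with-colons", path],
                         capture_output=True, text=True, check=True).stdout
    return matches_published(out)

# Constructed sample output; only the fingerprint is taken from this page.
GOOD = (
    "pub:-:255:22:7630B51DD1FAF753:1700000000:::-:::scESC:::::ed25519:::0:\n"
    "fpr:::::::::012E3113CBD0C252C5A2A9377630B51DD1FAF753:\n"
    "uid:-::::1700000000::::Constructed UID <key@example.invalid>::::::::::0:\n"
    "sub:-:255:18:1111111111111111:1700000000::::::e:::::cv25519::\n"
    "fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:\n"
)
# Constructed key that shares the 16-character key ID but not the full fingerprint.
LOOKALIKE = GOOD.replace("012E3113CBD0C252C5A2A937", "F" * 24)

if __name__ == "__main__":
    print(matches_published(GOOD), matches_published(LOOKALIKE))
```

Comparing all 40 hexadecimal characters matters because a short key ID is only the tail of the fingerprint.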

Proton Mail to Proton Mail is automatically end-to-end encrypted. If you already use Proton Mail, simply email us — no PGP setup needed.

Secure Messengers

For ongoing or real-time communication, we offer secure messaging channels. Each provides different trade-offs between convenience and anonymity.

Signal

Recommended for most clients

Signal is the gold standard for secure messaging. End-to-end encrypted by default, open source, and independently audited. Available on Android, iOS, and desktop.

You can find us by our Signal username without needing our phone number.

Signal requires a phone number to register. If you need to avoid associating any phone number with your contact, use SimpleX or Session instead.

Download: signal.org/download

SimpleX Chat

Maximum anonymity

SimpleX has no user identifiers at all — no phone number, no email, no username. Each conversation uses separate cryptographic queues, making it impossible to correlate contacts even if the server is compromised.

To contact us, scan our SimpleX QR code or click our contact link (available on our contact page). No account creation is required on your end either.

Download: simplex.chat

Session

Built-in onion routing

Session requires no phone number or email to register. Messages are routed through a decentralized onion network (similar to Tor), preventing network-level surveillance. Incorporated in Switzerland.

To contact us, add our Session ID (listed on our contact page).

Download: getsession.org

Submitting Files Securely

If you need to send us documents, images, or other files, take these precautions.

  1. Strip metadata from all files before sending (see the section below).
  2. If possible, encrypt the files using our PGP key before uploading or attaching.
  3. Use our secure file submission portal. No account is required.
  4. For very sensitive material, consider splitting large submissions across multiple uploads and notifying us via an encrypted channel.

Before uploading: Always strip metadata from files first. Photos, PDFs, and Office documents often contain your name, device information, GPS coordinates, and editing history. See the next section.

Stripping Metadata from Files

Files you create or download often contain hidden metadata that can identify you. Photos may contain GPS coordinates and camera serial numbers. Documents may contain author names, organization details, and revision history.

Common Metadata in Files

Photos (JPEG, PNG)

GPS location, camera model, serial number, date/time, thumbnail

PDFs

Author name, software used, creation date, editing history

Office Documents

Author, organization, revision count, tracked changes, comments

Videos

Recording device, GPS, date/time, encoding software

How to Strip Metadata

ExifTool (command line — most thorough)

exiftool -all= yourfile.jpg

Available at exiftool.org. Works on all file types.

MAT2 (command line — Linux/macOS)

mat2 yourfile.pdf

Metadata Anonymisation Toolkit. Open source. Recommended by Tails OS.

On mobile (Android/iOS)

Take a screenshot of the photo instead of sending the original. This removes all EXIF data. For documents, print to PDF from a clean viewer.
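
A check to run after stripping and before sending, as an added example that is not part of the original guide: it walks a JPEG's segment headers and reports any that can still carry metadata. It is narrowed to JPEG only, and the sample bytes are constructed minimal headers, not a viewable image.

```python
import struct

# JPEG markers whose segments can carry identifying metadata.
SUSPECT = {0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM (comment)"}

def metadata_segments(data: bytes) -> list[str]:
    """Labels of metadata-bearing segments found before the compressed image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    found, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:      # SOS: image data follows, headers are done
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1:      # APP1 holds Exif (GPS, camera, thumbnail) or XMP
            kind = "Exif" if payload.startswith(b"Exif\x00\x00") else "XMP/other"
            found.append(f"APP1 ({kind})")
        elif marker in SUSPECT:
            found.append(SUSPECT[marker])
        pos += 2 + length
    return found

def _seg(marker: int, payload: bytes) -> bytes:
    """Build one constructed segment: marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files.
JFIF = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF = _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
COMMENT = _seg(0xFE, b"constructed comment")
SCAN = b"\xff\xda\x00\x02\x00\xff\xd9"
ORIGINAL = b"\xff\xd8" + JFIF + EXIF + COMMENT + SCAN
STRIPPED = b"\xff\xd8" + JFIF + SCAN

if __name__ == "__main__":
    print(metadata_segments(ORIGINAL), metadata_segments(STRIPPED))
```

An empty result means no Exif, XMP, IPTC or comment segment remains; it says nothing about identifying details visible in the picture itself.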

What Not to Do

Do not use your work email or work device

Your employer may monitor email and device activity.

Do not send unstripped files

Metadata can reveal your identity, location, and device.

Do not use your real name if anonymity matters

Use a pseudonym. We do not need your real name to help you.

Do not discuss contacting us on social media or unsecured channels

This creates a traceable link between you and our organization.

Do not log into personal accounts while using Tor

This defeats the purpose of anonymous browsing.

Do not assume regular email is private

Unencrypted email can be read by your provider, their provider, and anyone in between.

Do not use public Wi-Fi without Tor or a VPN

The network operator can see your traffic. Tor is the safest option.

Ready to Reach Out?

Choose the contact method that matches your security needs. We are here to help, and your privacy is our priority.