Anonymity vs Confidentiality: a Whistleblowing Threat Model
Anonymity and confidentiality are two different security properties, and a whistleblowing platform that uses them as synonyms is selling a promise it cannot keep. Anonymity means the reporter’s identity stays unobservable to the platform, to intermediaries, and to recipients, which operationally requires a Tor onion service v3, the Tor Browser on the reporter’s side, and reporter-side discipline against forensic traces. Confidentiality means the reporter accesses the platform over a regular browser; the ISP, the employer network, or a CDN can log the connection, while the platform encrypts the content, restricts recipient access, and keeps logs honest. Both are valid, and the right default depends on context: corporate compliance programmes usually default to confidential with anonymous opt-in via Tor, whereas human-rights initiatives and investigative newsrooms default to anonymous.
Encrypting Whistleblower Reports: Receipts, SealedBox, SecretBox
A whistleblower report needs a complete encryption protocol, not a checkbox that says “AES-256”. A reference design that has converged across mature open-source whistleblowing platforms pairs three primitives in a way every serious system should recognise: a random 16-digit receipt code, formatted like a phone number so the reporter can hide it among contacts and stored on the server only as its SHA-256 hash; libsodium SealedBox (Curve25519 + XSalsa20 + Poly1305) to wrap a per-submission data key to each authorised recipient’s public key; and libsodium SecretBox (XSalsa20 + Poly1305) to encrypt the submission body and attachments under that data key. Each recipient’s Curve25519 private key sits on the server encrypted under a symmetric key derived from the recipient’s password via Argon2id, tuned to 128 MB of memory and roughly one second of computation per login, so the server holds nothing that decrypts a submission without the recipient’s password. As of April 2026, this is the protocol that production deployments serving anti-corruption activists, corporate compliance teams, and investigative newsrooms actually run.