Create a Tipbox

About Tipbox

Fill out this form and we will send you a unique and private URL that you can share to start collecting anonymous feedback and tips.

To enable end-to-end PGP encryption, make sure that the public PGP key associated to your email address has been published to a public key server.

Tipbox created

Your tipbox has been created

The unique and private URL for your Tipbox has been sent to you by email.

#protip: Put your unique URL in your Twitter Bio or in your email signature to let people know how they can reach you anonymously. Or share it within closed communities (e.g. LinkedIn, Facebook groups or forums) to increase the quality of the tips.

Browser Not Supported

Please use a modern browser to use Tipbox.

The browser that you are currently using does not support advanced cryptographic features that Tipbox is using to encrypt the content of your tip before sending it through the network.

Supported browsers: Safari or Chrome on your iPhone or Android, or Internet Explorer 11 or later, Google Chrome, Apple Safari or Firefox on your computer.

TipBox

  • About
  • FAQ
  • Security
  • Terms of Service
  • Privacy Notice
  • Donate
  • Artboard 1

TipBox

☰

Share a URL to collect anonymous feedback

Create a Tipbox

TipBox in Action

  1. Enter your E-Mail
  2. Enter a Subject Line
  3. Get a Unique URL that you can share to start collecting anonymous feedback

Features

  • Artboard 1

    Anonymous

    The person sending you a tip doesn't need to provide any information about them. We don't keep any logs, we don't store any data. There is no way for you to know who sent you the email (unless the person explicitly decided to provide contact information in the body of the email).

  • Artboard 1

    Nothing to install, just open a link

    Make it easy for people to send you tips. Don't require them to install anything. They just have to click on the unique URL of your Tipbox and they are good to go. It's that easy.

  • Artboard 1

    End-To-End encryption

    If you have a PGP key associated to your email address, you can turn on End-To-End encryption. In that case, our server will never be able to read the content of the tips that are sent to you.

About

Tipbox is a free open source service to receive anonymous tips via email.

Ideal for journalists to receive tips or to collect testimonials from certain communities, or for managers to get direct and honest feedback from their team.

Tips are encrypted using PGP on the client side. We don't keep any logs and we don't store any data. Only the recipient gets the email.

This service has been developed with ease of use first and as such doesn't require installing any software. Therefore, we are relying on the security model of your browser. That means that we can't technically make any guarantee that you are running an untampered version of this software. If you care about high level of security, please read our security section very carefully.

See our FAQ for more information.

F.A.Q.

How does it work?

Just provide your email address and a subject line of your choice and we will send you a secret and unique URL that you can share wherever you like. When someone opens that URL, a familiar email interface will invite them to send you an anonymous email (the recipient and the subject line of that email will be already prefilled with what you have defined). If you have a PGP key associated to your email address on a public key server, we will use it to encrypt the email end-to-end.

What is this for?

If you are a blogger or a journalist, you may want to use this to get information from insiders. Create a tipbox and share the link within the appropriate LinkedIn or Facebook group. Remember, "News Is What Somebody Doesn't Want You To Print. All The Rest Is Advertising Or Public Relations."

If you are a manager, you may want to use this to get feedback from your team. You would be surprised of the quality of the feedback that you could get if you can guarantee their anonymity. It’s also very important to give your employees an easy way to voice their opinion internally.

Why building this?

Today, there isn’t any easy tool for journalists to gather anonymous tips. As a result, most of them rely on non-encrypted emails and their sources have to basically create a new email address which takes time (especially now that most email providers require a phone number). So we thought that we could come up with a very easy tool to use that would remove the need for the tipster to create a new email address.

How secure is this?

For the tipster, it is as safe as creating a new email address and sending an email with it through a web interface and removing it right after from the “Sent” folder.

For the journalist, it is as safe as receiving an email. But if have a PGP key associated to your email address, you can opt-in to receive a PGP encrypted email which is definitely safer to keep in your inbox than a non-encrypted email.

That said, since Tipbox doesn’t require the tipster to download any piece of software, it relies -like any other webmail service- on the security of the browser which is not full proof. You need to understand your threat-model/adversary and determine if Tipbox meets you or your orgnizations needs. If you're unsure, you should use SecureDrop which has been especially engineered for the best possible security.

What about the metadata?

While we don’t keep any logs, there are many intermediaries between the end user and our server. Each of those could keep the logs to identify which IP addresses connected to our server. That’s why we strongly advised against using Tipbox while being connected to the Wifi network of your company. Just use it on your phone with your data plan. For increased anonymity, you could also connect to our server via Tor: tipboxtdf3ydy5xq.onion.

However, Tipbox has been engineered in such a way that intermediaries can’t identify the recipient, subject or content of the tip. Intermediaries can’t distinguish between visitors who come to create a new Tipbox and those who use it to submit a tip to person A or to person B.

If security is very important to you, please read more about security.

Who is behind this?

Xavier Damman (@xdamman), Mark Percival (@mdp), @tgouverneur, @montogeek, @evilrabbit_
with the financial support of the Knight Foundation.

Follow this project

We will post updates to our Twitter account @GetTipbox.

You should also star/watch our public repo https://github.com/xdamman/tipbox. This is an open source project. Contributions are welcome!

Security

There will always be a risk associated with leaking information to the press. Even the most secure methods are not risk free. Tipbox’s goal is to make it easy to get information from individuals who may not be able to install the software required by more secure solutions (eg. Tor and Securedrop). These potential users are likely to face a vastly different threat model, one that doesn’t include nation-states. Think migrant workers leaking information about labor conditions vs the Edward Snowdens of the world.

We've made our best effort to build a tool that allows anyone to easily send a tip in a secure and anonymous way with nothing more than a modern browser. Tips sent to recipients with PGP keys feature end-to-end encryption; the server will never know the contents of that tip. We will also never keep logs of who accessed the server or any email that was sent.

However, based on your potential sources and adversaries, you must ultimately decide if the security tradeoffs of Tipbox make sense for you or your organization.

If you do require a higher degree of security, we would refer you to SecureDrop, or the Signal messaging app, available on iOS or Android.

Technical

This site is using the latest SSL cryptography and certificates from LetsEncrypt. We don't keep any logs and we don't store any user data. The tips are directly sent to the email address of the recipient. If the recipient has included a PGP key when setting up their Tipbox, we will use it to encrypt the email end-to-end.

We also have a strict CSP policy, which restricts any Javascript to sources we control, along with specifying each scripts hash to help compare it to the original source code and detect unauthorized changes.

In addition to SSL, we also use PGP to encrypt any communication between the browser and the server. This is designed to help mitigate passive man-in-the-middle attacks, such as a user visiting Tipbox on a laptop with a compromised trusted certificate.

Ways to stay safe

  • Only visit Tipbox on a personal phone or laptop, never a work machine
  • Use “Incognito” mode on your browser
  • Visit Tipbox using a public wifi access point of a business you don’t frequent.

Potential risks

Any intermediary between the end user and this server (such as your ISP) could record the IP addresses that are connecting to this server. To be clear, that would only reveal who accessed this server, not the actual Tipbox, recipient or content of the tip.

Sophisticated attackers who could monitor the requests coming in and out of our server to do statistical analysis of the traffic based on the size of the requests. To mitigate this, we add padding to the requests sent to our server which won't reflect its real size. We also add a random delay between the request to our server and sending the tip to the recipient so that observers can't easily synchronize logs.

Another potential security risk would be someone hacking into our server and changing the html/javascript code being served to our users. To mitigate this, we invite you to make sure that the html page and javascript file served by this server are the same than what is available on our public repo.

That being said, while Tipbox is taking steps to keep your tips secure and anonymous, no security is perfect, and you should use this service at your own risk.

If you do require a higher degree of security, we would refer you to SecureDrop, or the Signal messaging app, available on iOS or Android.

Terms of Service

TL;DR;

Tipbox is not a funded company. It’s an open source project with contributors from all around the world who want to help you collect anonymous emails in an encrypted way. Use at your own risk. Thank you, love, - Xavier & Mark, founders of Tipbox on behalf of all Tipbox contributors.

Acceptance of Terms.

This is a binding contract (“Terms”) between you and TipBox, (“we,” “us,” “our,” “TipBox”). By using TipBox, you agree to be bound by these Terms. If you use TipBox on behalf of an organization, you agree to these terms on behalf of that organization. If you do not agree to these Terms, you may not use TipBox. We may update or alter TipBox features and functionality at any time, and these Terms will still apply.

Eligibility.

TipBox is provided to individuals who are at least 18 years old or to minors who have parental consent to use the service.

Changes to these Terms.

If we make changes to these Terms that are material, we will let you know by posting a notice on our home page. The notice will designate a reasonable period of time after which the new Terms will take effect. If you disagree with our changes, then you should stop using TipBox within the designated notice period. Your continued use of TipBox will be subject to the new Terms.

Intellectual Property:

TipBox is an open source project distributed under the terms of the MIT License. By using TipBox, you agree to abide by the terms of that license.

Responsibility for Content.

You are solely responsible for any content you transmit via TipBox. You agree that you will not use TipBox for any purpose that is unlawful. TipBox does not monitor content. You understand that you may be exposed to content that is inappropriate or illegal, and you assume all risks associated with your use of TipBox.

Feedback.

We appreciate any feedback, comments, or suggestions you may have for improving TipBox. If you have suggestions or wish to help make TipBox better and more secure, please contact us via our GitHub page.

Third Parties.

TipBox does not control, and is in no way responsible for, the acts or omissions of any third party, including but not limited to your ISP, email provider, or other intermediary. We strongly encourage you to carefully review the Terms of Service and Privacy Policies of any third party vendors you choose to use in conjunction with TipBox.

Termination.

You are free to stop using TipBox at any time. We also reserve the right to suspend or stop making TipBox at any time at our discretion and without notice.

Disclaimer of Warranties.

You expressly understand and agree that your use of the TipBox is at your sole risk. TipBox is provided on an "as is" and "as available" basis. TipBox, its founders, and its contributors expressly disclaim all warranties of any kind, whether express or implied, including, but not limited to the implied warranties of merchantability, fitness for a particular purpose and non-infringement. TipBox and its subsidiaries, affiliates, contributors, agents, and licensors make no warranty that (i) TipBox will meet your requirements; (ii) TipBox will be uninterrupted, timely, secure or error-free and (iii) the results that may be obtained from the use of TipBox will be accurate or reliable.

Limitation of Liability.

TipBox shall not have any liability for any indirect, incidental, consequential, special, exemplary, or punitive damages under any theory of liability arising out of, or relating to, these Terms or your use of, or inability to use, TipBox. As a condition of receiving access to TipBox, you understand and agree that our liability shall not exceed one satoshi.

Indemnification.

You will indemnify, defend, and hold TipBox, its founders, subsidiaries, affiliates, and contributors harmless from any and all claims, damages, losses, liabilities, actions, judgments, costs, and expenses (including reasonable attorneys’ fees) brought by a third party arising out of or in connection with: (i) any act or omission by you, in connection with your use of TipBox or (ii) your breach or alleged breach of any of these Terms. We may, in our discretion, elect to take over control of the defense and settlement of a claim subject to indemnification. You agree not to settle any such claim without our prior written consent.

Entire Agreement.

These Terms constitute the entire agreement between you and us regarding your use of TipBox.

Waiver and Severability of Terms.

ipBox’s failure to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. If any provision of these Terms is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavor to give effect to the parties' intentions as reflected in the provision, and the other provisions of these Terms remain in full force and effect.

Governing Law.

You agree that these Terms, and your use of TipBox, are governed by California law, in the United States of America, without regard to its principles of conflicts of law. You and TipBox agree to submit to the personal and exclusive jurisdiction of the courts located in San Francisco, California.

Privacy Notice

We don’t store or share any data, of any kind, about users of TipBox. Period. Full stop. We keep no logs; we have no database. We literally don’t even know how many people use TipBox.

Personal Data We Require

In order to create a TipBox you must give us an email address, so the tips will know where to go. TipBox embeds your email address in the unique URL that is automatically generated for you. We do not store the email address you give us in any form -- as explained above, we don’t keep a database of TipBox URLs. It is up to you whether and how you decide to share the TipBox URL containing your email address.

Further Explanation of the Data We Do Not Collect

When you create a TipBox, we don’t require you to register for an account. We don’t ask for your real name, a username, or a password. We don’t collect your IP address, we don’t know where you live or what language you speak.

We also don’t read or store any of the data that is automatically sent to us by your browser, including information about your browser type, what operating system you run, or even whether you’re accessing TipBox via a mobile device.

We don’t set cookies, or any other technology that can track what you do on our site or across sites. No Google Analytics. We know nothing about you.

We Can’t Share What We Don’t Have

Whether it’s the NSA, a marketing company, or your ex, anyone who comes looking for your data from us is going to be out of luck. The most we’ll be able to give them is a polite explanation of how encryption works.

Security

You can find out about TipBox security here. While we work hard to keep tips anonymous, we do not guarantee perfect security. You use TipBox at your own risk.

Deleting a Tip

The only place a TipBox is stored is in your email inbox. We do not backup tips, so if you delete a tip we cannot recover it for you. Consider yourself warned.

What Other People Might See

Because we rely on in-browser security, there is a risk that a third party, such as your ISP or a malicious attacker, could find out that your IP address connected to a TipBox server (but – by design – they can’t tell which particular TipBox a user was trying to send a tip to). If this is important to you, we recommend you use Tor (you can connect to this server with this .onion url: tipboxtdf3ydy5xq.onion). We have no control over the logging policy of any third party intermediary, and are not responsible for any acts or omissions by third parties.

Changes

We may update this Notice to reflect changes in our product or applicable laws. If we make material changes that might impact you, we will notify you by placing a prominent notice on our home page.

Open Source Project made with ♥ by @xdamman, @mdp, @tgouverneur, @montogeek, @evilrabbit_
with the financial support of the Knight Foundation. Version 2.0.0-beta5

  • Artboard 1

Security

Send

New message

About Tipbox and how it protects your anonymity
loading...

Tip sent

The tip is in da box!

Your email has been successfully sent. To protect your anonymity, it will be delivered to with a random delay of 10 to 20 minutes.

You can now close this tab.

For extra privacy,
you may consider clearing your browser history.

About Tipbox

Tipbox is a free open source service to receive anonymous tips via email.

We don't keep any logs and we don't store any data. Only the recipient gets the email.

Ideal for journalists to receive tips or to collect testimonials from certain communities, or for managers to get direct and honest feedback from their team.

Tips are encrypted using PGP on the client side with the recipient's PGP key if one exists and with the public key of the Tipbox server.

While Tipbox is making a lot of effort to make this service as robust as possible, we can't make any guarantee. Use this service at your own risk.

 

  • Read more about security
  • Follow us on Twitter