Why a PGP contact tool belongs on every serious website
We are told that future conflicts will be fought on the cyber front as much as in the field. In that climate, every inbox, form and contact channel is part of the surface that can be breached. A PGP contact tool is one of the simplest ways to shrink the damage when that happens.
What a PGP contact tool actually is
A PGP contact tool is a short piece of code on your website that lets someone encrypt a message to you in their browser, using your public key, before anything leaves their device. You then use your private key to decrypt the message on your side.
No accounts, no proprietary inbox, no third party relay. Just open source cryptography wrapped in a simple form.
The Reasonable Adjustment and TRSA use exactly this approach in their open source whistleblower tool:
- TRSA whistleblower form
- Open source whistleblower PGP tool
- Secure whistleblower tool explained
- GitHub repository
The modern cyber political climate
Talk of cyber warfare used to sound abstract. It is not abstract anymore.
State actors attack public bodies and critical infrastructure. Criminal groups attack local businesses because they are easier targets. Activists, charities and journalists get swept up when someone wants to know who is talking to whom.
You may not think your organisation is interesting, but you are part of someone else’s supply chain or narrative. That is enough to put you on a list.
In that context, the question is not whether a breach will ever happen around you, but how much can be taken or exposed when it does.
Why data minimisation is now central
When an attacker lands on an email account or web server, they do not need long access. They grab what is there and leave.
That usually means:
- Contact form submissions stored in a database.
- Plain text emails in shared mailboxes.
- Internal reports or complaints forwarded between staff.
- Whistleblower messages handled like any other email.
Good policies help, but the most powerful control is simple. You cannot leak what you do not store in readable form.
How PGP changes the risk equation
With a PGP contact tool, most of the risk above disappears for that channel. The sequence looks like this:
- The visitor loads your whistleblower or secure contact page.
- The page includes your public key and a small encryption script.
- The message is encrypted in the browser before it is sent.
- Your server and email provider see only ciphertext.
- You decrypt locally with your private key.
A mailbox breach at that point reveals nothing useful about the contents of those messages. A hostile insider trawling sent items cannot read them. Even a state level actor with a lawful warrant must still deal with the fact that you never held clear text on the server.
This is what people mean when they talk about end to end encryption. PGP gives you a version you actually control, without waiting for a vendor to turn it on.
Real world use, not theory
The Reasonable Adjustment platform did not build its whistleblower tool as a thought experiment. It built it because people in difficult positions needed a way to send sensitive information without trusting yet another inbox.
The open source tool:
- Runs entirely in the browser, with no back end server logic.
- Uses your PGP public key, not a central key owned by someone else.
- Can be dropped onto any static site in seconds.
- Is available for anyone to inspect and fork on GitHub.
In other words, the barrier is no longer technology. The only slow step is generating and managing your own key pair properly.
Who benefits from a PGP contact tool
A PGP contact form is useful anywhere people might send material that would be awkward or harmful to disclose in a breach. For example:
- Staff raising concerns about misconduct or unsafe practice.
- Service users reporting discrimination or data misuse.
- Contractors sharing evidence about a failing system.
- Community members passing on sensitive information about risk or harm.
In all of those scenarios, the risk is not just reputational, it is personal. The person writing may be exposing themselves to pressure or retaliation. Encryption does not remove that risk, but it takes one weapon out of the hands of anyone who gains access to your systems.
How PGP fits into governance and complaints handling
From a governance point of view, a PGP contact tool supports you in several ways.
1. Protecting whistleblowers and reporters
Many policies claim to protect whistleblowers, yet channel their reports into ordinary email. That model relies entirely on trust in every administrator and system between sender and recipient.
A PGP contact channel shows that you have taken a concrete step to protect confidentiality in transit and at rest on the server.
2. Reducing your exposure in a breach
If you ever need to explain yourself to a regulator, cyber insurer or ombudsman, it is far easier to show that sensitive reports were encrypted in a way that even you cannot casually read without the private key. That is strong evidence of data minimisation, not just a policy promise.
3. Supporting serious public interest work
For advocacy groups and investigative projects, a PGP tool can be the difference between hearing from a key witness and never receiving the message at all. People are more likely to come forward when they can see that the channel is designed with their risk in mind, not your convenience.
What PGP does not do
It is important not to treat PGP as magic. A PGP contact tool:
- Does not verify that the sender is who they say they are.
- Does not stop someone taking screenshots or forwarding decrypted content.
- Does not remove the need to act fairly and lawfully when you receive a report.
- Does not excuse weak internal processes or poor decision making.
It does one thing very well. It makes it much harder for third parties or opportunistic attackers to read sensitive messages that were never meant for them.
Starting simple
If you do not currently have any secure channel for sensitive contact, you can start with a very small, practical plan:
- Install a PGP tool such as GnuPG on a trusted device and create a key pair.
- Publish your public key on your website and in your PGP contact form.
- Use an open source browser side tool, such as the one from TRSA and The Reasonable Adjustment, and adapt it to your branding.
- Write a short internal note on who holds the private key and how decrypted messages are stored and handled.
- Test the full flow with a dummy message so you know the process works end to end.
Over time you can add key rotation, multiple recipient keys for different roles and more formal procedures. The important step is putting a basic encrypted channel in place rather than waiting for a perfect system.
In plain English
- Future conflicts and attacks already play out through cyber channels, not just in physical spaces.
- A PGP contact tool lets people send you encrypted messages that your server and email provider cannot read.
- That reduces the amount of sensitive material available in a breach or mailbox compromise.
- For whistleblowers and vulnerable service users, it is a practical sign that you take their risk seriously.
If you want help implementing a PGP contact tool or folding it into a wider security and complaints strategy, you can read more about Ki-Ki’s work on the Digital support page.