The 2025 journalist’s digital security checklist

☐ Ask yourself these five questions (remix to suit your needs):

• Assets: What am I protecting?
• Adversaries: Who am I protecting my assets from?
• Adversary’s assets: What might they be capable of?
• Likelihood: How big of a risk is this to me now, based on who I am in the world?
• Your resources: What can I do to protect myself?

☐ Work with your team to establish when and how you’ll discuss likely digital security risks. Make a plan to work through an assessment — even if briefly — with your editors and colleagues before you embark on a new story.

☐ Bookmark our article on risk assessment methods developed specifically for journalists and filmmakers. You may be surprised at the risks you haven’t considered.

☐ Look through your phone’s settings app:

• Turn notifications completely off for apps you don’t need to hear from or, if you are an Apple user, adjust how your phone delivers them.
• Review your location settings. Check each app to make sure it is not reporting location data without your consent. Bonus tip: If you choose to allow access to your location when using an app, remember to close the app when not in use. To do that, swipe up to access your open apps and swipe up again on an app to close it.
• Revoke camera and microphone access for apps that don’t need it. Evaluate whether to keep apps that ask for unnecessary privileges.

☐ Keep notifications off your home screen temporarily by toggling to “do not disturb” mode.

☐ Delete any unnecessary apps. You can always reinstall them later.

☐ On an updated iPhone, follow these steps to lock or hide an app. Doing so means that your apps will only be accessible with Face ID or your passcode.

☐ Set up a secondary phone for reporting. Purchase a relatively new model so that it still receives security updates. Only install the apps you need. Consider setting up new accounts (e.g., email, iCloud) for use only on this secondary device.

☐ Read our advice column on notification settings.

☐ Set an alphanumeric passcode on your devices that is longer than the six-digit minimum required. The longer the better!

• Follow these instructions if you use an Android.
• Follow these instructions if you use an iPhone.

☐ Deploy Full Disk Encryption by powering down your phone when entering a potentially dicey situation. It's enabled by default in current password-protected models of Android and iPhone.

☐ Turn off access to Face Unlock when you cover a public action or a protest. Passcodes only! The easiest and most reliable way to disable biometrics is to restart the phone and keep it locked.

☐ If you’re an iPhone user who is at elevated risk, enable Lockdown Mode to maximize device security settings. Note: This may have a small impact on your use of the device.

☐ Learn more about the legal implications of using passcodes instead of Face Unlock when attending a public action.

☐ Protect the contents of your messages and those of your conversation partner, especially sensitive ones, with end-to-end encrypted communication apps.

• Download Signal, if you haven’t already. Signal encrypts the contents of your messages while retaining very little metadata. Read our guide to get started.
• Lock down WhatsApp, if you use it. WhatsApp is owned by Meta, a company known for collecting a lot of metadata about communications across its platforms. Upgrade WhatsApp security by turning off cloud backups, setting disappearing messages, and verifying your conversation partners’ accounts.
• Set up a Proton Mail account for sensitive email communication. Note: In Proton Mail, end-to-end encryption only works if all parties use Proton Mail or PGP.

☐ While Signal’s defaults are already strong, you can harden the app even further. Check out our guide to locking down Signal.

☐ Take advantage of end-to-end encryption in Zoom. Note: AI notetakers are prevalent in online meetings. Consider making a policy for when these are allowed, along with a plan for what to do if an AI notetaker shows up uninvited.

☐ Use Mailvelope to encrypt your email messages.

☐ Create bright lines around what sorts of information you would like to keep offline (e.g., interview transcripts with sensitive sources) and what information you’re OK with storing on providers’ servers (e.g., final copy for an article).

☐ Download and delete sensitive documents from cloud providers.

• Google: If you are ready to leave Google behind rather than deleting individual files, here is a protocol for exiting Google Cloud (note that Google’s policy says this “process generally takes around 2 months from the time of deletion”).
• Dropbox: Note the different steps for deleting a file or folder and for permanently deleting them.
• iCloud: Apple’s documentation says “files you delete from iCloud Drive are recoverable for 30 days.”

☐ Going forward, make a plan for where to store your sensitive documents. Your risk assessment can help.

☐ If you’re an Apple iCloud user, turn on Advanced Data Protection to automatically encrypt many types of data (e.g., photos) before uploading them to iCloud.

☐ Invest in encrypted storage options like Tresorit.

☐ Learn what others can read when your documents are stored in Google Workspace, Apple’s iCloud, and any other service provider you use.

☐ Review transparency reports from Google, Apple, and Dropbox for insight into how they respond to legal requests for access to information. Learn how visible your data is when stored in Google Workspace and iCloud.

☐ Use VeraCrypt to encrypt files before uploading them to cloud storage.

☐ Set a strong passphrase and store it in your password manager.

☐ Update your devices when prompted. These updates often contain patches for known security issues.

☐ Review your privacy and security settings. Make sure screen lock is enabled. Disable location services for apps that don’t need them.

☐ Enable Full Disk Encryption (FDE). Note: You’ll need to power down your device for encryption to work.

• On macOS, enable FDE in FileVault.
• On Windows Pro edition, enable FDE with BitLocker. If you don’t have Pro edition, consider getting it, or use VeraCrypt.

☐ Configure your cloud backups.

• On a Mac: Use system settings to manage iCloud storage. Turn on Advanced Data Protection.
• On Windows: Follow these instructions to turn off OneDrive.

☐ Routinely back up your computer to an external hard drive.

• On a Mac: Back up files with Time Machine.
• On Windows: Back up files with File History.

☐ Read the New York Times guide on securing your Apple computer.

☐ Read the New York Times guide on securing your Windows computer.

☐ Audit your social media posts.

• Delete any that could be used against you. Bonus tip: If you’re sentimental about your posts, download your Twitter/X archive before deleting them.
• Try the Privacy Party browser extension to help automate the deletion of your social media posts.

☐ Update social media privacy settings for your account and, where possible, individual posts.

☐ Google yourself to see what information has been indexed.

• Use the operators listed here to add qualifiers to your search.
• Follow these steps to de-index specific pages from Google. (Note: This will not remove the content from the internet altogether, but will make it more difficult to find).

☐ Review Yael Grauer’s Big-Ass Data Broker Opt-Out List and address the services marked as “crucial” and “high priority.”

☐ Consider setting up a Google Voice number so that you can keep your actual phone number private.

☐ Start using an anti-data-broker service (e.g., Optery, DeleteMe).

☐ Find photos of yourself on the web using PimEyes, and consider filling out an opt-out request so others can’t easily do the same.

☐ Read this study from Consumer Reports that evaluates the efficacy of various data deletion services.

☐ Make a plan for searching. Categorize your typical research pathways and figure out which ones need the most protection.

☐ Protect your browser from third-party trackers.

• Use the uBlock Origin browser extension to help remove potentially malicious ads.
• Use the Electronic Frontier Foundation’s Privacy Badger browser extension to prevent many types of tracking on the web.
• Remove unnecessary browser extensions. Some are malicious and may sell your data.

☐ Learn what private browsing mode does and when to use it.

☐ Get started using a virtual private network to encrypt and tunnel your traffic to a remote location, making it harder for your ISP to monitor your behavior. We specifically recommend Mullvad, IVPN, Proton VPN, and Surfshark. Note: VPNs do not prevent websites from using cookies to track you.

☐ Use the Tor Browser for searches you prefer to keep as anonymous as possible. Tor, short for The Onion Router, is an anonymity network that bounces your traffic around the world.

☐ Read How the Really Internet Works (your local library may have a copy).

☐ Set up and use a password manager. This will help you generate and store unique, random, and long passwords for every account.

• If you are just getting started, think about the accounts where you store your most valuable assets (your email accounts, bank accounts, and social media accounts just for starters) and spend a few moments ensuring they are protected with secure passwords that aren’t used anywhere else. Update everything else as you go.
• One of our recommendations, 1Password, provides free access for journalists. Visit https://1password.com/for-journalists/ to learn more.

☐ Enable multifactor or two-factor authentication, where a second set of credentials is required to log in (e.g., a six-digit code sent to your phone). Many large-scale hacks happen because MFA is not enabled on an employee’s account.

☐ Read our guide on phishing awareness.

☐ Invest in a security key (e.g., a YubiKey). We love them because they are highly resistant to phishing, keeping hackers out of your account.

☐ Use an authenticator app as well, in case you lose your security key. Google Authenticator and Authy are good choices.

☐ Read our advice column on the security of your passwords when using a password manager.

☐ Read our advice column on sharing passwords and two-factor authentication codes across teams.

☐ Decide on your support team. They may be expected to triage tips and keep related devices/apps up to date. (For example, is this an individual, or an institutional tipline run by a team?)

☐ Consider who you want to be able to reach you, and what their likely security needs and capacities are. (For example, where might they be comfortable speaking?)

☐ Select the channels you’d like to support (e.g., Signal, WhatsApp, a self-hosted web form, SecureDrop).

☐ Identify which channels (e.g., traditional email, SMS text messages, X DMs, phone calls) you may discourage because they introduce elevated risk to sources, and which you will keep.

☐ Decide where you will advertise your tip page (e.g., social media bios, social media posts, bylines, personal websites, in-line on institutional websites).

☐ Prepare preview cards/graphics for advertising your tipline, in case someone links it on social media.

☐ Reach out to our team about setting up SecureDrop, the anonymous whistleblowing system. Note that while there are exceptions, this is typically run by journalistic institutions, rather than individuals.

☐ Read our article on overcoming challenges when setting up Signal tiplines.

☐ Read our article on security considerations when setting up confidential tip pages.

☐ Read our article on using OnionShare to accept anonymous text and files.

☐ Check out our resources on source protection.