In tumultuous times, we believe in being prepared, not scared. Sound digital security practice often involves forming and relying on good habits. Building these reflexes now will help keep you better protected. This is why we’ve distilled advice our trainers have shared with thousands of journalists over the years into the actionable, concrete steps below.
Before you dive in, know that there are many ways to shore up your safety and privacy. It’s OK to take them on slowly but surely, one at a time. If you run into any challenges, remember: the Digital Security Training team at Freedom of the Press Foundation (FPF) is here to help. Reach out here.
Five questions for risk assessment
A risk assessment, or threat model, helps you identify your digital assets and create a plan to keep them safe. Knowing what you’re facing is key to ensuring you have the appropriate safeguards in place. Risk assessments change depending on your context, which makes them a great place to start when working on a new story.
Start here
☐ Ask yourself these five questions (remix to suit your needs):
- Assets: What am I protecting?
- Adversaries: Who am I protecting my assets from?
- Adversary’s assets: What might they be capable of?
- Likelihood: How big of a risk is this to me now, based on who I am in the world?
- Your resources: What can I do to protect myself?
Next steps
☐ Work with your team to establish when and how you’ll discuss likely digital security risks. Make a plan to work through an assessment — even if briefly — with your editors and colleagues before you embark on a new story.
Do more
☐ Bookmark our article on risk assessment methods developed specifically for journalists and filmmakers. You may be surprised at the risks you haven’t considered.
Set your phone to prevent snooping
Your phone can share your information without your knowledge in many ways. In person, for instance, notifications sent to your home screen can be read by someone sitting next to you. At a distance, your location data may be visible when your phone delivers calls, sends and receives texts, and interacts with apps. The following steps will help you protect your devices from prying eyes near and far.
Start here
☐ Look through your phone’s settings app:
- Turn notifications completely off for apps you don’t need to hear from or, if you are an Apple user, adjust how your phone delivers them.
- Review your location settings. Check each app to make sure it is not reporting location data without your consent. Bonus tip: If you choose to allow access to your location when using an app, remember to close the app when not in use. To do that, swipe up to access your open apps and swipe up again on an app to close it.
- Revoke camera and microphone access for apps that don’t need it. Evaluate whether to keep apps that ask for unnecessary privileges.
☐ Keep notifications off your home screen temporarily by toggling to “do not disturb” mode.
☐ Delete any unnecessary apps. You can always reinstall them later.
Next steps
☐ On an updated iPhone, follow these steps to lock or hide an app. Doing so means that your apps will only be accessible with Face ID or your passcode.
☐ Set up a secondary phone for reporting. Purchase a relatively new model so that it still receives security updates. Only install the apps you need. Consider setting up new accounts (e.g., email, iCloud) for use only on this secondary device.
Protect your phone from unwanted access
Much of what can be known about you — who you communicate with, where you’ve been, what you’re thinking of purchasing, and so much more — can be gleaned from the contents of your phone. Here’s how to protect that information in case your device is lost or seized.
Start here
☐ Set an alphanumeric passcode on your devices that is longer than the six-digit minimum required. The longer the better!
- Follow these instructions if you use an Android.
- Follow these instructions if you use an iPhone.
☐ Deploy Full Disk Encryption by powering down your phone when entering a potentially dicey situation. It's enabled by default in current password-protected models of Android and iPhone.
Next steps
☐ Turn off access to Face Unlock when you cover a public action or a protest. Passcodes only! The easiest and most reliable way to disable biometrics is to restart the phone and keep it locked.
☐ If you’re an iPhone user who is at elevated risk, enable Lockdown Mode to maximize device security settings. Note: This may have a small impact on your use of the device.
Do more
☐ Learn more about the legal implications of using passcodes instead of Face Unlock when attending a public action.
Secure your communication channels
The contents of standard calls and texts are available to the phone company, making them vulnerable to legal requests. Meanwhile, metadata (or, data about the contents of our communications) reveals who we spoke with, when, and for how long, among other details, to companies from social media platforms to internet service providers. But there are steps you can take to keep the contents of your communications private.
Start here
☐ Protect the contents of your messages and those of your conversation partner, especially sensitive ones, with end-to-end encrypted communication apps.
- Download Signal, if you haven’t already. Signal encrypts the contents of your messages while retaining very little metadata. Read our guide to get started.
- Lock down WhatsApp, if you use it. WhatsApp is owned by Meta, a company known for collecting a lot of metadata about communications across its platforms. Upgrade WhatsApp security by turning off cloud backups, setting disappearing messages, and verifying your conversation partners’ accounts.
- Set up a Proton Mail account for sensitive email communication. Note: In Proton Mail, end-to-end encryption only works if all parties use Proton Mail or PGP.
Next steps
☐ While Signal’s defaults are already strong, you can harden the app even further. Check out our guide to locking down Signal.
☐ Take advantage of end-to-end encryption in Zoom. Note: AI notetakers are prevalent in online meetings. Consider making a policy for when these are allowed, along with a plan for what to do if an AI notetaker shows up uninvited.
Do more
☐ Use Mailvelope to encrypt your email messages.
Keep your documents safe
Your risk assessment might include adversaries who can subpoena the information you’ve stored with account providers (e.g., Dropbox, Google, iCloud). Follow these tips to move individual documents and folders to safer ground — for instance, locally, to your device — or leave a service provider altogether.
Start here
☐ Create bright lines around what sorts of information you would like to keep offline (e.g., interview transcripts with sensitive sources) and what information you’re OK with storing on providers’ servers (e.g., final copy for an article).
☐ Download and delete sensitive documents from cloud providers.
- Google: If you are ready to leave Google behind rather than deleting individual files, here is a protocol for exiting Google Cloud (note that Google’s policy says this “process generally takes around 2 months from the time of deletion”).
- Dropbox: Note the different steps for deleting a file or folder and for permanently deleting them.
- iCloud: Apple’s documentation says “files you delete from iCloud Drive are recoverable for 30 days.”
☐ Going forward, make a plan for where to store your sensitive documents. Your risk assessment can help.
Next steps
☐ If you’re an Apple iCloud user, turn on Advanced Data Protection to automatically encrypt many types of data (e.g., photos) before uploading them to iCloud.
☐ Invest in encrypted storage options like Tresorit.
Do more
☐ Learn what others can read when your documents are stored in Google Workspace, Apple’s iCloud, and any other service provider you use.
☐ Review transparency reports from Google, Apple, and Dropbox for insight into how they respond to legal requests for access to information. Learn how visible your data is when stored in Google Workspace and iCloud.
☐ Use VeraCrypt to encrypt files before uploading them to cloud storage.
Harden your computer’s security settings
Those documents you’ve downloaded are only as safe as the settings on your computer. Same for encrypted tools like Signal Desktop.
Start here
☐ Set a strong passphrase and store it in your password manager.
☐ Update your devices when prompted. These updates often contain patches for known security issues.
☐ Review your privacy and security settings. Make sure screen lock is enabled. Disable location services for apps that don’t need them.
☐ Enable Full Disk Encryption (FDE). Note: You’ll need to power down your device for encryption to work.
- On macOS, enable FDE in FileVault.
- On Windows Pro edition, enable FDE with BitLocker. If you don’t have Pro edition, consider getting it, or use VeraCrypt.
Next steps
☐ Configure your cloud backups.
- On a Mac: Use system settings to manage iCloud storage. Turn on Advanced Data Protection.
- On Windows: Follow these instructions to turn off OneDrive.
☐ Routinely back up your computer to an external hard drive.
- On a Mac: Back up files with Time Machine.
- On Windows: Back up files with File History.
Do more
☐ Read the New York Times guide on securing your Apple computer.
☐ Read the New York Times guide on securing your Windows computer.
Pull back your online data
Online harassment disproportionately affects journalists — especially female journalists. Statements made during the most recent Trump campaign indicate that harassing behavior toward the press will continue, if not increase. Here are our tips to help prevent and prepare for online harassment.
Start here
☐ Audit your social media posts.
- Delete any that could be used against you. Bonus tip: If you’re sentimental about your posts, download your Twitter/X archive before deleting them.
- Try the Privacy Party browser extension to help automate the deletion of your social media posts.
☐ Update social media privacy settings for your account and, where possible, individual posts.
☐ Google yourself to see what information has been indexed.
- Use the operators listed here to add qualifiers to your search.
- Follow these steps to de-index specific pages from Google. (Note: This will not remove the content from the internet altogether, but will make it more difficult to find).
☐ Review Yael Grauer’s Big-Ass Data Broker Opt-Out List and address the services marked as “crucial” and “high priority.”
Next steps
☐ Consider setting up a Google Voice number so that you can keep your actual phone number private.
☐ Start using an anti-data-broker service (e.g., Optery, DeleteMe).
☐ Find photos of yourself on the web using PimEyes, and consider filling out an opt-out request so others can’t easily do the same.
Do more
☐ Read this study from Consumer Reports that evaluates the efficacy of various data deletion services.
Protect your research with secure browsing
Your local browsing history may be visible to anyone who picks up your computer. Likewise, third parties (e.g., your ISP) can learn about your browsing habits by monitoring your web traffic. The good news is that there’s a lot you can do to minimize the risk.
Start here
☐ Make a plan for searching. Categorize your typical research pathways and figure out which ones need the most protection.
☐ Protect your browser from third-party trackers.
- Use the uBlock Origin browser extension to help remove potentially malicious ads.
- Use the Electronic Frontier Foundation’s Privacy Badger browser extension to prevent many types of tracking on the web.
- Remove unnecessary browser extensions. Some are malicious and may sell your data.
Next steps
☐ Learn what private browsing mode does and when to use it.
☐ Get started using a virtual private network to encrypt and tunnel your traffic to a remote location, making it harder for your ISP to monitor your behavior. We specifically recommend Mullvad, IVPN, Proton VPN, and Surfshark. Note: VPNs do not prevent websites from using cookies to track you.
☐ Use the Tor Browser for searches you prefer to keep as anonymous as possible. Tor, short for The Onion Router, is an anonymity network that bounces your traffic around the world.
Do more
☐ Read How the Internet Really Works (your local library may have a copy).
Avoid getting hacked
When you open a browser or app and then log into an account, you are accessing data stored on the servers of the account provider in question. That means the security of that data is in someone else’s hands. But you can do a lot to protect yourself from heartache with some tried-and-true measures.
Start here
☐ Set up and use a password manager. This will help you generate and store unique, random, and long passwords for every account.
- If you are just getting started, think about the accounts where you store your most valuable assets (your email accounts, bank accounts, and social media accounts just for starters) and spend a few moments ensuring they are protected with secure passwords that aren’t used anywhere else. Update everything else as you go.
- One of our recommendations, 1Password, provides free access for journalists. Visit https://1password.com/for-journalists/ to learn more.
☐ Enable multifactor or two-factor authentication, where a second set of credentials is required to log in (e.g., a six-digit code sent to your phone). Many large-scale hacks happen because MFA is not enabled on an employee’s account.
Next steps
☐ Invest in a security key (e.g., a YubiKey). We love them because they are highly resistant to phishing, keeping hackers out of your account.
☐ Use an authenticator app as well, in case you lose your security key. Google Authenticator and Authy are good choices.
Do more
☐ Read our advice column on the security of your passwords when using a password manager.
☐ Read our advice column on sharing passwords and two-factor authentication codes across teams.
Prepare secure tiplines for sensitive materials
Communication channels like text messages and email can be less than ideal for security when journalists receive sensitive materials. This vulnerability could also dissuade someone from reaching out with critical information. Here’s how to empower sources to contact you securely.
Start here
☐ Decide on your support team. They may be expected to triage tips and keep related devices/apps up to date. (For example, is this an individual, or an institutional tipline run by a team?)
☐ Consider who you want to be able to reach you, and what their likely security needs and capacities are. (For example, where might they be comfortable speaking?)
☐ Select the channels you’d like to support (e.g., Signal, WhatsApp, a self-hosted web form, SecureDrop).
☐ Identify which channels (e.g., traditional email, SMS text messages, X DMs, phone calls) you may discourage because they introduce elevated risk to sources, and which you will keep.
Next steps
☐ Decide where you will advertise your tip page (e.g., social media bios, social media posts, bylines, personal websites, in-line on institutional websites).
☐ Prepare preview cards/graphics for advertising your tipline, in case someone links it on social media.
☐ Reach out to our team about setting up SecureDrop, the anonymous whistleblowing system. Note that while there are exceptions, this is typically run by journalistic institutions, rather than individuals.
Do more
☐ Read our article on overcoming challenges when setting up Signal tiplines.
☐ Read our article on security considerations when setting up confidential tip pages.
☐ Read our article on using OnionShare to accept anonymous text and files.
☐ Check out our resources on source protection.