It’s a fact of journalistic life that interviews sometimes need to be recorded. While we’d all love to keep infinite amounts of information stored safely in our minds at all times, that’s both impractical and unrealistic. So journalists often turn to recording tools to keep interviews for future reference. Before hitting the “record” button, though, it’s critical to think through the potential risks associated with capturing and storing audio or video, and to select context-appropriate recording tools and storage options.
In this article, we’ll help you navigate the complexities of recording tools and highlight popular options, assessing their suitability based on the level of sensitivity in your work. To do this, we’ll start by highlighting general security and privacy considerations for recording. We’ll then discuss specific questions to ask when considering local recording apps (meaning apps that save recordings only on your device) and recording options that leverage cloud services. Finally, we’ll provide guidance on how to assess these risk factors for popular recording tools in the context of high- and medium-risk scenarios.
Security and privacy considerations for recording
Building upon the core principles of a digital security risk assessment, it’s important to ground your decisions in an understanding of what you are aiming to protect and from whom. Similar to the questions you might want to ask yourself before transcribing an interview, the answers to the following questions will help guide you toward a decision of whether and how to record and, just as importantly, how to handle a recording once it exists:
- How critical is it to record this interview/conversation? Is it possible to achieve what you’ve set out to do without recording?
- Will you need to share the recording with any colleagues or other trusted individuals?
- Have you made it clear you are recording, and do you have consent from all involved?
- Have you made it clear where and how the recording will be saved, stored, edited, or shared?
- Does anyone being recorded need to be kept on background or anonymous in publication?
- How sensitive is the content of the conversation being recorded? Does it need to be kept completely private (and if yes, for how long)?
- What are the consequences of a breach of this information?
- Would you feel comfortable with any other parties having access to recorded information that you deem sensitive? For example, colleagues with whom you might share access to your device or accounts? What about entities (e.g., law enforcement) that may have the ability to compel such companies to share data?
As we can see with the list of questions above, there are a lot of factors to consider. And while each situation is unique, it can be helpful to walk through common scenarios to see how you can leverage your risk assessment to break things down and select an appropriate tool for the level of confidentiality that you need. As we walk through these scenarios, we’ll be highlighting the security and privacy pros and cons of a range of popular recording tools. We chose these tools based on our knowledge of the field and responses to an informal survey shared with journalist networks and across social media.
The most popular tools, for the most part, break down into two approaches: 1) local recording and 2) cloud-based recording options. Regardless of which direction you go, there are numerous questions to consider that will help guide you to an appropriate approach.
Local recording considerations
For local recording tools, you should ask:
- Does the recording tool or service have a good track record of security (e.g., if it is an app, does it receive regular security updates)?
- Are there features that enable you to back up the local recording to a cloud service and are they turned on? If so, do you have any protections in place to encrypt the data before it leaves your device?
- Are there any situations in which the content might need to leave your device (e.g., to share with a colleague or to be edited/processed)? And how would this change your approach?
- How can the tool be used with secure communications platforms, like Signal, for sensitive conversations?
- How secure is the device on which you are recording and storing content?
When thinking about device security in particular, it is important to consider a range of specific questions, including:
- What steps have you taken to secure the device and secure access to the recording itself on that device (e.g., setting strong passcodes and enabling full disk encryption)?
- Is the device at risk of theft or confiscation?
- Do you have a process to remove or delete sensitive content if you are in a particularly high-risk physical scenario?
- Are you keeping the device updated, staying vigilant about phishing, and otherwise doing what you can to limit the risk of malware?
Cloud recording considerations
For options that leverage cloud services, there’s an even broader set of considerations to keep in mind, including:
- Is it possible to enable two-factor authentication (a method of strengthening login security that requires a second piece of information beyond your password, such as a temporary code, to access your account)?
- How comfortable are you with a third party (e.g., a cloud recording and storage service or other hosting provider) having access to your recording?
- Does the service support end-to-end encryption, meaning that the service or hosting provider does not have access to your content as it travels through and is stored on their systems?
- If the third party has the ability to access the content of your recording or any associated metadata, do you know who at the company might have access to such data?
- Some services may technically have access to your data but commit to not looking at it. Are these reasonable enough assurances, given your context?
- What is the third party’s reputation regarding security and “good” or “bad” behavior when it comes to respecting customer data and privacy?
- What are the third party’s policies when it comes to complying with legal requests for customer data? Where is it and/or its servers located (i.e., in what legal jurisdictions)? Does it have a transparency report about how often it complies with such requests and from whom?
- If recording services make use of other third-party providers (e.g., a recording service storing its data on Amazon servers), are you comfortable with those other parties also having access? Does the service encrypt data at rest on those servers?
- How can the service be used with secure communications platforms, like Signal, for sensitive communications?
- How long are recordings retained by the service, and what happens if you attempt to delete a recording from its systems? Is it actually deleted?
These are a lot of questions! So to help make sense of them, let’s take a look at a couple of scenarios in which a journalist might need to record.
Recording in a high-risk scenario

High-risk scenario: You’re working on a highly sensitive story with a source who is leaking information from a government agency. While you are aware of the source’s identity, they must remain otherwise anonymous, and the contents of the conversation are considered highly sensitive. Your adversary is a government agency that frequently (and successfully) legally compels content from cloud storage providers, and has a track record of investing significant resources into leak investigations, including through digital surveillance.
In a situation like this, you’ll want to be incredibly careful about what you record and how you store it. Unless absolutely necessary, avoid recording at all, as an audio or video recording can be much harder to de-identify than, say, a well-secured notes document that doesn’t list an interviewee’s identity or include potentially identifying content. It is also critical in such a scenario to consider what methods and tools you use to speak with the source (not just the interview or recording itself), and to be aware of how communications and other forms of metadata could also lead to the exposure of your sources.
If recording is absolutely necessary, given the scenario, you’ll want to opt for an approach that allows you to record locally and keep the recordings stored on devices you trust. This removes the risk of a third party sharing the sensitive recording data (e.g., due to a law enforcement request) or leaking it (e.g., due to a data breach). If you need to store the recording in the cloud or back it up elsewhere (perhaps you suspect your device may be at elevated risk of confiscation and you’d like to remove any sensitive data from it), it is essential that the recording be encrypted before being backed up, or that you use a cloud service with end-to-end encryption. You should also delete the recording once you no longer need it, wherever it may be stored.
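As an added illustration (not part of the original article), here is one way to encrypt a recording on your own device before copying it to a backup location, using the openssl command-line tool. The function names, file names, and passphrase file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: encrypt a recording locally so that only ciphertext ever
# reaches a synced or cloud-backed folder.
# Assumes the openssl command-line tool (1.1.1 or later) is installed.
# Note: "openssl enc" gives confidentiality but no tamper detection; a tool
# with authenticated encryption (e.g. GnuPG or age) covers that as well.

# encrypt_recording <recording> <encrypted-out> <passphrase-file>
encrypt_recording() (
    src=$1; out=$2; passfile=$3
    [ -s "$src" ] || { echo "missing or empty recording: $src" >&2; exit 1; }
    [ -s "$passfile" ] || { echo "missing passphrase file" >&2; exit 1; }
    umask 077   # the encrypted file is readable by its owner only
    # The passphrase is read from a file so it never shows up in the
    # process list or in shell history.
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$src" -out "$out" -pass "file:$passfile" || { rm -f "$out"; exit 1; }
)

# verify_recording <recording> <encrypted> <passphrase-file>
# Succeeds only if decrypting the ciphertext reproduces the original bytes.
verify_recording() {
    want=$(openssl dgst -sha256 -r "$1" 2>/dev/null | cut -d' ' -f1)
    got=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$2" -pass "file:$3" 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# backup_recording <recording> <backup-dir> <passphrase-file>
# Encrypts next to the original, checks the round trip, and only then moves
# the ciphertext into the backup folder. Prints the path of the backup.
# The original recording is left in place; delete it separately once you no
# longer need it.
backup_recording() (
    src=$1; dest_dir=$2; passfile=$3
    tmp="$src.enc.tmp"
    encrypt_recording "$src" "$tmp" "$passfile" || exit 1
    if ! verify_recording "$src" "$tmp" "$passfile"; then
        rm -f "$tmp"
        echo "round-trip check failed; nothing was backed up" >&2
        exit 1
    fi
    final="$dest_dir/$(basename "$src").enc"
    mv "$tmp" "$final" && printf '%s\n' "$final"
)

# Usage (constructed paths):
#   backup_recording ./interview.m4a ./synced-folder ./passphrase.txt
```

Keep the passphrase file off the backup location; anyone holding both the encrypted recording and the passphrase can read it.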
Even without third parties involved, it is still critical to ensure the device you are using is properly secured. If recording locally, the security of your device itself becomes paramount. After all, an infected, confiscated, or otherwise compromised device could render the relative security of local recording completely moot, and we know in a scenario like this that your adversary may be targeting you physically or digitally in an attempt to gain control over your device. To help mitigate these risks, be sure to keep your device updated (and any software and applications on it), remain vigilant about phishing attacks, be careful when handling attachments and unknown external devices, make use of default antivirus tools like Windows Defender, turn on full disk encryption, set a strong device password, and make a plan for how to reduce risk before taking your device into a potentially risky scenario or location.
Given the high-risk context of a scenario like this, where you’ll want to record locally, let’s assume the conversation you are looking to record is either happening in person or through an end-to-end encrypted communications app. So, how might some of the most popular local recording approaches fare in this situation?
A look at some popular local recording options
According to our survey, a lot of journalists make use of default recording apps built into their smartphones. For iPhones, this is the Voice Memos app. For Google Pixel phones, the Recorder app comes preinstalled. Both of these apps receive regular security updates through the App Store and Google Play stores, respectively, and come from reputable developers. However, if using these apps for a sensitive story, be sure you are not backing up recordings to Google Drive or Apple’s iCloud.
With Google’s Recorder app, by default, your “audio never leaves your device.” But it is quite easy (and often encouraged through the app’s user interface) to link the app with your Google account and enable backup and sync. If you do this, your recordings would be saved in the cloud and accessible to Google, to any law enforcement entities it may be compelled to share data with, or to anyone else who might have access to your Google account. To avoid this, the best option is to use Recorder without a Google Account, which you can enable by following these instructions. If you do have your Recorder connected to a Google account, make sure the “backup” is turned off.
For Apple’s Voice Memos, the same principles apply. Recordings can be stored exclusively on your device, but the Voice Memos app by default is set to sync with iCloud. Unless you completely turn off iCloud sync and all forms of iCloud backups, you are probably syncing your recordings with iCloud. The good news is that Apple allows users (except for those based in the United Kingdom) to turn on “Advanced Data Protection,” which enables end-to-end encryption of all data stored in your iCloud account (preventing Apple itself from having access to the content of your recordings and potentially being compelled to share them). Advanced Data Protection is not enabled by default, however, so if you plan to use Voice Memos for sensitive conversations, we strongly recommend that you enable it by following these steps.
Recent iPhones on iOS 18 and later also have a call recording feature that enables you to record FaceTime audio calls. This convenient feature works by recording and saving the audio and a transcript of your conversation to the Notes app. At that point, the data backup concerns are very similar to those regarding Voice Memos described above. If you want to use this feature while ensuring that the content of your recordings is kept only locally on your device (or at least not accessible to Apple), you’ll need to disable iCloud sync and iCloud backup (or turn on Advanced Data Protection as described above). All of that said, while the content of FaceTime calls is end-to-end encrypted, keep in mind that Apple does collect and retain limited information about them, including who is calling whom, for up to 30 days. So if you are concerned about Apple even temporarily having a record of you having spoken with your source (as identified through your Apple-associated email address and phone number), then FaceTime would not be an appropriate choice. Also, be aware that this Call Recording feature can be used to record regular phone calls, which would not be appropriate in this high-risk context, given that they are fully unencrypted.
There is one significant additional limitation to the aforementioned apps, which is that (aside from iPhone’s Call Recording feature) they are not designed to record live calls. Just as importantly, none of these options are designed to work with cross-platform, end-to-end encrypted options like Signal, your likely communications app of choice in this high-risk scenario. So, if you are unable to conduct the interview in person and instead have to rely on an end-to-end encrypted call, you will need to have one of these recording apps available on a separate device that records the conversation over the air (or use a traditional physical voice recorder).
While this may lead to limited audio quality, one of these options may suit your needs, given that none of the audio is intended for public use. If audio quality is of greater concern, then consider recording the call using audio cables and a mixer. If you do this, be sure to keep in mind the privacy and security ramifications of any additional software you may be using to process the audio.
While other popular recording apps feature the ability to directly record phone calls and some voice over internet protocol (VoIP) calls on a mobile device, none that we researched offer exclusively local storage and the ability to work with end-to-end encrypted apps like Signal or WhatsApp. There are also a lot of such “call recorder” apps out there, some of which have very poor security track records, so even in less-sensitive environments, you should think twice about downloading and using them.
One other popular option to consider if your highly sensitive interview must occur remotely (although it comes with significant flags and caveats) is Zoom. While not possible on mobile, the desktop Zoom app allows you to record calls locally. For Zoom to make sense in this high-risk scenario, you would need to enable end-to-end encryption (which requires that you have a phone number connected to your Zoom account), be sure to select end-to-end encryption for the call in question or enable it as the default for meetings created from your Zoom account, and ensure that you select “local” recording instead of recording to the cloud. This is, of course, more complicated than a call on Signal, and hence likely a last resort in such a high-risk context.
Recording in a medium-risk scenario

Medium-risk scenario: You’re working on a story to expose instances of workplace discrimination at one of the major employers in your town. Your source is an employee at the company, who hopes to remain there for at least a few more years while they work to put their kids through college. In the wrong hands, the identity of the source and the contents of your conversation with them could get them fired. Your adversary is the company itself. Due to its limited resources, the company is unlikely to undergo an exhaustive leak investigation (one that might risk racking up significant legal fees), except in cases that could jeopardize its existence. It is, however, suspected to regularly engage in technical surveillance of employees.
While the local recording options for a high-risk scenario can also work for this scenario, here you can consider a wider range of options, including those that rely on cloud storage, given the lack of concern about your adversary legally compelling data from a third-party service. However, given this adversary’s still significant financial resources and technical expertise, it’s critical to only make use of options that let you strongly protect your account on the front end with two-factor authentication, that protect recording data with in-transit encryption, that encrypt data at rest on their servers, and that have a strong security and privacy policy and reputation. After all, a hack or data breach of the third-party system could still cause serious harm in this scenario. This goes for both the recording tool you use and the underlying method of communication (assuming the interview occurs remotely and not in person).
Popular cloud recording options
The vast majority of respondents to our survey mentioned they use recording features built into Zoom, Microsoft Teams, or Google Meet, or use Otter.ai or Rev. The good news is that these options meet the security criteria listed above for this medium-risk scenario: two-factor authentication, encryption in transit and at rest, and clearly articulated privacy policies. For more details about Otter.ai and Rev, in particular, you can check out our article on transcription services.
While these are likely suitable options for this type of scenario, it is also important to keep in mind that your risk environment can change. What if the company that your source works for suddenly has a particularly cozy relationship with law enforcement, or otherwise finds itself in a position to influence or compel one of these third parties to hand over your sensitive recordings?
In a situation like this, it’s probably a good idea to delete any recordings you’ve saved to the cloud. Rev claims on its website that “when you delete a file it is permanently removed from our servers, and we will no longer be able to retrieve it for you,” and Otter.ai has responded to previous queries from Freedom of the Press Foundation (FPF) in similar fashion. When deleting a recording from Zoom (via the web portal), Google Meet (from Drive), or Microsoft Teams (from OneDrive), the file first moves to a trash bin where it remains for 30 days (or up to 93 days in the case of Microsoft work or school accounts) before being permanently deleted. You can manually empty your trash/recycle bin to permanently delete the recording from your accounts sooner, but at least in the case of Google, note that it can take up to 180 days for data to be completely deleted from their systems after it has been emptied from the trash.
Wrapping up
Hopefully, this guide provides a useful framework to help you think through the myriad considerations that come with recording interviews. Remember, the core principles of a digital security risk assessment should always be your foundation: Understand what you’re protecting and from whom. Always ask yourself critical questions about the necessity of recording, consent, anonymity, sensitivity of content, and third-party access. While we’ve outlined high- and medium-risk scenarios and popular tools like default phone recorders, Zoom, Google Meet, Microsoft Teams, Otter.ai, and Rev, these are just examples. Every journalistic context is unique, and your approach to recording should be tailored to your specific situation. If you have further questions or need personalized guidance, please don’t hesitate to reach out to our digital security training team.