J-school security curriculum: Content updates!

Hi there!

It’s Evan, senior digital security trainer at Freedom of the Press Foundation (FPF), with our regular update on the U.S. journalism school digital security curriculum.

Before we dive in, a quick question for the professors out there: Are you interested in integrating digital security into your journalism students’ coursework? If so, register here for a free, virtual training program designed to help you directly deliver critical content from our U.S. J-school digital security curriculum.

Led by our team’s digital security experts, the program offers a unique opportunity for professors to gain technical knowledge, practice digital security training techniques, and build a plan to directly equip your journalism students with an essential digital security foundation. Focusing on the curriculum’s digital security 101 module, we’ll cover topics including risk assessment, account and device safety, and internet and communications security. No prior digital security experience is required!

The streamlined program will include four sessions tentatively taking place from 2:30 p.m. to 5 p.m. Eastern time on July 28, Aug. 4, Aug. 11, and Aug. 18, 2026.

We’ll cap the program at 15 participants to ensure that we can provide direct follow-up support to everyone, so register soon to lock in your spot!

J-school security curriculum update

• Speaking of the J-school curriculum, we’ve added fresh phishing examples to the digital security 101, authentication, and malware modules. These examples highlight sophisticated — yet increasingly common — phishing attacks leveraging popular services including social media platforms, video calls, and calendar services.

Highlights from digital security in the news

• Chat & Ask AI, a popular artificial intelligence application with over 50 million users, left hundreds of millions of its users’ private conversations exposed. Thanks to a widely known, yet still very common, misconfiguration of Google Firebase — a popular mobile app development platform — an independent security researcher was able to access the app’s database containing user files with a complete history of their AI chats. While the app’s developer fixed the misconfiguration after being notified by the researcher, the security lapse drew attention not just due to its scope, but also the nature of the content revealed by the breach. The exposed conversations included a wide range of highly sensitive queries that users shared with the app’s chatbot, including some regarding self harm, methamphetamine production, and techniques to hack other popular apps. Read more.

• Microsoft handed over encryption keys in response to an FBI search warrant early last year seeking to access data on three encrypted laptops in Guam. The laptops, which the FBI claimed contained evidence related to theft of COVID-19 unemployment funds on the island, were encrypted with BitLocker, the default disk encryption utility in Windows. The technology company had access to the keys to decrypt the devices because the targeted users stored their BitLocker encryption keys in their Microsoft cloud accounts. Against the advice of security and privacy advocates, this cloud-based storage option for encryption keys is the default option for BitLocker, leading many users to unintentionally leave the content on their device vulnerable to this type of legal request. Read more.

• Washington Post reporter Hannah Natanson’s devices were seized as part of a search warrant in connection with an investigation into a government contractor accused of illegally retaining classified materials. The raid on Natanson’s home, which ignored federal law and marked a significant escalation of the Trump administration’s attacks on press freedom, led to the confiscation of her iPhone, Garmin watch, and both a Post-issued and a personal computer. Analysis of public court documents, which describe how data on one of Natanson’s computers was made available to authorities after they required her to unlock it with her fingerprint, has placed a range of digital security tactics in the public spotlight. Read more.

What we’re reading

• Thanks to the heroic efforts of a whistleblower trapped inside a Southeast Asian scam compound, Wired published a spellbinding investigation detailing the sophisticated social engineering tactics and brutal coercion fueling efforts to bilk life-altering sums of money from thousands of people every year. A short paragraph can’t do justice to the intensity of the story, but it offers fascinating insights into the tactics behind this dark industry, and the risks associated with reporting on it — and leaking from within. Read the piece here.

As always, let our team know how you’re using the curriculum, what’s useful, and how it can be improved! Feel free to respond to this email or [email protected].

Thanks so much,
Evan

–

Evan Summers
Senior Digital Security Trainer
Freedom of the Press Foundation