First steps for online safety
Olivia Martin
June 1, 2023
A United States Parks Police officer records the crowd during a protest around the 2017 presidential inauguration of Donald Trump in Washington, D.C. Following the steps in our guide is the first step toward protecting your reporting data at high-risk moments like these. Photo by Mobilus In Mobili. CC BY-SA 2.0
As journalists contend with increasingly violent rhetoric and threats, they’re also seeking more support in fighting online harassment and doxxing. In fact, it’s now one of the most sought-after training topics from our Digital Security Training team. We’re also asked for guidance around protecting data, sources, and colleagues from escalating digital security threats both in the field and at home, with more media professionals working remotely.
Here, we’ve gathered resources that build digital security skills for all journalists, regardless of the sensitivity of their work. Of course, recommendations may shift to adapt to changes in technology and laws impacting it, and we suggest checking our Guides & Training resources often.
Threats to press freedom around the world are at an all-time high. Sign up to stay up to date and take action to protect journalists and whistleblowers everywhere.
Thanks for signing up for our newsletter. You are not yet subscribed! Please check your email for a message asking you to confirm your subscription.
Protecting your valuable data is an ever-evolving process. As your priorities and resources change, so, too, should your digital security plan. A risk assessment provides a simple framework to identify the threats to your data security so you can customize your defensive strategy.
Think of all the valuable data you store within online accounts: email, contacts, transcripts, cloud storage, device backups, and private messages in social media. It's a vast data ecosystem, and for journalists, it's one that requires extra care to make sure no third party can easily access it.
Check haveibeenpwned.com to see if your information has been involved in a recent data breach. Rotate any breached passwords, and don't reuse them on any other services.
A password manager is a tool that assists you in making strong and unique passwords for all your accounts so they cannot be easily guessed by a hacker. A password manager stores your passwords securely in an encrypted database, unlocked with one password that only you know.
Two-factor authentication is the other half of your account security solution. With 2FA enabled on an account, you'll be asked to enter a second method of authentication (typically a short numeric code) after your password. Only you have physical access to this second method of authentication, either through your phone or another piece of hardware.
Your devices are your gateway to the tools you need to get your work done. Software updates keep your operating system and the software you download running smoothly, and they often contain patches to vulnerabilities bad actors may try to exploit with malware.
Another simple way to harden your devices is to make sure you've enabled full disk encryption. Full disk encryption is a utility that scrambles all the data stored on your device as soon as you power it down. This means your data is rendered unreadable to anyone without your encryption key (typically unlocked with a password or passcode). If you store sensitive data on your device, especially if you bring your devices with you into the field, full disk encryption is essential.
Many journalists rely on their phones for core aspects of their newsgathering. However, sometimes apps erode user privacy by requesting unnecessary access to location data, your contact list, the clipboard, and so on. To make your phone safer for work, check your app permissions and dial the intrusive apps back.
2019 research published by security firm Avast lists some of the dubious app permissions requested by "flashlight apps" in the Google Play Store. Image: avast.io.
While you're there, make note of any apps that require suspicious levels of access to your personal data (like a flashlight app with permissions to record your calls) and, well, delete them immediately! These apps make money by selling your data to ad networks and, in some cases, companies under U.S. government contracts.
First, let's discuss which browser is right for your everyday browsing. Security-focused Chrome and privacy-respecting Firefox are two of the most popular browsers on the market. There's also Brave, which is based on Chrome's code, and has additional built-in privacy features. If you want to compare the privacy and security benefits of popular browsers supported on all major platforms, check out our guide to choosing a web browser.
Next, what should you add to your toolkit for riskier browsing and research? When you are on public Wi-Fi, or don't trust the owner of the website you're investigating, you'll want to power on a Virtual Private Network before you start browsing. A VPN will allow you to access websites without revealing your IP address, which may be associated with your approximate location.
With a VPN, you will appear as though you’re visiting from a remote server controlled by your VPN provider, possibly somewhere quite far away from you. Check out our guide to choosing a VPN.
When communicating over an end-to-end encrypted channel, neither the service provider nor eavesdroppers can read your message content. Image by the Electronic Frontier Foundation via Surveillance Self-Defense. CC BY
Between connecting with sources and discussing active investigations with colleagues, journalists need secure and private platforms for sensitive conversations. When a conversation covers sensitive topics, use end-to-end encryption to ensure that only you and your intended recipients have access to the content of your conversation.
There are a number of end-to-end encrypted platforms out there for secure messaging, voice calls, and video conferencing. No one platform is exactly the same in its implementation of end-to-end encryption. We recommend comparing apps based on how they handle conversation metadata (e.g., does the platform have access to my contact list? Can they keep track of who messages me, and when?) and their relative levels of accessibility (e.g., can my conversation partner download and make use of this app?).
Online harassment takes many forms. Doxxing (collecting a target's personal information and publishing it) and trolling (spouting abusive language and mockery about a target on a public forum) are among the types of online attacks aimed at journalists.
We're seeing online harassment used as a tactic to suppress journalists with growing frequency. Research into online harassment suggests that some reporters are more likely to be targeted based on their gender, sexual orientation, or ethnic background. We recommend that all journalists learn to anticipate the damage online harassment attacks might cause, and how to thoughtfully create a response plan before an incident occurs to help minimize it.
There's targeted support out there for journalists in need. FPF has developed resources to support journalists’ quickly-changing digital security needs, including for login security with passkeys, securing your home WiFi, and videoconferencing. Access Now maintains a 24/7 digital security helpline for journalists and other at-risk communities.
If you are a journalist or newsroom in a specialized situation that needs additional digital security support, reach out! Our digital security team provides consulting and training services, priced at a sliding scale.