Security and privacy tips for journalists in a moment of turbulence


Digital Security Trainer


A US Parks Police officer records observers at a J20 protest in DC, while a group of protesters is kettled across the street. Photo by Mobilus In Mobili. CC BY-SA 2.0

The environment in the U.S. surrounding digital security threats to journalists is evolving. The country navigates a presidential election in the midst of a pandemic, all while another wave of protests has journalists out on the streets, facing violence, arrest, and retaliation while covering the fight for racial justice and accountability. What should journalists do to better protect themselves, sources, and colleagues from escalating digital security threats?

A little less than four years ago, we published some tips to bolster journalists' digital security during Trump's imminent presidency. We forecasted that the coming years would be challenging and dangerous ones for journalists in the United States. That forecast proved true within days of Trump's inauguration, when nine professional journalists were arrested on felony rioting charges while covering the J20 protests in DC.

Arrestees' devices were confiscated, and text messages extracted from their mobile phones were used against them in court. It would be almost a year and a half into Trump's presidency when the final charges against those journalists were dropped.

While many of the hazards threatening journalists' ability to protect their data are the same in 2020 as they were in 2017, we've also seen novel threats become weaponized with greater frequency and severity. In the sections that follow, we provide updated resources for journalists weathering digital threats in 2020 and beyond.

The resources provided cover what our digital security team considers relevant skills for journalists, regardless of the sensitivity of their work. However, as with any topic involving technology, recommendations may shift to adapt to changes in technology and the laws impacting it.


Table of contents:

  1. With storytelling "going remote," it's time to reconsider your digital security plan
    1. The bottom line: Your risk assessment and security plan
  2. Worried about account hacking? Use a password manager and two-factor authentication.
    1. The bottom line: Account security
  3. Take care of your computer. Run your updates and protect data on your devices with encryption.
    1. The bottom line: Desktop security
  4. Boost the security and privacy of your mobile phone with a few tweaks.
    1. The bottom line: Mobile security
  5. Surfing the web? Researching a story? Create a privacy and security toolkit for all your browsing
    1. The bottom line: Browsing privacy and security toolkit
  6. End-to-end encrypt your conversations whenever possible
    1. The bottom line: Communication security
  7. Worried about staying safe online? Learn how to prevent and respond to online harassment
    1. The bottom line: Online harassment prevention and response
  8. Supporting journalism in 2020 and beyond

With storytelling "going remote," it's time to reconsider your digital security plan

Many newsrooms have now gone remote in order to protect their employees from the spread of COVID-19. The pandemic has also exacerbated economic tensions in the industry; many local outlets have shuttered permanently, or merged with media conglomerates.

These material changes pose challenges to journalists, who must now devise new methods to seek out sources and collaborate with teammates, without eroding their physical safety and digital security.

The bottom line: Your risk assessment and security plan


Worried about account hacking? Use a password manager and two-factor authentication.

Think of all the valuable data you store within online accounts: Email, contacts, transcripts, cloud storage, device backups, and private messages in social media. It's a vast data ecosystem, and for journalists, it's one that requires extra care to make sure no third party has wanton access to it.

Without a strong account security practice, you are at a higher risk of losing control of an account through one misstep, like clicking on a suspicious email link, or downloading malicious software. It can also happen from factors outside of your control: Hackers attack online services all the time, and sometimes walk away with user passwords they can abuse and distribute.


You can check haveibeenpwned.com to see if your information has been involved in a recent data breach. Rotate any breached passwords, and don't reuse them on any other services.

A password manager is a tool that assists you in making strong and unique passwords for all your accounts. A password manager stores your passwords securely in an encrypted database, unlocked with one password that only you know. When all your passwords are strong and unique, they can't easily be guessed by a hacker.

Two-factor authentication (2FA) is the other half of your account security solution. With 2FA enabled on an account, you'll be asked to provide a second method of authentication (typically a short numeric code) after your password before getting into your account. Only you have physical access to this second method of authentication, either through your phone or another piece of hardware.

The bottom line: Account security

  • Use a password manager: Online password managers LastPass and 1Password are user-friendly tools best for users who need a convenient password management solution. Users who prefer to keep their credentials offline can use the free and open source tool KeePassXC. Learn how to choose the best password manager for your needs.
  • Enable 2FA: Get guidance on enabling 2FA on your accounts at twofactorauth.org. Avoid SMS (text message) authentication whenever possible, and opt for app-based options Google Authenticator or FreeOTP, which can deliver your one-time login codes more safely. With a track record as the most secure 2FA option, hardware-based solutions like a YubiKey can be used on a growing number of popular services.
  • Don't get phished: Follow the recommendations in our phishing prevention guide, and spread anti-phishing tips across your organization. Share the information your teammates need to avoid being the "weakest link."


Take care of your computer. Run your updates and protect data on your devices with encryption.

Your devices are your gateway to the tools you need to get your work done. Software updates keep your operating system and the software you download running smoothly, and they often contain patches to vulnerabilities bad actors may try to exploit with malware.

Another simple way to harden your devices is to make sure you've enabled full disk encryption. Full disk encryption is a utility that scrambles all the data stored on your device as soon as you power it down; this means your data is rendered unreadable to anyone without your encryption key (typically unlocked with a password or passcode). If you store sensitive data on your device, full-disk encryption is essential.

The bottom line: Desktop security

  • Keep your desktop operating system and apps up to date. While you're at it, enable automatic updates whenever possible.
  • Enable full-disk encryption on your computer: If you have a Mac, enable FileVault. If you’re on a PC running Windows 10 Pro, enable BitLocker. (Unfortunately, Windows 10 Home users do not have access to the software needed for full-disk encryption without upgrading their license.)


Boost the security and privacy of your mobile phone with a few tweaks.

The first steps toward hardening your mobile phone are simple. The practice, and the reasoning behind it, is nearly identical to the desktop security practice above — with the added step of restricting the personal data you share with apps.

Many journalists are reliant on their phones for core aspects of their newsgathering. We also use our phones to download and use apps that erode user privacy by requesting access to your location data, contact list, clipboard, and so on. To make your phone safer for work, check your app permissions and dial the intrusive apps back.


2019 research published by security firm Avast lists some of the dubious app permissions requested by "flashlight apps" in Google's Play Store. Image by avast.io.

While you're there, make note of any apps that require suspicious levels of access to your personal data (like a flashlight app with permissions to record your calls) and, well, delete them immediately! These apps make money by selling your data to ad networks and, in some cases, companies under U.S. government contracts.

The bottom line: Mobile security

  • Keep your mobile operating system and apps up to date. Enable automatic updates to keep you on track.
  • Enable full-disk encryption on your mobile phone: iOS devices are full-disk encrypted by default, so iPhone users are already covered. Depending on what type of Android device you're using, you'll want to enable "full-disk encryption," "file-based encryption," or a similar variant in your security settings.
  • Review your app permissions: iOS users can go to Settings>Privacy and review what assets you've shared with each app you have downloaded. Android users can check permissions on a per-app basis by long-pressing an app icon on your homescreen and dragging upwards to reveal App Info>App Permissions.


Surfing the web? Researching a story? Create a privacy and security toolkit for all your browsing

First, let's discuss which browser is right for your everyday browsing. Security-focused Chrome and privacy-respecting Firefox are the most popular browsers on the market. There's also Brave, which is based on Chrome's code, and has additional privacy features built-in.

Next, what should you add to your toolkit for riskier browsing and research? When you are on public Wi-Fi, or don't trust the owner of the website you're investigating, you'll want to power on a Virtual Private Network (VPN) before you start browsing. A VPN protects your web traffic on untrusted networks (e.g., cafe or hotel Wi-Fi, or a network you share with a rotation of housemates) by routing your requests through an encrypted tunnel that can't be accessed by whoever is in control of the network you're currently on.

VPNs also grant you location privacy while you're researching. With your origin obscured from the greater internet, your requests will appear as though they're coming from a server controlled by your VPN provider, sometimes located thousands of miles away from you.

The bottom line: Browsing privacy and security toolkit

  • Tweak your browser's privacy and security settings: Consumer Reports' Security Planner guides you to where you can adjust your settings in any recommended browser. As a start, we recommend disabling third party cookies, and reviewing when your browser can access your camera and microphone.
  • Download recommended browser extensions: Download HTTPS Everywhere to ensure that your connection with a site is secured with encryption whenever possible. Privacy Badger is a powerful tracker blocker, and works well in tandem with an ad blocker like uBlock Origin (you can always make exceptions for your favorite news orgs that rely on ad revenue).
  • Choose the right VPN for you: Invest in a trustworthy VPN provider. Our guide details what technical and policy indicators make up our minimum standards for "trustworthy" VPNs. If you already have some background on this topic, you can jump to our shortlist. For more guidance, Wirecutter also has a solid framework for determining their recommended VPNs.


End-to-end encrypt your conversations whenever possible

Between connecting with sources and discussing active investigations with colleagues, journalists need secure and private platforms for sensitive conversations. When a conversation covers sensitive topics, use end-to-end encryption to ensure that only you and your intended recipients have access to the content of your conversation.

There are a number of end-to-end encrypted platforms out there for secure messaging, voice calls, and video conferencing. No one platform is exactly the same in its implementation of end-to-end encryption. When deciding between two platforms, we recommend looking at how each platform handles conversation metadata (e.g., does the platform have access to my contact list? Can they keep track of who messages me, and when?) and accessibility (e.g., can my partner download and make use of this app?).

The bottom line: Communication security

  • Call and message securely: Use Signal for end-to-end encrypted messaging and one-to-one calling (group call support coming soon, too!). WhatsApp is a popular alternative with end-to-end encryption and support for group calls; however, WhatsApp's parent company, Facebook, is much more nosy about your usage metadata. Read our beginner- and security-focused guides for Signal. WhatsApp users can follow Martin Shelton's guide on upgrading its security.
  • Use a secure video conferencing platform: There's a lot of competition in the video conferencing space, so we recommend starting with our overview. Zoom recently rolled out end-to-end encryption for all users, but you'll have to enable it in your settings first. Jitsi Meet isn't end-to-end encrypted, but provides a free service for ephemeral meeting rooms.
  • Consider an end-to-end encrypted alternative to Slack (or Microsoft Teams): Use Wire as a secure alternative for team messaging and voice/video calls. Learn how to get started.


Worried about staying safe online? Learn how to prevent and respond to online harassment

Online harassment is an overwhelming and worrying topic, especially to those who have experienced it, or those who are at a higher risk of being targeted than their peers. You can skip this section and head straight to the conclusion if you need a break, and return later.

Online harassment takes many forms. Doxxing (collecting a target's personal information and publishing it) and trolling (spouting abusive language and mockery about a target on a public forum) are some of the most common attacks aimed at journalists. Regardless of the form of attack, all online harassment has the goal of causing a person either emotional, economic, or physical harm.

We're seeing online harassment used as a tactic to suppress journalists with greater frequency. Research into online harassment suggests that some reporters are more likely to be targeted based on their gender, sexual orientation, or ethnic background. We recommend all journalists know what to do to prevent the damage online harassment attacks might cause, and how to thoughtfully create a response plan before an incident occurs.

The bottom line: Online harassment prevention and response

  • Read PEN America's Online Harassment Field Manual. With broad-reaching resources for journalists, witnesses/allies, and newsroom managers, this is an essential text for those who want to learn how to prevent and respond to online harassment from personal and collective perspectives.
  • Make use of resources from the International Women's Media Foundation (IWMF). Female-identifying journalists can turn to IWMF for an online training on spotting trolls, one-to-one consultation if you're facing harassment, and connections for newsroom-wide preventative training.
  • Learn "how to dox yourself on the internet" from security trainers at The New York Times. Informative resources straight from NYT's information security team include a preventative guide to take stock of your personal information online, and a checklist for ideal privacy and security settings for social media accounts.


Supporting journalism in 2020 and beyond

In the face of these digital threats and historic change, journalism in the public interest persists. We've seen some remarkable stories come out of this time, from reporting on Donald Trump's tax returns, to medical whistleblowing on forced sterilizations in ICE detention centers, and ongoing revelations in the #MeToo movement.

In addition to general purpose resources like this one, there's targeted support out there for journalists in need. FPF has developed resources to support the changing digital security needs of journalists during the pandemic. Organizations like the Committee to Protect Journalists have started initiatives to fund local newsrooms reporting on press freedom and the movement for Black lives. And Access Now maintains a 24/7 digital security helpline for journalists and other at-risk communities.

If you are a journalist or newsroom in a unique situation that needs additional digital security support, reach out! Our digital security team provides consulting and training services, priced at a sliding scale.
