The Digital Security Training team at Freedom of the Press Foundation works with news organizations to better protect themselves, their colleagues, and sources by upgrading their security posture. In an environment where journalists are increasingly under attack, experiencing targeted hacking, harassment, and worse, we want to see systemic change in the way news organizations learn about and address their digital security concerns. While journalists come from many professional backgrounds, one place we can most reliably address this need for digital security education systemically is within journalism schools, where students are already learning many of the skills they will need in a contemporary newsroom. We know many programs feel underprepared for education of this kind, so we built this curriculum to better support J-schools’ goals for digital security education.
Below, we have created modules responsive to a variety of digital security topics. We intend for this resource to be used by journalism professors and educators looking for a starting point for digital security education. Ultimately, it’s our hope that by tinkering with these materials, you might take advantage of the parts most useful or inspiring to you, and make this curriculum your own.
Unless otherwise noted, this curriculum is Creative Commons-friendly (CC-BY 4.0). With attribution, use or modify it as needed!
We offer two pathways for constructing your course: One, larger and customized for your needs, and a second that is a short workshop. Going through the README will help define how the modules below can be used.
How to get started using the U.S. journalism school security curriculum, a community project of Freedom of the Press Foundation.
Topics covered in this module: An introduction to threat modeling, authentication safety, device safety with full-disk encryption and password practices, safer browsing, and communication security.
Topics covered by this module: Why digital security is relevant to contemporary newsrooms, and what topics are covered broadly during the course. (Note that you will not use this module if you are not conducting an extended course on this topic.)
Topics covered in this module: An introduction to the concept of analyzing risk, and selecting an appropriate defensive strategy in response.
Topics covered in this module: Harassment tactics (e.g., calling SWAT teams to victims' homes; digital attacks on accounts), doxxing approaches (e.g., gathering publicly-available information), information gathering tools (e.g., data brokers), and data removal services (e.g., Abine DeleteMe).
Topics covered in this module: What data about peoples' activities is visible on the web and phone networks, who gets access, and under what circumstances.
Topics covered in this module: Types of user data available to U.S. law enforcement through legal requests to technology firms, the thresholds of evidence required for such requests to be considered valid in courts, and techniques for investigating the legal vulnerability of communication and file storage services.
Topics covered in this module: An introduction to security properties of communication channels (e.g., metadata versus encryption of content), and how they apply to several tools commonly used by U.S. newsrooms (e.g., Signal, WhatsApp, emails, PGP emails, SecureDrop).
Topics covered in this module: Legal and privacy considerations in cloud services, and tools for minimizing risk (e.g., Tresorit).
Topics covered in this module: An introduction to IP addresses, Virtual Private Networks, the Tor network, Tor hidden services, and cell phone location.
Topics covered in this module: An introduction to phishing attacks and password stuffing, as well as two-factor authentication tools and resources to aid in their use.
Topics covered in this module: Why password reuse is a threat, and how to use a password manager.
Topics covered in this module: Techniques for extracting information, underlying psychological principles, popular underlying software, and defensive tactics.
Topics covered in this module: Common techniques and channels for distributing malware (e.g., through malicious attachments), common functions (e.g., surveillance; monetary gain), and mitigation techniques (e.g., opening in rendering tools, as opposed to executing files).
Topics covered in this module: Information observers can extract from files (e.g., file metadata revealing content in a file), as well as risk minimization techniques, such as metadata removal.
Topics covered in this module: Full disk encryption, strong password protection.
Topics covered in this module: Technology used by law enforcement agencies for gathering information through photos (e.g., license plate readers, facial recognition), videos (e.g., "smart" street lights, body-worn cameras, Amazon Ring), audio (e.g., gunshot detectors) phone networks (e.g., via cell-site simulators), and analytics tools (e.g. predictive policing, video analytics software).
Topics covered in this module: Known U.S. intelligence surveillance capabilities (e.g., bulk copying of web traffic, monitoring of call records), abuses of power, and circumstances under which data may be gathered for foreign intelligence surveillance.
Topics covered in this module: How to conduct an analysis of the likelihood of an investigation, and risk minimization. The module also introduces data practices that may compromise source confidentiality based on previous public investigations; in particular, communication from work and inappropriate channels, workplace network and file-based logging, and other forensic techniques (e.g., analyzing printer dots and details in photos).
We encourage you to let us know what works and what doesn’t, so we can make it more useful to this community. We also have a monthly newsletter that will provide brief updates on the project — let us know if you'd like to sign up! https://freedom.press/contact
When we imagined materials we have personally found useful, we found inspiration from other projects that are also important resources for instructors:
This resource drew on the experience of countless people at the intersection of digital rights, journalism, and education. We particularly want to thank…
Image credit: Elisabeth Woldt. CC-BY-NC 2.0