Journalists can protect themselves and their sources by communicating through secure messaging apps, keeping public information under wraps and using a reliable VPN. I recommend ExpressVPN, which you can try for free a 30-day money-back guarantee.
The internet is a dangerous place, but journalists face unique risks. That’s why I’ve put together this online privacy guide for journalists to help guide you through the proper precautions to take.
It’s not enough to say that journalism can be dangerous. On average, a journalist is harmed every five days for bringing information to the public.
- Best VPN for journalists
We encourage all journalists to keep their digital lives separate from their professional and personal activities. This guide will outline some of the best practices for journalists who want to protect their privacy and stay safe online.
How can journalists protect themselves online?Journalists should avoid sharing their private information online, encrypt their internet connection for secured online activity, secure sensitive files and instead try to use a designated secure system to communicate with sources and others in the field.
How do journalists protect sources?When sharing sensitive data, journalists should use anonymous communication methods or stick to instant messaging on platforms with strong encryption that don’t sell user data.
Do journalists use Tor?Journalists can use Tor for better online security while browsing online. It takes just a few minutes and should be used with a VPN and secure connection.
Why is digital security important for journalists?Journalists are seen as threats by totalitarian governments and run the risk of harassment, having private conversations hacked and even suffering violence. Their private communications can be leaked to local authorities or malicious hackers. Learn more in the digital security guide.
Tips for Staying Safe: Online Privacy Guide for Journalists
The digital surveillance dystopia is real. Technological advances make it increasingly difficult to stay secure on the internet, especially if you’re a journalist searching for the latest scoop. But it isn’t an impossible affair.
Here are some basic precautions you can take to safeguard your privacy online:
- Stay anonymous while investigating online by using privacy protection tools like VPNs, encryption and TOR browser.
- Protect your sources by using secure channels to communicate and exchange critical information.
- Protect your own privacy by limiting the amount of public information available about you.
Keep reading to learn about each of these in more detail.
Online Privacy Threats to Journalists
When you consider that professional journalists have both high profiles and access to a variety of sensitive information, it becomes clear why they are such popular targets.
Journalists are at risk of being targeted by state-sponsored actors looking for sensitive information, hacktivists looking to make a point, criminals seeking monetary gain, and even malicious harassers or enemies with an ax to grind.
According to the United Nations, “threats to the safety of journalists, far from abating, have taken new forms in the digital age, especially for women journalists.”
Of course, the journalists themselves are not always the direct target: The sources who provide them with information often face similar threats. Let’s look at some of the most common online privacy threats faced by journalists worldwide.
How To Stay Anonymous While Investigating
Before we get into the nitty-gritty of how to stay anonymous while doing journalism, it’s important to wrap our minds around the power of anonymity in the age of information.
Privacy is more than just a nice thing to have. It has become crucial in our digital age as life increasingly moves online. From your credit cards and bank accounts to your political beliefs, if there’s a piece of sensitive information about you, someone powerful probably wants it.
Staying anonymous is especially crucial for journalists covering controversial or sensitive topics. Journalists can maintain their online privacy by taking the following steps.
Reduce Your Attack Surface
If you are conducting a digital investigation, it’s critical to limit the number of places where people can get information about you.
Install the bare minimum of apps and services on any device you use for journalism. The fewer doors are open for attackers to come in, the better. That also means limiting where you sign into accounts that might be linked to your name.
For example, if you’re using an iPhone or Mac, don’t sign in to iCloud. It’s safer to assume that operating systems belonging to big corporations like Apple have their own tracking methods. Plus, iCloud backups are stored unencrypted on Apple servers and can reveal all kinds of personal information about your life (including chats).
If you need to back up your device, make local backups to other devices, or use a secure cloud backup service. Some of the best services include Sync.com and pCloud.
If you’re going to use email or messaging apps on your phone, consider setting up a new account that’s not associated with your real name.
Encrypt Your Devices
In the past few years, there have been several reports of journalists and human rights workers having their phones and laptops confiscated and searched for incriminating evidence. Cyberattacks have also been launched on news agencies.
You can protect yourself by encrypting your devices. You can use full disk encryption (FDE) for this purpose. If you write anything sensitive on your laptop — like an investigative story about corruption in your government — you should definitely use FDE.
FDE refers to encryption at the hardware level, which automatically converts data stored on your devices to encrypted communications or files. If anyone confiscates or steals your device, they’ll have no way to read your secure communication.
Set Up Passcodes
Setting up passcodes for your devices is one of the simplest but most effective steps you can take to protect your data, especially in the case of theft. It’s not as secure as an FDE, but you can rest assured no one will come snooping around sensitive files on your desktop or phone as long as you have a strong passcode set up.
It won’t stop a determined hacker from reading the data on your laptop. But it will prevent someone who may have stolen your device from getting access to the sensitive data. A good idea is to have back-ups enabled for the data on your phone, so in such a case, the only loss you face is the device but not the information on it.
Use a VPN
If you’re using a VPN (virtual private network), you can rest assured that nobody can see your activity as you travel through the web. Don’t rely on private browsing mode since all that does is hide your history.
A VPN routes your online traffic through one of its servers, encrypting it along the way. Doing so hides your IP address and location from your internet service provider (ISP) and any other prying eyes. This makes your online investigations completely anonymous.
With a VPN, nobody will be able to see who you are as you gather information for your latest story. That’s why it’s important you use the right ones. Premium VPN providers have solid security measures in place as they take their users’ privacy seriously.
This can help reporters and journalists in two important ways:
- Avoiding censorship
- Avoiding government surveillance
For journalists, the safest VPNs would be those not located in any of the “14 Eyes” security alliance countries. VPNs that fall under these jurisdictions are obligated to work with intelligence networks that can collect and share information of VPN users. As a journalist, you should do your research and pick one that is not part of any intelligence-agency alliance.
You can get started with a free service like Windscribe or ProtonVPN, but I recommend going forward with ExpressVPN or NordVPN, the premium VPNs in the market. They come packed with powerful security features and are all-rounders performance-wise compared to the free VPNs. Your security is no place to cut costs.
Use Tor Browser
If you’re investigating people online, a good VPN service will protect your browsing history and IP address, but the VPN still has your browsing information. That’s why you need to use the Tor browser in addition to your VPN service. Learn the difference between VPN and tor in the VPN vs tor vs proxy guide.
Tor is a network of servers that bounce your encrypted internet connection traffic around the world so that no one can track it back to you, not even your VPN.
Tor encrypts your traffic multiple times and sends it through randomly selected nodes on its network before delivering it to its destination server. This means not even the exit node (the final node before your data reaches its destination) can see what you’re doing.
Another great feature of Tor is that if someone were to gain access to your device while Tor was running, they wouldn’t be able to see what sites you were visiting.
However, Tor is not without its risks. Tor has some volunteer-controlled nodes that aren’t exactly high-security. These nodes might be managed by people who use them with malicious intent — to spy on users in the Tor network or even get malware onto their devices.
You wouldn’t want to push your luck when using Tor for sensitive matters, which is why it’s absolutely essential you use Tor together with a VPN.
Tor is free and open-source software and can be used on any operating system. It can also be used in conjunction with a VPN for an added layer of security, though some VPN providers don’t allow this practice. Tor can be downloaded from torproject.org.
If you use a VPN with Tor, make sure your VPN provider allows Tor Over VPN connections. Such VPNs include:
- Private Internet Access
Use an Alternative Search Engine
In an ideal world, you could trust your browser to keep your searches private. In the real world, it’s not quite so simple.
Not only do browsers like Chrome and Safari collect data about your browsing habits, but the search engines themselves do too, especially Google. This can be a problem if you’re researching sensitive stories or information.
Luckily, several alternative search engines out there will allow you to browse with more privacy.
DuckDuckGo is by far one of the most popular and trusted options today. It doesn’t keep any logs of its users’ activity or try to personalize search results based on previous searches they’ve made while using it, which means that no one else can track what your search history.
Other alternatives include:
You can make sure your browsing is secure by regularly deleting your DNS cache, disabling HTML web storage, and turning off location tracking on all your browsers.
How To Protect Your Sources
Protecting your sources is your responsibility. You should have their online safety covered from A to Z, so they don’t face any danger while helping you with your work. Here’s how you can keep your sources away from any threats.
Only Communicate Through Encrypted Channels
When you’re out reporting the news, you need to be careful about what information your sources share with you. They might be at risk of harm or job loss if their identities are revealed publicly. What can a journalist do to protect their sources?
Going with phone calls through landlines or a regular mobile phone is dangerous. All phone operators and ISPs even have basic tracking technologies that enable them to keep tabs on your communications in case the authorities ever request them. Using secure messengers is your best shot.
You can use end-to-end encrypted messaging apps like ProtonMail and a secure call service like the Telegram or Signal app. These products let people keep their identity hidden from everyone except for the person they’re messaging. If someone tries to access your communications with a source, they’ll just see gibberish characters.
Other alternatives include Pidgin and Adium, which support Mac and Windows instant messaging clients for off-the-record encryption.
Avoid WhatsApp or Facebook Messenger, as they are both owned by Facebook (now Meta), a global powerhouse with a poor record of respecting privacy. Make sure that end-to-end encryption is enabled every time you use these apps so that all of your communications are protected with the strongest security technology available today.
Whether you’re planning to publish secret military files or covering just a local story about a business scam, you can rest assured the encrypted messages stay safe.
You can even go old-school and connect using a burner cell phone. That way, authorities can’t track you through your cellular network signals once you dump the phone.
Don’t Meet In Public
If you need to meet a source, assume you’re being surveilled anywhere in public. Find an out-of-the-way meeting spot where the two of you can talk.
Preferably, it will be somewhere indoors and not visible from the street. You can scout it for cameras beforehand if you wish to take an extra measure of caution. Don’t tell anyone where you’re going to meet or who you’re meeting. Don’t walk there together. If possible, don’t even be seen near each other.
When it comes time to leave, go separate ways immediately after saying goodbye. I know this might sound like a page out of a neo-noir crime thriller, but this is a reality for many journalists in the real world who deal with sensitive sources.
Talk to Your Sources About Privacy
When securing a source for your latest article, the first thing you should cover is their privacy and security. Your sources won’t be willing to work with you if they feel that you haven’t got the measures in place to protect them.
Remind your source to take measures that will make it harder for anyone to connect them with the information they’re giving you.
You don’t want a source who encrypts their emails with you but then uses an unencrypted email address when communicating with others about the same topic; this makes it easy for law enforcement or other agencies to figure out who your source is.
Make sure to educate your source on the kind of privacy measures you’re taking so they can do the same to protect themselves.
Protect Your Credentials
It’s no surprise that passwords are absolutely essential to your online security. From your emails and bank accounts to something as simple as your Netflix subscription, passwords control the game and are pivotal to accessibility.
It’s no wonder then that password security is taken for granted. In fact, 50% of users use the same password for all their accounts. Hackers and online criminals often take advantage of this staggering statistic.
All the security measures in the world are useless if one of your adversaries can get into your online accounts — which they can if you don’t set up two-factor authentication (2FA).
This means that when you (or someone pretending to be you) logs in using your username and password, you’ll also need something else: a code usually sent by SMS or generated by an app on your phone or tablet. It’s very easy to set up but makes a world of difference security-wise.
The best way to do this is with a password manager and an authenticator app, such as Authy, on your phone. They have a random password generator feature that can create secure passwords and maintain your overall password security across different accounts. Use password managers like LastPass to store them for you securely.
It’s never a good idea to use the same password for everything.
Exchange Documents Securely
The first step to protecting your sources is communicating with them on the right platforms. The last thing you want to do is save sensitive documents to an unsecured cloud server and have them leak over the internet.
So how does one set up an encrypted channel? And how can journalists be sure that their sources are doing the same?
The answer to both questions is simple: use a tool designed specifically for this purpose. Services like OnionShare and SecureDrop provide a more secure manner to pass sensitive documents and download files than Google Drive or Dropbox.
The latter two options make it easier for reporters and sources to work together, but it also makes it easier for governments to get at their communications. These services keep records of who has accessed what files and when.
The companies themselves could be compelled to give up that information through a subpoena or a national security letter issued by law enforcement agencies or intelligence agencies.
On the other hand, OnionShare and SecureDrop provide much stronger encryption. Even if someone can break into your account — whether through a password hack or another means — they still won’t be able to see what you’re sending and receiving.
How To Protect Your Personal Privacy
Today’s journalists need to maintain an online presence while publishing stories. It’s important for establishing themselves in their fields. Here’s how to do that safely.
Don’t Share Personal Details
When you’re a journalist, it can be easy to share too much information online. This is especially true if you’re new to the field and are excited to interact with other reporters and editors. While it’s great to connect with other people who share your interests, you need to make sure that you don’t post anything that might compromise your security or put you in danger.
Let’s start with the basics: Don’t post personal details on social media or other websites. It can also be dangerous to share personal information in unencrypted emails. Details like your full name, address, private email address, and phone numbers should be kept private.
When using your journalist persona on social media, try not to share too much about yourself or others. For example, if someone tags you in a photo on Facebook, make sure that the photo doesn’t reveal anything about you that could be used against you.
If something in the photo reveals too much personal information, untag yourself from the photo or ask the person who tagged you to remove it.
Scrub Your Online Information
It’s the ultimate dream for journalists to be able to fully protect their online privacy while also having a life. Unfortunately, we aren’t quite there yet, but there are steps you can take to keep yourself and your family safer online. The first step is to minimize the amount of information about you that’s publicly available or being shared with third parties. Start by Googling yourself.
Review the results and see if anything you’d like removed turns up. If it does, try to get in touch with the relevant point of contact who owns the website or place where that information is distributed. Submit a request for removal.
You may also want to sign up for a service like Spokeo, which collects data from a variety of sources, including social media sites, public records and other online sources, then compiles it all into a single profile that you can view online or download in various formats such as Excel spreadsheets or PDF files.
Make Sure Your Data Hasn’t Leaked
Don’t worry — we’re not about to tell you that you should have changed your password before your Uber account was hacked. But we are going to suggest you check out HaveIBeenPwned.com.
What is it? Have I Been Pwned allows users to input their email address or domain and see if their data has been compromised in recent major data breaches. It also gives advice on what to do next and how hackers use the information they have obtained. Another similar website you can use includes DeHashed.
The site is useful because many people reuse passwords across different accounts — journalists especially should be wary of this.
If your email address appears on one of these databases, it may mean that your credentials were stolen from a service that may have little to do with journalism at all. Even so, they may be used against you in your work by malicious actors looking to track down reporters’ sources.
Use a Data Removal Service
The internet is a massive data collection device. The problem will only worsen as more devices are connected, more things are recorded and all that data is stored somewhere. Why not just give up and go live in the woods?
For one thing, journalists need the internet to do their jobs. So instead of giving up, take control of how your personal information is used and shared.
There are plenty of DIY ways to clean up your public-facing data from sites like Facebook to Google, but if you really want to lose yourself online, there’s only one foolproof way: Pay someone else to lose you.
Services like Abine’s DeleteMe scrub your online info more deeply than you could possibly do yourself, manually handling opt-out requests with dozens of data brokers who have compiled online dossiers on your personal information.
It’s fine if you’re overwhelmed by all the options in this guide. I’m just here to give you the tools and information. You can put them to use however you see fit. Not everything I’ve written will make sense for every journalist.
When you’re ready, there’s a lot more for you to learn beyond what I’ve covered here. One great starting point is Reporters Without Borders, a global organization that defends the rights of journalists and supports freedom of information worldwide.
You can also check out these resources:
- The Committee to Protect Journalists Digital Safety Kit
- Security In a Box’s in-depth guides
- Surveillance Self-Defense’s tips for safer online communications
If you’re an online journalist and see a tip I’ve missed out in this article, please let me know in the comments. It’s a dangerous world out there, and it’s up to us to make it safer for ourselves. As always, thank you for reading.