Digital Safety Kit

Artwork: Jack Forbes

Artwork: Jack Forbes

 Last reviewed April 2, 2023

Journalists face a wide range of digital threats and it’s increasingly important that they protect themselves and their sources by keeping up to date on the latest digital security news and threats such as hacking, phishing, and surveillance. Journalists should think about the information they are responsible for and what could happen if it falls into the wrong hands, and take measures to defend their accounts, devices, communications, and online activity.

This digital safety kit is designed to be a general starting point for journalists looking to increase their digital safety. For more detailed security advice, please see our Safety Notes. Journalists are encouraged to complete a risk assessment before starting their assignments.

Contents

Protect your online data

Protect your accounts

Protect against targeted phishing attacks

Device security

Encrypted communications

Secure internet use

Crossing borders

Protect your online data

Journalists are increasingly targeted by online abusers who comb the internet looking for personal data that can be used to threaten and intimidate them. Journalists are advised to review their online profile regularly and take steps to remove information where possible.

To better secure your online data:

Look yourself up online

Removing or restricting data

Other steps to be more secure

Other resources

More detailed information on protecting against online abuse can be found here: Resources for protecting against online abuse.

For editors interested in better protecting their staff against online abuse, please see our Editors’ checklist.

The Coalition Against Online Violence is a useful source for information for those looking to learn more. CPJ is a member of the coalition, a collection of global organizations working to find better solutions for women journalists facing online abuse, harassment, and other forms of digital attacks.

Protect your accounts

Journalists use a variety of online accounts that hold both personal and work-related information on themselves, their colleagues, families, and sources. Securing these accounts and regularly backing up and removing information will help protect that data.

Before signing up to a service

Before signing up for an online service, such as social media platforms, messaging apps, and email services, review the terms of service to find out who owns the company and where the company is based, and to understand what they are doing with your data. Understand how this could put you and your sources at risk if there is a data breach or a legal request for your data. This is especially important if you are using online services to communicate with or store data on sources, including social media, messaging apps, and interview transcribing services.

Review the transparency reports published by the technology companies you use to see which when and how they have replied to government requests to remove or hand over data.

Keep up to date with the latest information regarding the services you use. Be alert to any data breaches or changes of ownership that could indicate that the service is not as secure as it once was.

Secure your accounts

The most effective way to secure your accounts against hacking of your accounts is to turn on two-factor authentication (2FA). Two-factor authentication is an extra layer of security and is now offered by most online services. Turn it on for all your accounts where possible.

There are several forms of 2FA, and journalists should consider using an app, such as Authy, instead of SMS as their form of 2FA. Those at high risk of hacking should consider using a security key, such as a YubiKey.

All online services offering 2FA should also offer backup codes to use in case you are unable to access the account using your form of 2FA. These are one-time use codes that you can submit instead of receiving a code to your phone or app. Ensure you keep a copy of these backup codes. You can print them out and store them somewhere safe or keep them in your password manager.

In addition to 2FA, create long passwords of more than 16 characters. These should be a mixture of numbers, symbols, and letters. Do not reuse passwords or include in your password personal information that can easily be found online, such as your date of birth.

Consider using a password manager to help you manage your passwords. Research all password managers to see which is the best fit for you. Create a long unique password for your password manager.

Manage the content in your accounts

Protect against targeted phishing attacks

Journalists often have a public profile and share their contact details to solicit tips. Adversaries looking to access journalists’ data and devices can target them – or a colleague or family member – with phishing attacks in the form of tailored email, SMS, social media, or chat messages designed to trick the recipient into sharing sensitive information or installing malware by clicking on a link or downloading a file. There are many types of malware and spyware which range in sophistication, but the most advanced can grant a remote attacker access to the device and all of its contents.

To defend against phishing attacks:

Device security

Journalists use a wide range of devices to produce and store content, and to contact sources. Many journalists, especially freelancers, use the same devices at home as well as at work, potentially exposing a vast amount of information if they are lost, stolen, or taken. Encrypt computer hard drives, phones, tablets, and external storage devices, especially if you travel, to ensure that others will not be able to access this information without a password.

To secure your devices:
To encrypt your device:

Encrypted communications

Journalists can communicate with sources more securely using encrypted messaging apps or software that encrypts email so only the intended recipient can read it. Some tools are easier to use than others. Encryption protects the content of messages, but the companies involved can still see the metadata, including when you sent the message, who received it, and other revealing details. Companies have different policies on what data they collect, how they store this data and how they respond when authorities ask for it. 

Recommended messaging apps offer end-to-end encryption, meaning that the information is encrypted when it is being sent from the sender to the recipient. Both parties must have an account with the same app. Anyone with access to a device sending or receiving the message or to the password of the account linked to the app can still intercept the message content. Examples of messaging apps with end-to-end encryption turned on by default include Signal and WhatsApp. Other apps may require you to turn on end-to-end encryption.

Encrypted email is another secure way of exchanging information with a source or contact. Both parties must download and install specific software in order to send and receive encrypted email.

To use encrypted messaging apps:
To use encrypted email:

Using the internet more securely

Journalists rely on the internet for carrying out research, which can leave them and their sources vulnerable if they do not take steps to protect themselves. Internet service providers, governments, companies, and criminals collect data on internet users which can be used to target them, including building legal cases against them.

To use the internet more securely:
Artwork: Jack Forbes

Crossing borders

Many journalists cross borders carrying work and personal information that they may not want others to access on electronic devices. If border guards take a device out of your sight they have an opportunity to search it, access any accounts, copy information, or install spyware. Journalists crossing U.S. borders should consult CPJ’s safety note, “Nothing to Declare.”

Before you travel:
At the border:

If any device is confiscated at the border or anything is inserted into it, assume it is compromised and that any information on it has been copied.

Editors’ note: This kit was originally published on July 30, 2019, and reviewed for accuracy on the date shown at the top.

Exit mobile version