How to stay safe online as a journalist

To support this year’s World Press Freedom Day (May 3rd), we’ve created a complete guide to staying safe online as a journalist, which will help you secure your online accounts, devices, and private data. More importantly, it’ll allow you to focus on what really matters: reporting.

Accounts

Use strong, unique passwords

You likely have dozens of online accounts that require a username and password to log in. Email, social media, the platform that your team uses to assign and track stories – the list goes on and on. All of these accounts need to be protected by strong, unique passwords. That means they should be long – we recommend at least 16 characters – and not include anything predictable, like your name or date of birth.

If you work for a large news organization, you might use Single-Sign On (SSO) to log in to multiple apps and services. It doesn’t matter, however, whether you need to remember 10 or 10,000 passwords – all of them still need to be strong and unique. If you use the same set of characters for everything, you’re putting yourself and your team at risk.

Why? Because if a single service is compromised and your password leaks online, at least one criminal will probably check if they can use it to access your other accounts.

Use two-factor authentication (2FA) everywhere it’s offered

2FA makes it even tougher for criminals to access one of your accounts. Let’s say a criminal somehow managed to find or guess one of your passwords. If they tried to sign in to the associated account, the service would ask for a code – one that you’ve chosen to always be sent via email, SMS (though you shouldn’t use SMS as it’s vulnerable to interception) or an authentication app.

The system works because an attacker is unlikely to have access to both your password and the place where you retrieve your special codes.

Use random usernames for accounts that aren’t tied to your personal brand

Many journalists want a single, recognizable username for all their social media accounts, like Twitter, Instagram, TikTok, and YouTube. Why? Because it helps people find and follow your work. Building a personal brand can also be critical to raise your profile, attract job offers, or become an independent reporter that’s supported by platforms like Patreon or Substack.

But, for all your other accounts, you should create random, unique usernames. If you use the same one for everything, that’s one less piece of information a cybercriminal needs to figure out in order to access your accounts. You may want the same handle for your social media accounts, but that doesn’t mean you should be using it to log into your bank account, too.

Share passwords securely

As a journalist, you likely have at least one password that you need to share from time to time. It could be your newsroom’s Wi-Fi password, a subscription to a paywalled news publication (every reporter needs to know what their competition is publishing), or the login credentials for your outlet’s Twitter account.

Relying on post-it notes, text messages, emails, spreadsheets, or random text documents is risky – use a password manager instead. With 1Password Teams and 1Password Business, you can create custom vaults and control which colleagues have access to them. Additionally, you can securely share copies of passwords and other items you’ve saved in 1Password with anyone – even if they don’t use 1Password – by using item sharing.

Protect your passwords and other digital secrets when traveling

Flying as a journalist can be stressful, in part because you can’t predict how a customs agent will react to your arrival. What should you do if they suddenly ask you to unlock your phone, tablet, or laptop? Your devices likely contain all sorts of passwords and other digital secrets that are connected to confidential stories and sources.

You can avoid this potential problem by carefully preparing your devices before each trip. For example, 1Password has a Travel Mode that lets you temporarily remove some vaults from your device. Once you’ve arrived safely at your destination, you can turn the mode off to view, edit, and autofill your saved data as normal.

Use random answers to security questions

When you create an account online, you’ll often be asked to set up some security questions and answers. Many of these questions require personal information that is easy for anyone to find online, such as your mother’s maiden name, your elementary school, or favorite book.

But: the answers you give don’t need to be factually accurate. You just need to know and, when called upon, recite the answer that you originally chose. (e.g. If you’re given the question ‘What’s your favorite city?’ it doesn’t matter if you choose ‘London’ or ‘Paris’ - you just have to make sure you give the same answer every time you’re asked.)

Check alerts about unusual sign in attempts

Many services will send you an email or push notification if they detect a suspicious sign-in attempt. These alerts are usually a false alarm. For example, you’ll often receive one when you change devices, download a new browser, or travel to a different country.

But you should pay attention to these notifications, because they could one day highlight a malicious sign in attempt. Opening the alert on a trusted device will usually give you the option to block the attack, keeping your account and the associated data secure. You’ll then be able to change the account password before the attacker can try to gain access again.

Communication

Use PGP to encrypt your emails

Almost every journalist uses email to communicate with sources and co-workers. If you want to keep your messages private, you should consider encrypting them. There’s more than one way to do this, but the most popular is PGP, or Pretty Good Privacy. It’s free to use and works on all major operating systems including Mac, iOS, Windows, Android, and Linux.

Watch this guide by Infosec Bytes, a project based at the Centre for Investigative Journalism, if you want to learn more about how it works, and how to set it up on your email account. If you work for a large news organization, you should also contact your IT department and check you have permission to use PGP.

Consider switching to a privacy-focused email provider

Not ready to set up PGP? That’s okay! There are still some steps you can take to make your inbox a little more secure. For example, you can switch to an email provider that prioritizes user privacy, rather than helping some brands deliver targeted advertising. There’s no shortage of independent email providers. Here are just a few options – take some time to compare them all and pick the one that makes the most sense for you:

• Fastmail
• ProtonMail
• StartMail
• Mailfence
• Tutanota
• Mailbox.org
• Runbox
• Posteo

You may not have the power to switch if you work for a large news organization that already has a long-term contract with another email provider. But you can still switch to a privacy-focused email provider for any personal accounts you use outside of work.

Use messaging and video-calling apps that support end-to-end encryption

A simple way to communicate securely is by using apps that support end-to-end encryption. They usually require very little setup – you simply download the app on your devices, create an account, and then check that you don’t need to toggle anything in the settings to activate end-to-end encryption. (For many, it’s a lot quicker than setting up PGP on their email.)

You can use these apps to talk to anyone, including confidential sources, co-workers, and people in your personal life, such as friends and family. Many security experts recommend Signal for messaging and video calls, as it’s powered by the open-source Signal Protocol and offers end-to-end encryption by default. But it’s also worth considering messaging apps like Wire, WhatsApp, Telegram, and Viber, and video-calling services such as Zoom and Jitsi.

Send messages that disappear after a set period of time

Many apps give you the option to send self-destructing messages. (The feature is sometimes called ephemeral messages, or disappearing messages.) This deletes every text you send and receive after a set period of time. That way, if someone takes your phone, tablet, or computer – whether that’s a criminal, government official – they won’t be able to read your private messages, even if they know how to unlock the device and open your messaging apps.

Self-destructing messages are a secure and convenient way to chat with confidential sources.

Self-destructing messages are a secure and convenient way to chat with confidential sources. While not perfect – the recipient could screenshot your messages before they disappear – they’re a worthwhile defense against unwanted eavesdroppers. Self-destructing messages can also help you build trust with people who are wary about speaking to a member of the press, or want reassurances that the information they’re about to share won’t be traced back to them.

Learn how to spot phishing emails

Have you ever received an email that seems real at first glance, but is actually from a criminal impersonating a reputable person or company? This isn’t just spam – it’s a phishing attack. These messages will often urge you to click on a link that seems legitimate but actually sends you to a malicious site designed to steal your private information.

As a journalist, it can be awfully tempting to click on a link from an anonymous source claiming to have something of value. But you need to be wary. Check the sender’s email address (does it seem legitimate?), scan the message for typos, and pay close attention to any language that suggests you need to take quick, drastic action. If something doesn’t seem right, stop and evaluate. Try to verify the sender’s identity, or ask them to share their information in a different, more secure way.

Browser

Use browser profiles to separate your work and personal life

Web browsers can easily become a painfully disorganized mess of tabs when you’re working on a story. You might have some research open, a web-based text editor, and whatever you like to read or watch when you need a quick (okay, sometimes not that quick) break from work. Journalism is chaotic enough, so don’t make it worse by using the same browser profile for your professional and personal life. Instead, create and use separate browser profiles.

If you keep forgetting to choose the right profile, consider downloading a secondary browser. For example, you could use Brave for work and Firefox for your personal browsing.

Use HTTPS everywhere you can

Head to your browser’s address bar and select the tiny padlock symbol next to this article’s URL. You’ll likely see the acronym “HTTPS.” These five characters refer to a web protocol that leverages a robust form of encryption called SSL or TLS. Most people rarely think about HTTPS but it makes a huge contribution toward keeping everyone safe on the web.

Use a browser with a HTTPS-only mode, or an extension like HTTPS Everywhere.

Most websites support HTTPS these days, and many browsers will load the HTTPS version of a website by default. But there are still a number of sites that don’t use this form of encryption. To keep your web traffic secure, use a browser with a HTTPS-only mode, or use an extension like HTTPS Everywhere, which was created by EFF and the Tor Project.

Use the Tor browser for sensitive projects

The free-to-use Tor browser is a great way to increase your privacy and ensure that no-one, including your ISP, can track the sites you visit. Tor (which stands for The Onion Routing) secures your traffic by passing it through multiple servers, better known as relays. As the Tor website explains, there are now thousands of relays around the world, which all help to obfuscate users' actual IP addresses.

The Tor browser might seem like overkill for some stories. But it’s worth setting up on your computer in case you ever travel to a country with extreme levels of government surveillance, or suddenly need to investigate something that requires a higher level of caution and privacy.

Be careful on public Wi-Fi

When you’re out in the field and desperate to upload something – whether that’s a story, interview recording, photo, or video footage – it can be tempting to connect to the first public Wi-Fi network that appears on your device. But be careful, because not all of them are safe. Attackers can exploit poorly-secured Wi-Fi networks to snoop on your web traffic and use that information for any number of unsavory things, like account stealing and identity theft.

But that doesn’t mean you should never use a public Wi-Fi network. You can stay secure by avoiding Wi-Fi networks with suspicious names, keeping your devices' software up to date, and sticking to websites that use the HTTPS protocol (browsers usually convey this with a padlock icon in the address bar). If you’re sitting in a coffee shop and not sure about a particular Wi-Fi network, check with a nearby member of staff, or simply wait and connect somewhere else.

Social media

Keep your personal accounts private

Your online accounts should fall into one of two categories: public and private. Let’s say you use Twitter to promote your work, interact with other members of the press, and talk to people who read, watch, or listen to your stories. That’s a public account. But your personal Facebook page? Or a secondary Twitter account where you like to post more informal updates? These are best kept private.

Control the level of privacy surrounding your accounts.

Most social media platforms come with plenty of tools that let you control the level of privacy surrounding your account(s). For example, you can have a completely private Twitter page that only approved followers are able to access. If you have a public page on Instagram, you can still choose whether a Story is visible to anyone who follows you, or only people that you’ve chosen as Close Friends.

Regularly use “security check-up” options

Many services offer a “security check-up” that will take you through their most important privacy settings. It’s a convenient way to quickly take stock of your accounts and decide whether any settings need tweaking. And don’t just use them once – create a recurring calendar entry that will remind you to review your security settings every six, nine, or 12 months.

Be careful with what you share

Think before you post. That applies to both your personal and professional accounts. You might have some ‘public’ social media pages, but that doesn’t mean you should share your entire life on them. Consider what a criminal might be able to glean from your publicly-visible pages and posts. For example:

• Do you really need to share your birthday on your Twitter page?
• What’s visible in the photos and videos you’ve shared publicly? Could someone use them to figure out your current location, or where you live?
• Are you sharing location data anywhere? For example, can strangers look at your Strava profile and see where you run each morning?

Hardware

Encrypt sensitive data

It’s a good idea to encrypt sensitive data on your computer, just in case it’s ever lost, stolen, or confiscated by someone. You can use Apple’s FileVault and either Microsoft’s device encryption or BitLocker services to encrypt your hard drive and prevent the associated files from being seen or copied by someone who hasn’t been given permission.

There are also third-party tools like Veracrypt, which let you encrypt any hard drive, file, and folder, and Boxcryptor, which protects files stored in cloud-based platforms like OneDrive, Dropbox, and Google Drive.

Consider using a second device that’s permanently offline

As an extra precaution, you could use a second computer that’s always kept offline. For this to work, you would need to transfer research, recordings, and anything else required to produce your stories via external storage, like a USB stick or SD card. Once you finish your report – which could be a text, video, or audio file – it would need to be transferred off the machine in a similar fashion.

You could use a second computer that’s always kept offline.

Why go through all of this? Well, because the device is offline, it would be much harder for a criminal to gain remote access or trick you into downloading malicious software. It’s a potentially costly and time-consuming setup, however, if you’re working on highly sensitive stories that demand extreme care and caution, you should definitely consider this option.

Review and refine

Don’t get complacent. The world is always changing, and technology never stands still. Regularly review the tools and procedures you use to report on the news each day. And always ask what, if anything, you could change or do differently in order to stay safe online and protect your sources who wish to stay anonymous and may be risking their lives by speaking out.

Nick Summers

Content Marketing Manager