Business Tools Guide
Chapter 11
Site Security and Password Management

No single app or tool makes an organization, or even any single communication, secure. Because journalists’ communications and digital assets face numerous threats, whether the concern is a hostile government agency or simply protecting a source who lodged a complaint against their neighbor, we highly recommend familiarizing yourself with digital security basics. Many groups are currently working to provide up-to-date resources on the landscape of tools and techniques needed to lock down communications and increase security, including the Electronic Frontier Foundation’s Security Self Defense guide, Access Now!, Freedom of the Press Foundation, Tactical Tech, and GIJN’s own Resource Center. Certain tools in other sections of this guide, such as Signal, Jitsi, and OnionShare, can also form components of a secure digital environment.

Site Security

Cloudflare

If you are concerned that your website could be subject to hostile attacks by bots or hackers, the content delivery network (CDN) Cloudflare offers security for websites and applications. It detects and blocks distributed denial-of-service (DDoS) attempts and bot traffic. Cloudflare also improves site performance by optimizing page load times, speeding up image and video loading, automating image resizing for mobile, and balancing load to ensure continuous availability of a website despite local service outages. Cloudflare also offers site analytics.

Cost: Free version includes SSL certification and DDoS mitigation; paid plans start at $20 per month. Through its Project Galileo, journalism organizations vetted by one of Cloudflare’s partners can use the full version of the product for free.

Languages: English, German, Spanish, French, Italian, Korean, Chinese, Japanese, and Portuguese.

Let’s Encrypt

Obtain a security certificate to enable HTTPS on your website for free with Let’s Encrypt, which is available automatically through many hosting providers (including WordPress), and can be installed manually on other providers.

Cost: Free.

Languages: English, German, Spanish, French, Hebrew, Indonesian, Chinese, Korean, Portuguese, Russian, Serbian, Swedish, Vietnamese, and Japanese.

Password Managers

1Password

Among the options for online password managers that sync users’ data across devices, 1Password garners high ratings for the transparency around its encryption and its willingness to submit to regular third-party reviews. Significantly, 1Password has a service called 1Password For Journalism, which enables teams of journalists to access the app at no cost. 1Password allows the creation of shared vaults for teams that need to securely store joint passwords for tools, while also permitting users to store their own passwords separately. Users can encrypt notes, documents, and contacts. It has a web interface and is also available as a mobile app, a browser extension, and a desktop application. A notable feature for journalists, Travel Mode, wipes your 1Password data from a specific device when you might not wish for it to be found — such as when you are crossing a border — and then allows you to download the data securely once you have reached your destination.

Cost: Currently free for journalists; individual paid plans start at $2.99 per month and team plans begin at $7.99 per user per month.

Languages: English, Spanish, German, French, Italian, Japanese, Korean, Portuguese, Russian, and Chinese.

Dashlane

Dashlane’s features are comparable to 1Password’s — minus the Travel Mode feature — but many users find its interface easier and more intuitive. It has a free plan that allows up to 50 saved passwords and sharing with up to 5 other people, but restricts use to a single device (for example, you could use the app on a phone or on desktop, but not both). Although Dashlane’s paid plan is costlier than 1Password’s, its more expensive tiers also include a secure VPN service.

Cost: Limited free plan; plans begin at $3.99/month for individuals and $5 per user per month for businesses.

Languages: English, French, Spanish, Portuguese, German, Italian, Dutch, Swedish, Chinese, Japanese, and Korean.

KeePassXC

KeePassXC is a free and open source password manager. Unlike popular software like 1Password or Dashlane, KeePassXC stores its data locally on a single user’s computer. The simple, offline nature of the tool significantly reduces its convenience, but minimizes the risk associated with transferring data across the web. Transferring KeePassXC data across multiple devices is a complex, multi-step process. KeePassXC is usable across a wide range of operating systems, and includes some useful features like a browser plug-in and a secure passphrase generator.

Cost: Free.

Languages: Dozens.

Virtual Private Networks

A cardinal rule of VPN (virtual private network) services: do not use a VPN that does not offer paid tiers. Aside from generally slower speeds and ad-laden interfaces, researchers have time and again found 100% free VPN services to be secretly logging user data and to be laden with malware. Because the goal of using a VPN is often to mask your IP address, do not take selecting a VPN service lightly. Experts also recommend avoiding US-based VPN services, due to the strictures of the USA PATRIOT Act. Sites like CNET, SafetyDetectives, and Wirecutter maintain current recommendations for VPNs, which can vary depending on anything from the political situation in a country where the company is based to your own location and reason for using a VPN (such as whether you want to prioritize speed, security, avoiding restrictions in your home country, or connecting to a LAN). Many services, like ExpressVPN and NordVPN, offer 30-day free trials; others, like ProtonVPN, offer a free tier that operates at significantly slower speeds. If possible, consult a local digital security expert before selecting a VPN.