Introduction to Investigative Journalism: Digital Security
In a chapter for GIJN’s Reporter’s Guide to Investigating War Crimes, Matt Hansen, strategic director at Global Journalism Security, writes that “security should be a central part of the reporting process from day one for reporters investigating war crimes — especially in an era of increased surveillance, spyware, and other threats.” This is true regardless of your beat, be it war crimes, climate change, politics, corruption, or something entirely different.
The good news is that the tools you need to work safely do exist, protecting you as long as you use them in the right way, at the right time. This requires awareness of what tools are right for your project and planning to ensure they’re included in your workflow. Digital security may seem a little daunting at first, but increased security will help you build trust with – and protect – current and future sources, along with colleagues and media partners.
This chapter presents numerous tips and tools to help you secure accounts, computers and phones, communications, and personal information. In addition to specific tools and settings, we have also included case studies on the importance of considering digital security when planning your work. There is a lot of information here, so we recommend that you read through the chapter once or twice, then come back to the sections that are most relevant to you. You can refine your approach to both digital and physical security as you learn more and figure out what works best for you. You may find that this process becomes easier the more you do it. GIJN offers training, workshops, and consultations for additional support.
Tips and Tools
The following sections recommend specific tools and settings to help you secure accounts, computers and phones, communications, and personal information.
Protecting Online Accounts
Use a password manager to help you create and store strong, unique passwords for all of your accounts. The password manager acts as a vault for passwords, so you no longer have to remember them on your own. Access to this vault is protected by a “master password” that you set. You can also use the password manager to store other types of important information, such as answers you supply to security questions when signing in (they don’t have to be real answers!), passport data, and phone numbers. Android and iOS have password manager functions built in, but may not have all the same features as 1Password, Dashlane, and Bitwarden. As a journalist, you may qualify for a free license to 1Password.
Turn on two-factor authentication (2FA) where possible, including accounts used for email, document storage, and social media. This can help prevent someone from accessing your account, even if they have the correct password. SMS is the most common form of two-factor, but also the least secure: messages are not encrypted and can be intercepted. Consider using a mobile app to generate two-factor codes instead, such as Google Authenticator. The most secure, though less common, option is to use a physical security key, such as the Yubikey. If you’re using Google for email, consider enrolling in the Advanced Protection Program – a free security feature designed for journalists and other high-risk individuals.
Regularly review privacy and security settings available for your online accounts, especially on social media. The goal here is not necessarily to stop sharing on social media and other sites, but to be aware of – and in control of – what you share, when, and with whom. Privacy Party is a free browser extension which helps make it easier to review settings and take action across a number of sites.
If you use an Apple device, turn on Advanced Data Protection for iCloud to encrypt the data you have stored there. Turn on password reset protection on X (previously Twitter) to make it harder for someone to reset the password on your account, as well as Login alerts on Facebook.
Protecting Computers
Make sure you install system and software updates as soon as they become available. These updates include not just new features and enhancements, but also fixes for security holes that could be leveraged by hackers. To protect the information stored locally on your hard drive, you can enable full-disk encryption with BitLocker on Windows and FileVault on macOS. You can also use these tools to encrypt external hard drives and USB sticks. If you need to be able to access the drive on both Mac and PC, consider using VeraCrypt instead. For Windows, Microsoft Defender can help protect your device against common forms of adware and malware.
Journalists frequently work with documents from unknown sources, whether it’s a PDF found on a forum or a Word document sent by an anonymous individual. These documents could contain malware, so you can use Dangerzone on your computer to create safe versions that you can open and review. If you are working with a large set of documents, consider using a dedicated, offline computer to go through the files. To learn more about working with large datasets in a journalism context, check out Micah Lee’s book Hacks, Leaks, and Revelations.
Protecting Phones
Make sure you install system and software updates as soon as they become available, just as you would with computers, tablets, and other electronic devices. If your phone is unable to install the latest update, we strongly recommend that you buy a more recent model. Review privacy and security settings, including location data and lockscreen notifications, to understand what your phone is doing and what you’re sharing with whom. For Android, use Google Play Protect to keep apps and data safe. For iOS, use Lockdown Mode to defend against sophisticated spyware, such as Pegasus. (Read for more information about this feature.) Lockdown Mode is supported on macOS, iOS, iPadOS, and watchOS.
Protecting Communications
Use messaging apps which support end-to-end encryption, such as Signal, WhatsApp, and Facebook Messenger. Signal and WhatsApp can also be used for group calls alongside Jitsi, Google Meet, and Zoom. It’s important to note that these apps will encrypt the contents of calls and messages, but not metadata – e.g. who you’re communicating with, when, for how long, how often. Telegram can encrypt messages in secret chats, but you have to turn on this feature. For Signal, create a PIN and username, choose how you want notifications to show up on your lockscreen, and use disappearing messages. For WhatsApp, use two-factor authentication, security notifications, and – if you back up your chats – enable end-to-end encryption for your backups. To protect messages on Facebook, turn on two-factor authentication for your account.
Protecting Personal Information
If you live in the US, consider using DeleteMe, Optery, or Consumer Reports’ Permission Slip app to help you remove your personal information from data brokers and other websites. These tools may be helpful if you live outside the US too, along with searching for yourself on Google to see what kind of information is easily available about you. Local digital rights groups may be able to advise on services relevant to where you live and work.
But What About…
It’s important to remember that there’s no guarantee that the guidance here will keep you safe. But by using the security and privacy features available to you, you make attacks much harder to achieve for someone wanting to target you. For example, an email account with the password “password” or “123456” and no two-factor authentication is much less secure than one with a strong, unique password and two-factor authentication with a security key. Ensuring that you use the right tools, in the right way, at the right time will go a long way in protecting what’s important to you.
Case Studies
The Snowden revelations, Panama Papers, and Pegasus Project have all demonstrated the importance of planning your work and incorporating digital security in your reporting process. The journalists would not have been able to safely report these stories had they not considered digital security as critical to their work. We strongly recommend reading up on how the journalists worked on these projects and identifying processes and workflows you can adopt for your own project. We have included three case studies below highlighting digital security challenges journalists have faced in the past.
In 2012, Vice followed millionaire tech executive John McAfee, who was on the run in Central America. In an article titled We Are with John McAfee Right Now, Suckers, the journalists published a selfie with photo metadata included – indicating that they were somewhere in Guatemala. The magazine Wired was quick to follow up with an article, asking Oops! Did Vice Just Give Away John McAfee’s Location With Photo Metadata?. It’s worth noting that photos and videos may contain metadata such as date, time, device information, and location data — and not all apps, sites, or publishing systems remove this information by default, though you can remove some of the information yourself.
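As an added example (not part of the original guide), the Python code below shows where this kind of metadata sits inside a JPEG file and how it can be dropped before a photo is published. The function name and the sample bytes are constructed for illustration; the code removes whole APP1 (Exif and XMP), APP13 (IPTC) and comment segments and copies everything else unchanged.

```python
import struct

# Segments that commonly carry metadata: APP1 (Exif incl. GPS, XMP),
# APP13 (IPTC/Photoshop) and COM (free-text comments).
METADATA_SEGMENTS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}
SOS, EOI = 0xDA, 0xD9  # start of scan (image data follows), end of image


def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_bytes, names_of_removed_segments)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(data[:2]), [], 2
    while pos < len(data):
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            out += data[pos:]  # compressed image data: copy verbatim
            break
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        # The 2-byte big-endian length counts itself but not the marker.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in METADATA_SEGMENTS:
            removed.append(METADATA_SEGMENTS[marker])
        else:
            out += data[pos:end]
        pos = end
    return bytes(out), removed


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid segments, not a viewable photo.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"CONSTRUCTED-GPS-PLACEHOLDER")
    + _segment(0xFE, b"constructed comment")
    + b"\xff\xda\x00\x02\x12\x34\xff\xd9"
)

if __name__ == "__main__":
    cleaned, removed = strip_jpeg_metadata(SAMPLE_JPEG)
    print("removed:", removed, "| bytes saved:", len(SAMPLE_JPEG) - len(cleaned))
```

This only covers JPEG container metadata; other formats (PNG, HEIC, video) store it differently, and what is visible in the picture itself can still reveal a location.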
In 2015, a US court document revealed that the subject of a New York Times investigation had been tipped off because the newsroom’s IP address repeatedly showed up in the web server logs. It’s a reminder that larger newsrooms may have IP addresses that are unique to them, meaning the journalists should know how to protect this information using a VPN, such as IVPN, Mullvad, or ProtonVPN, to mask their IP address — or the Tor Browser for added anonymity.
In 2021, two Norwegian journalists investigating conditions for migrant workers in Qatar ahead of the 2022 FIFA World Cup were arrested and detained by Qatari police for more than 30 hours shortly before their flight home. Authorities claimed the pair were wilfully trespassing on private property. The journalists were questioned for eight hours in separate rooms, while their equipment was seized and thoroughly searched. Runa Sandvik – founder of Granitt and author of this chapter – wrote about what this incident teaches us about the importance of digital security and planning how to protect your work, especially when it comes to using encryption to protect digital data.
Additional Support
Access Now, a nonprofit that defends the digital rights of peoples and communities at risk, runs a 24/7, free Digital Security Helpline for journalists and other members of civil society. The organization offers assistance with proactive digital security practices, as well as rapid-response emergency assistance where needed. The Helpline responds to all requests within two hours, and currently supports nine different languages: English, Spanish, French, German, Portuguese, Russian, Tagalog, Arabic, and Italian.
The Security Lab at Amnesty International investigates human rights abuses linked to spyware, surveillance technology, and other digital threats facing civil society. Contact the Amnesty Security Lab if you believe that you may have been targeted for digital surveillance in some way. You can also contact Citizen Lab at the Munk School of Global Affairs at the University of Toronto, Canada.
GIJN offers the Journalist Security Assessment Tool, built on Ford Foundation’s Cybersecurity Assessment Tool, to help journalists and smaller news organizations identify ways that they can improve their digital and physical security. It has already been published in Arabic, French, German, Hindi, Indonesia Bahasa, Portuguese, Russian, Spanish, and Turkish.
For a deeper understanding of the security needs of high-risk communities, check out this guide from the US Cybersecurity and Infrastructure Security Agency (CISA).
Runa Sandvik is the founder of Granitt, a consultancy focused on security for journalists and high-risk people around the world. Her work builds upon experience from her time at The New York Times, Freedom of the Press Foundation, and The Tor Project. She’s an advisor to CISA’s Technical Advisory Council; the Ford Foundation’s BUILD program; and a member of the Aspen Institute’s Global Cybersecurity Group. She tweets as @runasand.