There are three main ways in which attackers will try to break into journalists’ accounts: guessing or intercepting their passwords, sending them phishing emails, or breaking into or hacking their devices. Those attacks can be mitigated by using two-factor authentication and unique passwords, and by keeping software up to date.
Passwords
All passwords, especially those for your important accounts such as email, cloud logins, and social media need to be long and unique. Let’s go into both of those in some detail.
Long passwords
Recommendation: make sure your password is long and difficult to predict. Passphrases are even better.
A long password can consist of several different words (we call this a passphrase) or many random-looking characters. Long passwords make it harder for an attacker to guess your password by trying out different combinations. If an attacker knew your password was five characters long, there would be far fewer combinations they would need to try out than if they knew your password to be over ten characters.
You might have seen guides which instruct you to add capital letters, lowercase letters, and special characters to your password. These steps may not make for a better password, though. Some websites will still insist that passwords contain all the different types of characters (it could be that they have a cybersecurity insurance policy from years ago that contains those conditions) but, if a website does not enforce this rule, you can happily skip it. Older guides recommended passwords which looked like this: sua%1nE=!. These turned out to be tough to remember, hard to type, and most importantly less secure than a few randomly generated words. A good, modern password instead looks like this: ‘mug-sheep-orange-lanyard’. Your password manager (more below) can generate great passwords for you. Alternatively, if you’d like to do so yourself, use the diceware method, documented here.
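To make the diceware method concrete, here is a small Python script that is not part of the original guide: it rolls dice with the operating system’s secure random generator to pick words, and computes how many bits of guessing work a passphrase represents compared with a random-character password. The word list inside it is a constructed 16-word stand-in for a real 7776-word diceware list, and the function names are our own.

```python
import math
import secrets

# Constructed word list for this demo (16 words). A real diceware list has
# 7776 words, one for every possible roll of five six-sided dice.
SAMPLE_WORDS = [
    "mug", "sheep", "orange", "lanyard", "fire", "airport", "tree", "grey",
    "marine", "office", "candle", "river", "pencil", "window", "garlic", "ladder",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Bits of entropy in a secret of n_symbols symbols, each chosen uniformly
    and independently from choices_per_symbol possibilities (a word from a
    list, or a character from an alphabet)."""
    return n_symbols * math.log2(choices_per_symbol)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_dice(n_dice: int) -> str:
    """Roll n_dice six-sided dice using the OS CSPRNG, e.g. '31562'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def roll_to_index(roll: str) -> int:
    """Map a roll such as '11111'..'66666' to 0..6**len(roll)-1 (base-6 digits)."""
    index = 0
    for digit in roll:
        if digit not in "123456":
            raise ValueError(f"not a die face: {digit!r}")
        index = index * 6 + (int(digit) - 1)
    return index


def pick_word_by_dice(word_list) -> str:
    """Pick one word with physical-dice semantics: roll enough dice to cover the
    list and re-roll if the result points past its end. Rejection sampling keeps
    every word equally likely even when len(word_list) is not a power of 6."""
    n_dice = 1
    while 6 ** n_dice < len(word_list):
        n_dice += 1
    while True:
        index = roll_to_index(roll_dice(n_dice))
        if index < len(word_list):
            return word_list[index]


def generate_passphrase(word_list, n_words: int = 5, separator: str = "-") -> str:
    """Diceware passphrase: n_words independent picks joined by a separator."""
    if n_words < 1 or len(word_list) < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return separator.join(pick_word_by_dice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"{entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits for 4 diceware words")
    print(f"{entropy_bits(94, 9):.1f} bits for 9 random printable ASCII characters")
    print(f"{words_needed(80)} diceware words reach 80 bits")
```

With a real 7776-word list, four words give about 51.7 bits and five about 64.6 bits; `words_needed(80)` tells you that seven words reach 80 bits. The entropy figures only hold when every word is picked by the dice, which is exactly why the method beats passwords that people make up themselves.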
Unique passwords
Recommendation: use a unique password for every online account. Do not reuse passwords.
Guessing passwords is hard. Attackers can, however, find your password in a data breach (more on this below). Let’s say you used the email address importantjournalist@example.com at a shipping forum which you’re using to research materials, and you used ‘fire-airport-tree-grey’ as your password. Now, unfortunately, the shipping forum did not have good security mechanisms, and its passwords leaked to a cybercrime site. Attackers would inevitably try to use the password found in the shipping forum to log in to your email account. To prevent this attack, all your passwords must be unique.
It might be tempting to use similar passwords for all accounts. For example, what if you used ‘fire-airport-tree-grey-marine’ for the shipping forum and ‘fire-airport-tree-grey-office’ for your email? We recommend against doing so; skilled attackers will figure out your pattern. It’s best that each password is generated freshly. Keeping track of all those passwords might be difficult, but there’s a great tool that can help you with that: a password manager.
Password managers
Recommendation: use a password manager
Remembering many unique passwords can be quite overwhelming–we therefore recommend using tools called password managers, which create, store, and automatically fill in passwords for you. Remember how your web browser or device occasionally offers to remember and auto-fill your passwords for you? This is called a built-in password manager. There are also stand-alone password manager apps such as Bitwarden and KeePassXC. The big advantage of stand-alone password managers is that they work across different web browsers and device models. They also allow you to store additional documents, such as passport scans or other documentation.
At first, using a password manager feels counter-intuitive: why keep all our valuable data in a single place? That’s an excellent question, and there are several reasons for which security professionals keep on recommending them:
You only need to remember one single good password, called the main password. Remembering many good and unique passwords is a tremendous challenge, and password managers allow you to rely on one main password instead.
Some password managers have browser plug-ins that fill in passwords for you. This is not only convenient, but also protects against phishing attacks: the plug-in fills in passwords only on the correct page.
Password managers are protected by this main password through encryption: without your main password, attackers can’t decipher and access the passwords stored in your password manager.
There are two types of password managers: those which synchronize your passwords to a cloud (for example Bitwarden) and those which keep your data in a database stored on your device (such as KeePassXC). Password managers which synchronize to their own cloud make it easy to use multiple devices: if you update or add a password in your desktop or mobile application, it will automatically be added to other devices, too. They use end-to-end encryption to manage and synchronize those password databases. This means that nobody except for you, not even the company which runs the password manager, knows what passwords they store. At the same time, not all users might feel comfortable with sending their encrypted password information to a cloud they do not control. An application like KeePassXC saves the whole encrypted password database locally; the tool offers no cloud of its own. This can give some users greater peace of mind but at the same time means that they need to manually synchronize their password databases, for example by copying them over to Google Drive or a similar service.
Using a password manager is, most of the time, the right choice. We recommend picking one that you find easy enough and convenient to use on a daily basis. To help you pick a particular product we recommend the Electronic Frontier Foundation’s (EFF) discussion of four different password managers here: https://ssd.eff.org/module/choosing-the-password-manager-that-s-right-for-you.
There might be situations where a password manager is not the best choice, though. The EFF’s guide on password managers https://ssd.eff.org/module/choosing-the-password-manager-that-s-right-for-you also helps you to decide if that is the case for you.
Checking for leaked passwords
Recommendation: Look up if any of your passwords have been leaked
Attackers regularly break into websites and gain access to the usernames and passwords; they then publish or sell these in underground markets.
Troy Hunt is a security professional who collects data from these attacks. He runs a free website, Have I Been Pwned, where you can test if your username or password has been stolen in the past. Just type in your username, email, or phone number on the website, and you will see which data breaches it was involved in. The service has an excellent reputation among security professionals and we happily recommend it to journalists as well. Some password managers also integrate the service to regularly check if any of your accounts were involved in leaks or data breaches.
If you notice that one of your accounts was in a breach, we recommend changing the password for this account as soon as possible. If you reused the same password for another account, it would be wise to change it there as well.
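Have I Been Pwned also offers a way to check a password itself without ever sending it to the service, and some password managers use exactly this. The following Python script is an added example, not part of the original guide or of Have I Been Pwned’s own code: it hashes the password with SHA-1, sends only the first five characters of the hash to the service’s real range API at https://api.pwnedpasswords.com/range/, and compares the rest of the hash locally. The sample response embedded in it is constructed for the demo (the counts are made up) so the logic can be exercised offline; the function names are our own.

```python
import hashlib
import urllib.request

# Real endpoint of the Have I Been Pwned "Pwned Passwords" range API.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-character prefix
    that is sent to the service and the 35-character suffix that never leaves
    your machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-terminated in the real service) into a
    map from suffix to breach count. Malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network fetch for one hash prefix. Only the prefix is in the URL; the
    Add-Padding header asks the service to pad the response so its length
    reveals nothing about the range either."""
    request = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "passphrase-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def breach_count(password: str, fetcher=fetch_range) -> int:
    """How often the password appears in known breaches (0 = not found).
    The fetcher is injectable so the logic can be tested without network."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# The counts are made up for this demo, not real figures from the service;
# the all-zero line mimics a padding entry with count 0.
SAMPLE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E2E43C4E3B5A2B7A3D3B9A3F0C8E2D1A0B:12\r\n"
             "00000000000000000000000000000000000:0\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "mug-sheep-orange-lanyard"):
        print(candidate, "->", breach_count(candidate, offline_fetch), "breach hits (sample data)")
```

Only a 5-character prefix leaves your machine; the service returns every suffix in that range and the match is done locally. A count above zero means the password has appeared in a breach and should be changed everywhere it is used, which is the same check some password managers run for you in the background.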
Two-factor authentication (2FA)
Recommendation: use some form of two-factor authentication (2FA)
Many email, social media, and cloud providers offer an additional layer of security called two-factor authentication (2FA). 2FA means that you need one additional thing besides your username and password in order to log into your account. Even when attackers steal your username and password, they will also need this additional thing in order to access your account. A good 2FA-thing is difficult for attackers to steal — we discuss several options for 2FA below.
Physical security keys
The most secure 2FA-thing is a physical security key. It looks very much like a USB pen drive, and works like this: when you log into your account, you insert the security key into one of the USB ports on your device and press a button. Some also work wirelessly using Bluetooth.
The big advantage of physical security keys is that they protect you against phishing attacks (see below): the physical security key only works on websites where you registered it, and not on fake websites.
Physical security keys cost money, though. If you can afford them, we recommend that you use them for your most important accounts; had Bellingcat done so in 2019, they might have stopped a successful cyberattack.
If you decide to use a physical security key, you also need to prepare yourself in case you lose it or it breaks. Most websites provide you with backup codes for this case. But an even better option is to register a second security key that you then keep in a safe location.
Other forms of 2FA
Another form of 2FA works using short codes that you have to enter in addition to your password. When logging in, you’ll get these codes by opening an app on your phone. Since these apps are free, this form of 2FA is much cheaper than physical security keys. One drawback is that attackers might steal one of your codes in a phishing attack. We’ll explain this attack further below.
There is yet another way to get such a code for 2FA, but we’ll only briefly explain it, for historical reasons. Some websites will send you an SMS that contains a 2FA code. The problem is that attackers might be able to attack the telephone network or steal your phone number in a so-called SIM swapping attack. These attacks have been so successful in the past that the U.S. technology standardization body NIST stopped recommending this method more than five years ago: https://www.schneier.com/blog/archives/2016/08/nistisno_long.html
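To show what an authenticator app actually does when it produces a six-digit code, here is an added Python example that is not part of the original guide: it implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms the common apps use, plus the server-side check with a small tolerance for clock drift. The secret and expected codes used to test it are the RFCs’ published test vectors; the function names are our own.

```python
import base64
import hashlib
import hmac
import struct
import time


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI or QR code. Lower case,
    spaces and missing '=' padding are tolerated, as authenticator apps do."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second slot."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(key, for_time // step, digits, digestmod)


def verify_totp(key: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current slot and `window` slots either
    side to absorb clock drift, comparing in constant time. It cannot tell
    whether the code was typed on the real site or relayed from a phishing
    page within the same minute, which is why these codes are phishable."""
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    accepted = False
    for delta in range(-window, window + 1):
        candidate = hotp(key, counter + delta, digits)
        accepted |= hmac.compare_digest(candidate, code)
    return accepted


if __name__ == "__main__":
    # The RFC 6238 reference secret, as it would appear in a QR code.
    demo_key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(demo_key))
```

The code is the HMAC of a counter derived from the current 30-second slot, so any two parties that share the secret and a clock agree on it; the app and the website never exchange anything else. Note what the server-side check cannot do: it has no way to tell whether the code was typed on the real site or on a fake page that forwards it within the same minute, which is the drawback described above.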
Phishing attacks
In a phishing attack, attackers lure you to a fake website and try to trick you into entering your username and password. To learn more about these attacks we recommend the EFF’s guide on phishing https://ssd.eff.org/module/how-avoid-phishing-attacks. Shira has also designed a great phishing quiz to teach users what fake and legitimate email messages look like.
The best way to protect yourself against phishing, other than being vigilant and not clicking on links in messages that look suspicious, is to use password manager autofill and physical security keys, as we described above. Those are two powerful technologies designed to never send information to a false website. We recommend always combining the two: that way, even if one of them somehow failed to protect you, you would still be secured by the other.
Passkeys
Much of what you’ve just read about passwords and 2FA might be out of date soon: a new technology called passkeys intends to replace both. A passkey is a combination of a password and a physical security key that is stored in your web browser, password manager, or mobile device and that allows you to log into websites without entering any passwords at all. Much like physical security keys, passkeys are tied to a specific website and will never give your data to a fake webpage.
All those are great features, but passkeys are still in their infancy: browsers, websites, and password managers are just starting to support them. Not only this, but it’s also currently complicated to create backup copies of passkeys, in case the primary device on which they are saved is lost. Because of this, we still recommend regular passwords and physical security keys for your accounts.
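The reason security keys and passkeys refuse to work on a fake website (as described in the sections on security keys, phishing and passkeys above) is that the browser, not the page, decides which site is asking, and the key only answers for sites it was registered with. The following Python model is an added example, not code from the original guide or from any real authenticator: it plays through a registration, a normal login, a replayed login and a login attempt from a lookalike domain. One simplification: an HMAC secret shared with the website stands in for the key pair a real security key uses, whereas a real key gives the site only a public key. Names such as SecurityKey, Website and browser_login are our own.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_from_origin(origin: str) -> str:
    """The browser derives the relying-party id (the host) from the origin the
    page was really loaded from; a lookalike host is simply a different id."""
    parsed = urlparse(origin)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("security keys only work on https origins")
    return parsed.hostname


class SecurityKey:
    """Model of an authenticator. Credentials are stored per rp_id and the
    per-site secret never leaves the key. SIMPLIFICATION: an HMAC secret stands
    in for the per-site private key; a real key uses a public-key signature
    (e.g. ECDSA P-256) and hands the site only the public half."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, secret)

    def make_credential(self, rp_id: str):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._credentials[rp_id] = (cred_id, secret)
        return cred_id, secret  # 'secret' plays the role of the public key here

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self._credentials:
            return None  # nothing registered for this host: a fake site gets nothing
        cred_id, secret = self._credentials[rp_id]
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # part of authenticatorData
        signature = hmac.new(secret, rp_id_hash + client_data_hash, hashlib.sha256).digest()
        return cred_id, rp_id_hash, signature


class Website:
    """The relying party: it knows its own origin and accepts an assertion only
    if it was made for that origin, its rp_id and one of its unused challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self._verifiers = {}  # credential_id -> verifier (a public key in real life)
        self._challenges = set()

    def register(self, key: SecurityKey) -> None:
        cred_id, verifier = key.make_credential(self.rp_id)
        self._verifiers[cred_id] = verifier

    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._challenges.add(challenge)
        return challenge

    def finish_login(self, cred_id, rp_id_hash, client_data: bytes, signature) -> bool:
        try:
            client = json.loads(client_data)
            if not isinstance(client, dict):
                return False
            challenge = bytes.fromhex(client.get("challenge", ""))
        except ValueError:
            return False
        if client.get("type") != "webauthn.get" or challenge not in self._challenges:
            return False  # unknown or already used challenge (replay)
        self._challenges.discard(challenge)
        if client.get("origin") != self.origin:
            return False  # the signed data says it was made on another site
        if rp_id_hash != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        verifier = self._verifiers.get(cred_id)
        if verifier is None:
            return False
        expected = hmac.new(verifier, rp_id_hash + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_login(key: SecurityKey, page_origin: str, site: Website, challenge: bytes):
    """What the browser does when a page at page_origin asks for an assertion.
    Returns True on success, False if the site rejects it, and None when the key
    holds no credential for the host the page is actually on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    result = key.get_assertion(rp_id_from_origin(page_origin),
                               hashlib.sha256(client_data).digest())
    if result is None:
        return None
    cred_id, rp_id_hash, signature = result
    return site.finish_login(cred_id, rp_id_hash, client_data, signature)


if __name__ == "__main__":
    key, site = SecurityKey(), Website("https://example.com")
    site.register(key)
    print("real site:", browser_login(key, "https://example.com", site, site.begin_login()))
    print("lookalike:", browser_login(key, "https://examp1e.com", site, site.begin_login()))
```

On the lookalike domain the key has no credential for that host and returns nothing, so there is nothing for the fake page to forward. Even if a fake site somehow obtained an assertion, the real site checks that the signed data names its own origin and one of its own one-time challenges, which is the property that password managers’ autofill shares with security keys.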
Account security: further reading
If you received a suspicious message, check out this guide and answer the questions it poses. If you have been locked out of or otherwise lost access to your account, check out this guide and answer the questions it poses.
Who can you trust? Threat modeling basics for journalists
Adversaries and threat models
Before starting a project, it’s useful to do a basic risk assessment. This essentially boils down to these questions:
- What do I want to protect?
- Whom do I want to protect it from?
- How badly do others want to get at my information?
- Who are my allies?
(We’re indebted to the EFF for their invaluable work on security plans–the questions we gave above are modified from their guide)
There are many pieces of information you might want to protect. This could include documents, the names of your sources, your investigation plan, travel plans, personal information about yourself, and meeting locations.
In general, you are trying to protect this data from an adversary, or someone who wants to harm you. There are many different types of adversaries with differing motivations. What unites them is that they want to disrupt our work or get access to our data, be it stored on our devices, in the cloud, or elsewhere.
There will be lots of different adversaries and it’s usually a bad idea to oversimplify our risk analysis by labeling our adversaries with a broad label such as “governments”. Let’s say that you’re based in Berlin and are investigating how a corrupt official in another country purchased a yacht. You will need to worry about the other country trying to access your data or stop your investigation but will likely be far less concerned about the German authorities. If anything, they could be allies and might alert you about risks or threats to your person. Other allies might include colleagues in your newsroom, digital security experts with whom you’re cooperating, your lawyers, and others you trust.
Adversaries differ in their capabilities and in how we should respond to them. Let’s look at some types of adversaries below.
Normal people
Recommendation: use good passwords, lock your device when not in use, watch out for others watching you enter your passwords
This is the easiest type of adversary against whom you can defend yourself. It might include people who are trying to snoop on your communications but are not particularly well resourced–the most they will likely try to do is look over your shoulder while you are typing, try to log in to your account by guessing your password, or look through a device you’ve left unattended. To protect yourself against such adversaries, you only need to take pretty basic steps: make sure you use a good password (see our section on passwords), lock your devices when you leave them unattended, and make sure that nobody can look over your shoulder when you’re working on sensitive documents. You can also place so-called privacy screens on your laptop and phone displays that prevent those next to you from seeing what’s on your display.
Companies you are investigating
Recommendation: don’t give your data to companies you consider an adversary
It’s a good rule to not use the services of a company that could be an adversary: if Google is your adversary, don’t keep your data in a Google drive. If you are researching a telecom company, do not use their services for any work related to this investigation. In theory, such companies shouldn’t access the information of journalists who are investigating them (and this might be illegal). In practice, it’s better to be safe than sorry.
There are other ways in which companies could try to stifle or frustrate your investigation. Some of them might recruit private investigators or law firms and attempt to scare you into abandoning your research. (This happened, among others, with the FT journalists who were looking into Wirecard). This is rare and if you’re worried about this, it’s best to talk to your journalist colleagues and newsroom, who will be best placed to help.
Countries, courts, and governments and companies which store your data
Recommendation: do not store your data in a country you consider an adversary
Different countries have different laws protecting journalists, sources, and the information gathered during reporting. In many countries, the police or a court can force companies to share your data.
Never store information with a company based in a country which could be an adversary. If you have, for example, received leaked data from a German ministry and are writing an investigation on it, store this data on servers and with companies located outside of Germany.
If you can, do not carry sensitive data into a country which could be an adversary. If you’re going on a reporting trip, police or border guards could search you and maybe even ask you to unlock your devices. The less data you carry on you, the better.
Motivated attackers, government-backed attackers and intelligence agencies
Recommendation: configure your devices to use secure settings (we have guides below), watch out where you store your files, keep to all the basic security rules, do not store data in a country you consider an adversary
In the section above, we looked at how police or courts could ask you or companies for data. At other times, governments (or powerful nonstate actors) can attempt to directly break into your devices and accounts.
One way they could do so is through phishing. A phishing page created by a well-resourced actor might look far more convincing than one built by a less sophisticated adversary.
Some governments will use spyware to attack journalists’ devices and steal their data. A targeted person can often be infected without needing to click on anything and they will not usually know that an attack took place. You can configure your devices to make it more difficult for attackers to succeed. We will explain this in more detail later on in this guide.
Adversaries who might search your devices
Some adversaries can compel you to unlock your device and force you to show them its content: for example, border officials or police officers, organized militias, gangs, or other non-state actors who can threaten violence. If you’re worried that you might end up in such a situation, we recommend the following:
- Do not assume that you will be able to talk your way out of this. While experienced journalists know how to fight for their rights and persuade others, their arguments might have limited impact in countries with weak rule of law or when dealing with non-state actors.
- Do your research ahead of time. Talk to colleagues and possibly lawyers on what the security services can ask of you in which places. Ask about how nonstate groups behave and what they are likely to do. Research if a police officer or other security official can ask you for your password or can force you to unlock your devices.
- Carry as little data on your device as possible. If you spoke with a sensitive source, send your notes to your newsroom and then delete them from your device. Same goes for photos and any travel plans. Frequent deletion and disappearing messages are key here. If you need those documents later on, you can always ask your team to re-send them to you once you’re in a safer location such as a hotel.
- Assume that some of your apps might be searched as well, and delete data from those, too. Your map app or taxi app could keep a history of your searches, travels, and saved locations. If possible, delete those histories. If those histories cannot be deleted, it might be best to remove the app and re-install it later on.
- A device that is completely wiped and has next to no data might also look suspicious. Keep some innocent-looking files and conversations, for example chats with close friends. The less you stand out, the better.
- If you are trying to keep where you work secret, make sure that none of your possessions (branded hoodies?) or device login screens advertise your organization. Only log in to your work accounts through a web browser, in a private/incognito window, and close it afterwards–your system will not remember that you accessed those.
- Remember that your password manager and two-factor authentication app keep a lot of sensitive details about both what accounts you have and the login credentials for those. You could back up those apps, send a backup to your newsroom, and restore them once you’re in a safe location such as a hotel (make sure that you’ve practiced this backup process prior to travel; it can be fiddly). Alternatively, you could rename some of the items (and corresponding URLs) in your password manager and two-factor authentication app. What was once called “workemail” and had the credential “journalist@workemail.com” might now be masked as a Facebook login for example. This approach does break autofill and requires you to remember how you masked each email, but remains a low-effort way of evading the attention of all but the most attentive attackers.
Allies, collaborators, and tools
On every project you work on, you’ll have collaborators and allies. Those allies might include authorities in your country, your colleagues, editors, or other professionals (such as lawyers) you work with. It’s worth taking a moment to map out your allies and what kind of support you could receive from them.
Threat modeling: further reading
If you worry that you or your colleagues might be surveilled, check out this guide and answer the questions it poses.
Securing the Tools and Devices you use
Note: we usually don’t recommend or advertise specific tools or services. While this guide occasionally mentions the names of tools, we recommend you rely on additional product comparisons, such as the EFF’s discussion of password managers, mentioned above. We will now briefly explain how we ourselves evaluate tools.
When we evaluate tools we rely on a series of criteria: Has there been an independent security assessment? Is the product open source? Do we trust the organization producing it?
Programmers of tools make mistakes, and these mistakes will make one tool more or less secure than another. Companies pay security experts to find these mistakes in so-called audits: experts look through the programmers’ work and point out any mistakes that they found. Reputable companies and experts are transparent about these audits, and even publish their findings. For example, security experts from the firm Cure53 report about their work here: https://cure53.de/#publications.
Other tools are available as open source: everyone can look at the programmers’ work and decide for themselves how trustworthy the product is. While non-expert users won’t be able to make that decision for themselves, of course, it still provides a level of reassuring transparency.
We trust organizations that have a track record of good behavior: quick to respond to security issues, honest about their mistakes and shortcomings, transparent about how much data they collect about users, and transparent about court requests for user data. Signal is one notable example. Finally, we’ll also consider how other experts and befriended organizations evaluate companies and tools.
What cloud service should you use to collaborate with others?
When you’re working with others, you often want to have a central place where you will keep your files and drafts. There are several different types of platforms on which you could collaborate, including:
- Commercial cloud platforms, such as Google Drive or Microsoft Office 365
- End-to-end encrypted platforms, such as CryptPad
- Platforms that your team can run by itself, such as NextCloud
Standard, commercial platforms
Commercial platforms are easy to set up, user-friendly, and require minimal maintenance. It is easy to collaborate, share data, and work with contributors and editors when using them. Companies like Google or Microsoft have dedicated security teams and experience in repelling state attackers. If you are working on an investigation that might upset governments outside of the US or EU, such platforms are often a viable option.
At the same time, companies have to obey the law: if courts rule that a company has to hand over your data, the company will eventually comply. This is especially true in jurisdictions like the US or EU. Say you are working on a US government whistleblowing story; then it’s best to avoid storing this data with Google.
You might also want to avoid such platforms when working with extremist content: in their efforts to stop the sharing of terror propaganda through their networks, some companies locked the accounts of journalists and researchers who research extremists and store copies of extremist content. While prominent organizations successfully challenged bans, this might prove harder for small newsrooms.
End-to-end encrypted platforms
Platforms like CryptPad are end-to-end encrypted, which means the company managing the platform can’t access your data. It won’t be able to hand over any data to the police, because it doesn’t have access itself. There is one caveat, though: courts might force the company to produce a backdoor. This happened to the email service Tutanota in Germany: https://www.theregister.com/2020/12/08/tutanotabackdoorcourt_order/
End-to-end encrypted collaboration platforms are still in their infancy: they are not as user friendly as standard commercial ones and it can be difficult for many users to collaborate on one document. Big commercial platforms also offer more features for newsrooms, such as the ability to easily manage users and contributors, and more granular restrictions on who can access and edit what content.
For those reasons, we recommend using an end-to-end encrypted platform only for more sensitive investigations, especially those where journalists worry that security services from a US or EU country could request user data.
Self-hosted platforms
Software such as NextCloud allows you to host a server in your newsroom or rent out a server in a data center, and use its software for collaboration. In terms of user-friendliness, such software lies somewhere between standard commercial platforms and end-to-end encrypted ones.
If you keep servers on your premises, you will be alerted every time courts or authorities request the data and you might be able to challenge it in court. However, in order to request data, the police might also decide to search your offices and seize the entire server. If you are self-hosting on a server in a data center, it’s best to check with your lawyers on what power authorities have over it.
Self-hosted platforms require more expertise and maintenance than commercial ones. We recommend you work with IT and security experts in order to set up and operate such a system.
Limit access and audit it regularly
When working with sensitive information, practice the need-to-know principle: only share information with people who need it to do their jobs. If you are working on a sensitive investigation, then only those who are directly involved therein should have access to key files. Similarly, personnel or payroll files should be restricted to only those who need them to do their jobs. In many newsrooms, phishing emails were targeted not just towards journalists but also back-office staff or those involved in monetization or donor outreach. Attackers assumed that such staff might also have access to sensitive documents related to investigations. Limiting access helps protect against both advanced attacks and more basic ones, such as the theft of an unlocked device or a disgruntled employee stealing data.
It’s important to regularly audit access permissions and remove permissions for people who no longer need them. It is a good idea to set a calendar reminder or add it to a checklist any time somebody leaves a project. Removing access can be a difficult conversation, especially with people you know well: codifying a procedure and explaining that you are keeping to it will be much more successful and lead to fewer conflicts than arbitrarily picking whose access to withdraw.
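A permission audit is easier to keep up when it is a script rather than a memory exercise. The following Python example is added here and is not part of the original guide: it compares an export of sharing grants against a project roster and a need-to-know list and reports every grant that should be revoked, applying the three rules from the text (people who are gone, people who left the project, people without a need-to-know). All the data in it (names, projects, paths, dates) is constructed for the demo, and the function names are our own.

```python
from datetime import date, timedelta

# Constructed sample data for this demo.
ROSTER = {  # who works on which project, and when they left it (None = still on it)
    "ana":   {"project": "yacht-investigation", "left": None},
    "ben":   {"project": "yacht-investigation", "left": date(2024, 3, 31)},
    "chloe": {"project": "payroll", "left": None},
    "dev":   {"project": "fundraising", "left": None},
}
NEED_TO_KNOW = {  # resource -> the one project whose members need it
    "drive/yacht-investigation/": "yacht-investigation",
    "drive/hr/payroll.xlsx": "payroll",
}
GRANTS = [  # (resource, user, role), as exported from the sharing platform
    ("drive/yacht-investigation/", "ana", "editor"),
    ("drive/yacht-investigation/", "ben", "editor"),        # ben has left the project
    ("drive/yacht-investigation/", "dev", "viewer"),        # fundraising staff, no need-to-know
    ("drive/yacht-investigation/", "ex-intern", "viewer"),  # no longer in the roster at all
    ("drive/hr/payroll.xlsx", "chloe", "editor"),
]


def review_grants(grants, roster, need_to_know, today):
    """Return a list of (grant, reason) for every grant that should be revoked.
    Rules, in order: unknown user, user who has left, user outside the
    need-to-know project for that resource. Grants that pass are not listed."""
    findings = []
    for resource, user, role in grants:
        grant = (resource, user, role)
        member = roster.get(user)
        required_project = need_to_know.get(resource)
        if member is None:
            findings.append((grant, "user not in roster"))
        elif member["left"] is not None and member["left"] <= today:
            findings.append((grant, f"left project on {member['left'].isoformat()}"))
        elif required_project is not None and member["project"] != required_project:
            findings.append((grant, "no need-to-know for this resource"))
    return findings


def next_review(today, every_days: int = 90):
    """Date of the next scheduled audit, for the calendar reminder."""
    return today + timedelta(days=every_days)


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed 'today' so the demo is reproducible
    for (resource, user, role), reason in review_grants(GRANTS, ROSTER, NEED_TO_KNOW, today):
        print(f"revoke {role:<6} {user:<10} on {resource}: {reason}")
    print("next review:", next_review(today))
```

Run it against a fresh export after every departure and on the calendar date it prints; the output is the list of conversations to have, with the reason already written down so the decision is a rule rather than a personal pick.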
Secure Communication
Recommendation: just use Signal whenever possible
We generally recommend using Signal for communication whenever possible. It is both end-to-end encrypted and stores very little metadata. This means that Signal’s servers know neither what the contents of the message are nor who is messaging whom and when. Even if a court asked them for such data, they would not be able to provide it since they simply never collected it. Signal also introduced usernames, which allow you to connect with others without sharing your phone number.
Many, though not all, other messengers are also end-to-end encrypted, but most collect extensive metadata: even if their servers do not know the content of the messages you send, they still know who is messaging whom and when. While WhatsApp is a solid messenger with good security features and is impossible to wiretap, it still shares data with Meta, its parent company. (Some other messengers, notably Telegram, offer no end-to-end encryption by default and we recommend against using them for any sensitive work.) There are also cases when Signal isn’t the best idea: maybe it’s uncommon in a certain community and your sources would stand out as people with suspicious security needs if they install Signal. In those cases, we recommend WhatsApp.
Messenger accounts are typically registered through an SMS code. If you want to move the account to a new device, the platform will send another SMS. The problem with SMSes is that they are relatively easy to intercept, and some adversaries have managed to abuse this in order to capture people’s accounts, including that of a prominent cybersecurity journalist. To prevent this attack, turn on an additional password on your messenger accounts, so that every time somebody tries to register the messenger on a new mobile phone, they will also need to enter a PIN. Signal calls this feature registration lock while WhatsApp calls it two-step verification.
In general, we recommend not using SMS or standard (non-app) phone calls for any sensitive communication; both of those can be easily intercepted and listened to by a government.
While it’s possible to send and receive encrypted emails using a technology known as PGP, this process is fiddlier than secure messengers. If you would like to try it out, we recommend either Mailvelope (which works on webmail) or the inbuilt features in the Thunderbird email client.
For more information, see also the guide by the EFF about secure communication here: https://ssd.eff.org/module/communicating-others
Device security
Software updates
Recommendation: always apply software updates as soon as possible
As digital rights group EFF put it, “no software is perfect. Programmers make mistakes, best practices get updated, and security problems are discovered over time.”
Advanced adversaries will often try to exploit such security problems to break into your device. Whenever a manufacturer learns of new security problems, they tend to fix them in a software update–one of the main things you can therefore do to keep yourself safe is to always apply software updates. Unfortunately, this also means that a device which is too old to receive software updates is no longer secure and should not be used for any sensitive work. Operating systems, web browsers, office applications, email clients: all receive software updates, and we advise installing them as soon as possible.
Sometimes attackers abuse security problems that manufacturers don’t yet know about. You can’t prevent this fully, but you can configure your devices in a way that makes the attackers’ task as difficult as possible. We’ll explain how to do so in the device configuration guides below.
Keeping data safe on your device
Devices store plenty of sensitive data: Signal messages, documents, notes, photos, and more. By encrypting your device, you can make sure that nobody without your device password can access this data. We explain how to do that (and which devices are encrypted by default) in the device-specific guides below.
Encrypting your device won’t protect you against every attack: someone might steal your device while unlocked, watch or film you while entering your password, or coerce you into giving out your password. The police might also find a way to break your device’s encryption. To protect against all of this, it’s best to only keep data you still need. This is one of the reasons we recommend that journalists use disappearing messages: the data automatically disappears, and you no longer need to worry about deleting it.
Passcodes versus biometrics
You can log into your device through one of two ways: through a password or through biometrics, such as your face or fingerprint.
The password is a classical choice. It does, however, have two downsides: it’s cumbersome to enter a good password dozens of times per day, and you can be watched or filmed while entering it. Cameras managed to capture the passcodes of Kanye West and of digital rights activist and security expert Ola Bini. Modern public surveillance cameras, such as those used in airports, could similarly read passwords as they are being entered.
Biometrics are convenient. They allow you to unlock your device quickly, and they don’t show your passcode to cameras or bystanders. Still, biometrics also have weaknesses. In some jurisdictions, authorities can ask people to unlock their devices using biometrics but are not allowed to ask them for their device passwords.[^1] There are also some scenarios in which it’s possible to bypass biometrics: maybe you have a family member, such as a twin, with a face very similar to yours, or you face a very sophisticated attacker who found your fingerprints on a glass and made a copy. Security services are also likely to have a copy of your fingerprint on file, which they could use to create a fake finger and unlock your devices. We recommend using biometrics only in addition to a password, as GrapheneOS offers.
Device security settings and firewalls
Recommendation: use your operating system’s security settings
Your operating systems have strong built-in anti-malware mechanisms, such as Windows Defender Antivirus, macOS Gatekeeper and XProtect, and Android’s Google Play Protect. (iOS is different by restricting which apps are allowed to run.)
Those tools do a stellar job at detecting and removing known malware which could steal your data. We describe them, and how to ensure that they are enabled, in the device configuration guides below. We do not recommend installing other third-party virus scanners: they do not significantly improve the level of security of your device, and they modify some of your system settings, which could make your system less secure in the long run.
Windows and macOS also come with firewalls: these restrict how other computers can connect to yours. Enabling them usually does not break any apps, but it might help in blocking malicious connections. We thus recommend enabling them unless you have a particular reason not to.
Using new accounts for work devices
When working on a very sensitive investigation, we recommend using a fresh account for your iOS, Android, Windows, or macOS devices. This might seem over the top, but it has two benefits. It helps to prevent accidental data leaks, and it minimizes the chance that attackers find out about these accounts and target them in attacks.
Using different user profiles
Additionally, you should use different accounts or profiles for the management and administration of your devices (with full admin rights) and for your day-to-day work (with limited rights). This can prevent attacks from reaching administrative system components. Different user profiles are also isolated from each other, so an attack on your data in one profile will not expose data from another profile, or will at least make it much harder to reach through the other user profile.
Device security: additional reading
If you are worried about your device acting suspiciously, and it is both up-to-date and has proper security defaults enabled, read this guide and answer the questions it poses. If your device has been lost and you’re trying to figure out how to secure it, read this guide and answer the questions it poses.
Quick intro to encrypted connections and VPNs
Nowadays, most of the data that phones and computers exchange is encrypted: when you load a web page, read your email, or use a messaging app, your device uses several encryption steps to protect your data against prying eyes. In order to learn more about encryption, we recommend the very well written guide by the EFF explaining it in more detail here: https://ssd.eff.org/module/what-should-i-know-about-encryption
Encryption essentially works as follows: when two devices exchange encrypted data, no one but those two devices can make sense of this information. Say you visit the Wikipedia page on Football: your device tells the computers at Wikipedia to send it the Football page, and this communication is encrypted. Someone listening in on this communication cannot tell what it is about: it could be the Football page, the page on Cricket, or something entirely different. What this someone can tell, however, is that your device is communicating with computers at Wikipedia. Imagine a sealed envelope: the postal service can read the address, but cannot look inside it.
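The envelope analogy above can be made concrete. An eavesdropper on a web connection sees not only the destination IP address but also the name of the website in plaintext, because the first message of a TLS connection (the ClientHello) carries it in the Server Name Indication extension; only the newer Encrypted Client Hello mechanism hides it, and this goes slightly beyond what the paragraph states. The following Python code is an added example, not part of this guide: it assembles a minimal ClientHello with a constructed (all-zero) client random and then reads the server name out of it exactly as a passive observer on the network would.

```python
"""Show what a network observer can read from a TLS connection's first
message (the ClientHello) even though the page content itself is encrypted.

Added example. The handshake bytes are constructed here, not captured from a
real connection; only the fields needed for the demonstration are filled in.
"""
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000  # server_name extension, RFC 6066


def build_client_hello(server_name: str) -> bytes:
    """Assemble a minimal TLS ClientHello record carrying an SNI extension."""
    client_random = bytes(32)                # constructed: all-zero client random
    session_id = b""
    cipher_suites = b"\x13\x01"              # TLS_AES_128_GCM_SHA256
    compression = b"\x00"                    # null compression

    host = server_name.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host       # type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry        # server_name_list
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body

    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello the way a passive observer would and return the
    plaintext server name, or None if the message carries no SNI extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                      # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                      # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                         # skip version + random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return None                                      # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        off = 2                                          # skip server_name_list length
        while off + 3 <= len(data):
            name_type = data[off]
            name_len = struct.unpack("!H", data[off + 1:off + 3])[0]
            if name_type == 0:
                return data[off + 3:off + 3 + name_len].decode("ascii")
            off += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("en.wikipedia.org")
    print("observer sees server name:", extract_sni(hello))
```

The page content requested afterwards is encrypted and stays invisible to the observer; the address on the envelope, here the host name and the destination IP, is not. That is exactly the piece of information a VPN, discussed next, is meant to hide from the local network.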
(insert picture of envelope here)
If you also want to hide with whom your device is communicating, then you will need an anonymization technology such as a VPN.
VPNs
Imagine the envelope again. Say you want to send a message to Wikipedia. Instead of sending the envelope with Wikipedia’s address on it, you’ll put it into another envelope addressed to a friend, let’s call them Alice. After receiving your envelope, Alice unwraps it and sends the inner envelope to Wikipedia. The postal service thinks you are chatting with Alice, and Alice with Wikipedia. Wikipedia also thinks that your message came from Alice.
(insert pictures of envelopes here)
In this example Alice essentially does what a VPN does: instead of communicating directly with another device, you send your data to a VPN, the VPN forwards your messages, and also sends messages back to you.
It is important to understand that VPNs require a lot of trust: the data they forward might again be encrypted, but they can observe with whom your device is communicating. So choose your VPN provider accordingly.
From this alone your VPN will know what sites you visit, what messenger you use, and how much you transfer to which service. For this reason, it’s important to pick a VPN you deeply trust. We recommend this piece, in which two technologists analyze various VPNs, look at various use cases and threat models, and figure out which ones to recommend.
VPNs will also hide your IP address from the server you are communicating with: all it will see is that you are using a VPN. If you are constantly downloading data from a state-owned firm that’s located outside of Germany with a Berlin-based IP address, this company might start to suspect that somebody within Berlin is preparing to investigate them. A sufficiently big newsroom could likewise be identified by its IP address alone: some New York Times journalists were readily identified when researching a firm.
We don’t recommend using a VPN all of the time if you are working in a democratic state with strong privacy laws: your telecom or internet service provider might have better privacy rules than your VPN provider does. Still, there are a few cases where we would definitely recommend turning on your VPN:
- When you travel, especially to states which conduct extensive internet surveillance (don’t forget, though, that some states ban the use of VPNs not approved by the government; talk to your editor and others about how you want to proceed when traveling to such places)
- When you are using your devices in a network that you don’t trust, such as a hotel or cafe.
- When you are researching a powerful entity and don’t want them to know that you are looking into them
Once you have turned on a VPN, check that it’s on before starting your work. Look up a webpage which displays your IP address and its location (many exist and can be readily found through your favorite search engine). Open the webpage and check that it displays the location of your VPN server and not your own. Many VPN providers also have webpages (for example this one) which allow you to check if you’re connected to their VPN and if the connection is properly configured.
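One way to turn the lookup described above into a repeatable check, as an added example that is not part of this guide: copy the address(es) the lookup page reports and compare them against the exit ranges your VPN provider publishes and against the address you see with the VPN switched off. The prefixes in the code are constructed placeholders from the documentation address ranges, not any real provider’s or ISP’s ranges. The example goes one step beyond the text by checking IPv6 as well as IPv4, because a common failure mode is that IPv4 traffic goes through the VPN while IPv6 traffic still leaves directly through your own connection.

```python
"""Interpret the result of a "what is my IP address" lookup done with the VPN on.

Added example. VPN_EXIT_PREFIXES and HOME_PREFIXES are constructed placeholders
(RFC 5737 / RFC 3849 documentation ranges); replace them with your provider's
published exit ranges and with the address a lookup shows when the VPN is off.
"""
import ipaddress
from typing import Dict, Iterable, List

VPN_EXIT_PREFIXES: List[str] = ["203.0.113.0/24", "2001:db8:1::/48"]   # constructed
HOME_PREFIXES: List[str] = ["198.51.100.0/24", "2001:db8:2::/48"]      # constructed


def _in_any(address: str, prefixes: Iterable[str]) -> bool:
    """True if the address falls inside any of the given networks (v4 or v6)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p in prefixes if ipaddress.ip_network(p).version == ip.version)


def classify_exit(observed: str, vpn_prefixes: Iterable[str], home_prefixes: Iterable[str]) -> str:
    """Return 'vpn', 'home' or 'unknown' for one observed public address."""
    if _in_any(observed, vpn_prefixes):
        return "vpn"
    if _in_any(observed, home_prefixes):
        return "home"          # the lookup page saw your own connection: the VPN is not in use
    return "unknown"           # neither range matched: the provider list may be incomplete


def vpn_check(observed_addresses: Iterable[str],
              vpn_prefixes: Iterable[str] = VPN_EXIT_PREFIXES,
              home_prefixes: Iterable[str] = HOME_PREFIXES) -> Dict[str, object]:
    """Check every address the lookup reported. A page may show both an IPv4
    and an IPv6 address; the check only passes if all of them belong to the VPN."""
    verdicts = {a: classify_exit(a, vpn_prefixes, home_prefixes) for a in observed_addresses}
    return {"ok": bool(verdicts) and all(v == "vpn" for v in verdicts.values()),
            "verdicts": verdicts}


if __name__ == "__main__":
    # constructed lookup results: IPv4 goes through the VPN, IPv6 leaks directly
    print(vpn_check(["203.0.113.7", "2001:db8:2::10"]))
```

If the result is not ok, do not start working: fix the connection first (for example by disabling IPv6 on the device if your provider does not route it) and repeat the lookup.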
Adblockers
Recommendation: block ads
We recommend that journalists use adblockers on work and personal devices. While valuable conversations are to be had about the ethics of blocking online ads that often bring money to newsrooms, this guide prioritizes security considerations. Ads can be used to deliver malware to your devices, track your browsing activity across the web, and track your location and travels. The US Cybersecurity and Infrastructure Security Agency (CISA) recommended in 2021 that government bodies block ads on their internal networks. This advice became even more relevant in recent years, with a recent report suggesting that authorities purchase data from advertisers to track people’s locations.
We have created detailed security guides for different devices, and those include ad blocking technologies.
[^1]: There are currently many discussions about this in courts and parliaments alike. We prefer not to mention specific places and rules, as this information might become outdated very quickly.