False ideas about technology and digital tools can lead journalists to behave carelessly on the internet, which can in turn compromise their security or that of their sources. In this article, Reporters Without Borders (RSF) takes some common misconceptions about digital security and explains how things really work.

“Incognito browsing mode makes me anonymous.”

Incognito mode prevents a browser from saving browsing history and storing cookies, but all the browsing data is still accessible to Internet Service Providers (ISPs) and governments. Journalists can use additional tools for anonymity while browsing.

“A VPN makes me invisible on the internet.”

A Virtual Private Network (VPN) allows a user to hide their browsing activity from the ISP, and their IP address from websites. However, the VPN itself still has access to all this information, and could be legally bound to share it with governments if requested.

“Encryption makes me invisible.”

Encryption protects the contents of a message from being read by third parties, but does not hide its metadata: the sender, the recipient, the time and the size of the message are all still visible to the messaging app and the ISP, who may be legally obligated to hand over this data to state authorities in certain cases.

“Encryption makes me suspicious.”

Many popular services (WhatsApp, Signal, Google, Facebook) have encryption features built in, so it is not suspicious to use them. Encryption can become suspicious only when it is unusual behaviour, such as in countries where such services are banned or not commonly used, or when a user doesn’t normally use encrypted services but then uses them for a specific task.

“I don’t need to worry about the data that Facebook and Google collect about me.”

It is true that Facebook and Google collect data primarily for the purpose of providing targeted advertising. But the information they collect can be extensive. The data risks being hacked, sold to third parties, or handed over to governments.

“Journalists shouldn’t use Google, Facebook, Twitter etc.”

These services are free, accessible, and practical to use. Journalists should not use them to transfer sensitive data such as chats and photos, but need not ban their use altogether.

“It is not safe to provide my phone number to use two-factor authentication (2FA).”

Experts recommend journalists use 2FA for any account which offers it. Phone numbers are usually accessible to apps anyway, and the boost to security is very powerful. There are code generator apps and physical methods to enable 2FA without providing a phone number.

“To be secure, I can just switch off the internet on my smartphone.”

If a phone is connected to a cell service, it can be tracked whether the internet is on or not. For total security, either turn the phone off, or leave it at home. Be aware that some types of malware can make it look like a device is disconnected, while still transferring data.

“Analogue phone calls are safer than internet calls.”

Telecommunication service providers (TSPs) are able to intercept calls, and are usually obligated to provide government access. Calls over the internet are generally safer if steps are taken to encrypt the call.

“The cloud is not safe.”

Cloud computing is very useful for journalists who want to be able to access their files remotely. There can be risks, however, so journalists are encouraged to use encryption tools and 2FA to make data stored on the cloud much more difficult for an intruder to access.

“Open source services are dangerous because governments can see vulnerabilities.”

This can be true, but the benefit of open source is that the community that uses it can review the code, so it is much less likely that there are vulnerabilities for malicious parties to exploit.