Steps to protect journalists and sources from online eavesdroppers

by Jessica Weiss
Oct 30, 2018 in Digital and Physical Safety

Though journalists have always faced the threat of eavesdropping and espionage, digital attacks are forcing reporters to watch their backs online. 

On the web, the universal way we access most websites, HTTP, for instance, is not encrypted (i.e. secure). This means that accessing information via these sites makes users vulnerable to a number of potential threats. At the very least, eavesdroppers of HTTP sites can see a number of details about a user's behavior on the site, like the pages visited and time spent on each. 

In response, The New York Times is in the challenging process of switching its entire site from HTTP to HTTPs, a communications protocol for secure communication over a network (the "s" stands for "secure"), to protect journalists and readers. On Twitter, New York Times chief technology officer Rajiv Pant recently called on all news sites to move to HTTPs by default by the end of 2015.

Committee to Protect Journalists (CPJ) Staff Technologist Tom Lowenthal agrees it’s time for journalists and media outlets to get serious about mitigating risk. In a recent blog post, Lowenthal outlined the three types of adversaries journalists might face online: passive listeners, active "man-in-the-middle" (MiM) interceptors and advanced persistent threats (APTs). It’s a lot of jargon, but the idea is simple: threats come in three main levels of severity.

Advanced threats, Lowenthal pointed out, are “complex but rare.” Passive eavesdropping, on the other hand, is pervasive. “Most of the time even the NSA, as Edward Snowden's revelations showed, just acts as a passive eavesdropper, able only to look at metadata and read the content of unencrypted communications,” according to Lowenthal.

In the blog post, he lays out a handful of steps journalists can take to ward off everyday eavesdropping threats to protect themselves and their sources. The tips won’t protect journalists from every possible adversary (only the most basic), but Lowenthal says even the lowest-level adversaries are an important starting point.


“Every insecure connection a reader makes is an opportunity to attack that reader with malware and take over their computer,” Lowenthal writes. And it’s easy and inexpensive to do.

Lowenthal recommends journalists use a browser add-on called HTTPs-Everywhere, developed by technology civil rights group Electronic Frontier Foundation. HTTPs-Everywhere maintains a list of popular sites that use HTTPs. Once it's installed, any connection a user makes to one of the registered sites automatically reverts to HTTPs, even if the user hasn't physically typed "https://" into the address bar.

“Journalists working for news sites that aren't available over HTTPs should ask their colleagues why,” Lowenthal recommends.


“Email is a juicy target for eavesdroppers,” Lowenthal writes. “It not only tells them who a journalist is talking to, but what they are talking about, what stories they are considering, and which sources they rely on most. Luckily, any encryption will stymie a passive eavesdropper."

Email's protocol is SMTP, which like HTTP, does not use encryption by default. This means messages are sent between providers in an insecure way, which makes the email vulnerable to eavesdropping. In this state, even a passive eavesdropper can read who a message is from and to, as well as its content, Lowenthal points out.

In many cases, an upgraded version of email which supports encryption is available. To find out if your provider applies, visit Just enter the domain name of your email provider and the site will grade your email encryption, indicating whether incoming messages support email encryption. 

For journalists doing more investigative work, or who might be handling especially sensitive information, Lowenthal recommends PGP (Pretty Good Privacy) software, which provides "cryptographic privacy and authentication for data communication." With the tool, a message is encrypted on the sender's computer and can only be decrypted by the recipient. But keep in mind: tools such as PGP work only when both parties know how to use them.


Communications channels such as text messages, instant messaging and phone calls can also be encrypted. Lowenthal recommends tools such as TextSecure and RedPhone for Android or Signal for iOS.  

Via Committee to Protect Journalists 

Main image CC-licensed by Flickr via Brook Ward.