A project of ICFJ

Digital security do's and don'ts for journalists

Apr 23, 2020, published in Digital and Physical Safety

Journalists around the world are working in completely different environments. A journalist in Spain doesn’t face the same security concerns as a journalist working in Iran. But when it comes to digital security, everyone needs to take steps to protect their data, their communications and their sources.

A crackdown on press freedom across the globe has led to increasingly hostile environments, making the need for security even more pressing. Now, as we face new conditions during the COVID-19 global pandemic, we’ve become ever more dependent on the internet to carry out our reporting and collaborate effectively. Making sure we’re doing so safely — for ourselves and our colleagues, as well as for our sources — requires that we stay up to date on the latest tools and best practices in digital security.

During IJNet’s webinar on digital security, Rajan Kapoor, director of security at Dropbox, and Sérgio Spagnuolo, former ICFJ TruthBuzz Fellow and head of data journalism agency and consultancy Volt Data Lab, shared tips and tools that journalists can use to protect themselves, their data and their story.


Utilize two-factor authentication

This is a first, basic step for data security. Kapoor explained that by using two-factor authentication for your logins, you can block hackers from getting into your account or accessing your data even if they have your password. He also recommends setting up a recovery method, like a backup two-factor authentication method, and saving recovery codes so you don’t get locked out of your account.

When you set up two-factor authentication, Kapoor suggests using an authenticator app instead of SMS. He uses Duo, but there are other options as well. 


Look into encrypting your data, both in transit and at rest 

“Encryption is the concept of taking your data and scrambling it using a key,” Kapoor said. What this means is that even if someone is able to access the data, it will be unreadable without the key that unscrambles it.

To ensure your data is safe, Kapoor said you should look for two things with every service provider: encryption in transit and encryption at rest. Encryption in transit ensures that the data is encrypted when it leaves your device going to the cloud service provider and as it travels across the internet. Encryption at rest means that the provider encrypts the data when they store it for you. 

Get a virtual private network (VPN)

A VPN allows you to browse the web securely through an intermediary server. All of your internet traffic is directed through that server, which protects your internet activity from anyone trying to snoop on you and masks your IP address to preserve your privacy.


VPNs are typically subscription services, and they can be installed on smartphones as well.

While VPNs are useful, they shouldn’t be used as a catch-all for digital security. “VPNs are a good tool to mask your IP address, but not necessarily privacy protectors,” Spagnuolo said.

Kapoor warns that it’s important to do your research before selecting a VPN. You have to be able to trust that the provider is not recording and sharing the list of websites you visit. 

“There's a lot of sketchy VPN providers out there who actually have designed their service just to mine your data,” Kapoor said. “They are not a bulletproof way for protecting your privacy because if your service provider is hostile or trying to track you, they can still do that with things like cookies.”

We’ll include some recommended VPNs at the end.


Manage the number of people, and applications, with access to your account

“One thing you really don't want to do is to start sharing accounts, or setting up one account between multiple people,” Kapoor said, “because you just don't know if that account has been compromised and someone else is logging in.”

Many services ask to link to other applications such as your calendar, email, social networking sites and more. Limit the number of connected apps to only a small number of those you trust, and be cognisant of the data that you’re sharing with outside services. Review the apps connected to your services at least once a year and remove any you are no longer using.


Don't openly share document links, especially with sensitive data

Journalists rely on document sharing with colleagues and editors. It’s important, however, to monitor who has access to the documents and how much they can see. To begin, both Spagnuolo and Kapoor recommended never openly sharing a document link if the document contains sensitive data, but instead inviting only certain contributors. This prevents the document from being shared widely.

Spagnuolo also noted that by inviting people to a Google Doc, not only do they have access to the information in the document, they also have previous versions and metadata that may have had contact information, names of sources or locations. Before you share a document — through Google or elsewhere — make sure you have scrubbed the metadata using a tool, or copied the final version to a new document, and share the new version. 
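An added example (not from the webinar or the original article) of checking a Word file for the metadata described above before sharing it: it lists the author fields in the file properties, flags leftover tracked changes and comments, and blanks the author fields. The sample document and the names in it are constructed, and the function names are hypothetical.

```python
import io
import re
import zipfile

# People-identifying fields in docProps/core.xml (assumes Word's usual dc:/cp: prefixes).
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy")
CORE, BODY = "docProps/core.xml", "word/document.xml"

def build_sample_docx() -> bytes:
    """Constructed sample: .docx-style ZIP with made-up names and one tracked deletion."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            "<dc:creator>Example Source</dc:creator>"
            "<cp:lastModifiedBy>Example Reporter</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    body = ('<w:p><w:r><w:t>Final text</w:t></w:r><w:del w:author="Example Reporter">'
            "<w:r><w:delText>old draft</w:delText></w:r></w:del></w:p>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CORE, core)
        z.writestr(BODY, body)
    return buf.getvalue()

def audit(docx: bytes) -> dict:
    """Report identifying properties plus leftover tracked changes and comments."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = z.namelist()
        core = z.read(CORE).decode() if CORE in names else ""
        body = z.read(BODY).decode() if BODY in names else ""
    hits = {t: re.search(rf"<{t}[^>]*>([^<]+)</{t}>", core) for t in IDENTIFYING}
    people = {t: m.group(1) for t, m in hits.items() if m}
    return {"people": people, "comments": "word/comments.xml" in names,
            "tracked_changes": bool(re.search(r"<w:(del|ins)\b", body))}

def scrub_core(docx: bytes) -> bytes:
    """Blank the identifying core properties; copy every other part unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE:
                text = data.decode()
                for tag in IDENTIFYING:
                    text = re.sub(rf"(<{tag}[^>]*>)[^<]*(</{tag}>)", r"\1\2", text)
                data = text.encode()
            dst.writestr(item.filename, data)
    return out.getvalue()
```

Blanking the file properties leaves the tracked deletion in place, which is why copying the final text into a new document is the safer of the two options.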

Kapoor demonstrated on Dropbox how a user can add extra levels of security when sharing a document, such as a password and a time limit on the recipient’s access.

Don’t reuse passwords across services 

To prevent hackers from gaining access to your passwords across sites, don’t reuse the same passwords over and over again.

“If an attacker is able to breach a site and is able to access usernames and passwords, they go to all of the major cloud service providers immediately, and they try to reuse the usernames and passwords that they already have,” Kapoor said. 

Spagnuolo said that by creating unique, difficult passwords of 10 characters or more, you’re adding a level of security to your password. He suggests using passphrases — strings of random words — and then personalizing them with characters and capitalization. You can even use song lyrics, he said. 

Keeping passwords straight is a challenge, but Spagnuolo recommends never saving them within a browser. Instead, both Kapoor and Spagnuolo suggest using a password manager like 1Password, or storing them in an encrypted file.

Don’t treat all data the same

If you’re holding a public webinar or discussing mundane topics at the office, this data likely doesn’t need top-notch security. In these cases, you can use regular cellular services, video conferencing tools or chat apps. But make sure you are aware that your connection might not be completely secure.

If you’re talking to a source or working on a story with sensitive information, you’ll want to consider the methods you’re using. Both Spagnuolo and Kapoor suggest using Signal for sensitive conversations, whether over chat or audio.

There are also certain data or files that you might want to encrypt yourself when you store them locally on your laptop. 

“If someone were to get access to your laptop or your hard drive, they wouldn't be able to look at the data that's on there,” Kapoor said. 

For this, both Kapoor and Spagnuolo recommend full-disk encryption, which can be built into your devices.

“Just make sure you don't lose your password, otherwise you'll never be able to retrieve the data,” Spagnuolo added.


Spagnuolo created a toolbox with a number of tools broken down into three categories: privacy and security, browsers and search, and documents and data. These include VPN suggestions, encryption services, collaborative tools and more.

Main image CC-licensed by Unsplash via Jon Moore.