Cybersecurity for journalists: How to defeat threat actors and defend freedom of the press


When you’re a journalist or work for the press, there may be times when you need to take extra cybersecurity precautions—more so than your Average Joe. Whether a reporter is trying to crowd-source information without revealing their story or operating in a country where freedom of the press is a pipe dream, cybersecurity plays an important role for any journalist producing work online—which is essentially every journalist today.

While the stakes may be a little higher for reporters in war zones, on crime beats, or in political journalism, all writers with public bylines, newscasters, press agents, photographers, and other journalism staff need to consider cybersecurity best practices a priority. Protecting personally identifiable information, online accounts, and proprietary data is not just a nice-to-have for journalists. It’s fundamental to the integrity of their professional reputation—and trust in the press in and of itself.

What happens if a hacker “outs” a source whom a journalist promised anonymity? Could that source experience retribution or physical harm? What if a cybercriminal could access national stories and change content to be untrue? Already, misinformation is rampant on the Internet.

If Facebook won’t ban all-out lies in political ads, it’s up to our newspapers and publishing outlets to defend the truth. And one way they can better do so is by increasing cybersecurity defenses and awareness.

Why journalists need cybersecurity

There are many valid reasons for journalists to better educate themselves on cybersecurity and consider investing in some security tools, but some of the most important are:

  • Protecting sources’ PII, especially locations, identities, and titles
  • Hiding from authorities who might be trying to kill a story or force you to reveal a source under penalty of law
  • Keeping data secure and private if you are asked to turn over a device
  • Securing communication when you fear eavesdropping, bugging, or other forms of online surveillance
  • If writing under a pen name or pseudonym, preventing online harassment or doxing

As any journalist worth her salt knows, if your anonymous sources become public knowledge, no one will want to talk to you, much less reveal confidential information to you, again. There goes your livelihood.

In some countries and under some circumstances, journalists may not want to reveal what they are working on or where they are working on it. Being able to conduct investigations “off the grid” is key in these conditions, as is making sure your best-kept secrets and tomorrow’s scoop aren’t revealed in data leaked online or easily scraped from an unlocked device.

Communications can be intercepted, no matter which type. Even face-to-face conversations can be overheard or eavesdropped on. But reporters’ juicy interviews may be of particular interest to cybercriminals, especially nation-state actors conducting longtail reconnaissance on high-profile targets. Whether you’re talking to the local baker for a human interest story or sitting down with the Director of National Security, it is wise to assume you are under surveillance—or could be if you don’t take precautions.

Unfortunately, many journalists know first-hand how publishing online can invoke Internet ire via commenting trolls and rage-filled Tweetstorms. A thick coat of armor is necessary to withstand the sometimes needlessly cruel and personal feedback; many an online reporter has booked therapist appointments accordingly. But additional cyber defense is necessary to ensure physical protection from harm, as well as to shield from harassment and doxing attempts.

Cybersecurity methods and tools

Not every journalist needs all of the cybersecurity methods and tools listed below, but they should at least have a basic understanding of what these methods can do for them, and how to apply them when necessary.

  • Data encryption
  • End-to-end encrypted communication (email, chat, videoconferencing)
  • Deleting metadata
  • Disabling location services when necessary
  • Creating secure backups, either to the cloud or to external hard drives
  • Private browsing and other online activities
  • Deleting navigation history and cookies
  • Using caution when activating IoT devices that may be vulnerable or insecure; for example, don’t use Alexa to dial an anonymous source
  • Using a VPN to anonymize Internet traffic
  • Educating yourself on basic cybersecurity hygiene, and implementing a few technology solutions, including an AV/anti-malware, firewall, password manager, 2FA, and updating any software when patches are ready

Data encryption and creating secure backups are closely related. When your device falls into the wrong hands, you don’t want a criminal to be able to simply exfiltrate all the data you have gathered on it. Encryption can make reading the data hard, or impossible, for those who don’t have the key. And if you do lose a device, its securely backed-up data can be accessed elsewhere.

Encrypted communication is a bit more challenging. The more sophisticated the method of communication, the harder it seems to render it secure.

Encrypting email is fairly easy. Many have done it before you, and how-to guides are readily available. Using end-to-end encrypted chat is a matter of choosing the right software. Real end-to-end encryption means the information is encrypted with a secret key held only by the people communicating, rather than being sent in plain text. All you need to do is find a trustworthy app that both parties can use. The same is true for video conferencing software, though it may be harder to find familiar names that also offer end-to-end encryption.

Your location can be given away in more ways than you may realize. It is not only a matter of turning off location access completely. Your local time, IP address, and list of Wi-Fi networks you used can also give someone at least a crude idea of where you are or have been.

When it comes to keeping your location a secret, also remember to delete the navigation history of your car, browser, or other device used to find a physical address. Also make sure that the rental “connected vehicle” has been reset, so the previous user can’t keep track of you on his phone.

For photographers, it’s also relevant to delete metadata, as it doesn’t always just include technical and descriptive data, but can also contain a GPS location.

While browsing, it pays off to use a browser that was developed with your privacy in mind, or to use a well-vetted plugin or extension that protects privacy. Add a VPN to your toolset to hide your true IP. Using a VPN may itself signal that you are up to something, and not every VPN provider will treat your data with the same respect, so do some digging into their background and track record before you decide which one to use.

Recent articles have made us aware of the fact that some of our IoT devices are eavesdropping on us. So, when you are having a private conversation that needs to stay private, check your surroundings for devices that could be listening and make sure they can’t hear or relay your talk.

With all this in mind, don’t forget about basic cybersecurity hygiene and awareness. We can’t say this enough: Keep your software up-to-date, patched, and properly configured. Use an anti-malware solution and at least a basic firewall. Use 2FA where possible, and password-lock all your devices. Clear your browser cache and search history.

Another basic principle when you are a public figure and don’t want to be doxed or harassed is a strict social media regime. Consider everything you post to be public to the world, even if you have a private account, or separate your journalist account from your personal one, with zero links between the two.

Recommended reading: Cybersecurity basics

If you are not skilled in cybersecurity, do not be ashamed to ask for help setting up your defenses. And know who to contact if anything goes south, even after all your efforts. Also do not assume that your employer is on top of your secure communications: Ask about it.

Resources for journalists

This list is not exhaustive, but it gives you an idea of what’s available:

The Assistance Desk of Reporters Without Borders (RSF) provides financial and administrative assistance to professional journalists and citizen-journalists who have been the victims of reprisals because of their reporting.

To report a press freedom violation, you can contact the appropriate Committee to Protect Journalists (CPJ) regional staff. All information is confidential. Contact details per region can be found on the CPJ website.

Totem offers digital security training specifically for activists and journalists. It helps them use digital security and privacy tools and tactics more effectively in their work.

Citizen Lab’s Security Planner aims to improve your online safety with advice from experts. All you need to do is answer a few questions and get personalized online safety recommendations.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.