Online Privacy Guide for Journalists – How to Protect Your Sources

While all of us should be concerned about protecting our privacy online, there are other users for whom protecting their private information could literally be the difference between life and death, or at the very least, imprisonment.

Journalists have a strong need to protect both their own privacy and the privacy of their sources. This is true around the world, as numerous countries have been known to imprison journalists and their sources. Meanwhile, in other parts of the world, journalists could face legal action to try to force them to reveal their sources.

In this article, I’ll share the many security measures journalists can use to protect themselves and their sources from having their privacy violated. These measures range from using technology to simply playing it smart.

1. Play It Smart in the Real World

Many readers might automatically put some of the tips in this section in the “DUH!” column, but there may also be some readers who need to see them.

Just like you should never write passwords on a post-it note and stick it on your monitor or slide it into your desk drawer, you should never write notes down about your sources or the information they give you.

For that matter, don’t type it into a note-keeping app on your computer or mobile device. If you do use an app of this type, make sure it is password-protected and encrypts all entries.

Also, always act as if you’re being followed or tracked. Public security cameras and other methods of tracking individuals are a way of life in many countries. Never meet a source in a public location if at all possible. We’ll discuss more about this in some of the following sections of this article.

2. Make Sure Your Sources Are Educated About Privacy

Privacy is a two-way street, so make sure all of your sources are educated on ways to protect everyone’s privacy. If they are not protecting things on their end, all of the privacy steps you’re taking will be for naught. If you have to, send them a link to this article.

3. Be Cautious

As I previously mentioned, you should always act as if you are being tracked or monitored, because there is a very good chance that you are. Security cameras on every street, doorbell cameras, GPS tracking and cell signal tracking in your smartphone – it seems as if everything is tracking you.

Consider not carrying your smartphone or wearing your GPS-enabled smartwatch when you meet a source. If you need a phone to set up a meeting, do it on a disposable and cheap “burner phone.”

Be aware of your surroundings. If possible, avoid meeting in public places. Heck, Twitch streamers love taking their audiences along with them when they go out for coffee or for a walk. It’s a long shot, but they might get you and your source in the shot with them. There goes your plausible deniability. (Admittedly, this is thinking outside of the box.)

4. Protect Your Digital Communications

You will need a way to communicate with your sources, and sometimes the only way to do so is via a voice call. However, always think twice before using a landline or your smartphone to conduct such conversations.

Even if no one is listening in to your voice calls, there is incriminating information being recorded about the call, just as a matter of normal business. Every telecom company records information about their customers’ calls. This sensitive data can include the date and time of the call, the caller’s number and the answering party’s number, the call’s duration and more.

If you need to have a voice conversation, consider doing it only over a burner phone or by using end-to-end encrypted calling apps like FaceTime on your phone or computer.

You can also use end-to-end encrypted text messaging apps, such as Apple’s iMessage system, to protect text conversations. (Keep in mind, though, that iMessage only protects conversations between Apple devices. If you’re texting with an Android user, the conversation is unprotected on the Android end of things.)

If you need to protect your texting between Android and Apple devices, consider using WhatsApp or another end-to-end encrypted instant messaging system, such as Signal.

5. Use Anonymous Communication Methods

The initial contact between a journalist and their source can be tricky. How can you make initial contact to set up identification and preferred methods of secure communication?

Luckily, there are ways to get around this, thanks to platforms like SecureDrop, GlobaLeaks and Secure Connect. These platforms facilitate anonymous contact or the anonymous sharing of documents. They are used by numerous well-known publications to allow for private sources and whistleblowers.

When using these services, I strongly encourage the use of the Tor Browser to ensure total privacy. These services will remind users to upload using Tor. More about the Tor browser in a later section.

6. Encrypt All Information

Always make sure to encrypt your computer or mobile device’s storage. This includes any external drives you may use with your computer. Full disk encryption protects all of the sensitive data on your hard drive, making it nearly impossible to view the data on the drive or device without knowing the password.

On a Windows 10 Pro PC, you can use utilities like BitLocker to encrypt your hard drive. On a Mac computer, you can use macOS FileVault to encrypt your Mac’s hard drive.

As for mobile devices, both Android and iOS include encryption for your device, and the data can’t be read without entry of your PIN code, fingerprint or Face ID.

7. Protect Yourself by Using Strong Passwords

The best protection for your computer, other devices, and every account you use is a strong and unique password. We’ve discussed proper password use in the past, and that advice remains the same today – password security is a must.

Never use the same password on multiple accounts, computers or other devices. Arguably the biggest risk of any data breach, be it corporate or personal, is that hackers will use login information from a data breach to try to access accounts on other websites and services.

Secure passwords will be lengthy (at least 10 characters) and should include a combination of upper and lower case letters, numeric characters and special characters ($, %, &, #, @ and others).

While this makes it tougher to remember your passwords, there are password managers available that can both create and store all of your passwords. Password manager apps include offerings from 1Password, Dashlane, LastPass and others.

8. Use Two-Factor Authentication When Available

Two-Factor Authentication (2FA) is a method of authentication that requires a second piece of identification. The two pieces are usually a piece of sensitive information that the user knows, such as a password, and something the user has.

The secondary piece of information could include a temporary alphanumeric code sent via text or email, a fingerprint or a facial or retina scan, a one-use code from a key fob, or other forms of secondary verification.

You are likely familiar with this method from logging into your bank account for the first time, or even from logging into a social network, such as Twitter.

9. Keep Your Documents Secure

You should always password-protect all important folders and the documents those folders contain. While the bad guys or authorities might be able to eventually decrypt the documents, it will take valuable time to do so.

If at all possible, don’t use standard cloud storage services like Dropbox, iCloud or Google Drive. Instead, use services like OnionShare and SecureDrop. Both of these services allow you to share and accept documents in a secure manner. At the very least, encrypt your files before uploading them to the cloud.

10. Encrypt All Emails and Messages

Encrypt your emails by using S/MIME or PGP/MIME, depending on the email client you use. You can also use Hushmail. However, keep in mind that even if your emails are encrypted, quite a bit of information, such as sender, receiver, time, date and subject line are all still visible to outsiders.
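The point about visible metadata can be checked directly. The following added example (not part of the original article) parses a constructed PGP/MIME message with Python's standard `email` module and reports which headers remain readable even though the body is encrypted; the addresses, subject and function names are made up for illustration.

```python
import email
from email import policy

# Constructed sample PGP/MIME (RFC 3156) message; the addresses, subject and
# ciphertext are placeholders made up for this example.
RAW_MESSAGE = """\
From: reporter@example.org
To: source@example.net
Date: Tue, 05 Mar 2024 21:14:09 +0000
Subject: Documents from the procurement office
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers that show who wrote to whom, when, and about what.
METADATA_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Received")

def is_encrypted(msg):
    """True when the body is a PGP/MIME or S/MIME encrypted container."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":  # PGP/MIME
        return True
    # S/MIME: only enveloped-data is encryption; signed-data is not.
    return (ctype == "application/pkcs7-mime"
            and msg.get_param("smime-type") == "enveloped-data")

def exposed_metadata(raw):
    """Return (body_encrypted, headers still readable in cleartext)."""
    msg = email.message_from_string(raw, policy=policy.default)
    exposed = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    return is_encrypted(msg), exposed

if __name__ == "__main__":
    encrypted, exposed = exposed_metadata(RAW_MESSAGE)
    print("body encrypted:", encrypted)
    for name, value in exposed.items():
        print(f"cleartext {name}: {value}")
```
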

Disposable email accounts are a valuable tool for both journalists and their sources. Services like Mailinator provide a free disposable email address, keeping your email communications anonymous. Private-Mail is a pay-for-play encrypted email service that also protects your email by using strong encryption.

11. Keep Your Browsing Private

When you are investigating a story or are doing research for an article, you’ll want to keep your browsing activity as private and anonymous as possible.

First of all, don’t be fooled by “private browsing” mode on your browser. While this mode may not save your browsing history, and deletes cookies when the browsing session ends, it does not hide your online travels from your Internet Service Provider or other third parties that may be monitoring your internet usage.

I’m not saying that private browsing is a bad thing. It’s only one of many steps you should take to keep your browsing private. You should also delete your cookies, internet cache, and your browser history after each browsing session.

To keep third parties from monitoring your online activities as they occur, I strongly suggest using the Tor Browser and a Virtual Private Network (VPN). More about that a bit later on.

12. Use the Tor Browser

Users who are serious about browsing the web without being tracked will want to investigate the advantages of using the Tor Browser.

The browser uses the Tor (“The Onion Router”) network to anonymize your web browsing by encrypting your internet connection and bouncing your connection around the net via a series of volunteer relay stations around the globe.

The connection is encrypted at each relay along the way, and the “bouncing” of the connection obfuscates your actual IP address. This prevents anyone from detecting your original IP address and your actual geographical location. Journalists and activists located in overly restrictive countries have used the private browser with much success.

Keep in mind that the Tor Browser only encrypts your traffic through the browser, leaving the rest of your computer or device’s online traffic open to being monitored. To encrypt your other traffic, you’ll need to use a Virtual Private Network (VPN).

It should also be noted that your ISP can tell when you’re using the Tor Browser, which can put you on certain “watchable” lists. Using a VPN with the Tor browser also helps avoid this.

13. Use a “Live” Operating System

If you’re looking for a way to browse the internet and have all of your online activities vanish into the ether, investigate a “live” operating system distro.

Live operating systems boot from a CD/DVD or a USB stick, allow you to securely browse the internet and perform other tasks, and save no sensitive information to the computer the distro is used on. This means there is no evidence of your activities once you turn off the computer you were using.

One such distro is Tails. Tails is a live operating system offshoot of the Debian GNU/Linux operating system. All network connections are routed through the Tor Network, and any apps that attempt to access the internet directly are blocked from doing so. (The distro can also be configured to use the anonymous I2P network.)

14. Don’t Use Google or Bing

When you’re researching a story, you’ll likely do plenty of searches on the internet. While your first impulse is to use Google or Bing for those searches, you need to resist the temptation.

Google, Bing and most other search engines track and store a history of your searches, making it easy for savvy users to find out way too much about your online activities. They do this so they know which ads to show you, which is how they make a large portion of their income.

While you can limit the information saved by these search engines, and even erase your past search activity, you are still tempting the online privacy gods.

Instead of Google and Bing, use an alternative, privacy-protecting search engine, like DuckDuckGo or StartPage. Neither of these search providers tracks or records your online activity, so there is nothing to share or expose.

15. Run AntiVirus Software and Anti-Malware/Spyware Protection

Spyware (a form of malware) is often used by hackers, government surveillance agencies and other nosy types to monitor and track information and usage on computers and mobile devices. Spyware can infect your devices via malicious links and attachments in emails and text messages, or if a bad guy has a few moments when he or she is left alone with your device.

Always run reliable antivirus or anti-malware protection on your computer and mobile device. Reliable protection for your desktop, laptop and mobile devices is available from Malwarebytes, Bitdefender, Kaspersky and other providers.

If you believe your smartphone may have been infected, check out this article for more cyber security information on how to detect and remove malware from your device. For more information on malware detection and removal on your Windows machine, read this article.

16. Always Use a Virtual Private Network

If you’re using an unprotected WiFi connection, anyone can monitor your online activities. This means your ISP, hackers, government agencies – literally anyone with the right knowledge and tools – can monitor your internet travels.

Always use a Virtual Private Network (VPN) when connecting to the internet. A VPN encrypts internet traffic, hiding your online activities from prying eyes and protecting your real IP address from being detected.

This can especially be handy when you’re forced to use an unprotected WiFi hotspot, such as those found in airports and coffee shops. Most of these hotspots don’t have encrypted connections, meaning all of your online activity is open to being monitored. A VPN’s encrypted connection prevents monitoring, keeping your internet activities safe from prying eyes.

A VPN is also a handy tool for journalists located in overly restrictive countries where internet access is closely monitored and controlled. In addition to hiding your online activities, a VPN also enhances them by providing your device with an IP address located in another part of the world, opening access to websites and services that might normally be blocked.

Remember, while a VPN keeps your online activities undercover from most third-party observers, the VPN provider can see your activity. Some VPNs will record this information for sale to advertisers and other interested parties, such as the government.

This means you’ll want to only use VPNs that keep no logs of any kind on their servers. No logs equals no evidence to bite you later. I recommend ExpressVPN, which is a top-notch VPN provider that takes the privacy of its users quite seriously, keeping no logs of any kind.

In Closing

As we’ve seen above, online security is key. It is extremely important for journalists to protect their sources and any whistleblowers that share information with them. By using the tips and tricks listed above to keep all of your communications and research private, you’ll ensure your story will be told.

Journalists Online Privacy FAQ

Is It Important to Do a Security Audit on My Installed Apps?

Security is an all-important factor, especially for journalists. While both the iOS and Android app stores are closely curated by Apple and Google, respectively, malware can sneak onto your device via email and text message links and attachments.

This makes performing a security audit on your device, either with the device’s built-in capabilities or by running antivirus and anti-malware apps on your device or computer, all-important. I suggest running such audits weekly, or even daily if possible.

As a Journalist, Should I Be Concerned About Surveillance Devices?

My advice for anyone concerned about their security is to always act as if you’re being watched. Think and act like a spy. Always use PGP email encryption when communicating with your sources and make use of secure services like SecureDrop when sharing information.

I Am a Photojournalist, Where Can I Securely Store My Photos?

Photojournalists can save their photos to external hard drives, USB storage sticks and the cloud.

I strongly recommend that, no matter which media you store your photos on, you encrypt and password-protect all files. Encrypt your external drives with the built-in encryption features of Windows and macOS, and perhaps zip your photos using an encryption password before uploading them to the cloud.
