Journalists should be aware of the dangers of digital attacks, including through hacking, phishing, and surveillance, and should take steps to protect themselves, their sources, and their work.
To minimize the risks:
Secure your accounts:
- Common password managers such as 1Password, LastPass, or Dashlane help protect your accounts.
- All your passwords should be different and tough for computers to crack. Random eight-word passphrases are hard to crack but easy to remember if you type them often.
- Turn on two-factor authentication (2FA). 2FA protects your accounts even if someone learns your password. Options from best to worst include a security key that can't be phished, a code-generator app on your phone, and codes sent via SMS/email. You can lock down a Google account even further by turning on Advanced Protection.
- Audit your accounts regularly. Every major service lets you look at the places you are logged in and the apps with access to your account. Check for rogue access monthly.
Secure your devices:
- When possible, turn on full-disk encryption on all your devices. iOS devices have it turned on by default. On MacOS it is called FileVault, on Windows it is BitLocker, and on Android it is listed as device encryption.
- Lock your screens automatically after two to five minutes. Use a strong PIN or passphrase. Fingerprint unlock is OK, but turn it off before sensitive encounters such as border checkpoints or when covering protests.
- Always install software updates immediately to protect yourself from malware. Automatic is best wherever possible. Antivirus software does not help.
Use the safest software you can:
- Use Chrome. Bolster your security with HTTPS-Everywhere to use secure connections wherever possible; uBlock Origin to protect against "malvertising" (the use of advertising to spread malware); and Privacy Badger to protect against online tracking.
- Install minimal software and extensions. Every piece of software is a potential vulnerability. Experts report that PDF readers and business software suites are particularly risky. They advise that you view PDFs in Chrome and use Google Docs instead.
- Use the safest devices you can. Experts advise that the safest laptop is a Chromebook and the safest mobile device is an iPhone, iPad, or iPod Touch.
- Use safe texting apps. Signal, Wire, WhatsApp, or Facebook Messenger's secret conversations are the current best options. Do not rely on the privacy of email.
- Protect yourself from phishing. Check the details of a sender's contact details carefully to see if they look legitimate. A password manager will never fill your password on a phishing site, and Chrome will try to protect you. Be suspicious of messages, even if they appear to come from someone you know.
- Pick good providers. Look for "end-to-end" or "zero knowledge" encryption but beware of overblown claims such as "uncrackable," "NSA-proof," or "military-grade." Be aware of legal attacks as well as technical ones. Google is one of the safest places for your data.
- Consider using a VPN. VPNs conceal your network traffic from your Internet Service Provider or mobile provider.
For additional information on digital safety support, visit CPJ's resource center. Citizen Lab's Security Planner provides an excellent resource for digital safety.