Reporting can involve researching and contacting people who pose a threat to you or the media outlet you work for. Using personal devices and accounts to do so could expose you to harassment and identity theft, since using your phone or the internet can reveal information about you and your location such as your email or Internet Protocol (IP) address. Take steps to protect yourself before reaching out.
- Search your subject to see if they have a history of harassing journalists who report on them and whether the risks are digital, physical, or both.
- Review safe online research practices below before you visit a subject’s website or other digital platform such as chat rooms or Facebook groups.
- Discuss your story and its risks with your editor to find out what support will be available as you investigate and publish it.
- Carry out a risk assessment, and review and update it regularly throughout your investigation.
- Weigh the risk of investigating the story against the reward. Is the risk significant?
- Purchase a separate phone and SIM card or virtual phone number from a service like Google Voice for the story. Review the safer communications section below.
- For very sensitive stories, consider using Tails, a portable, secure operating system for any computer. Seek help from a security specialist to set it up.
- Imagine someone searching online for data that they can be use to harass, intimidate or discredit you. Review your profiles to see what is in the public domain and remove what you can, as detailed below.
- Be aware that sources may keep or record communications with you, including phone calls, and could make them public, present them out of context, or otherwise manipulate them.
- Step up security measures when initiating contact with sources and immediately after publishing, when you will be most at risk.
Conducting safer research online
- Use a VPN when carrying out research online and downloading documents, especially when viewing sites run by groups known to harass the press. A VPN hides your IP address so the website owner can’t see where the device you’re visiting from is located.
- Use the Tor browser, the most secure way to browse the internet anonymously available right now, for your most sensitive research. Digital security specialists can provide assistance if you need.
- Confirm websites you visit are encrypted, shown by a lock icon in the navigation bar of your browser and a web address that starts with https. Unencrypted sites are insecure and leave your device vulnerable to malware.
- Use uBlock Origin for Chrome or Firefox to protect yourself from advertising that could be used to track you or install malware, and the uMatrix plug-in for Chrome or Firefox to control how your browser communications with the sites you visit.
- Create dedicated social media accounts and use them in place of personal accounts when joining groups run by people who might wish you harm. Use a service like Twilio or Google Voice in the U.S. to mask your real phone number when setting them up. Revealing your name or other identifying data such as your date of birth on these accounts increases the risk of harassment, and many journalists use generic photos appropriate for the group they are connecting with instead of their own.
- Use a throw-away email address when registering with sites that could put you at risk.
- When interacting, be extra careful not to give away personal information or click on links that might be compromised.
Creating a throw-away email
When choosing a new email for a single purpose, such as registering with a website or contacting sources:
- Use words or references that are popular with the community. Connect to chat rooms via a VPN before joining to see how others represent themselves.
- Only use the new email address for the purpose of contacting a particular online community.
- Do not include anything personal, like your phone number, regular email addresses, date of birth, or location, when creating the email account, or link it to social media accounts showing your real identity.
- Erase all information and delete the account when you have finished research. Remember to back up any communications that you will need.
Securing your online data
General best practice
- Turn on two-factor authentication (2FA) for all accounts, including financial ones such as shopping websites.
- Create long, unique passwords for each account and store them in a secure password manager.
- Prioritize protecting data that can be used to locate you, contact you, or steal your identity, such as home address, personal phone number, and passport number.
- Set regular calendar reminders to look yourself up online, and do so on a range of search engines using private or incognito mode. Note anything you could make private or remove.
- Sign up for Google alerts to be notified when others use your name online. Include common misspellings of your name, your address, and any other personal information you feel would be useful.
- If possible, sign up for a credit monitoring service to alert you if someone is seeking credit in your name.
- Make content private on sites and accounts you own.
- Ask family and friends to remove information from sites and accounts they control.
- Be aware that it may not be possible to remove data stored on sites owned by third parties, such as public databases, and that deleted data may live on in screen shots or internet archive sites such as the Wayback Machine.
- Ask Google Maps, Apple Maps, and other companies to blur or remove your home or other identifying information.
- Ask Google Search to remove links from public search results, which can include links detailing personal data, such as your home address. Results on other search engines will not be affected.
- Contact the creator of the public database, normally a government body, to see if your information can be removed or made private. Laws about this differ by country.
- Services exist to help you remove your information from sites which trade data for advertising and other purposes, though it can take a month to see the effects. One example, DeleteMe owned by the company Abine, operates in the U.S. and some other countries.
Securing your social media accounts
- Create separate accounts for work and personal use to help contain security issues to one area of your life.
- Check privacy settings regularly, as they are subject to change. Access your own profile from a browser in private or incognito mode to see what is public.
- Remove personal information such as your date of birth or where you went to university, which others could use to impersonate or investigate you.
- Turn off your location and any geo-tagging functions that show where you were for specific posts if the information could put you or others at risk.
- Verify your accounts if possible in case fake accounts appear in your name.
- Move conversations to Signal or Whatsapp, rather than direct messaging, and only use the dedicated phone and SIM card you have bought for your research.
- Think about what you post. Don’t share pictures of your office, a hotel, or something else that gives away your location.
- Ask family and friends to avoid posting information and photos of you. Discuss what they share online and whether it could put you or them at risk.
- Buy a separate phone and SIM card to contact your sources and don’t use your personal or work phone. This protects your identity and helps separate you from subjects who may be involved in illegal activities.
- Disguise your phone number with a virtual one from Google Voice (U.S.) or Twilio if you are unable to buy a new one.
- Only use a throw-away email address on the phone to prevent your research from syncing with personal or work accounts via the cloud, especially if you could be sent something that might be considered illegal.
- Keep photos of yourself off the device.
- Use apps with end-to-end encrypted messaging such as Signal or WhatsApp to communicate, since calls and SMS messages exchanged over mobile phone networks are not encrypted and governments and others can access the content. Be aware that a government could subpoena WhatsApp to access the metadata attached to specific accounts, such as when you created it and which other accounts you talk to; Signal stores much less.
- Secure Signal or WhatsApp accounts with advanced security features if needed, such as screen lock, registration lock, disappearing messages, and “view once” photos and videos.
- Use Wire to communicate where possible, since you can sign up without a phone number.
- Create a plan to back up and delete content stored in the apps and on the phone. Consult a digital security professional if needed.
- After publication, back up anything you need, then delete everything stored in the accounts and then the accounts themselves. Disconnect the phone number and factory reset the phone.
Receiving and managing documents
- Use DangerZone to scan files received from a source for malware and convert potentially dangerous PDFs, images, and other documents into safe PDFs.
- Remember that almost anything you do on a device leaves a trace, and IT experts can recover deleted content even if you have used specialized software to scrub your computer.
- Send documents under 100MB via Signal or another end-to-end encrypted service.
- Send documents over 100MB using OnionShare.
- Be aware that metadata contained in documents, files, and messaging apps – such as the time and date a document was sent – is not always encrypted and could help someone identify both you and your source.