Digital safety: Guidance for journalists in exile

Journalists in exile face a range of digital security challenges unique to their individual circumstances. These include hacking attempts on their accounts, online harassment, and attacks on their websites or blogs. This guide provides journalists with practical steps they can take to better ensure their safety.

General guidance

• Journalists should research the tech capacity of those that they feel threatened by. To do this, you can look up the name of the person, group, or authority targeting you alongside keywords, such as spyware, phishing attacks, surveillance, and hacking.

• Know the laws and regulations of the countries you are traveling to or through with regards to encryption and the use of pirated software. Read CPJ’s guide on border crossings and digital safety for more information.

• Stay up to date with the latest news on technology, especially in the region you are from and the region you are now living in. Sign up to tech newsletters which are often put out by major news outlets. Look for news on hacking, changes to laws around surveillance or encryption, as well as developments in business related to technology.

• If you need to visit a government website to look at information and/or download documents and you do not want their website to register your internet protocol (IP) address, use a virtual private network (VPN). This will mask your IP address, including your location data.

Keeping accounts safe from hacking attempts

Journalists may be targeted by hacking attempts on their accounts by governments, government supporters, and others. This may be to obtain information held in the accounts, to use the accounts to publish erroneous information, or to lock journalists out of their accounts. The guidance below explains how best to protect yourself.

Two-factor authentication (2FA)

The best way to secure accounts from being hacked is to turn on 2FA. This is an extra layer of security that takes the form of a code sent to your phone via an app or via SMS. To log into your account you will need your email address, your password, and then the code. Turning on 2FA will prevent others from accessing your account unless they have access to the code.

• All major online services now offer 2FA and you should turn it on for all your accounts, not just email and social media. 

• Use an app like Authy as your form of 2FA. Download the app onto your phones and follow the instructions to set it up. Then go to the online account you want to secure, for example your Gmail account. Go to the settings section of the account, and then to privacy and security, and add two-factor authentication. Choose the app option and follow the instructions to link the app to the account. 

• You won’t be prompted for a code each time you log in, rather only if you sign in from a different device. The service may request the 2FA code from time to time to ensure that the service is working. 

• Each online service that offers 2FA should also offer the option to save a backup code or backup codes. This is a one-time code that you can use should you lose access to your form of 2FA and are unable to log into your account. 

• If you are from a country where the government has a history of orchestrated and successful hacking attacks against journalists, including journalists in exile, then you should consider using a security key as your form of 2FA. This is a device that you insert into your phone or laptop in order to access your account. Examples of keys include Yubikey and Google Titan.

• Consider signing up for Google’s Advanced Protection scheme. This program is designed for journalists and human rights defenders and offers extra protection for your Google services. You will need to have security keys in order to use this service. 

Creating secure passwords

• A secure password is a long password, more than 15 characters. The longer the password, the more difficult it is for an algorithm to crack or for someone to guess.

• A password can be a mixture of numbers, symbols, and letters or a collection of words that have no relation to each other, known as a passphrase. An example of a passphrase is elephanticecreamswimmingtelephone. Passphrases are often easier to remember.

• Do not use personal information, such as your date of birth or pet’s name in your password. This is information about you that can easily be found online and can be used to guess your password.

• Do not reuse passwords on accounts. You should use a different password for each online account. This is because if you use the same password for an online service, for example a food delivery service, as you do for your email account and the online service is hacked, your password will be available online for criminals and others to look at and/or buy. They will then also have the password to your email account.

• Remembering passwords can be challenging. Use a password manager, such as 1Password to create, store, and autofill passwords on websites. You will not have to remember all your passwords, but you will have to create a strong password for your password manager and remember it. If you are not at risk in your home, do not travel frequently, and are not at risk of arrest and detention, then you may want to write your passwords down and keep them somewhere safe. This is safer than using short passwords or reusing passwords.  

Protecting against phishing and spear phishing

Phishing is when you are sent a generic message asking you to do something urgently; for example, to click on a link or download a document. Spear phishing is when the attacker studies the person they want to phish and tailors a message specifically for them. Both these types of messages can be sent via SMS, email, messaging apps, and social media, and the objective is to infect your device with malware.

• Think before clicking on links or downloading documents. Try to verify who has sent you the information. Check to see if this information is available elsewhere, for example on a website.

• Preview attachments in email by using the preview button available in most email services. Alternatively, upload the document to the cloud account linked to the email. This will allow you to view the document but it will not be downloaded onto your device.

• Review the link and check to see if it looks legitimate. To do this, hover your cursor over the link until it fully displays. Do not click on it. Check that the link includes information that matches the sender. For example, if the link comes from a company, it should contain data about the company, such as the name. 

• Be aware that links and documents shared in group chats that have many participants may be attempts to infect users with malware.

• Use a password manager. A password manager will only fill out your passwords on a legitimate website, for example a Gmail login page. It will not fill out your passwords on fake sites designed to steal your account passwords.

Learn more about protecting yourself against phishing with CPJ’s Digital Safety Kit.

Protecting your online personal data

The data you and others put online about yourself can give away information about your location, routine, and can be used to harass you and your family. Take the following steps to be more secure.

• Look yourself up online using all search engines and make a note of anything you feel uncomfortable having in the public domain. You may want to look up family members as well, as they could also be targeted.

• Ideally any data that can be used to locate you, contact you via a means you do not want, or any information that can be used to commit identity theft against you, such as your date of birth, should be kept offline.

• Take steps to remove your personal data online. This could include deleting or hiding content on your own social media accounts as well as on the accounts of others. Review data held in third-party platforms, for example a public database, and see if you are able to remove it.

• Think about what data you share online about yourself and others who may be in exile with you. Be mindful about posting photos and information that could give away your location. This can include tagging locations or sharing images of notable landmarks in the area you are staying in.

• Better protect your location by turning off location data for apps and online services where it is not needed.

For more information on how to protect your data online please read CPJ’s guide to online abuse and protecting personal data.

Communicating with others in your country of origin

Communicating with people, including sources, back in your country of origin could put both them and you at risk. Follow the guidance below to ensure your communications are secure as possible.

• Consider that the person you want to speak to might be under surveillance or may be at risk of arrest and detention. Things to think about include whether their devices are infected with spyware, whether their home phone number is tapped, whether they are under physical surveillance, or whether they will be detained and their devices searched.

• Think about whether you may be targeted by digital surveillance. This can include being subjected to high-level phishing attacks with the aim of infecting your devices with spyware. Research whether your government has a history of using spyware against journalists especially when they are outside of their country of origin.

• Think about what you want to speak about. The more sensitive the conversation, the greater the risk to the person in the country as well as to yourself.

• Use end-to-end encrypted messaging apps, such as WhatsApp and Signal, to communicate with others. All content sent via those apps is encrypted, which means it cannot be intercepted. The content is also stored in encrypted form on the server of the company, which means it cannot be legally requested by a government.

• Follow best practices for securing your messaging apps and for communicating with others; for example, by turning on disappearing messages.

• Ensure that the people you speak with back in your country do not store conversations or content shared with you on their phone in case they are detained and their devices are searched. Encourage them to regularly delete content from their phones.

• Be aware that any contact with others that is not encrypted can potentially be accessed by others, including governments and mobile phone providers.

• If you are a journalist in exile from a country where the government has a history of carrying out physical threats outside of their own jurisdiction, then think carefully about what details you are giving away during a conversation. Be cautious about sharing details about your location, daily routine, and people you spend time with.

• Be aware that if you or the person you are speaking with has spyware on their phone, then all forms of communications can be accessed, including calls and messages, even if you are using an end-to-end encrypted messaging app, such as Signal or WhatsApp. This is because the device itself is compromised.

• Users of Apple devices with iOS 16 or devices using the company’s latest software, including phones, laptops, iPads, and the Apple watch, can better protect themselves from spyware by turning on Lockdown Mode. Learn more about how to better protect yourself against spyware in CPJ’s Pegasus spyware safety advisory.

• For those working with sensitive sources, learn more about how to best protect them in CPJ’s guide to better protecting confidential sources.

For more information on securing encrypted messaging apps and for working with sources to manage content on phones, see CPJ’s guide to encrypted communications.

Protecting your website

If you run your own online website or blog and have concerns that it could be targeted by hacking attempts or taken offline, then the following steps will help you best secure it.

• Regularly back up the content on the site in case it is targeted and data is lost. There are two ways to do this. If you are using a hosted service, such as WordPress, export your pages, comments, and posts into a single XML file. Be aware that this will not backup images. The second way to backup content is to create a mirror of the site. You can read more about creating mirrored sites in this guide by the Electronic Frontier Foundation (EFF). 

• Ensure that you follow good account security practices for your website, including using a password manager and turning on 2FA. See the section above on keeping accounts safe for more information.

• If you own a web domain, the personal data you used to register the site as well as other details, such as the hosting provider, are likely to be available for others to view online. You can check this by using a service like Whois Look Up. If your details are publicly available, then you should contact the domain service to see if they are able to remove this data. There may be a fee for doing so.

• Protect yoursite from a DDoS attack by registering it with a service such as Project Shield.

• Ensure that your contact management system (CMS) and any plugins that you use on your site are updated regularly.

• Consider whether you want comments enabled on your site. If you do allow comments, it is better to moderate these in advance of them being posted. This will reduce spam as well as offensive commentary. If you feel unable to moderate those comments yourself, it can be helpful to have a colleague or trusted person do so.