Beginner’s guide to improving online security

Amid growing revelations of hacking and internet surveillance, improving online security is necessary for journalists and others who work with sensitive information. Here are our tips for how to get started.

Investigative journalists like the members of ICIJ are facing growing concerns about security. Our members often work with leaks or other materials requiring protection of sources, collaborate across borders with colleagues at risk for their physical safety, and communicate with devices and services open to surveillance or attack.

And that’s not to mention the growing revelations of surveillance and hacking by the U.S. National Security Agency and its allies – such as efforts to infiltrate and destroy the reputations of “hacktivists” and other targets unrelated to counterterrorism. 

For journalists, the ease and low cost of communicating and sharing via e-mail, instant messaging, file sharing tools and cell phones have weighed  in favor of convenience versus security.  But if your reporting puts you at risk, and you need to protect your data, your sources and your stories, you can take steps to gain security savvy and reduce vulnerability.

Last week at a conference in Baltimore that broke attendance records for the National Institute for Computer Assisted Reporting (NICAR), questions about digital security sent me to sessions on surveillance, safety, privacy and anonymity and between-session conversations on security threats and solutions.

Speakers at NICAR included Jonathan Stray and Susan McGregor (Columbia Journalism School), Jennifer Valentino-DeVries (Wall Street Journal), Josh Meyer (Medill National Security Journalism Initiative) Chris Doten (National Democratic Institute), Kelley Misata (Tor Project)  and Gary Price (

Here are some of the basics I learned from the experts at NICAR. 

  • Protect your identity and data with better and safer passwords or 2-step verification – you log in with password and then confirm with a verification number sent to your phone. 
  • Phishing – tricking a user to visit a site to enter personal information and passwords or download malware – is the most common attack. So check any link you receive in e-mail: read the URL and underlying html, don’t click on it!
  • Spear phishing – Personalized message targeting attempted by researching your information or impersonating your friends or colleagues – is growing. You may think you know the sender but it can be a hoax.
  • The weakest link: everyone in your newsroom or collaboration must use safe practices to prevent phishing attacks on others in a trusted group.
  • Encrypt everything. Make it a habit. If you use encryption all the time for communications and data, and encourage or demand it from colleagues and sources, then content will be protected and encryption can become normal behavior for journalists and the industry.
  • PGP is encryption for e-mail. OTR is Off The Record encryption for messaging, which is used by chat programs like Pidgin (PC), Adium (Mac) and CryptoCat (web based). Google “off the record” chat is NOT Off The Record (OTR).
  • Encryption is not anonymity.  Encryption protects content but not the identity of the sender and recipient. To anonymize communication traffic and web browsing, go to the Tor Project, learn about the Tor network and download Tor software.
  • Having the Tor software on your computer indicates you are using anonymous communications. If this puts you at risk, you can instead use Tails – Tor on a USB stick, which leaves no trace. Find out at
  • Protect your data on physical devices. What if your laptop is stolen? Your USB drive? Your cell phone?  What about your address book? Encrypt everything. Secure your passwords.
  • Your cell phone is a location device. It holds all your contacts. Think about security.  Know where your data is and take steps to protect it.

If you want to learn more about enhancing your security online, you can get Jonathan Stray’s complete presentation “Threat modeling: Security for your story” with audio here.  The Journalist Security Guide from the Committee to Protect Journalists also offers useful tips on protecting your online activities in its section on information security. 


 Subscribe to The ICIJ Global Muckraker by email or get the RSS feed


Email newsletter Find out first! Receive ICIJ's investigations by email


Panama Papers revenue recovery reaches $1.36 billion as investigations continue

Apr 06, 2021

Five years later, Panama Papers still having a big impact

Apr 03, 2021
London Panama Papers protest

The fight against offshore crime will be a long campaign

Apr 03, 2021

From front pages to prison time: Behind the scenes of a Panama Papers criminal case

Apr 03, 2021
China's flag flying at European Parliament

EU, US, Canada, and UK sanction Chinese officials for human rights violations in Xinjiang

Mar 22, 2021

US sanctions mining magnate accused of corruption in the Congo, reversing Trump-era move

Mar 10, 2021
ICIJ is dedicated to ensuring all reports we publish are accurate. If you believe you have found an inaccuracy let us know.