Whether you cover the CIA or city hall, journalism is as much about keeping secrets as exposing them. We created this online security guide to help democracy’s defenders defend themselves too.
Part of our mission at Proton Mail has always been to give journalists, dissidents, and others the tools and knowledge they need to do their jobs safely. Journalists are one of the largest groups in our user community, and over the years, we have given dozens of talks and workshops on email security(new window) in order to help journalists stay safe.
Back in September 2016, we were invited to hold a workshop at the Second Asian Investigative Journalism Conference(new window) in Kathmandu, Nepal. Like many of the workshops we have held with journalists, it was a great opportunity to gain insights from our users in the field and understand what we can do to better protect journalists and their sources.
One conference speaker was Krishna Gyawali, a reporter for Nepal’s largest daily newspaper, Kantipur. That year he led an investigation into the country’s anti-corruption body and discovered the agency itself was abusing its authority—including to suppress his reporting. It was daunting work. “You are being spied on, your every movement is being tracked and sources are scared to speak with you,” he said. “It’s a psychological threat.”
The reality is that in journalism, attacks can come from any direction and by any method: A local police chief you’re investigating can monitor your movements, a disgruntled subject can break into your Twitter account, or a government agency can try to subpoena your email contacts(new window). The more the attacker stands to lose from your reporting, the greater the lengths they’ll go to challenge it.
Over the past year, we’ve worked hard to provide journalists and activists with better tools to conduct their work safely. Sometimes, it’s new security features such as our encrypted contacts manager(new window), or making our encrypted email service accessible via Tor.(new window)
A lot of it is also better education and resources. Here we present common threats and practical safeguards, from commercial tools to best practices. As the security landscape changes or more tools become available, we’ll update these security tips accordingly.
1. Choose strong passwords
The easiest point of entry for an attacker is to simply log in to your account. Usernames are often publicly available or easy to guess, so it’s important to choose a strong password—one that cannot be easily guessed or cracked using a brute-force attack. We recommend passwords with at least 16 characters, including a variety of upper-case and lower-case letters, numbers, and symbols.
Choose a different password for every online account. This way, if one is compromised, the others will remain secure. Never ever reuse passwords, as your old passwords may already be compromised(new window) from a data breach you don’t even know about.
Password managers are a useful tool for generating and storing complex passwords. These may be cloud-based or installed locally on the user’s device. Be sure to choose a service like 1Password that has end-to-end encryption(new window) so the provider doesn’t have access to your credentials. And make sure you properly back up your password manager data; that way, if your computer crashes, you won’t lose all your passwords.
2. Don’t ignore your recovery accounts
In August 2012, a hacker named Phobia called Amazon tech support and asked them to add a new email address to the account tied to a San Francisco technology reporter named Mat Honan.
From there, it was simple to log in to Honan’s Amazon account and learn the last four digits of his credit cards. It wasn’t long before Phobia had danced from one account to the next, breaking into Honan’s Apple, Google, and Twitter. They even cracked the hard drives of his Apple devices, nearly wiping them clean. Why did Phobia do it? No reason in particular. They just liked his Twitter handle — @mat.
You can check out the full story here(new window). We mention this case as a reminder that every account you own could become a target for a creative adversary. Be aware of how your accounts may be linked together, and use services with higher restrictions on password recovery. For example, Proton Mail has a strict set of protocols in place to prevent social engineering attempts(new window) from succeeding.
3. Use two-factor authentication whenever possible
Even with strong passwords, there are other ways an attacker can access an account. Hackers broke into the Gmail account of Hillary Clinton’s campaign through a simple spear-phishing attack: Her campaign chairman clicked a link in a phony Google security email and gave his password to the hackers.
To fend off these kinds of attacks and to protect you if your password is compromised, it is important to use two-factor authentication (2FA)(new window) whenever possible. We recommend using 2FA apps like Authy(new window) rather than SMS-based 2FA, which can be more easily compromised (for this reason, Proton Mail disallows 2FA via SMS(new window)).
4. Encrypt your devices
Laptops, phones, and tablets are attractive targets for those seeking to shut down or disrupt your work—they not only contain your vital information but are also incredibly easy to steal.
You should always assume that your devices will be lost, so it is essential to encrypt them. Note, it is not sufficient just to set a password on your device; encryption is usually a separate, additional step. Windows and Mac both support device encryption and you can find guides here: Windows(new window)/Mac(new window). Android and iOS also support encryption (and you’re probably already using it(new window)).
5. Secure your backups
If your device is lost or stolen, you lose everything it contained—so it is essential to have backups. However, backups themselves can become a source of vulnerability.
Be sure to encrypt your files before they go into the cloud or an external drive (otherwise they are accessible to anybody who gains access to your backups). Also be wary of pre-installed or automatic backup software, such as Apple iCloud. They may be automatically backing up sensitive files to the cloud without encryption, even if your computer itself is encrypted.
Something else that’s important to note: Many of the most popular online services (such as Gmail, Google Drive, or Facebook Messenger, etc) can access the content you store there, such as emails, contacts, and documents.
Those accounts could be breached by hackers or even employees of those companies(new window). And they could also become a target for the government. Prosecutors can and have issued subpoenas for records—to reveal the names of whistleblowers, for example, and service providers can be forced to comply.
6. Use encrypted services
When Edward Snowden contacted filmmaker Laura Poitras with information about NSA surveillance programs, he didn’t send a Dropbox link. Snowden used end-to-end encryption—meaning only his intended recipient, Poitras, had the key to unlock the data, and not even a third party that could intercept that traffic could decrypt the files.
It is important here to draw a distinction between encryption, and end-to-end encryption. Only end-to-end encryption provides the protection described above. In recent years, end-to-end encryption technology has improved a lot, and many are now just as easy to use as unencrypted alternatives.
End-to-end encryption requires that both “ends” of a conversation use it. Thus, Proton Mail is the most secure when both parties are using it, and we have made this easy by making Proton Mail free. However, even if the other party is not using Proton Mail, there are still substantial security benefits(new window) because of the fact that your data at rest is protected with zero access encryption. For chat, there are messaging apps such as Signal(new window) and Wire(new window) which also provide end-to-end encryption.
7. Protect your internet traffic
Every time you browse the internet, your IP address(new window) is logged by a variety of servers, including those of the websites you visit and your internet service provider (ISP)(new window). This information can be used to track you, provide insight into what you are researching, and identify whom you might be contacting.
There are three main ways to keep your online activity secure. The first is obvious but important: Never send information through a website that does not use encryption. You can verify it does by ensuring the website URL begins with “https://”.
The second is using a VPN. A virtual private network (VPN) creates an encrypted tunnel between your device and the VPN server, shutting out anyone who might be lurking in the middle.
That includes your ISP(new window), a hacker sharing the coffee shop router, or a government surveillance agency(new window). VPNs also help shield your IP address, which allows you (in most cases) to access websites which are censored in certain countries. In order to protect internet users and prevent online censorship, we also provide Proton VPN, a free VPN service(new window).
A third option is Tor, a software program that anonymizes your device by bouncing your connection through a series of random servers. Proton VPN actually comes with Tor VPN support(new window) built in, but for ultimate anonymity you can also run Tor locally on your machine. The downside is that Tor is slow, can be tricky to set up, and can sometimes attract attention to yourself.
8. Be vigilant
All this information is a lot to take in, but if we were to distill this guide into a few practical points, they would be the following:
- Set strong and unique passwords (and keep them hidden)
- Use two-factor authentication (2FA)(new window)
- Be wary of phishing attempts (see our guide on preventing phishing attacks(new window))
- Keep in mind the risk from linked accounts
- Encrypt your backups, and don’t “accidentally” back up sensitive files
- Use encrypted services (Proton Mail for email, Signal for chat, etc.)
- Protect your internet traffic with a secure VPN(new window)
Journalists routinely protect vulnerable sources, take anonymous tips, honor off-the-record comments and keep newsroom scoops under wraps. Following this guide will mitigate common online threats and help you safeguard the information you’ve been entrusted to protect.
Additional resources
Proton Mail threat model(new window)
Proton VPN threat model(new window)
How to prevent phishing attacks(new window)
Center for Investigative Journalism(new window)
You can get a free secure email account from Proton Mail.
We also provide a free VPN service(new window) to protect your privacy.
Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support!
P(new window)ress inquiries:(new window) If you are interested in testing or using Proton Mail and have questions, please contact ust at media@proton.me. We provide complimentary paid accounts for journalists as part of our mission to support free press.
