Top cybersecurity tips and tools for journalists

“I do not think journalists take their basic mobile and data security seriously enough,” Director of the International News Safety Institute, Hannah Storm, told the World Editors Forum: “It seems to be over the last six months there has been a greater number or almost a greater excuse for people to say ‘Let’s target the journalist,’” she said. So, how can journalists better protect themselves from cyber attack? Lucy Dean and Krysten Dawes report.

by WAN-IFRA Staff | July 28, 2014

Twenty one out of the world’s top 25 news organisations were subjected to attacks from state-sponsored hackers, Google research carried out earlier this year has revealed.

A hacker who has access to a user’s computer will also have access to contact details, evidence of a user’s habits, and personal information, thus potentially facilitating a physical attack.

If journalists are not suitably protected, “It is not only the information that is at risk,” Jorge Luis Sierra, director of the Knight International Journalism Fellowships Program told the World Editors Forum. “The digital risk is sometimes the first step in a plan to attack a journalist.”

Sierra is an award winning investigative reporter who spent four years in Mexico mapping crime and developing digital tools to prevent attacks on journalists and bloggers. He recently hosted a WAN-IFRA Webinar on digital and mobile security in which we participated. We’ve curated lists of his cyber and mobile security tips and his recommended tools, backed up by independent review.


1. Create an easy to remember (but hard to crack) password

Creating passwords is the first and often most important step in establishing online security.

According to research recently published by Microsoft, internet users who are sick of memorising long lists of passwords should reuse weak passwords for websites that don’t possess important information. Instead, users should save their strong passwords for sites holding sensitive information.

But what is a strong password and how can users remember it? Websites like StrongPasswordGenerator can be helpful in building passwords that tick the boxes as far as numbers, upper and lowercase letters and symbols go but are less helpful for users who want to be able to remember their passwords with relative ease.

Microsoft suggests fashioning those characters into an acronym, word or phrase that is easily remembered. For example, “I love journalism” could become “iLuvJ0urnal1sm!.”

2. Install antivirus software

Antivirus software is crucial for any Internet user; it protects against viruses, worms, Trojan Horses and other cyber-diseases.

There are multiple software programs users can install.  Sierra encourages users to simply find the best fit for their needs. Columbia Journalism School recommends McAfeeNorton and Computer Associates among others.

3. Store files on different devices

It might seem obvious, but storing everything in one place is generally not a good idea. If that device crashes, everything is lost. Also, using only one device to store files makes it an easy target for hackers. If they hack that device, users will potentially lose everything.

Jorge Luis SierraJorge Luis SierraWhen it comes to organising users’ files, Sierra suggests dividing sensitive and non-sensitive information. “You have to have your information well organised in order to be accessible at any time,” he says. “The idea is that if you eventually lose your computer or your mobile phone or your tablet, you don’t lose all of your information.”

He also stressed the importance of having sensitive information encrypted (see section below on encryption), especially when travelling with a device.

4. Only access websites using “HTTPS”

Mike Shema, the author of Hack Notes: Web Application Security, describes using websites without “HTTPS,” as the same as giving your laptop to a stranger for 20 minutes. In his article for Mashable, he wrote, “The encryption within HTTPS is intended to provide benefits like confidentiality, integrity and identity. Your information remains confidential from prying eyes because only your browser and the server can decrypt the traffic.”

5. Log out

Leaving a device or website logged in without the user present is a quick and easy way to get hacked. As Paul Bradshaw for The Online Journalism Blog said, even if users don’t think they’re interesting enough to warrant an attack – hackers aren’t always after them. Often they’re after the user’s sources, their colleagues, their audience or their access.

6. Be aware of the GPS function

The GPS function on any device can be a means of security but also a security risk. Whether a journalist should enable the GPS function depends greatly on the investigation and the specific reporting process, Sierra cautions.

Journalists reporting in areas of conflict may find it prudent to enable the GPS function. Javier Garza Ramos, the World Editors Forum special advisor on newsroom safety says, “Having colleagues know the location of a reporter can save valuable minutes in emergency situations.”

However if a journalist is unaware that their GPS is enabled, they can be put at risk. Attackers conducting surveillance are able to identify where the journalist is, putting not only the journalist in danger but potentially their sources, friends and colleagues too.

(Note: Emergency Journalism has reviewed several GPS devices that could be employed by journalists. For more information on safety apps for journalists see the World Editors Forum piece on recent tech innovations.)

7. Use secure browsers.

The way you access the internet can also be made more secure. “Avoid Internet Explorer,” Sierra says. Up until recently, Internet Explorer was the most popular web browser, Mashable reports, and so attracted the majority of bugs and was exploited by hackers the most regularly. The browser still attracts over 30% of browser usage.

Sierra instead recommends using Mozilla Firefox or Google Chrome as they have added security features. It takes 10 minutes at most to download Google Chrome and even less for Mozilla Firefox. Alternatively, users can download TOR. Though slower than Firefox and Google Chrome, Tor incorporates encryption and directs user traffic through thousands of networks, making it one of the safest browsers to use .

(See below for more on TOR).

8. Make sure your apps and programs use encryption

In the Post-Snowden era, journalists are looking beyond the basic methods of online and computer security and seeking stronger protection.

“Any reasonable intelligence agency is capable of tapping phones, intercepting email and following our every move – both online and in the real world,” journalist and author of Deep Web for Journalists, Alan Pearce says.

While online communications are never entirely secure, by encrypting data, documents and conversations, journalists have a greater ability to shield their work and protect the privacy of their sources from third parties.

Using complex mathematical algorithms, encryption helps to secure a user’s privacy by scrambling data, making it indecipherable to hackers and outside sources.

The technique can be used on a number of devices including PC, tablet PC and smartphones.

“Journalists must be able to rely on the privacy, security and anonymity of their communications,” UN Special Rapporteur, Frank la Rue commented.

Cyber security expert, Sierra warns however, that it is not only journalists who should be concerned about privacy and security invasions, but it should be a concern for “every citizen; every person.”


1. Tor

Originally produced to protect the privacy and security of the U.S naval communications, Tor is now used by millions of direct users every day. The Tor network conceals the identity of its users by directing their traffic across thousands of Tor servers, increasing the difficulty for outside sources to identify the Tor user and their location.

Micah LeeMicah LeeAlthough Tor is not completely secure, The Intercept’s technology analyst, and author of Encryption Works Micah Lee notes that “…even if some Tor circuits can be defeated by a global adversary, if enough people are getting their traffic routed through the same Tor nodes at the same time, it might be difficult for the adversary to tell which traffic belongs to which circuits”.


  • Strong encryption of users content and searches

  • Free to download and to use

  • Once Tor is on a user’s USB they are able to run it on any computer without installation

  • Available on multiple platforms including Mac, Windows and Linux as well as iOs and android devices

  • Allows users to access blocked websites


  • Researchers have recently found a weakness in the system which allows hackers to deanonymise Tor users. Tor is reportedly working with the researchers on the problem and are close to fixing the fault

  • Plug-ins such as Flash and Quicktime (used for viewing videos) are blocked

  • Browser experience is slow

  • Reviewers claim it is difficult to set up

2. Hushmail

HushmailHushmailAccording its namesake website, Hushmail is a browser-based email serviceprovider offering secure and encrypted email and file storage. Founded in 1998, it encrypts email content when it is sent and automatically restores the email to its original form when received by other Hushmail recipients.


  • Great basic security and privacy for individuals sending and receiving low risk content

  • Strong encryption of users’ emails and files

  • Unlike many other encrypted email sites, the Hushmail site is easy to navigate and simple to use

  • Eliminates need for user to deal with the difficulty of OpenPGP (the world’s most widely=used email encryption standard)

  • It is free to sign up and to use (there is however, a paid option with added benefits)

  • It automatically scans for viruses

  • Different versions of Hushmail offered (for a fee) – ‘Hushmail for Individuals’, ‘Hushmail for Business’, ‘Hushmail for HIPAA’ and ‘Hushmail for Resellers’

  • No third party advertising

  • Those using other email service providers are still able to receive encrypted emails from Hushmail users. Those using other service providers will need to answer a secret question (created by the sender) in order for the message to be decrypted.


  • Hushmail is subject to Canadian law and in the past they have handed over user data in response to a subpoena

  • You cannot use your existing email address. Users must create a Hushmail account in order to use the service.

  • The free service account must be used regularly in order to remain active

  • If you forget your password, you will never be able to recover it. To provide user protection and eliminate the possibility of its employees accessing your emails, Hushmail does not store your password in its system.

  • Hushmail does not currently have an app available

Hushmail alternative

While Sierra recommends the use of Hushmail, Micah Lee instead recommends that journalists use their own ‘keys’ through OpenGnuGP (the software applied to OpenPGP). “If your newsroom is hosting its email with Gmail or Microsoft, you and your editors won’t even know when those third party companies get subpoenaed for your email during a leak investigation. If you host your email service yourself, you’ll be the first to know and you’ll have a chance to fight it,” Lee says.

“We’re still a long way from having software that journalists should use that’s both very secure and very usable.. (but) There is a lot of work going into making PGP easier to use, such as the Mailpile project.”

3. RedPhone 

RedPhoneRedPhoneRedphone, an app developed by privacy and security software company, Whisper Systems, encrypts phone calls made on android devices, adding security to calls made by its users. Runa Sandvik, technical advisor to the Freedom of the Press Foundation, recommends RedPhone, along with Micah Lee and Jorge Luis Sierra.


  • Free secured phone calls that run off data and Wi-Fi, not talk minutes

  • Easy to use and navigate

  • Connection and call quality is generally good among reviewers

  • Users do not need to create an account in order to use the app

  • Service providers are not able to access to the metadata on calls made

  • Includes a mechanism that verifies that encryption is not being attacked


  • Both parties engaged in phone call need to have the app installed in order for the app to function correctly and securely.

  • No missed call or voicemail notification

  • Currently only available to Android users, however Whispers Systems are developing the app for iOS users

4. Sicher 

Sicher, a private messaging app created by SHAPE, offers end-to-end encryption on smartphones and tablets. Users are able not only to send encrypted messages, but also files including PDFs, Word documents, photos, and videos.


  • Easy to set up and to use

  • Sicher site claims that all features of Sicher 1.0 are free of charge and will remain so

  • Available on most devices

  • Contains an automatic destruction timer set by the user that erases communications between the sender and receiver (on both users devices)

  • Does not send usage statistics and crash logs

  • No personal data is stored on the server

  • Group chat option

  • Push notifications are anonymous


  • Sicher messages can only be sent to and received by other Sicher users

  • It is not possible to recover your password if you forget it. You must uninstall the app and sign up again.

  • Currently only available in English and German

Sicher alternative

Like Sicher, TextSecure sends end-to-end encrypted text messages. The Whispers System app is recommended by Sierra, Lee and Sandvik but it is currently only available on android devices.

Note: You can view our full list of primary and secondary sources for this article here 

Picture: Perspecsys Photos (Creative Commons/Flickr)

Share via
Copy link