The Security Playbook Every Journalist Should Know
As journalists confront increasing threats — from commercial spyware to subpoenas, raids, and device seizures by law enforcement — the question is no longer whether they should take digital security seriously, but how prepared they should be when these situations arise.
The FBI’s January raid on the home of Washington Post reporter Hannah Natanson — during which agents confiscated her phone, two laptops, and her Garmin watch — served as a jarring reminder to many U.S.-based journalists that they need to think more seriously about safeguarding sources and sensitive materials in the current political climate. Many international journalists are accustomed to such threats, but increasingly, members of the media everywhere need working knowledge of best practices, advanced planning, and clear cybersecurity strategies.
A virtual Nieman-to-Nieman seminar in February, moderated by Henry Chu, Nieman’s interim curator, featured digital security experts and a Nieman alum with experience in high-stakes investigations. The speakers outlined ways that journalists can better assess risk, secure their devices, and continue reporting safely.
The discussion brought together Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation; Sandrine Rigaud, a 2025 Nieman Fellow and program director of the Global Investigative Journalism Network (GIJN), who previously helped lead Forbidden Stories’ Pegasus Project investigation into how government-licensed spyware was used to target journalists, activists, and political figures; and Rick Valenzuela, a 2024 Nieman affiliate who advises reporters and newsrooms on digital security and works with the Critical Internet Studies Institute (CISI).
For a comprehensive list of digital security resources from the Committee to Protect Journalists (CPJ), Reporters Without Borders (RSF), GIJN, Access Now, and others, see the Nieman Foundation’s guide.
Edited excerpts:
Start with threat modeling
Eva Galperin: A way [to] think about our digital security is a process called threat modeling, or risk assessment. Software developers use this [process] to figure out how people are going to attack various aspects of their software, and how to harden their programs and products.
Threat modeling is a series of questions to ask yourself: What do you want to protect? Who do you want to protect it from? What are the capabilities of the attacker? How might they get at the things that you are trying to protect? What are the consequences if you fail? And finally: How much trouble are you willing to go through in order to avoid those consequences?
When the FBI is knocking at your door, or when you receive a subpoena … you are not making your best decisions in the moment, so it’s really important to have a plan in advance.
Treat phones as high-risk devices
Sandrine Rigaud: For the Pegasus Project, we had to ask [all] 80 journalists to buy new phones and computers. We used iPods and messaging systems without any SIM cards. Whenever we had a meeting on the [investigation], we had to keep our devices outside the room. Often, we had them switched off during the day.
Phones are the main vectors of attack today, so think of activating your lockdown mode on iPhone, or your advanced protection system on Android, [and using] Signal.
Galperin: Your Fourth Amendment protections — your right to protection against unreasonable search and seizure in the United States — are stronger for things that are locked with a password than things that are locked biometrically. The things that law enforcement has to do in order to compel you to hand over your fingerprint are much less rigorous than the things the court has to do in order to compel you to hand over your password, which is [considered] the contents of your brain. This is why a password is a stronger protection.
Configure your tools and encrypt your data
Rigaud: We used Tails (The Amnesic Incognito Live System). It’s a secure operating system [installed on a] USB stick.… When you take it out of your computer, everything is erased from your [device].
Signal is great, but nothing is 100% secure. To make Signal safer, turn on the “relay calls” option [and] the “disappearing messages” option. Disable link previews. You can use WhatsApp, which is end-to-end encrypted like Signal, but you have to enable the “protect IP during calls” option. This is quite important.
Galperin: If you have data that is being stored with a platform like Google or Microsoft or Apple, you want to make sure that it is end-to-end encrypted, so that when someone comes to that third-party platform with a warrant, they cannot hand it over — because all they have is a pile of encrypted data. You should be extremely careful about your metadata, because you can’t encrypt [the] metadata that you’re sending back and forth with these platforms.
Separate, back up, and distribute your data
Galperin: You might have particularly sensitive information that you have to put on a separate hard drive or a thumb drive.
I strongly recommend compartmentalizing. You do your work on your [designated] work devices … and you keep your personal information — your banking, personal social media, and pictures of your children — somewhere else [on a separate device].
Rick Valenzuela: There’s a phrase for backups called the “321 rule.” So you want to have three copies of your media: one [on] your working laptop and then two backups. [I would suggest] two separate hard drives, or one hard drive copy and a cloud backup. One of these [devices] has to be off site.
Rigaud: In some of the countries where I was doing dangerous reporting, I was getting two or three copies of my work. I was [creating] two or three copies of my hard drives [and] leaving them to two or three different people, so that I was sure one of them, at least, would end up arriving [in] Paris [where I am based].
Consult and collaborate with security experts
Galperin: If you work for a journalistic organization, there’s a good chance that you work [alongside] an IT department. You should definitely partner with them to talk about how you’re putting together your stories, what their policies are, whether or not they have lawyers who will protect you if the FBI shows up with a subpoena.
Rigaud: You might need to partner with tech specialists if you’re concerned about your security. We partnered with Amnesty International Security Lab [on the Pegasus Project]. Without them, such an investigation wouldn’t have been possible.
[Some platforms offer you] specific account protections if you’re a journalist. You can contact Google, Microsoft, or Proton if you think that you’re more likely to be attacked.
Be careful at borders and while traveling
Galperin: Your devices are particularly vulnerable when you have been detained — if you are at a protest, you get arrested, if you are stopped by law enforcement, or, most importantly, when you are crossing a border.
You might want to think about being particularly careful when you’re at the airport. That is an area where not only do you not have a lot of legal rights to protect your data, but we also willingly waive a lot of those legal rights when the consequence is that we won’t make our flight. There’s a lot of: “You have my phone, and I could leave you my phone indefinitely, and protect my rights, or I could let you into my phone and still make it to my plane.”
Your Fourth Amendment rights still exist within 100 miles of the border, but [they are] not particularly strong against Border Patrol. In a political environment in which Border Patrol is a particular concern, that is something that we should really keep in mind.
Rigaud: If I had to go to the U.S. now for reporting, I would probably take an empty device. I wouldn’t take my own phone. I would buy another phone, use a new SIM card, leave all my notes in France, and just get the minimum information I need. I would definitely not travel with any data.
Create an emergency plan for device seizure, leaks, and raids
Valenzuela: What happens when defenses fail? How can you keep on publishing? This is not how to prevent the incident; it’s how you continue despite it. That could be a subpoena, a raid, a hacked account, lost devices, robbery, fire. [It] doesn’t have to be a cyberattack.
The minimum viable setup might be a way to communicate with editors, a way for sources to reach you safely. This may entail alternate communication channels or trusted intermediaries. Whatever it is, it needs to be figured out beforehand. You and your conversants need to know [your] handles, [your] alternate email address.
You need to have access to your drafts, your notes, [and] your media assets, [and] know where those are. If that’s going to be a cloud backup, offline backup, or off-site offline backup, if you already had things in the cloud, if your CMS was cloud-based, that’s helpful [information].
Find a pro bono lawyer, [and] not during a crisis. Organizations like CPJ, RSF, and GIJN can help you find legal support. Scrambling after the fact is going to waste critical time.
Talk over what [to do] if you get “the knock.” There are certain things you definitely don’t want to do. Your lawyer would probably advise you [to not] hand over your devices.
During a search: Know your rights and document everything
Valenzuela: Let them search, [don’t] let them take [the devices] immediately, invoke the Privacy Protection Act of 1980, say that you’re objecting, that you want to limit the scope [of the search]. You might want to think [in this scenario], how am I going to contact my lawyer?
If you … open your door, and that’s the FBI right there, or local police with a warrant … you might want to look at the warrant through the window. That should give you time to at least make that phone call to your lawyer. If they are in the house with you, you go to grab a phone, [but] they could actually just take that phone. So, the first phone you might want to grab could be a burner.
You might want to think about … documenting the process, [if] they are seizing equipment. You want to take a photo of the evidence bag and the serial number, [but] you’re not going to [have] your phone. You might want to have a GoPro or a dedicated camera there, something that probably is not on the warrant list.
You need to know what other stakeholders you need to contact: your sources, your teammates. You may need a trusted intermediary to get that word out. You need to have this [information] in a physical place, a piece of paper, [as] you won’t have access to your phone or your laptop [to get] the file.
[You’ll] need to reestablish your accounts and log in to things if your phone is taken from you. [If you have] two-factor authentication, [and need a] recovery code to get back into your email or to your chat app, where are those recovery codes? Do you have [them] printed out? If you are reestablishing your phone so that you can get to your Signal account, you need to get a new SIM card.
The post The Security Playbook Every Journalist Should Know appeared first on Nieman Reports.