Whether you cover the CIA or city hall, journalism is as much about keeping secrets as exposing them. We created this online security guide to help democracy’s defenders defend themselves too.

Part of our mission at ProtonMail has always been to give journalists, dissidents, and others the tools and knowledge they need to do their jobs safely. Journalists are one of the largest groups in our user community, and over the years, we have given dozens of talks and workshops on email security in order to help journalists stay safe.

Back in September 2016, we were invited to hold a workshop at the Second Asian Investigative Journalism Conference in Kathmandu, Nepal. Like many of the workshops we have held with journalists, it was a great opportunity to gain insights from our users in the field and understand what we can do to better protect journalists and their sources.

One conference speaker was Krishna Gyawali, a reporter for Nepal’s largest daily newspaper, Kantipur. That year he led an investigation into the country’s anti-corruption body and discovered the agency itself was abusing its authority—including to suppress his reporting. It was daunting work. “You are being spied on, your every movement is being tracked and sources are scared to speak with you,” he said. “It’s a psychological threat.”

The reality is that in journalism, attacks can come from any direction and by any method: A local police chief you’re investigating can monitor your movements, a disgruntled subject can break into your Twitter account, or a government agency can try to subpoena your email contacts. The more the attacker stands to lose from your reporting, the greater the lengths they’ll go to challenge it.

Over the past year, we’ve worked hard to provide journalists and activists with better tools to conduct their work safely. Sometimes, it’s new security features such as our encrypted contacts manager, or making our encrypted email service accessible via Tor.

A lot of it is also better education and resources. Here we present common threats and practical safeguards, from commercial tools to best practices. As the security landscape changes or more tools become available, we’ll update these security tips accordingly.

1. Choose strong passwords

The easiest point of entry for an attacker is to simply log in to your account. Usernames are often publicly available or easy to guess, so it’s important to choose a strong password—one that cannot be easily guessed or cracked using a brute-force attack. We recommend passwords with at least 16 characters, including a variety of upper-case and lower-case letters, numbers, and symbols.

Choose a different password for every online account. This way, if one is compromised, the others will remain secure. Never ever reuse passwords, as your old passwords may already be compromised from a data breach you don’t even know about.

Password managers are a useful tool for generating and storing complex passwords. These may be cloud-based or installed locally on the user’s device. Be sure to choose a service like 1Password that has end-to-end encryption so the provider doesn’t have access to your credentials. And make sure you properly back up your password manager data; that way, if your computer crashes, you won’t lose all your passwords.

2. Don’t ignore your recovery accounts

In August 2012, a hacker named Phobia called Amazon tech support and asked them to add a new email address to the account tied to a San Francisco technology reporter named Mat Honan.

From there, it was simple to log in to Honan’s Amazon account and learn the last four digits of his credit cards. It wasn’t long before Phobia had danced from one account to the next, breaking into Honan’s Apple, Google, and Twitter. They even cracked the hard drives of his Apple devices, nearly wiping them clean. Why did Phobia do it? No reason in particular. They just liked his Twitter handle — @mat.

You can check out the full story here. We mention this case as a reminder that every account you own could become a target for a creative adversary. Be aware of how your accounts may be linked together, and use services with higher restrictions on password recovery. For example, ProtonMail has a strict set of protocols in place to prevent social engineering attempts from succeeding.

3. Use two-factor authentication whenever possible

Even with strong passwords, there are other ways an attacker can access an account. Hackers broke into the Gmail account of Hillary Clinton’s campaign through a simple spear-phishing attack: Her campaign chairman clicked a link in a phony Google security email and gave his password to the hackers.

To fend off these kinds of attacks and to protect you if your password is compromised, it is important to use two-factor authentication (2FA) whenever possible. We recommend using 2FA apps like Authy rather than SMS-based 2FA, which can be more easily compromised (for this reason, ProtonMail disallows 2FA via SMS).

4. Encrypt your devices

Laptops, phones, and tablets are attractive targets for those seeking to shut down or disrupt your work—they not only contain your vital information but are also incredibly easy to steal.

You should always assume that your devices will be lost, so it is essential to encrypt them. Note, it is not sufficient just to set a password on your device; encryption is usually a separate, additional step. Windows and Mac both support device encryption and you can find guides here: Windows/Mac. Android and iOS also support encryption (and you’re probably already using it).

5. Secure your backups

If your device is lost or stolen, you lose everything it contained—so it is essential to have backups. However, backups themselves can become a source of vulnerability.

Be sure to encrypt your files before they go into the cloud or an external drive (otherwise they are accessible to anybody who gains access to your backups). Also be wary of pre-installed or automatic backup software, such as Apple iCloud. They may be automatically backing up sensitive files to the cloud without encryption, even if your computer itself is encrypted.

Something else that’s important to note: Many of the most popular online services (such as Gmail, Google Drive, or Facebook Messenger, etc) can access the content you store there, such as emails, contacts, and documents.

Those accounts could be breached by hackers or even employees of those companies. And they could also become a target for the government. Prosecutors can and have issued subpoenas for records—to reveal the names of whistleblowers, for example, and service providers can be forced to comply.

6. Use encrypted services

When Edward Snowden contacted filmmaker Laura Poitras with information about NSA surveillance programs, he didn’t send a Dropbox link. Snowden used end-to-end encryption—meaning only his intended recipient, Poitras, had the key to unlock the data, and not even a third party that could intercept that traffic could decrypt the files.

It is important here to draw a distinction between encryption, and end-to-end encryption. Only end-to-end encryption provides the protection described above. In recent years, end-to-end encryption technology has improved a lot, and many are now just as easy to use as unencrypted alternatives.

End-to-end encryption requires that both “ends” of a conversation use it. Thus, ProtonMail is the most secure when both parties are using it, and we have made this easy by making ProtonMail free. However, even if the other party is not using ProtonMail, there are still substantial security benefits because of the fact that your data at rest is protected with zero access encryption. For chat, there are messaging apps such as Signal and Wire which also provide end-to-end encryption.

7. Protect your internet traffic

Every time you browse the internet, your IP address is logged by a variety of servers, including those of the websites you visit and your internet service provider (ISP). This information can be used to track you, provide insight into what you are researching, and identify whom you might be contacting.

There are three main ways to keep your online activity secure. The first is obvious but important: Never send information through a website that does not use encryption. You can verify it does by ensuring the website URL begins with “https://”.

The second is using a VPN. A virtual private network (VPN) creates an encrypted tunnel between your device and the VPN server, shutting out anyone who might be lurking in the middle.

That includes your ISP, a hacker sharing the coffee shop router, or a government surveillance agency. VPNs also help shield your IP address, which allows you (in most cases) to access websites which are censored in certain countries. In order to protect internet users and prevent online censorship, we also provide ProtonVPN, a free VPN service.

A third option is Tor, a software program that anonymizes your device by bouncing your connection through a series of random servers. ProtonVPN actually comes with Tor VPN support built in, but for ultimate anonymity you can also run Tor locally on your machine. The downside is that Tor is slow, can be tricky to set up, and can sometimes attract attention to yourself.

8. Be vigilant

All this information is a lot to take in, but if we were to distill this guide into a few practical points, they would be the following:

Set strong and unique passwords (and keep them hidden)

Use two-factor authentication

Be wary of phishing attempts (see our guide on preventing phishing attacks)

Keep in mind the risk from linked accounts

Encrypt your backups, and don’t “accidentally” back up sensitive files

Use encrypted services (ProtonMail for email, Signal for chat, etc.)

Protect your internet traffic with a secure VPN

Journalists routinely protect vulnerable sources, take anonymous tips, honor off-the-record comments and keep newsroom scoops under wraps. Following this guide will mitigate common online threats and help you safeguard the information you’ve been entrusted to protect.

Additional resources

ProtonMail threat model

ProtonVPN threat model

How to prevent phishing attacks

Center for Investigative Journalism

You can get a free secure email account from ProtonMail.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

Press inquiries: If you are interested in testing or using ProtonMail and have questions, please contact ust at media@protonmail.ch. We provide complimentary paid accounts for journalists as part of our mission to support free press.