
Digital security for journalists and activists
- WeThePurple
For anyone handling sensitive sources, a practical framework: threat modelling, encryption, metadata, device hygiene — and why security is collective.
For journalists, activists, and anyone handling sensitive sources, digital security is not an abstract concern but a practical part of the work. The stakes are higher than for an ordinary user: a leaked contact list can expose a source, and a compromised account can unravel months of careful reporting or organising. This guide is a starting framework, not a substitute for tailored training when the risk is serious.
Start with threat modelling

Everything useful begins with threat modelling — deciding, honestly, who might want your information and what they could realistically do to get it. A local reporter, an international correspondent, and a community organiser face very different adversaries, and the right precautions follow from that picture rather than from a generic checklist. Over-preparing for the wrong threat wastes effort; under-preparing for the real one is dangerous.
The fundamentals, only more so
The same fundamentals that protect ordinary users protect you too, only they matter more. A password manager with unique passwords for every account, two-factor authentication everywhere it is offered, and a well-secured email account are the baseline. Because email is the recovery key to most other services, locking it down with a strong password and a second factor is often the highest-value single step you can take.
- Start with threat modelling: who is the realistic adversary?
- Prefer a hardware key or authenticator app over text-message 2FA
- Use end-to-end encrypted messaging and email by default
- Mind metadata — who contacted whom can expose a source
- Encrypt devices, compartmentalise accounts, and watch for phishing
- Security is collective: protect sources and colleagues, and get expert help for high risk
For two-factor authentication specifically, prefer a hardware security key or an authenticator app over codes sent by text message. Text-message codes can be intercepted or redirected through attacks on the phone network or through SIM-swapping, where an attacker persuades a carrier to move your number to their device. A physical key is dramatically harder to defeat remotely and is worth the small cost for high-risk accounts.
Encrypt communications and mind metadata
Protect your communications with end-to-end encryption by default. End-to-end encrypted messaging means only you and the other person can read what you send, and using disappearing messages where appropriate limits how much sensitive history accumulates on either device. For email, an end-to-end or zero-access encrypted provider keeps stored correspondence private from the provider, which matters when a single subpoena could otherwise expose it.
Think carefully about metadata, because content encryption does not hide it. Even when a message body is encrypted, the record of who contacted whom, when, and from where can expose a source on its own. Reducing metadata means choosing tools that minimise it, being deliberate about which accounts and numbers you link together, and recognising that the pattern of your communications can be as revealing as their contents.
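To make the metadata point concrete, here is an added example (not part of the original guide) that reads only the headers of constructed encrypted emails and recovers who talked to whom, how often, at what hour, and from which address. Every name, address and IP below is invented, and the message bodies are placeholders rather than real ciphertext.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
import re

# Constructed sample data: addresses, IPs (documentation ranges) and body are invented.
BODY = "-----BEGIN PGP MESSAGE-----\n(constructed placeholder ciphertext)\n-----END PGP MESSAGE-----\n"

def make_msg(sender, rcpt, date, ip):
    """Build a minimal RFC 5322 message with an opaque, encrypted-looking body."""
    return (
        f"Received: from laptop ([{ip}]) by mail.example.org; {date}\n"
        f"From: {sender}\nTo: {rcpt}\nDate: {date}\n"
        f"Subject: (encrypted)\n\n{BODY}"
    )

SAMPLES = [
    make_msg("reporter@example.org", "source@example.net", "Mon, 03 Mar 2025 23:10:00 +0000", "192.0.2.10"),
    make_msg("source@example.net", "reporter@example.org", "Mon, 03 Mar 2025 23:42:00 +0000", "198.51.100.7"),
    make_msg("reporter@example.org", "source@example.net", "Tue, 04 Mar 2025 23:05:00 +0000", "192.0.2.10"),
    make_msg("reporter@example.org", "editor@example.org", "Wed, 05 Mar 2025 09:30:00 +0000", "192.0.2.10"),
]

def visible_metadata(raw):
    """Return what a mail server or log reader sees without any decryption key."""
    msg = message_from_string(raw)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "when": parsedate_to_datetime(msg["Date"]),
        "origin_ip": ip.group(1) if ip else None,
        "body_is_ciphertext": "BEGIN PGP MESSAGE" in msg.get_payload(),
    }

def contact_pattern(raw_messages):
    """Count messages per pair of correspondents and collect the hours they wrote."""
    pairs, hours = Counter(), {}
    for raw in raw_messages:
        m = visible_metadata(raw)
        pair = tuple(sorted((m["from"], m["to"])))
        pairs[pair] += 1
        hours.setdefault(pair, set()).add(m["when"].hour)
    return pairs, hours

if __name__ == "__main__":
    pairs, hours = contact_pattern(SAMPLES)
    for pair, count in pairs.most_common():
        print(pair, count, "messages, hours (UTC):", sorted(hours[pair]))
```

The bodies are never decrypted, yet the output singles out one pair exchanging late-night messages, which is the pattern the paragraph above warns about.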
Secure devices and compartmentalise
Secure the devices themselves, not just the accounts. Full-disk encryption protects what is on a laptop or phone if it is lost or seized, a strong passcode is far better than a short PIN or a face unlock you can be compelled to use, and prompt software updates close the known vulnerabilities that real attacks rely on. A device left unlocked or unpatched undermines every careful choice you made about accounts.
Compartmentalise to limit the damage when something goes wrong. Separating sensitive work from personal accounts, using different identities or devices for different projects, and keeping source-related material isolated all mean that one compromise does not cascade into total exposure. This discipline is tedious, which is exactly why it is worth building into a routine rather than improvising under pressure.
The human link, and security as collective
Remember that the weakest link is often human, not technical. Phishing — a convincing message that tricks you into entering a password or approving a login — defeats strong encryption by going around it. Slowing down before clicking, verifying unexpected requests through a second channel, and treating urgency itself as a warning sign protect you against the attacks that actually succeed most often in the real world.
Finally, treat security as collective rather than individual. Your protections are only as strong as those of the people you communicate with, so sharing good practice with sources and colleagues raises everyone's safety at once. When the risk is high, seek out dedicated organisations and trainers who specialise in protecting journalists and activists; this guide points in the right direction, but serious situations deserve expert, situation-specific help.


