Digital security for journalists and activists

  • WeThePurple
  • Protect
  • 8 min read

For anyone handling sensitive sources, a practical framework: threat modelling, encryption, metadata, device hygiene - and why security is collective.

For journalists, activists, and anyone handling sensitive sources, digital security is not a vague worry. It is a practical part of the work. The stakes are higher than for an ordinary user. A leaked contact list can expose a source. A hacked account can undo months of careful reporting or organising. This guide is a starting frame, not a stand-in for training built for your case when the risk is serious.

Start with threat modelling

A person writing notes by hand on paper next to a laptop.
A person writing notes by hand on paper next to a laptop.

Everything useful starts with threat modelling. You decide, with honesty, who might want your data and what they could really do to get it. A local reporter, a foreign correspondent, and a community organiser face very different foes. The right steps follow from that picture, not from a generic checklist. Preparing for the wrong threat wastes effort. Under-preparing for the real one is risky.

The fundamentals, only more so

The same basics that protect ordinary users protect you too. They just matter more. A password manager with unique passwords for every account, two-factor login everywhere it is offered, and a well-secured email account are the baseline. Email is the reset key to most other services. So locking it down with a strong password and a second step is often the single most valuable move you can make.

  • Start with threat modelling: who is the realistic foe?
  • Pick a hardware key or authenticator app over text-message 2FA
  • Use end-to-end encrypted messaging and email by default
  • Mind metadata - who contacted whom can expose a source
  • Encrypt devices, compartmentalise accounts, and watch for phishing
  • Security is shared: protect sources and colleagues, and get expert help for high risk

For two-factor login, pick a hardware security key or an authenticator app over codes sent by text. Text codes can be grabbed or redirected. That happens through attacks on the phone network or through SIM-swapping, where an attacker talks a carrier into moving your number to their device. A physical key is far harder to beat from afar. It is worth the small cost for high-risk accounts.

Encrypt communications and mind metadata

Protect your communications with end-to-end encryption by default. End-to-end encrypted messaging means only you and the other person can read what you send. Disappearing messages, used where it makes sense, limit how much sensitive history piles up on either device. For email, an end-to-end or zero-access encrypted provider keeps stored mail private from the provider. That matters when a single subpoena could otherwise expose it.

Think hard about metadata, because content encryption does not hide it. Even when a message body is encrypted, the record of who contacted whom, when, and from where can expose a source on its own. Cutting metadata means choosing tools that hold little of it. Be careful about which accounts and numbers you link. The pattern of your communications can be as telling as their content.

Secure devices and compartmentalise

Secure the devices themselves, not just the accounts. Full-disk encryption guards what is on a laptop or phone if it is lost or seized. A strong passcode is far better than a short PIN or a face unlock you can be forced to use. Prompt software updates close the known holes that real attacks rely on. A device left unlocked or unpatched undoes every careful choice you made about accounts.

Compartmentalise to limit the harm when something goes wrong. Keep sensitive work apart from personal accounts. Use different identities or devices for different projects. Keep source material on its own. All of this means one breach does not spread into total exposure. This discipline is tedious. That is exactly why it is worth baking into a routine, not improvising under pressure.

Compartmentalise to limit the harm when something goes wrong. Keep sensitive work apart from personal accounts. Use different identities or devices for different projects. Keep source material on its own. All of this means one breach does not spread into total exposure. This discipline is tedious. That is exactly why it is worth baking into a routine, not improvising under pressure.

- WeThePurple

The human link, and security as collective

Remember that the weakest link is often human, not technical. Phishing is a convincing message that tricks you into entering a password or approving a login. It beats strong encryption by going around it. Slow down before clicking. Check odd requests through a second channel. Treat urgency itself as a warning sign. These habits protect you against the attacks that actually succeed most often in the real world.

Last, treat security as shared, not solo. Your protections are only as strong as those of the people you talk with. So sharing good practice with sources and colleagues raises everyone's safety at once. When the risk is high, seek out groups and trainers who focus on protecting journalists and activists. This guide points the right way. But serious cases deserve expert help built for the situation.

Related