Digital Security

for Journalists
(and Activists, Govt. Officials, etc.)

Pranesh Prakash

Policy Director (and Resident Geek)

Centre for Internet & Society





CC-BY-SA 4.0
(copy, share, adapt: sharing is caring)

no proprietary software or standards were used in the making of this slideshow

Journalists & Activists

Source Confidentiality Matters.


Sources trust you: you owe them a duty

So you need to protect information on who you're communicating with.

Often, no legal protection.

Journalists & Activists

Confidentiality of internal communications matters.


Investigative journalism is impossible otherwise.

Your communications with your editor, with colleagues.

(Imagine the Panama Papers leaks)

Journalists & Activists

Confidentiality of Research Matters.


Again, investigative journalism is impossible otherwise.

But sometimes the information is already public, so this may not apply in your case.


Your requirements may vary with time, with project, with story.

Digital Security (OPSEC)

"Threat Model"

(i.e., why asking "Is Gmail/Facebook/WhatsApp secure?" is not a sensible question.)


What are you protecting?

Whom are you protecting yourself against?

What capabilities does the adversary have?

What do you hope to achieve?

(e.g., preventing snooping, or simply making it tougher?)
(e.g., confidentiality of communications, or anonymity?)

To what lengths are you willing to go?

Trade-offs: Convenience vs. Privacy/Security


Data in Transit vs. Data at Rest
(most of this workshop will focus on the former)

Casual vs. Employers vs. Police vs. Intelligence Agency vs. NSA/GCHQ

Access to device vs. Access to network vs. Access to intermediaries

To what lengths are you willing to go?

At Stake




Communicated Information



Secondary Research + Stored Data

It depends. But potentially:

Location + IP Address + E-mail address (& Subject) + Phone number + MAC ID + IMEI, etc. + URLs (DNS + HTTP) + Timestamps + correlation




(from Telco, ISPs, WiFi hotspot/OTA, web service, MITM, etc.)

What all can they have access to?

Your phone is a surveillance device


Your ISP is a surveillance provider


FB/Google are spyware

Privacy comes at a cost

(usually at the cost of convenience, but sometimes at the cost of security or of privacy too)


No one simple solution!


Think about your security practices.


Encourage at-risk sources, colleagues to be security-conscious (and not just wrt tech!)


Also: Use phone calls and SMS (and your phone, even if just for Internet) as little as possible in sensitive matters. It is much harder to communicate anonymously using your phone.


Realize that security technologies are tools and not solutions.

Tech Solution?

Good Hygiene


{Traffic, End-to-End, Device-Level} Encryption


Free/Open Source Software


Open Standards


Decentralized Solutions


Federated Networks


For end-to-end encryption (meaning the decryption happens at your/the source's end, and the intermediary can't read it), the source will also have to be using the same encryption as you, and potentially the same software.

This means, this won't happen.  So generally, you'll need to figure out what the source is comfortable doing, what their security risks are, and how best to secure your communications with them. It's always a trade-off.


Security is not only about "ultra-secure" tools, but about applying the best practices to a given circumstance. Many times the tools may not befit the circumstances.


Don't fetishize the tools. They're just tools.

Commonly Used + Insecure

Communication Protocols / Apps

  1. Mobile + Landline Calls (v. weak)
  2. SMS (v. weak)
  3. Email (from v. weak to not strong)
  4. Signal + WhatsApp + WeChat + Skype + Twitter + FB Messenger, etc. (from okay to not v. strong)


There is no magic bullet!
What's "good"/"secure" depends on your needs.


No way to really secure.  (Metadata always leaks.)

Instead use data or use coded language.



Silence (SMS, Android-only - Metadata still leaks)


If you have data connectivity, other alternatives exist: XMPP (Conversations, Android: Play Store + F-Droid), Signal (Android, iPhone), WhatsApp, etc.


For average needs: Use WhatsApp
(since all your non-anonymous sources/correspondents already do)

Phone Calls

No way to truly secure.  (Metadata always leaks to telco.)

(For 2G, only Airtel & Tata DoCoMo use even weak encryption. Also SS7 attacks!)

Instead use data or coded language.



1. WhatsApp (multi-platform, call quality is good)


2. WebRTC
(free providers like /

IM/Chat + Files

WhatsApp (since Dec. 2015 supports file transfer)




Other options: XMPP App (w/ OMEMO) + XMPP Provider

Modern apps: Conversations (Android), ChatSecure (iOS), Dino (Windows, Linux), Dino (Mac OS X)

Provider: / /

(or ask me for the service I maintain)

E-mail + Attachments

Use something other than e-mail (since metadata leaks)

For press orgs: GlobaLeaks / SecureDrop


Else: E-mail Provider + E-mail Client + Autocrypt

Provider: / ProtonMail

(downside: painting-target-on-your-back)


Client: Thunderbird + Enigmail / Claws + Claws GPG plugin / K-9 (Android)


OpenPGP using GnuPG: built-in (Linux), GPG4Win (Windows), GPGTools (Mac OS X), OpenKeychain (Android)

Sharing/Publishing Files

Scrub the "metadata" if the source is sensitive.

Just as you redact a document to protect sources / sensitive information, you need to "redact" metadata too.


Metadata and other embedded data in files (jpg, pdf, mp3, docx, etc.) you upload can lead directly to your source.


NSA whistleblower Reality Winner was doxxed because the Intercept didn't take care to remove printer "microdots"!


OpenNews's guide to removing metadata


Mat2 is a tool that can strip most (not all) metadata.

Skype (video/voice/desktop)

WebRTC (using browser/phone app)

1. Jitsi Meet (

2. Signal / WhatsApp / etc.






It just works.




Keep your identities separate! 

Compartmentalize using


Weak anonymity is easy. Strong anonymity is difficult.  Truly untraceable anonymity if a well-resourced police department or intelligence agency is after you: next to impossible.


For a good guide to paranoia and tradecraft, read the grugq's blog, esp. this presentation.

Transport Security + Anonymity

Against ISP / WiFi

  • Encrypted Proxy Service ("VPN") (weak anonymity, security till VPN, so hides content from ISP but is not end-to-end)
    • RiseUp VPN, ProtonVPN, etc.
    • Complex / software-only, i.e., not a service:
      • WireGuard (Linux-only, using your own provider),
        Tailscale, etc.
  • Anonymizing Networks (Tor / I2P) (very strong anonymity, hides content from ISP, but security is not end-to-end & traffic data is transparent)

General Hygiene

  • Set a lock-screen with a passcode!
  • Use Free and Open Source Software
    • Linux (even my parents find Ubuntu easy to use)
      • If need be, use TAILS /
        QubesOS / Whonix
    • Android (e.g., LineageOS, GrapheneOS, etc.)
    • FOSS on Mac/Windows
  • Physically secure your devices!
  • Use full-disk encryption
    • Linux (dm-crypt), MacOS (FileVault), Windows (BitLocker).
    • Android (v5+), iOS (v8+).

Passphrase Hygiene

Use a password manager (pass / BitWarden / KeePass / Browser)

Long master password / passphrase using phrases in Hindi/Tamil/etc. / WebPassGen / Diceware

Don't reuse passwords!

Test password strength using telepathwords & zxcvbn

Use multi-factor authentication wherever available (but don't tie your real identity to a pseudonymous account!). And beware, MFA can cause you to lose access!

Make sure you keep an eye on what you've authorized using your {Google, Facebook, Twitter, etc.} credentials

Never share your passwords, except through secure mechanisms like a group password manager. Don't ever respond to e-mails asking for your password.


Browser Hygiene

Use Brave, Firefox, or Chromium

Essential Extensions/Add-ons

Password Manager (inbuilt, or add-on)

uBlock Origin (FF & Chromium & Safari)

HTTPS Everywhere (FF & Chromium & FF for Android)

uMatrix (FF & Chromium, not for beginners)

NoScript (FF-only, I use it w/ default "allow")

"Private Browsing" mode only deletes stuff (browser history, cookies, etc.) once you close the browser.

Browser Hygiene


If anonymity is needed in addition to security, then use the Tor Browser
(and don't use any of your regular usernames, and don't visit HTTP sites since many exit nodes do sniff traffic)

(While Tor Browser is easy to use, I would recommend using TAILS over Tor Browser if at greater risk.)


Anonymity does NOT work without identity segregation.

E-mail Hygiene




Only ever open attachments using Zoho or Google Docs. Never download them or open them locally in MS Word / Excel, etc.


Scan all attachments using a malware scanner (especially if you use Windows). VirusTotal is a great online scanner.


E-mail Hygiene



NEVER click a link in an e-mail that scares you into thinking you need to change your password, etc.  The bulk of these are phishing attempts.


ALWAYS check the link (usually it appears in the status bar) BEFORE clicking it.
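
The same check, automated over an HTML e-mail body: an added example, not part of the original slides. It compares what each link displays with where it actually goes, and flags hosts hidden behind an "@" or given as a raw IP address; the class, function names and sample message are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible_text) for every <a> element in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that itself looks like a web address, e.g. "https://mail.example.net/x".
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def host_of(url: str) -> str:
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def warnings_for(href: str, text: str) -> list:
    found, target = [], host_of(href)
    if DOMAIN_LIKE.match(text) and host_of(text) != target:
        found.append(f"text shows {host_of(text)} but link goes to {target}")
    if "@" in urlsplit(href).netloc:
        found.append("text before '@' is not the host; real host is " + target)
    try:
        ipaddress.ip_address(target)
        found.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    return found

def audit(html_body: str) -> dict:
    parser = LinkCollector()
    parser.feed(html_body)
    return {href: w for href, text in parser.links if (w := warnings_for(href, text))}

# Constructed sample body; all hosts are reserved example names / documentation IPs.
SAMPLE = """<p>Mailbox full. Verify at
<a href="http://mail.example.net.login-check.example/verify">https://mail.example.net/verify</a>,
see <a href="https://www.example.org/help">our help page</a>, or
<a href="https://accounts.example.com@203.0.113.7/reset">reset your password</a>.</p>"""
```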

E-mail Hygiene

Requests for Personal Information


  • Howsoever authentic looking, never reply to an e-mail asking you for personal information like your password, bank account details, etc.

Temporary Accounts

Disposable e-mail


Disposable SMS



Disposable identities & CC numbers



Contact Details

Get in touch with me using:

XMPP: pranesh(at) + pranesh(at)

E-mail: pranesh(at) + pranesh(at)

IRC: the.solipsist/freenode + sol/oftc



For help, join this XMPP chatroom:
