Thank you for attending a training session! We covered a lot of ground, so these notes are meant to serve as a reference and reminder of the advice we gave you.
Please don't hesitate to contact me with questions.
You must use an iPhone. Android phones are not safe for journalists to use.
Your phone is the most secure device you have. Do whatever work you can on it.
Make sure you have at least a six-digit key code or passphrase. Longer is better.
Turn off TouchID (the fingerprint sensor that unlocks your phone). Your fingerprint is easy to spoof (using a photograph, or just a 'generic' fingerprint), and you can be compelled to touch the sensor in situations where you can't be legally compelled to give your password.
Turn off Siri on the lock screen, and ideally everywhere else. Siri can reveal information about your contacts even when the phone is locked.
Keep your phone software updated. Don't wait.
When you travel, carry a USB filter to use in airport and hotel room chargers. This physically blocks any data transfer, while still allowing your devices to charge.
Your personal email account holds the keys to your online life, and will be the primary target for attackers. Use Gmail for your personal email, and Chrome as your web browser.
Don't have sensitive conversations over email. Use Signal or WhatsApp (see below).
Don't give any apps permissions to read or write your email inbox.
Make sure your email is protected with a security key. We should have already set this up during the training. If you need to set it up again, or to set it up for someone else, here are detailed instructions for adding a security key to Gmail.
Attachments are one of the biggest risks you face. Even attachments coming from a trusted sender are a danger; if someone you know gets their email hacked, the attacker may send you a message that looks just like a typical message (for example, an email from your editor with a Word doc).
Here is the hierarchy of attachment safety, from safest to most risky:
- Safest is to open them on an iPhone.
- Open them on a Chromebook (an inexpensive computer that only runs Chrome).
- Save them directly to Google Drive from Gmail. If you hover over an attachment in Gmail, you'll see a 'save in Google Drive' icon.
- Download them to disk, and upload them to Google Drive in your browser. Make sure you delete the downloaded file, so you don't accidentally double-click it in the future.
- The least safe way to open an attachment is to double-click it on your laptop. Avoid doing this, despite it being a hard piece of advice to follow!
Where possible, send files as a link to a Google doc. Get out of the habit of sending attachments.
Don't use Dropbox or Evernote.
Remember that your phone is always more secure than your laptop.
We should have turned on full-disk encryption on your laptop during our session. This will protect the data on your laptop if it is lost or stolen. Files on the laptop cannot be recovered without knowing the user's system password.
Keep your software up to date.
If possible, consider getting a Chromebook. This is a simplified computer, far more secure than an ordinary laptop, that can only run the Chrome browser.
Avoid putting USB drives in your computer.
We recommend you use Signal or WhatsApp for sending text messages. In terms of security, the two offer the same level of protection. WhatsApp is more usable, particularly for group chats. However, WhatsApp (and therefore Facebook) aggressively tracks message metadata. That means it knows who you talk to, when, and how many messages you exchanged.
Even though WhatsApp can't see the contents of what you send, the metadata can reveal a lot about your conversation. Signal does not retain message metadata.
Avoid SMS (regular text messages) or iMessage for private messaging. If you use Facebook Messenger, make sure to turn on private conversations.
Treat Twitter and Slack as a public forum, even if you use their private message features.
Slack and Twitter
Assume that anything you say on Slack and Twitter, especially in private messages, will one day be public.
Move sensitive conversations to Signal or WhatsApp.
Use Google Chrome as your default browser on your laptop. We should have installed this and set it up during the training. Avoid Safari and Firefox. Under no circumstances use the Tor browser (it's okay to use Tor, but do it with Chrome, and seek additional training on how to set it up).
On your iPhone, it's okay to use Safari.
Use the uBlock Origin and HTTPS Everywhere Chrome browser extensions. We should have set these up during your training. Avoid using other extensions.
Make a habit of using incognito mode.
If you are visiting websites that you feel are particularly dodgy, consider using a Chromebook for the purpose, or your phone.
We strongly recommend you install a password manager called 1password. We're working on a tutorial for setting this up, and using it.
Don't reuse the same passwords (or similar passwords) across sites. It is better to keep a list of random passwords in a text file or Word document than it is to re-use passwords.
Any clever scheme you use to remember your passwords can be cracked within minutes by modern techniques. Pick truly random passwords instead, and save them in a password manager like 1password.
If you need help, or feel out of your depth reporting a sensitive story, contact us! We'll do our best to connect you to security experts who can give you additional training.
Our goal is to help keep working journalists safe. If you found this training valuable, please spread the word to your colleagues!