Journalist Digital Security Guide

Protecting Sources, Stories, and Yourself By Liz Howard, The Multiverse School


🚨 Critical Understanding

You are NOT "most people." When security experts say "this is probably fine for most people," they're talking about average users, not journalists. You face state-sponsored actors, corporate espionage, and targeted harassment. Your threat model is in the top tier.

Your sources' lives may depend on your security practices.


🎯 The Journalist Threat Landscape

You Face:

State-Level Adversaries: - NSA/Five Eyes surveillance - Foreign intelligence services - Law enforcement investigations - Court-ordered disclosure - Border searches - FISA warrants

Corporate Threats: - Private investigators - Corporate security teams - SLAPP suits with discovery - Hacked law firms - Competitive intelligence

Individual Threats: - Doxxing campaigns - Harassment networks - Source compromise - Metadata exposure - Physical surveillance


🧠 The Psychology of Security

It's a Marathon AND a Sprint

Security fatigue is real. You can't maintain perfect security 24/7, so:

Managing the Paranoia


🛡️ Phase 1: Identity Protection & Anti-Doxxing

A. Accept the Inevitable

You WILL be doxxed. Plan for it now:

  1. Credit Lockdown:
  2. [ ] Freeze all credit reports NOW
  3. [ ] Only unfreeze when applying for credit
  4. [ ] Use verbal passwords with agencies

  5. Financial Fortress:

  6. [ ] Unique password for every bank account
  7. [ ] 2FA on all financial services
  8. [ ] Separate "public" and "private" bank accounts
  9. [ ] Consider credit union over big banks

  10. Document Security:

  11. [ ] Get new driver's license number if compromised
  12. [ ] Use P.O. Box for public records
  13. [ ] Remove address from voter rolls if possible

B. Disinformation as Defense

Confuse the bots and trolls:

  1. Create Decoy Profiles:
  2. [ ] Make 3+ fake accounts with your name/photo
  3. [ ] Post plausible but false information
  4. [ ] Different birthdays, schools, jobs
  5. [ ] Keep them semi-active

  6. Poison the Well:

  7. [ ] Old/wrong info is your friend
  8. [ ] Multiple "official" websites
  9. [ ] Conflicting biographical details
  10. [ ] Let errors propagate

C. Know Your Doxxers


📱 Phase 2: Device Security Architecture

A. The Three-Device System

1. Daily Driver (Your regular phone/laptop): - Assume compromised - Never for sensitive sources - Public-facing work only - Full encryption enabled

2. Source Device (Dedicated secure device): - Never connects to personal accounts - Tails OS or GrapheneOS - Tor/VPN always - Different location use only

3. Burner Device (Disposable): - For high-risk temporary needs - Cash purchase, no activation - Destroy after use - Never bring home

B. Smartphone Hardening

Your Phone is a Hot Mic:

Daily Phone Security: - [ ] Keyboard apps spy - don't type keywords - [ ] Assume all apps can access all data - [ ] Lockdown mode when possible - [ ] Biometrics = legally compellable - [ ] Cover cameras when not using

Signal Configuration: - [ ] Disappearing messages ALWAYS for sources - [ ] Registration lock enabled - [ ] PIN reminder frequency to never - [ ] Screen security enabled - [ ] Relay calls through Signal servers

Location Discipline: - [ ] WiFi/Bluetooth OFF except at home - [ ] Yes, Bluetooth headphones identify you - [ ] Location services fully disabled - [ ] Airplane mode isn't enough

C. Computer Hardening

The Basics: - [ ] NOTHING plugs into journalism computer - [ ] Camera covered with tape - [ ] Microphone physically disconnected if possible - [ ] Full disk encryption mandatory - [ ] Separate user accounts for different work

Backup Strategy: - [ ] Daily to offline drive - [ ] Weekly to large memory card - [ ] Monthly mail backup to trusted friend - [ ] Multi-cloud with different emails - [ ] Test restore process quarterly


🕵️ Phase 3: Source Protection

A. Initial Contact

Never Compromise at First Touch: - SecureDrop for anonymous tips - Signal with disappearing messages - Separate device for source comms - Meet in person when possible - Assume all digital = recorded

B. Ongoing Communication

Compartmentalization is Key: - One source = one device ideally - Never mix source pools - Different passwords per source - Separate encrypted volumes - Regular security reviews with sources

C. Document Handling

The Printer Problem: - [ ] Printers add tracking dots - [ ] Reality Winner was caught this way - [ ] Use DEDA to add noise - [ ] Better: Don't print sensitive docs - [ ] Best: Old printers from flea markets


🎭 Phase 4: Sock Puppet Mastery

A. Account Creation

The Golden Rules: 1. Separate device (never your main) 2. Different location (never home/office) 3. Different network (never your WiFi) 4. Different habits (posting times, style) 5. Never cross the streams

Device Selection: - [ ] Secondhand older phone - [ ] Factory reset twice - [ ] No SIM activation - [ ] WiFi only (public/borrowed) - [ ] Wear mask if using FaceID device

B. Operational Security

Location Discipline: - [ ] Pick dedicated "posting location" - [ ] Never bring device home - [ ] Store in separate location - [ ] Different transport route - [ ] Cash for everything

Digital Hygiene: - [ ] No weather apps (location) - [ ] No personal accounts ever - [ ] Different email per identity - [ ] VPN + Tor for all access - [ ] Regular device rotation


📹 Phase 5: Protest & Event Coverage

A. Pre-Event Preparation

48 Hours Before: - [ ] Scout location without devices - [ ] Memorize routes (no Google Maps) - [ ] Identify safe houses/exits - [ ] Coordinate with legal support - [ ] Prep all equipment

Device Decisions: - [ ] Leave primary phone at HOME (not car) - [ ] Bring only burner if needed - [ ] Hidden cameras > obvious ones - [ ] Memory cards, not WiFi/Bluetooth - [ ] Faraday bag for transport

B. On-Scene Security

The Stingray Problem: - Assume IMSI catchers present - All phones in area surveilled - Airplane mode insufficient - Better to have no phone - If livestreaming, accept compromise

Alternative Comms: - [ ] Mesh networking (Meshtastic) - [ ] Pre-arranged signals - [ ] Dead drops for footage - [ ] Courier handoffs - [ ] Time-delayed publishing

C. Post-Event Protocol

Immediate Actions: 1. Don't go straight home 2. Check for physical surveillance 3. Transfer footage to secure device 4. Wipe/destroy burner devices 5. Debrief with team securely


🔐 Phase 6: Advanced Techniques

A. Voice Anonymization

When You Need Different Voice: - Speech Conversion Tools - Coqui TTS for generation - Amphion Toolkit for processing - Real-time vs. post-processing - Test with voice printing tools

B. VPN Reality Check

What VPNs Actually Do: - Hide IP from websites (not governments) - Prevent ISP data collection/sales - Change apparent location - That's it.

What VPNs Don't Do: - Make you anonymous - Protect from state surveillance - Hide traffic patterns - Prevent browser fingerprinting

Best Practice: - Mullvad VPN (accepts cash) - VPN + Tor, not VPN alone - Different VPN per identity - Assume VPN provider compromised

C. Tool Selection

Avoid: - Zoom → Use Jitsi - Gmail → Use ProtonMail - Dropbox → Use Tresorit - WhatsApp → Use Signal

More alternatives: prism-break.org


💰 Phase 7: Acquiring Technology

A. Purchase Security

Never: - Use your Amazon account - Use credit cards - Buy from big box stores - Create patterns

Always: - Pay cash at sketchy electronics stores - Buy at flea markets/yard sales - Use different locations - Vary purchase times - Consider proxy buyers

B. "Burner Phone" Reality

The Truth: - True burner phones barely exist - All phones have unique identifiers - Activation = identification - "Burner phone dealers" often compromised - Better: Rotating old devices


📊 Phase 8: Metadata Discipline

A. Understanding Metadata

What Kills Sources: - Call records (who, when, duration) - Location data (where you met) - Message timestamps (patterns) - File metadata (creation, edits) - Network connections (IP addresses)

B. Metadata Stripping

Every File, Every Time: - [ ] Photos: Remove EXIF data - [ ] Documents: Clear properties - [ ] PDFs: Sanitize with tools - [ ] Audio: Strip recorder info - [ ] Video: Remove all metadata

Tools: - ExifTool for images - MAT2 for multiple formats - PDF Redactor for documents - Metadata Cleaner for bulk


🧘 Phase 9: Sustainable Security

A. Building Habits

Daily (5 minutes): - Check device for new apps - Review recent logins - Clear browser data - Check for updates

Weekly (30 minutes): - Full device backup - Security news review - Source OPSEC check - Tool updates

Monthly (2 hours): - Threat model review - Complete security audit - Rotate passwords - Test disaster recovery

B. Mental Health

Warning Signs of Security Fatigue: - Skipping steps because "tired" - Paranoia affecting relationships - Not leaving house - Checking locks repeatedly - Isolating from colleagues

Recovery Practices: - Regular offline time - Security buddy system - Professional support - Boundaries with work - Exercise and nature


📋 Quick Reference Cards

Source Meeting Checklist

``` Before: □ Leave all devices behind □ Counter-surveillance route □ Cash for everything □ Meeting location secured □ Legal contact ready

During: □ No phones present □ White noise/music □ Visual surveillance check □ Note-taking discipline □ Establish future comms

After: □ Different route home □ Transcribe notes immediately □ Secure all materials □ Schedule followup □ Update threat assessment ```

Daily Security Card

``` Morning: □ Check overnight alerts □ Review day's risks □ Select appropriate devices □ Verify backups current

Workday: □ Source comms on secure device only □ Metadata stripped from all files □ Disappearing messages enabled □ Location services managed

Evening: □ Devices backed up □ Accounts reviewed □ Tomorrow's security planned □ All devices charging securely ```


🔗 Resources

Essential Tools:

Training:

Emergency Contacts:


💪 Remember:

Your security protects: - Your sources' lives - Your stories' integrity
- Democracy itself - Future journalists - The truth

You're not paranoid if they're really watching you.

Stay sharp. Stay safe. Keep reporting.


Secure support: liz@themultiverse.school
Private consultation: https://jitsi.themultiverse.school

The best security is the security you'll actually use.

Clear your browser history. Protect your sources. 📰

Secure Technology Acquisition Guide

For Journalists Needing Untraceable Devices


🚫 Never Do This:


✅ Safe Acquisition Methods:

1. Flea Markets & Yard Sales

Best for: Old laptops, printers, basic phones - Pay cash only - Different markets each time - Wear hat/sunglasses - No small talk about use - Test before leaving

2. Sketchy Electronics Stores

Best for: USB drives, cables, accessories - The dustier, the better - Independent shops only - Cash transactions - Buy common items too - Never fill out warranty cards

3. Craigslist/Local Classifieds

Best for: Older smartphones, tablets - Meet in public places - Bring exact cash - Use different email each time - Factory reset immediately - Never meet near home

4. Pawn Shops

Best for: Diverse device selection - Negotiate prices down - Check multiple locations - Avoid shops with cameras - Don't provide ID - Pay cash only


📱 Device Selection Tips:

For Phones:

For Computers:

For Printers:


🎭 Purchase Personas:

"The Student"

"The Grandparent"

"The Repair Person"


🚗 Transportation Security:


💰 Cash Management:


🏠 Post-Purchase Protocol:

  1. Don't go straight home
  2. Remove batteries immediately
  3. Check for tracking devices
  4. Factory reset at secure location
  5. Never turn on at home first
  6. Install OS at public WiFi
  7. Different location for each step

🚨 Red Flags to Avoid:


📋 Shopping Checklist:

Before Shopping: - [ ] Cash prepared (mixed bills) - [ ] Transportation planned - [ ] Cover story ready - [ ] Hat/sunglasses packed - [ ] Shopping list memorized

During Shopping: - [ ] Stay in character - [ ] No personal conversations
- [ ] Check for cameras - [ ] Count change carefully - [ ] Get generic receipt only

After Shopping: - [ ] Indirect route away - [ ] Check for surveillance - [ ] Remove batteries - [ ] Secure devices properly - [ ] Document nothing


Remember: The goal isn't perfection, it's breaking patterns and avoiding easy tracking. Every layer of anonymity costs your adversaries more resources.

"The best technology is technology they don't know you have."