Security by Threat Level: Baseline, Sensitive, High-Risk

Not every journalist needs the same security stack. A freelancer covering local government has different needs than an investigative reporter handling leaked classified documents. This guide organizes tools into three tiers. Start at baseline. Move up when your reporting demands it.

Tier 1: Baseline — every journalist

This is the floor. Every journalist should have these tools installed and in daily use. They protect against the most common threats: credential theft, unencrypted communication, browser tracking, and ISP surveillance.

1Password or Bitwarden Password manager

Unique passwords for every account. 1Password costs $3/month. Bitwarden is free and open-source. Either eliminates the single biggest vulnerability most journalists have.

Two-factor authentication Hardware key or authenticator app

Enable 2FA on every account that supports it. A hardware key (YubiKey, $25-55) is the strongest option. An authenticator app (Aegis on Android, the built-in iOS authenticator) is the next best. SMS-based 2FA is better than nothing but vulnerable to SIM-swapping.

Signal Encrypted messaging

End-to-end encrypted by default. Minimal metadata collection. The standard for journalist-source communication. Enable disappearing messages.

Mullvad VPN or Proton VPN VPN

Encrypts your internet traffic from your ISP and hides your IP from the sites you visit. Mullvad accepts cash payment and requires no email to sign up. Proton VPN has a free tier and integrates with the Proton ecosystem.

uBlock Origin Browser extension

Blocks ads, trackers, and malicious scripts. Prevents browser fingerprinting and malvertising. Install in Firefox for maximum effectiveness.

Tier 2: Sensitive reporting — source protection

This tier is for journalists who handle confidential sources, leaked documents, or stories that powerful entities want suppressed. Everything from Tier 1 plus these additional tools and practices.

SecureDrop Anonymous tip submission

An open-source whistleblower submission system used by The New York Times, The Washington Post, ProPublica, and over 70 other news organizations. Sources submit documents through Tor without revealing their identity. Requires organizational infrastructure to run.

Tails Portable operating system · Free

Boots from a USB drive, routes all traffic through Tor, and leaves no trace on the host computer. Use it when reviewing sensitive documents or communicating with sources on untrusted networks. Everything disappears when you shut down.

VeraCrypt Disk encryption · Free · Open-source

Creates encrypted volumes for storing sensitive files. Supports hidden volumes — a container within a container that is undetectable. Use it for leaked documents, source lists, and investigation notes that cannot be stored in the cloud.

Compartmentalized accounts Operational practice

Separate email addresses, phone numbers, and devices for sensitive stories. A compromised personal account should not expose your source communication. Use a dedicated Proton Mail address and a prepaid SIM or VoIP number for each high-sensitivity investigation.

Tor Browser Anonymous browsing · Free

Routes your browsing through three encrypted relays. Use it for researching sensitive topics when you do not want your ISP, employer, or government to see what you are reading. Slower than a VPN, but stronger anonymity.

Tier 3: High-risk — authoritarian contexts

This tier is for journalists operating in or reporting on authoritarian regimes, those who face state-level surveillance, or anyone with reason to believe they are personally targeted. This requires dedicated hardware, strict operational discipline, and training.

GrapheneOS Hardened mobile OS · Free · Pixel devices only

A hardened version of Android that removes Google services and adds exploit mitigations. Runs on Google Pixel hardware. Used by journalists, activists, and security researchers operating in high-surveillance environments. No telemetry, no tracking, no Google account required.

Briar Peer-to-peer messaging · Free

Briar does not depend on a central server. Messages sync via Tor, Wi-Fi, or Bluetooth. It works even when the internet is shut down — a real scenario in Myanmar, Iran, and Sudan. No phone number or email required to register.

Tails + air-gapped machine Physical isolation

An air-gapped machine has no Wi-Fi, no Bluetooth, no network connection. Use it to review the most sensitive documents. Transfer files via USB only. Combine with Tails for an operating system that leaves no forensic trace. This is the setup Edward Snowden recommended to Laura Poitras.

Amnesty MVT Mobile Verification Toolkit · Free

Built by Amnesty International's Security Lab. MVT scans your phone for indicators of spyware including Pegasus, Predator, and other commercial surveillance tools. It was used to confirm the Pegasus Project findings that identified surveillance of journalists in over 50 countries. Requires a computer and command-line knowledge to run.

Tella Secure evidence capture · Free

Tella disguises itself as a calculator or other innocuous app. Inside, it captures photos, video, and audio with encrypted storage. Designed for human rights documentation in hostile environments. Used by journalists and activists in Syria, Venezuela, and Belarus.

Frequently asked questions

How do I know which threat level applies to me?

Baseline applies to every journalist. If you work with confidential sources, handle leaked documents, or report on topics that powerful actors want suppressed — you are at the sensitive level. If you operate in or report on authoritarian regimes, face state-level surveillance, or have reason to believe you are personally targeted — you are at the high-risk level.

Do I need everything in a tier, or can I pick and choose?

Each tier is designed as a complete toolkit. Partial adoption leaves gaps. The baseline tier takes 30 minutes to set up. The sensitive tier adds 1-2 hours. The high-risk tier requires dedicated hardware and ongoing operational discipline.

Is a VPN enough to protect my browsing?

A VPN hides your IP address from the sites you visit and encrypts traffic from your ISP. It does not protect against browser fingerprinting, malware, or compromised endpoints. A VPN is one layer — pair it with uBlock Origin, a privacy-focused browser, and good operational habits.

What is Tails and do I really need it?

Tails is a portable operating system that runs from a USB drive and routes all traffic through Tor. It leaves no trace on the host computer. You need it if you are handling documents that could identify a source and the adversary has the resources to seize or forensically examine your computer.