Journallist / trust.txt

Machine-readable transparency file for news publishers — declares organizational affiliations, ownership, social accounts, and AI training permissions in a standard text format.

Verification

Built for journalism

Adequate

https://journallist.net · Reviewed 2026-04-03 · Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about Journallist / trust.txt?

Trust.txt is a plain-text file you host at /.well-known/trust.txt on your domain — modeled after robots.txt and ads.txt. It declares which associations you belong to (belongto=), which sites you control (control=, controlledby=), your verified social accounts (social=), vendor relationships (vendor=, customer=), ethics disclosures (disclosure=), and whether you permit AI training on your content (datatrainingallowed=). The system is decentralized: each publisher hosts their own file, and claims are validated by checking that the referenced organization's trust.txt reciprocates the relationship. JournalList.net aggregates these files into a searchable dataset. Founded in 2018 by Scott Yates, a Colorado journalist and serial entrepreneur, JournalList is a 501(c)(6) nonprofit incorporated in Delaware. The board includes Claire Wardle (Brown University, formerly First Draft News), Ralph Brown (former CTO of CableLabs), Randy Picht (Reynolds Journalism Institute), and Susan Kantor (Alliance for Audited Media). RJI partnered with JournalList in 2022; Mark Stencel (formerly Duke Reporters' Lab, Washington Post, NPR) was appointed executive director when Yates left to run for Congress. An IETF Internet-Draft was submitted by Ralph Brown in February 2025 but expired in August 2025 — trust.txt has no formal IETF standing. A browser extension built by Ralph Brown and Microsoft engineer Christian Paquin shows a badge on participating sites. Compared to JTI (Journalism Trust Initiative by RSF, ISO-based, 2,000+ outlets in 119 countries, requires independent audit) and NewsGuard (paid editorial ratings), trust.txt is lighter-weight: it reports affiliations rather than evaluating quality. That is both its strength and its limitation. It tells you who vouches for a publisher but not whether the journalism meets any standard. Adoption grew from 110 to 3,000 publishers in two years, but that is still a fraction of the news ecosystem. The datatrainingallowed field (added April 2024) is a useful opt-in/opt-out signal for AI crawlers, though enforcement depends on crawlers choosing to respect it — same limitation as robots.txt.

Best for

Declaring organizational affiliations in a machine-readable format. Helping ad platforms and search engines distinguish legitimate publishers from pink-slime sites. Verifying social media account ownership. Signaling AI training permissions. Press associations that want a lightweight way to vouch for member outlets.

Not for

Evaluating journalism quality — trust.txt reports affiliations, not editorial standards (use JTI for that). Individual journalists without a publication domain. High-stakes verification where you need editorial ratings (use NewsGuard). Replacing fact-checking or content verification tools. Publishers not affiliated with any recognized association — the system's value depends on reciprocal relationships.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Unknown

Data is scrambled when stored on their servers

Data jurisdiction United States. JournalList Inc. is incorporated in Delaware with offices in Denver, CO. The trust.txt files themselves are hosted on each publisher's own domain under their own jurisdiction. JournalList.net aggregates these files but the spec is decentralized — no single entity controls all data.

Where servers are located — affects which governments can request your data

Security rating Adequate

JournalList.net collects standard website data: comment form info, IP addresses, browser user agents for spam detection. Contact form submissions are retained. Cookies for login (2 days or 2 weeks with Remember Me) and screen preferences (1 year). They state they do not share data outside JournalList Inc. All staff access requires 2FA. The trust.txt files themselves contain only organizational relationships and public URLs — no personal data.

How to protect yourself:

Trust.txt files contain only public organizational data, so exposure risk is minimal. Verify that your trust.txt only lists affiliations you want public. The datatrainingallowed field is advisory — AI crawlers may ignore it, just as they sometimes ignore robots.txt. Do not treat a trust.txt badge as proof of journalism quality; it confirms association membership, not editorial standards. If you control multiple domains, each needs its own trust.txt file with matching control/controlledby entries.

Trust.txt files contain only public organizational data — no personal information, no credentials, no sensitive content. The spec is open-source with an expired IETF draft. JournalList.net uses HTTPS and requires 2FA for staff. The decentralized architecture means no single point of compromise for all publisher data. The main risk is not technical but conceptual: trust.txt signals affiliation, not quality, and consumers or platforms may conflate the two. Low data sensitivity, straightforward implementation, no authentication required to read the files.

Who Owns This

Owner JournalList Inc., a 501(c)(6) nonprofit. Founded by Scott Yates (2018). Current executive director: Mark Stencel (appointed 2022, formerly Duke Reporters' Lab). Board: Claire Wardle (Brown University), Ralph Brown (former CTO CableLabs), Randy Picht (Reynolds Journalism Institute), Susan Kantor (Alliance for Audited Media).

Funding Nonprofit membership fees (amounts undisclosed). Accepts no funding from platforms, governments, or competing organizations per stated policy. Partnership with Reynolds Journalism Institute (University of Missouri) provides institutional support. Alliance for Audited Media expanded complimentary access to 1,100+ audited publishers in 2023.

Business model Nonprofit association. Revenue from optional membership dues. The trust.txt spec itself is open-source and free to implement. JournalList aggregates and distributes the data to platforms, ad buyers, and researchers. No ads, no tracking, no affiliate revenue.

Known issues

The IETF Internet-Draft expired in August 2025 with no formal standardization — trust.txt remains a de facto spec, not an official internet standard. 3,000 publishers is meaningful growth but still a small fraction of global news outlets. The system only works when both parties (publisher and association) maintain matching trust.txt files — stale or missing files break the chain. The datatrainingallowed field has no enforcement mechanism beyond voluntary compliance by AI crawlers. Trust.txt confirms affiliations but does not assess journalism quality, editorial independence, or factual accuracy — a publisher could belong to a legitimate association and still produce poor journalism. The browser extension exists but has minimal consumer adoption. Membership fee structure is not transparent.

Pricing

Free to implement. Adding a trust.txt file to your site costs nothing. JournalList membership (optional) carries fees, though amounts are not publicly disclosed. In August 2023, JournalList announced complimentary access for all publishers from its association members.

This is an editorial assessment based on publicly available information as of 2026-04-03, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.