QGIS
Open-source geographic information system used by every serious data journalism team.
What should journalists know about QGIS?
QGIS is the free ArcGIS — and for most journalism work, it is ArcGIS. Current stable is 3.44 (the final 3.x LTR); QGIS 4.0 ships February 2026 with a Qt6 rewrite. The learning curve is real: expect 10-20 hours before you're productive, longer for geoprocessing or Python scripting. But no other free tool matches its analytical depth. Opened ~22 million times per month as of late 2025. GIJN, IRE, and Berkeley AMI all teach workshops on it. Bellingcat lists it in their investigation toolkit. Runs entirely locally — zero cloud exposure by default. The 2,000+ plugin ecosystem is both a strength and a risk: some plugins are unmaintained or buggy, and any plugin can connect to external services. For journalists handling sensitive location data, QGIS with network disabled is the gold standard.
Publication-quality maps from geographic data. Election mapping, pollution tracking, demographic analysis, disaster coverage. Analyzing government GIS data (shapefiles, geodatabases, Census TIGER files). Geocoding incident locations and running buffer/proximity analysis for investigative stories. OSINT geolocation work.
Quick web maps for a story due in an hour (use Datawrapper or Flourish). Interactive embeddable maps (use Mapbox GL JS or Leaflet). Simple point-on-a-map graphics (Google Earth Pro is easier). If you've never touched GIS, budget real learning time.
Security & Privacy
Data is scrambled while being sent to their servers
Data is scrambled when stored on their servers
Where servers are located — affects which governments can request your data
Privacy policy summary
No data collection. No telemetry. No accounts. No analytics. Processing is 100% local. Third-party plugins may connect to external tile servers (OpenStreetMap, Google, Bing) or geocoding APIs — those connections are visible and optional.
How to protect yourself:
Runs entirely on your machine. For sensitive geographic data (source locations, conflict zones): disconnect from the network before opening project files, which prevents base map tile fetches. Audit installed plugins — remove any you didn't intentionally install. Avoid third-party geocoding plugins for sensitive addresses; do offline geocoding instead.
Runs entirely locally with no telemetry, no accounts, no cloud dependency. Open-source with 579 contributors and active security response. Backed by the OSGeo foundation and 141 sustaining member organizations. 2025 Swiss NCSC penetration test confirmed strong security posture. The only real risk vector is third-party plugins that phone home — manageable by auditing your plugin list and disconnecting when handling sensitive data.
Who Owns This
Known issues
Steep learning curve — plan 10-20 hours minimum before productive use. Performance degrades with very large vector/raster files on modest hardware. Plugin quality is uneven: some of the 2,000+ plugins are unmaintained, crash-prone, or incompatible across versions. 3D visualization still lags behind ArcGIS Pro. Print composer requires manual fiddling for truly polished cartographic output. CVE-2024-55565 (nanoid dependency, low severity) was patched in 3.42.1. A 2025 Swiss NCSC penetration test of QGIS Server found no directly exploitable vulnerabilities — only one low-criticality issue found via source code review.
Pricing
Free. No paid tiers, no feature gates, no usage limits.
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
Something wrong or outdated? Report it.