The original SaferJourno was launched in 2014 with the aim of bolstering the digital security capacity of trainers working with journalists around the world. For this new and updated version this aim has not changed, but the content has.
Journalists face a complex array of digital threats. Some of these are old, such as account hacking and malware attacks, but others are new and present significant challenges. This includes the increasing use of sophisticated spyware as well as state-sponsored online smear campaigns designed to undermine a journalist and their reporting. This guide provides trainers with best practice on how to mitigate these risks in a way that is both practical and accessible for the journalist.
SaferJourno is designed for both experienced digital security trainers who are less familiar with teaching journalists, as well as media trainers who work with journalists but might lack digital security expertise.
This guide was created with trainers, rather than journalists, in mind, but portions of it can still prove helpful for freelancers and newsrooms. We are also working on a learners’ handout for journalists, which might include security checklists, and which we hope to add to SaferJourno by mid-2024.
SaferJourno has a range of activities for both beginner and experienced trainers. Trainers can pick activities which suit their level of expertise and training style. They can also mix and match SaferJourno activities and case studies with their own materials and knowledge, so as to better reflect the needs of the communities they serve and the threats they face.
You can copy and paste or translate parts of SaferJourno to create your own training content, as long as you keep to the terms of the license. Among other things, this means when you create modified versions of SaferJourno or organize trainings which incorporate content from SaferJourno, you must credit the source and specify that your materials or training includes SaferJourno material. In addition to that, if you publish such material, you must do so under the same license (CC BY-SA 4.0) as SaferJourno.
- All trainers who are new to digital security and risk assessments are encouraged to begin with chapter 1, which focuses on assessing risk.
- Chapters 2 and 3, which explore account and device security, respectively, will be of relevance to most journalists.
- Chapter 4 covers online research. It will be of particular interest to trainers working with investigative journalists and others who spend a lot of time browsing web pages and downloading data from potentially adversarial institutions, such as state or corporate actors.
- Chapter 5, on encrypting materials, will be especially useful for journalists who travel or regularly work outside of the newsroom and are concerned that adversaries could access their data. It’s also incredibly helpful for journalists who are afraid of office or home raids.
- Chapter 6 explores safe communication and should be of relevance to most journalists, especially those who work extensively with sources.
- Chapter 7 explores online abuse and protecting data. We recommend that every trainer review this chapter. Many journalists, especially those who come from marginalized populations, will benefit immensely from a lesson on how to mitigate the worst effects of online harassment.
- The last sections of SaferJourno consist of advanced guides on safer travels, identifying forgeries, and protecting sources while working with audio-visual leaks. Those three pieces focus on threats which most journalists will not encounter within their careers. We nonetheless recommend that trainers who work with high-risk journalists and sources familiarize themselves with those sections and implement them in their training, if they are relevant.
Understanding and reducing risk is an important part of keeping journalists safe. SaferJourno includes both case studies, linked to in most chapters, and a risk assessment template at the end, both of which we believe to be valuable learning tools.
Threat assessments can be one of the most difficult aspects of journalist security to teach. Learners might struggle to identify realistic threats, overestimate some threats, and underestimate others. Not only this, but journalists might also struggle to responsibly talk to sources about threats: overstating a threat could scare away a potential source while understating could put the source at risk or make them think that the journalist cares little about their safety.
The case studies and risk assessment template at the end of this guide can be used as a training tool to help learners think about who their adversaries are, what they are capable of, and what sorts of attacks are realistic or likely. Focusing on the process of assessing risk rather than specific threats ensures that journalists will be able to replicate the process in the future and respond to the ever-changing threat landscapes which may emerge. Real-world case studies (trainers are encouraged to find additional ones from their region!) can help contextualize risks and discussing them can build journalists’ risk and security intuition. If time permits, it might also be useful to role-play conversations with colleagues and sources about some of the risks outlined in the case studies and the template: what arguments should a journalist use to persuade others about the seriousness of a threat and that they should take appropriate mitigations? How might you respond as a journalist who has been doxxed? What steps might help protect you and your colleagues in the event of an unexpected office raid?
If you have never run digital security trainings before, your first trainings might be a little overwhelming. We recommend reading through the Security Education Companion’s Security Education 101 articles as a good general introduction to teaching digital security.
LevelUp, another resource for trainers, contains some excellent pieces on how to run a good digital security training:
- Be a Better Trainer: looks at some common mistakes which digital security trainers make and offers some advice on how to avoid them
- Golden Rules of Effective Training: demonstrates three big rules all digital security trainers should keep in mind to create a safe and effective training environment
- How to Handle Surprises During Training: notes down some possible things which can go wrong during training and how best to deal with them
- Roles and Responsibilities of a Digital Security Trainer: a deeper look at what it means to run a responsible digital security training which empowers rather than demotivates learners
- Setting Expectations For Participants, Organizers, and Yourself: guides trainers on how they can manage expectations, includes some key questions to ask oneself before the training
- Psychosocial Underpinnings of Security Training: a series of pieces on how to deal with topics such as anxiety, trauma, and pressure during trainings
While conducting your training, keep the following in mind as well:
- Good security makes journalists more confident. Run engagements that make journalists feel calmer and more in control, not more fearful. This could include sharing stories of journalists who have successfully implemented key security mechanisms, reassurances about how encryption and password policies make journalists safer, and a readiness to listen to security concerns and offer empathetic answers to questions.
- If possible, talk to your training participants ahead of time to best understand how they work and what their needs are. Not all journalists necessarily engage in a lot of travel or investigative work, for example. Adapt your trainings accordingly.
- Appreciate how journalists’ needs and threat perception will vary from region to region. Internews conducted some research on the needs of Central European journalists, but the needs of the journalists you train might differ slightly.
- You will not know the answer to every question. It’s ok to step back, do some research, and follow up afterward. Being transparent and honest about your own limitations is key. You can also refer to participants to other trainers or organizations you know, or suggest resources like the Access Now Digital Security Helpline.
- Every engagement is different. No matter how many times you introduce an individual or group to a topic, tool, or practice, there will always be new questions and new things to learn as a facilitator.
- To make lessons more effective, make sure to read the room. Observe if people are listening, reacting, or making eye contact. If you feel like you are losing the training participants’ attention, think of how to regain it.
- Use personas, or talk about others’ experiences to allow participants to speak about security without revealing too much about themselves.
- Talk to participants about moments when they felt that they were really heard. Ask what you could do to reproduce this in your engagements.
Don’t forget that risk tolerance varies significantly among journalists. Those who come from marginalized communities or who have caretaking duties might have completely different security concerns and threat models. Many journalists feel a deep duty of care towards their sources: you might be most persuasive as a trainer if you frame some of the security steps below as protecting journalists, their sources, and their wider networks (including family and friends).