Information Security for Journalists

By Silkie Carlo and Arjen Kamphuis

We're very glad to be able to provide this handbook as a free download, and we really want to keep it that way.

If you've found the handbook useful, or you want to help ensure it remains available to those who couldn't afford to buy a copy, please consider making a donation here.

Many thanks from the Centre for Investigative Journalism.

Download the book:

(Version 1.3 available only online or as PDF, all other formats currently still V1.2)

PDFePub, MOBI, AWZ3, LIT and FB2 formats or view it online. For SHA-256 hashes for verifying the integrity of the download, please see the table below.

This handbook is a very important practical tool for journalists and it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.

The UK Government’s new surveillance legislation, the Investigatory Powers Bill, marks a disconcerting departure from legal principles of source protection in favour of unbridled spying powers.

Journalists were dismayed by the realisation that almost all digital communications are now being recorded; for them and their sources there are real risks and now danger in their work. This danger does not just worry reporters, whistleblowers and other sources, but all those who hear privileged information and whose privacy is considered fundamental to the courts, the practice of law, and justice in all of its meanings.  Lawyers and accountants and their clients are now without the protection of client confidentiality, and are vulnerable to the secret surveillance of an increasingly authoritarian and unaccountable state.

After knowing how Snowden’s disclosures were safely presented to the public, we know that there are real protective measures available.  The CIJ’s handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying.  It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share.  To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.

When planning work that must remain private and confidential it is important to carefully assess the level of threat that may be associated with it.   Shop floor maintenance, building site health and safety, restaurant hygiene, and hospital cleaning may be areas where the precautions and methods described here are unnecessary or might act to complicate and slow down your work. In these cases a phone call made or received away from work or home to a source or a reporter, may ensure sufficient protection at least in making an initial contact.

People working or reporting on national security, the military, intelligence, nuclear affairs, or at high levels of the state and in major corporations should probably consider this handbook as very important to their safety.

Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors, and other experts advising on the project have worked to ensure its practical accuracy and usability.  The authors expect that after six months, updates and some changes will be required.  Please return to the tcij.org website to download the latest edition. You will not of course want to download this on a machine identified with or close to your employer or your source or your home.

Gavin MacFadyen, Director of the Centre for Investigative Journalism

Download links for the book:

The links to download the book in various formats can be found in the table below, along with their respective SHA-256 hashes which can be used to verify the integrity of the download.

Link SHA-256
PDF E748C1AFBF907B2B7A8B2541B68A7593B8523175E95585405A5A66532855E1B3
EPUB 10ae03051d833791d4d497e88785e0a191c9e5fab94138fdefcedbd4cf66a57d
MOBI 17bdaf16d56abb807fd0f75a7cd0e73d7cc9bcbd681dcb1332c7fb24c08fae7e
AZW3 565cd7e17b22ee2c34b4365103ea3a9be1784ae521c925e231e72d5c479de191
LIT 53224949dd50bcdf2c0a9f5da55825482be98fb2f2c6db5b3ec7fd5fee02f958
FB2 1106f0c30e27c5dedc31ae609eac3642612245a58dfbd4d11e400f023e980c0b
1-page instruction leaflet for starting Tails USB-drives 5eb4606df25801302072d1f5acaacea2ff27e0d02fc1c74dab04ad59eca7b9de

This book is also available as a set of webpages. We have put much valuable feedback from the Summer School 2014 and several readers in the improved version. Slides from the Summer School 2014 lectures on information security are here in PDF and PPT.

This handbook is being translated into Arabic, Chinese, French, German, Turkish, Spanish, and other languages.

CC BY-NC-SA

Creative Commons (CC BY-NC-SA 4.0). Licence for humans. Licence for lawyers.

Articles by participants who attended our training:

Securing our information – we have the technology; we just have to have the will to do it
Valentina Novak interviews Arjen Kamphuis

Information security for journalists: staying secure online
How can journalists protect both the sources and the communications when online? Infosec expert Arjen Kamphuis shared his advice on top-level security by Alastair Reid (from journalism.co.uk)

A day with the surveillance expert - CIJ's Arjen Kamphuis
by Jason Murdock, Offtherecord.in

We are always looking for ways to make this book better, so any feedback about this book will be most gratefully received.
Please email infosec@tcij.org

If you want to use encryption to secure these mails please use KeyID :0x23F5FB02  
Fingerprint: 3E93 1B31 7676 CC7F 1F98 71E9 37A1 396C 23F5 FB02

The PGP key can be downloaded from keyservers by searching for KeyID mentioned above. Failing that copying the key below manually will also work.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
 
mQINBFdoF/8BEADebR3sIge29fG51533gDmUz3Jo3dB+qiKsmDNlbC52njnaniCb
XlAQHjtdSVnZytADB+y9hzKw1I49PHByhehrIo8/eXbs7z/2ApbENXjlgty9Mrcx
aBFpeg3DOJNqCkI92yC6LzldCSsq6XNnws/fq/92Xv+uGhMETPwz1BrYedKQvLS1
JfitFiTvxCPUOi/XM+13pNjtU6c3n6gESUJH6n2sbs0d4AFZwtJKotueSxp3pn/w
dq5dhcWwTs++W4xangYaw6KF+Mt0SVz2qX60c5xPiIuIw4fSwyNhrH0nvTImq439
xMMModUejJnObYPS9YDtqMkmUH7nP3iKeGWngjakab2RywGfw7Dq7eE7xt4Zk1Al
GuIzlYEedgNsrWucoJifXRvi4Xnn9RoMmzBn5btX8Jty9uTNfZvoWYJdweSpV3TR
fO8B2aTiOtct/UAH2PVysmJJNcVoEo2rI6z5xgr/BywP11TPgI6eq8+KQ/9orUSS
hDAs/Z4AVPn832s40+Qn9s6+D7sg60I5GJGKwCR1R/SaLlIYCOqhDULulWfgZ49Z
M/RPthhNTW9jqhSF6iTzC+p4VXS9s4yd2PCJnnVAbQC+aXwtnKYg29TjdZpg//Je
RsmBJh9Dp5yebsr8wnbeEjXd23sMzEUJIkvLM1hWX6LaoghthA6xvKVoMQARAQAB
tBlJU1RDSUogPGluZm9zZWNAdGNpai5vcmc+iQI/BBMBCAApBQJXaBf/AhsjBQkB
4TOABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQN6E5bCP1+wL3khAAtuG/
JiDV6/rbTaOHdd7p+V3zoQkArNkMPORA0jXLJK53QtyvgREw2LweJnRCjXhCVM3A
jKhW4J+pjhtt/LfZcbkbd7tmnMcdL5CUyqN6uBYnqNxNMIghz3c0f5o0mwYNasa1
pnLJOdmSTSWHgt0cEDn+wfUzpYRdPlL5pX/vhQ3Kg6aZ/g9dnDnBHMl8Y28bXmqb
niATwkTRWRJQ8lDjV+8wBneSXVWOUx3SQR0EJuw5i/Z2C4ZFEujuyWPlDrVv74nU
qB0NrkgJFovUHtFtVBuebWRxnHfiygqnYvMFHxqDh2L9bLFMDajKiA7Q6tqleijO
XwFp3U6TC5d8PWVKhHowimfwG4Bo/N7iGGw/qX81SYRr2uSi61HnNJiMsLOUFNGO
NoNzoUWNPiMYsXYRV4NL7z31OddEASjNrT1oeiYhkLvDSf9zM/Ylhcw7K9HgkHO3
jIze86jYn2R/7+dsuTiCzyMFlnbB3DJwo2+MfexqAs3CvMn3VOEJLqnMuWJV8Hn6
lo0VG6cwI9NhMVs5+PgZyF2dzpf6beDWzkUIS1YEMHvMU42IA1JCBIB9SBnZyljK
8y1keS1YfMT2te8QyPg6+A3Dehrhszt1dCsh40F58anIWtvljjEOBssDiXuCrxQc
LExS5b/Zj90iF9bFKLxxoDt79KZd7k4UUJ4aUM65Ag0EV2gX/wEQAMHY2wjRJchr
3vt20Lg4JMC35UlHSEAIZMG8cjimNTq5mBSU0vHnfJe+isszsixj7GE3I4DGT6U0
rGA0Yjuq/9s0kEENZQt4uprObEc2C/A4N1q8ZVZnIkV87/rlpkjFlh/K7etCvqYW
qih2FiLgLtn+gZa6uGBjrB0OKORu79VNd+BopgJOpAX9YNMt1TdMU6h5vb1WW9jb
zU1yNDoF+pu4kkFs0jQ5WfWv4iMfwP2V1+HPWug5j8cvFZnxy12qZFyTQJiJM4b2
wzPtWO9Mve+sYaCVdX0/o9v3+OV35gYftayJNcYNRbSmJfEBzsWzWKag08dD7DFJ
s5EWu89xDLQpEwcvhcrUg3CTZXAa9IQQkRUN3ptPayFTElZ97W96XxcpmtNQoNnI
tD2iE/JPwf++ZhJs2Q/E3rfesKL/4pfAh6smE/zCXumwKIVIIgqA1TOldfLBMVGq
/uaor6+vMHvsq+Pkq4JWZmYvFuMh7uw8i0TYhrmJH1myiarTDbki7+0n3HH4+OnG
apPyd0vwJmgEug0ixl8suG2EqaekxjYLHO1vrMtytwQIOKOJRFWfi/LTR0XbUf2/
fCZ1p/TwzOKIBnS4CkRyd60NgDCte0l/g2BELv1bdHAyrp4gkHLjhSOug0r3PQy1
XmRWYQx4Eu2AW02/9WpIUj5ILVUmnXPdABEBAAGJAiUEGAEIAA8FAldoF/8CGwwF
CQHhM4AACgkQN6E5bCP1+wLaUQ//cvKX/a+vHJK7g78Gh5ulKJvzFinkuC/6NW57
+KEVqZw/laeci78j/HuW+CpQlhAuavZh/v1/OiUvvhgI8XuYkW/wBY7e+4vBNa2m
mNWVwCga/R0ocOXAVK2EE/EJUo+t54HbOIeJ6S2RZVlge8LYR/ffpJ/GPfwjoU+5
kqn8kAT4TR0hxKPBFrgPhBwSSfxzT+ghZj4fZZ4jhzL8O6Mx5Y0Bw1A9Dn1PD08g
5fTX+oTMU099zQE28W/SLlh0MfDqFMuBDFpr7qw044ViEUJhPA1zVyYIM//JXxpd
Z9fKufeYZgK8cRRxWFUypu0Ko+nmpiTAJdlYpiuqSa6pFtXgggcytVCroDR9wPDm
PqOTPUYNfbNANCiQVrjGmcLNY/1MnuXBaBFu346Oj3XHY8QSk1c5Jfzl6nvhLRot
d7LC6NY2aqo7n1dVG0pPwD4N+13dCjo0FLOnxSvFNqIgVh+MhnPMMl3mhZI/9+Ti
hn6/F1vdV2QpIm+DWXkWKxJr4qYtLIn3OSDLM4hPJAagK9iZgZdHre9gVp2fS3ZM
aZJkVHzam7dtlV4xGp12f4B4Mq6MHxkNp949qCXMSLk4rPSljM5a4m/VuJAeHwYu
kpJcmSB3+nr9JVI1qVdEHBWyRxqsfIVRfpttCZscjg54bgvGMOqtojvOF1YJfmi7
KUy6Tfc=
=eXQr
-----END PGP PUBLIC KEY BLOCK-----