Digital Security for UK Journalists: Protecting Sources, Devices and Data

Threat Modelling for Journalists

Effective security starts with understanding your specific threats. Not every journalist needs the same level of protection — a local news reporter and an investigative journalist covering organised crime face very different risks:

Identify your adversaries: Who might want to access your communications or data? Possibilities include government agencies, police forces, corporate targets of your investigations, criminal organisations, political actors, or online harassers. Each adversary has different capabilities and motivations.
Assess your assets: What are you protecting? Source identities, unpublished stories, interview recordings, research notes, and personal information all require different levels of protection. Prioritise the assets whose compromise would cause the most harm.
Evaluate the consequences: What happens if your security fails? For some stories, a leak means embarrassment. For others, it means a source faces imprisonment or physical danger. Scale your security measures to the consequences of failure.
Accept trade-offs: Perfect security is impossible and would make your work impractical. The goal is to make accessing your data sufficiently difficult and risky that your adversaries choose easier targets or give up.

Encrypted Communications

Choosing the right communication tools is fundamental to source protection. Here is what UK journalists need to know about the main options:

Signal: The gold standard for encrypted messaging. Signal uses end-to-end encryption by default, collects minimal metadata (only the date of account creation and last connection), and has a proven track record of resisting government demands for data. Use disappearing messages for sensitive conversations. Signal requires a phone number, so consider using a dedicated number for sensitive source communications.
ProtonMail: Swiss-based encrypted email service. Messages between ProtonMail users are end-to-end encrypted. Messages to external recipients can be password-protected. ProtonMail is subject to Swiss law and has complied with Swiss court orders for IP logging in specific cases — so it is not a guarantee of anonymity, but it is significantly more secure than Gmail or Outlook for journalist-source communications.
WhatsApp: Uses the Signal protocol for end-to-end encryption, but is owned by Meta and collects significantly more metadata (who you message, when, how often, your contacts). Many sources prefer WhatsApp because they already use it. It is adequate for low-risk communications but should not be relied on for high-risk source protection.
SecureDrop: An open-source whistleblower submission system used by major newsrooms including The Guardian and the BBC. If your organisation runs SecureDrop, understand how it works and direct sources to it for the most sensitive submissions.

Warning: Standard SMS text messages and regular phone calls are not encrypted and can be intercepted with relative ease by law enforcement and intelligence agencies. Never discuss sensitive source matters over unencrypted channels.

Device Security

Your devices are the most vulnerable point in your security chain. A compromised phone or laptop gives an adversary access to everything:

Full-disk encryption: Enable FileVault on Mac, BitLocker on Windows, or LUKS on Linux. On mobile, both iOS and modern Android devices encrypt storage by default when a passcode is set. This protects your data if your device is lost, stolen, or seized.
Strong authentication: Use a strong alphanumeric passcode (not a four-digit PIN) on your phone. Enable biometric unlock for convenience but know that UK law allows police to compel biometric unlocking under certain circumstances, while the legal position on compelling passcode disclosure is more complex.
Software updates: Install operating system and app updates promptly. Many security exploits target known vulnerabilities that have already been patched. Delaying updates leaves you exposed to attacks that could have been prevented.
Separate devices: For high-risk investigations, consider using a dedicated device that is not linked to your regular accounts, phone number, or identity. A cheap pay-as-you-go phone with a SIM registered to your news organisation provides basic compartmentalisation.
Two-factor authentication (2FA): Enable 2FA on every account that supports it. Use an authenticator app (Authy, Google Authenticator) or a hardware key (YubiKey) rather than SMS-based 2FA, which is vulnerable to SIM-swapping attacks.

VPN Usage and Limitations

VPNs (Virtual Private Networks) are useful but widely misunderstood. Understanding what they do and do not protect is essential:

What a VPN does: Encrypts your internet traffic between your device and the VPN server, hiding your browsing activity from your internet service provider and local network. Useful on public Wi-Fi networks, in countries with internet surveillance, or when you do not want your ISP to see which websites you visit.
What a VPN does not do: A VPN does not make you anonymous. The VPN provider can see your traffic (you are trusting them instead of your ISP), and websites can still track you through cookies, browser fingerprinting, and account logins. A VPN will not protect you from malware or phishing.
Choosing a provider: Use a reputable, audited VPN provider with a verified no-logs policy. Mullvad and ProtonVPN are generally recommended for journalists. Avoid free VPN services, which frequently monetise user data.

Metadata Risks

Even when message content is encrypted, metadata — who you contacted, when, how often, and from where — can reveal source identities and investigation targets:

Phone metadata: Call records and cell tower location data show who you spoke to, when, for how long, and your approximate location. Under the Investigatory Powers Act, these records are retained by telecoms providers for 12 months and accessible to a wide range of public authorities.
Email metadata: Email headers contain sender, recipient, timestamps, IP addresses, and server routing information. Even if the body is encrypted, the metadata reveals the communication pattern.
Document metadata: Files created in Word, Excel, or PDF often contain embedded metadata including the author's name, organisation, creation date, edit history, and sometimes tracked changes. Strip metadata from documents before sharing them, especially if a source has provided leaked files.
Photo metadata (EXIF): Digital photographs contain EXIF data including GPS coordinates, camera model, date/time, and sometimes the photographer's name. Always strip EXIF data from photos before publishing, particularly if they could reveal a source's location. Our photography guide covers this in more detail.

RIPA and IPA: UK Surveillance Powers

UK journalists operate under one of the most extensive state surveillance frameworks in any Western democracy. Two pieces of legislation are critical to understand:

Regulation of Investigatory Powers Act 2000 (RIPA): Governs directed and intrusive surveillance by public authorities. RIPA authorises the interception of communications, the acquisition of communications data, and covert surveillance operations. Journalists have been targets of RIPA operations — most notoriously, police forces used RIPA powers to identify journalists' sources without judicial oversight.
Investigatory Powers Act 2016 (IPA): The “Snoopers' Charter” significantly expanded state surveillance powers. It requires ISPs to retain every UK citizen's internet connection records for 12 months, authorises bulk data collection by intelligence agencies, and permits equipment interference (hacking) by GCHQ and other agencies.
Journalist protections: Following public outcry over police using RIPA to identify journalists' sources, the IPA introduced additional safeguards for journalistic material. Applications to access a journalist's communications data to identify a source now require approval from a Judicial Commissioner, not just a senior officer. However, these protections only apply where the purpose is to identify a source — not in all circumstances.
The NUJ position: The NUJ has consistently campaigned against mass surveillance of journalists and offers legal support to members whose communications have been intercepted. If you suspect your communications are being monitored, contact the NUJ's legal team.

Key tip: The Investigatory Powers Tribunal (IPT) handles complaints about surveillance by public authorities. If you believe your communications have been unlawfully intercepted, you can complain to the IPT, which has the power to order the destruction of unlawfully obtained material.

Protecting Source Identity

Source protection is the cornerstone of investigative journalism. The NUJ Code of Conduct and IPSO Clause 14 both enshrine the duty to protect confidential sources. Here is how to do it in practice:

Minimise digital traces: Where possible, meet sensitive sources in person rather than communicating electronically. Leave your phone behind (or powered off in a Faraday bag) when meeting sources who face serious risk.
Compartmentalise: Do not store source identities alongside the information they provided. Use codenames in your notes. Keep source contact details separate from story files.
Legal privilege: Journalist-source communications do not benefit from the same legal privilege as lawyer-client communications. Courts can order disclosure of journalistic material under the Police and Criminal Evidence Act 1984 (Schedule 1). However, applications for “journalistic material” require a circuit judge's order and must meet specific conditions.
Destruction policies: Consider whether retaining source-identifying material after publication serves any purpose. If not, securely delete it. Use file shredding software that overwrites data multiple times, making recovery impractical.

Social Engineering and Doxing Prevention

Journalists are frequent targets of social engineering attacks and online harassment campaigns. Our journalist safety guide covers physical security; here is the digital dimension:

Phishing awareness: Targeted phishing emails impersonating editors, sources, or press offices are a common attack vector. Verify unexpected emails independently before clicking links or opening attachments. Be especially suspicious of emails urging immediate action or containing unexpected attachments.
Reduce your digital footprint: Audit what personal information is publicly available about you. Remove your home address from the electoral roll (register anonymously if you face a genuine threat), use your newsroom address for official purposes, and be cautious about what you share on social media.
Doxing defences: Doxing — the malicious publication of someone's personal information — is increasingly used to intimidate journalists. Proactive steps include using a PO box for post, removing yourself from data broker sites, and using separate email addresses for professional and personal use.
Incident response: If you are targeted by a harassment campaign, document everything (screenshots with timestamps), report threats to the police, inform your editor, and contact the NUJ or the Committee to Protect Journalists. Do not engage with harassers directly.

Further Resources

Best Free Tools for UK Journalists 2026 — Including security and privacy tools
GDPR for UK Journalists — Data protection obligations and exemptions
Investigative Journalism Techniques — Secure methods for investigations
UK Journalism Ethics Codes — IPSO and NUJ guidance on source protection