How Journalists Can Protect Themselves Against a Global Surveillance Industry
From the Editor’s Desk
May 6, 2026
Governments worldwide are deploying sophisticated spyware against journalists through methods that are growing cheaper, more powerful, and harder to detect, according to a recent report by the International Federation of Journalists (IFJ). For journalists who want to understand what they are up against and what they can do about it, the report also offered a set of recommendations, based on interviews with digital security specialists.
The threats the report documents range from software that breaks silently into a phone without the journalist clicking anything, to devices planted near protests that sweep up the identities of everyone present, to spyware installed on a phone while it sits in a police station during a detention. (If you have not read the full report, a News Briefing is available here.)
While no protective step can guarantee safety, some measures can make surveillance significantly harder and more expensive for those trying to carry it out.
Your Phone and Laptop
The first line of defence is the device itself. The report recommends Apple iPhones with a feature called Lockdown Mode switched on. Lockdown Mode, introduced by Apple in 2022, drastically reduces the number of ways an attacker can get into your phone by disabling features that spyware commonly exploits, such as certain message previews, web technologies and wired connections. You give up some convenience, but you gain significant protection.
The alternative the report recommends is a Google Pixel phone running GrapheneOS, a free operating system built specifically for security. It compartmentalises apps so that even if one is compromised, the attacker cannot move freely through the rest of the phone.
For laptops, the report says full-disk encryption is essential. This means that if your laptop is seized or stolen, nobody can read its contents without your password. On a Mac, the tool is called FileVault and can be switched on in System Settings. On Windows, it is called BitLocker. On Linux, the equivalent is LUKS. All three are built into their respective operating systems and cost nothing to enable.
For storing sensitive files, the report recommends VeraCrypt, a free tool that creates an encrypted container, essentially a locked folder, on your device or on an external drive. Even if someone gets into your laptop, they cannot open that container without the password.
When travelling to high-risk environments or covering dangerous assignments, use a separate, clean device configured only for that trip. Do not log into your personal email, social media, or cloud accounts on it. Treat it as a burner that carries nothing from your regular digital life.
Replace your phone’s numeric PIN with a password that mixes letters, numbers and symbols. On an iPhone, go to your passcode settings and tap Passcode Options to find this. On Android, go to Settings, then Security, then Screen Lock, where you will see options including Pattern, PIN and Password. Select Password. A numeric PIN can be watched over your shoulder. A longer password that mixes letters and numbers takes far more time and effort to break.
How You Communicate
For messaging and calls, the report recommends Signal. Signal is a free app that encrypts everything end to end, which means only you and the person you are speaking with can read or hear the exchange. No one in between, including Signal itself, can access it. WhatsApp also uses end-to-end encryption for message content, but it collects metadata, meaning it records who you contacted, when, and for how long, even if it cannot read what you said. The report says WhatsApp is acceptable for ordinary exchanges but should not be used for sensitive communications.
For email, the report identifies ProtonMail as a reliable option. ProtonMail is a Swiss-based email service that encrypts messages so that even ProtonMail’s own servers cannot read them.
For the most sensitive exchanges, the report says face-to-face conversation is still the safest option, with no digital record at all.
On VPNs, services that encrypt your internet traffic and route it through a server in another location, the report urges caution. A VPN protects you on an untrusted network, such as airport Wi-Fi, by preventing others on the same network from intercepting your traffic. It does not make you anonymous. Most VPN providers keep logs of your activity and can be required by authorities to hand them over. Use a VPN as one layer of protection, not as a way to hide your identity.
Your Habits and Routines
After any incident where your device was out of your control, change all your passwords immediately. Assume that anyone who had physical access to your phone or laptop may have copied data or installed something on it.
In any case, keep sensitive material off your devices as much as possible. Store it on an external encrypted drive that you keep separate from your phone and laptop. When you are not using it, keep it disconnected.
Avoid using airport Wi-Fi, hotel networks or shared computers for anything sensitive. Assume these networks are monitored. In hostile environments, use a phone with as few apps as possible, disable cloud backups and turn off any setting that automatically syncs your data to an online account.
Before beginning a sensitive assignment, take time to think through who might want to surveil you, how they might try to do it, and what information on your devices would be most damaging if exposed. The level of precaution you take should match the level of risk you face. However, excessive security measures applied unnecessarily can slow your reporting without adding meaningful protection.
If You Think You Have Been Targeted
Spyware is designed to be invisible, but there are sometimes indirect signs. An unusually fast-draining battery, unexpectedly high mobile data usage, or apps behaving in ways you do not recognise can all be indicators, though none is definitive on its own. If you notice these signs, document them, take screenshots and note the dates.
If you suspect your phone has been infected, do not reset it and do not install software updates immediately. Both actions can erase the forensic traces that specialists need to confirm an infection and identify who was behind it. Instead, stop using the device for sensitive communications, disconnect it from Wi-Fi and mobile data, and contact one of the three organisations the report identifies as having the expertise to help. These are Citizen Lab at the University of Toronto, Access Now’s Digital Security Helpline, which operates around the clock and in multiple languages, and Amnesty International’s Security Lab. Contacting them before doing anything else gives investigators the best chance of finding evidence.
Finally, the report acknowledges that living and working under surveillance causes real psychological harm. The fear of being watched, the uncertainty about whether your sources are safe, and the isolation that comes from not being able to speak freely all take a toll. The report recommends building networks of trusted peers, journalists and others who face similar threats, to share information about risks, exchange practical advice and provide mutual support. Carrying this alone makes it harder to keep reporting.
You have just read a News Briefing, written by Newsreel Asia’s text editor, Vishal Arora.