Newsjunkie.net is a resource guide for journalists. We show who's behind the news, and provide tools to help navigate the modern business of information.
Use of Data

The phrase "digital hygiene" sounds clinical, even bureaucratic — the kind of thing covered in a mandatory corporate training that nobody actually watches. The reality is more urgent. Every journalist, researcher, source, and reader who operates online is generating a continuous stream of data about who they are, where they are, who they communicate with, and what they think. That data is collected, aggregated, bought, sold, and in some cases subpoenaed. In an environment where governments increasingly treat journalism as a threat and where the commercial surveillance economy has made personal information a tradeable commodity, the question of how to protect your digital life is not abstract. It is professional and civic infrastructure.
The problems cluster into two distinct but overlapping environments: the personal and the professional. What follows is not a checklist. It is an attempt to describe the landscape of risk clearly enough that the solutions — most of which are documented in the further reading at the end of this piece — make sense when you encounter them.
The most common point of personal digital failure is also the most mundane: password reuse. The average person uses the same password, or minor variations of it, across dozens of accounts. When one of those services is breached — and breaches happen at a scale that should alarm anyone paying attention, with billions of credentials now available on dark web markets — every account sharing that credential is compromised. A password that was never particularly strong to begin with becomes, once exposed, a skeleton key to everything else. The solution to this problem is well-understood and widely available, but the problem persists because convenience routinely defeats security in everyday decision-making.
Two-factor authentication — requiring a second proof of identity beyond a password — significantly raises the bar for attackers who obtain a password through breach or phishing. Not all two-factor systems are equally strong, however. SMS-based two-factor, which sends a code to a phone number, is better than nothing but is vulnerable to SIM-swapping attacks, in which an attacker convinces a mobile carrier to transfer your phone number to a device they control. For journalists who handle sensitive sources or operate in high-risk environments, hardware security keys represent the strongest available protection. For most everyday users, an authenticator application on a smartphone is a substantial improvement over SMS alone.
Cookies — the small data files that websites deposit on a browser to track behavior across sessions and sites — represent a different kind of problem. Most cookie consent banners that web users encounter are designed, by legal obligation or by dark pattern, to make acceptance easier than refusal. The tracking infrastructure that cookies enable allows commercial data brokers to build detailed profiles of an individual's interests, location, political views, health concerns, and personal relationships without that individual's meaningful awareness. Those profiles are sold. They end up in databases maintained by companies that most consumers have never heard of and with which they have no direct relationship. Removing and blocking cookies is a starting point; the deeper problem is the broker ecosystem into which that data flows regardless.
That ecosystem now has a meaningful regulatory counterweight, at least in California. The state's Delete Act, signed into law in 2023 and fully operational from January 2026, created the Delete Request and Opt-Out Platform (DROP) — the first mechanism in the United States that allows a consumer to submit a single verified deletion request that applies to every registered data broker in the state simultaneously, rather than having to contact each company individually. California residents can access DROP at privacy.ca.gov. Starting August 2026, data brokers are required to process these deletion requests on a 45-day cycle. For residents of other states, the process remains more fragmented, requiring either manual opt-out requests to individual brokers or the use of paid removal services.
Virtual private networks (VPNs) are widely misunderstood. A VPN encrypts traffic between a device and the VPN provider's servers, concealing browsing activity from an internet service provider and masking a user's IP address from the sites they visit. What it does not do is make a user anonymous: the VPN provider itself can see all traffic, and the quality of privacy protection offered depends entirely on the provider's own data practices and jurisdiction. A free VPN is, almost without exception, a service monetizing user data rather than protecting it. The use of a reputable paid VPN meaningfully reduces exposure on public networks and is a reasonable everyday precaution — but it is not a substitute for the other hygiene practices described here, and it does not protect against the much wider range of data collection that happens at the application and device level.
Social media presents a category of risk that many users underestimate because it feels voluntary. The problem is not only what users post — location tags, relationship disclosures, political views — but what the platforms themselves infer, aggregate, and retain. Facebook's advertising system, for example, can target users based on behavioral data that was never explicitly provided and that the user would not expect the platform to hold. The metadata of social media activity — who you follow, what you like, how long you pause on a particular post — is as informative as the content itself. Account privacy settings on most platforms are set to maximize data collection by default and require active, repeated adjustment as platforms update their terms of service.
The most dangerous communications channel in most newsrooms is also the most universal: email. Standard email is not encrypted in transit between most mail servers, is trivially easy to intercept on unsecured networks, and is routinely subject to court orders and national security letters that can compel a provider to disclose content and metadata without the account holder's knowledge. For routine internal communication this may be an acceptable risk. For communication with sensitive sources, discussions of unpublished investigations, or coordination with colleagues in high-risk environments, it is not. The widespread assumption that work email is private because it has a password is mistaken — it is, at best, private from casual observers.
Encrypted messaging applications represent the most practical improvement available to most journalists and their sources. End-to-end encryption ensures that messages can be read only by the sender and intended recipient, not by the service provider, not by a court order served on the provider, and not by an attacker intercepting traffic in transit. Signal is the most widely audited and recommended option among security professionals, offering end-to-end encrypted voice calls, video calls, and messages, with optional disappearing messages that automatically delete after a defined period. The key limitation is that encrypted messaging protects communication in transit but does not protect against an attacker who has physical access to a device or who has installed surveillance software on it.
Surveillance software — spyware — is a threat that has moved from the domain of nation-state actors targeting high-profile journalists to a more commercially accessible threat landscape. The Pegasus spyware produced by Israel's NSO Group, confirmed to have infected the phones of journalists at The Wire, the Washington Post, and dozens of other organizations, requires no action by the target: it can be installed through a zero-click exploit that leaves no trace visible to the user. This is not a problem that standard good hygiene practices can fully address — it is an infrastructure-level threat that requires device-level forensic investigation to detect. The Amnesty International Security Lab and Access Now's Digital Security Helpline both provide support to journalists and activists who suspect they may be targeted.
The newsroom's shared network infrastructure presents its own vulnerabilities. Devices connected to an office network are potentially exposed to other devices on that network, and unpatched software — operating systems, applications, and firmware on printers, routers, and other connected hardware — represents a persistent attack surface. The device that runs SecureDrop, Freedom of the Press Foundation's open-source whistleblower submission system, is deliberately air-gapped from the internet for this reason: the documents a source submits should never be opened on a machine that has any live internet connection. The SecureDrop Workstation, which reached general availability in 2024, uses the Qubes OS operating system's security-through-isolation architecture to provide an equivalent to the physical air gap on a single laptop, using virtual machines to ensure that a malicious document opened in review cannot reach the broader system.
Document security is a distinct problem from communication security. Documents obtained in sensitive investigations — whether received digitally from a source or scanned from physical copies — often carry metadata that can identify their origin: printer steganography codes (the near-invisible yellow dots that most color laser printers embed in every page, which encode the printer's serial number and the time of printing), embedded authorship information in Word files, and GPS coordinates in image files are among the most common. Stripping this metadata before sharing or publishing documents is a standard operational security practice. Dangerzone, a free open-source tool maintained by Freedom of the Press Foundation, is designed specifically to help journalists safely open documents from untrusted sources by rendering them in an isolated virtual machine before converting to a clean PDF.
The organizational dimension of digital hygiene is often the hardest to address, because it requires changing behavior across a team rather than for a single individual. Consistent adoption of a password manager, two-factor authentication on all organizational accounts, an encrypted messaging policy, and device encryption on every laptop and phone are the baseline. Achieving that baseline across even a small newsroom requires training, clear policy, and someone with the organizational authority to enforce it. Most small news organizations have none of these things in place, not because they are ignorant of the risks but because the operational pressure of daily journalism leaves almost no bandwidth for security infrastructure work.

Further reading

Freedom of the Press Foundation
Digital Security Training for Journalists
FPF's comprehensive resource library for journalists, covering secure communications, device security, source protection, and operational security. Free and regularly updated.

Electronic Frontier Foundation
Surveillance Self-Defense (SSD)
EFF's plain-language guide to protecting yourself from digital surveillance, organized by threat model and user type. Includes guides for journalists, activists, and general users.

Access Now
Free 24/7 digital security support for civil society groups, journalists, activists, and human rights defenders. Available in nine languages. For organizations facing acute digital threats.

SecureDrop / Freedom of the Press Foundation
SecureDrop — Whistleblower Submission System
The open-source system used by major newsrooms worldwide for receiving documents from sources anonymously. The documentation at docs.securedrop.org includes guides for both sources and newsrooms.

California Privacy Protection Agency
DROP — Delete Request and Opt-Out Platform
California's first-of-its-kind single-request data broker deletion platform, live from January 2026. California residents can submit one verified request to delete their personal information from all registered data brokers.

Amnesty International Security Lab
Security Lab — Digital Threat Research
Technical research and forensic investigation into surveillance threats against journalists, activists, and human rights defenders. Published the Mobile Verification Toolkit (MVT) for detecting Pegasus spyware on devices.

Freedom of the Press Foundation
Dangerzone — Safe Document Handling
Free open-source tool for journalists to safely open documents from untrusted sources. Converts potentially malicious PDFs and Office files into clean, safe PDFs using an isolated virtual machine.

Columbia Journalism School / Tow Center
Tow Center for Digital Journalism
Research on technology and journalism, including digital security, surveillance, AI, and the information ecosystem. Publishes practical guides alongside academic research.

Committee to Protect Journalists
CPJ Digital Safety Notes for Journalists
Practical digital safety guidance from CPJ's safety team, grounded in documented cases of surveillance, device seizure, and account compromise affecting journalists worldwide.

Consumer Reports / Security Planner
A personalized, step-by-step digital security recommendation tool developed with expert input. Tailors advice to a user's devices, habits, and risk level. Suitable for non-technical audiences.

© 2026 Newsjunkie.net