It’s 2025. Do you know how secure your newsroom is?

For the last several years, a few things about many journalists’ workflows have remained constant: They talk to their colleagues on Slack, contact sources via some combination of phone, email, Zoom, and messaging apps, and file their stories in Google Docs.
But now, as the federal government ramps up its attacks on American journalism — revoking funding for public media, suing major news outlets, and successfully pressuring broadcasters to yank hosts off-air — it’s a good time to ask the question: How secure are the tools we take for granted?
Newsroom security can broadly be broken down into two thematic buckets: security and privacy. Davis Erin Anderson, a senior digital security trainer at the Freedom of the Press Foundation, told me security essentially refers to the hackability of the tools you’re using, while privacy determines how easily service providers can access your data. Many common business tools tend to be secure but not private; Google Drive, for example, is secure — Anderson says Google “has some of the best security people I can think of” — but documents in Google Drive aren’t end-to-end encrypted, and Google may pass them on to authorities if it is served with a request from law enforcement.
“It was a lot easier, in some ways, for journalists back in the 80s and 90s, before all of these cloud platforms existed,” said Melody Kramer, a product manager at ProPublica who works on engagement and crowdsourcing tools. “You would put things in a Microsoft Word document, share that within your [physical] newsroom, and nothing would live in a data center or different space.” The most sensitive stories could be written on computers without network connections and discussed and edited only in the office.
Offices, of course, come with all of their own security concerns — hackers can try to gain access to local servers or wireless endpoints with viruses, and newsrooms with offices have to think about physical security as well as digital.
“It’s a series of tradeoffs, all of which are imperfect,” said Ben Werdmuller, senior director of technology at ProPublica. “The risk profile has changed significantly lately, but many of the things we’re talking about as risks for journalists have been possible for a very long time.”
Start with the basics
“If I had no money, was running a newsroom, and wanted to improve security, I would make sure everyone is on a password manager, has multi-factor authentication set up, and is on Signal,” Werdmuller told me. Hackers steal billions of passwords a year, and weak passwords are the easiest point of entry to any organization. Password managers take the mental work out of creating strong passwords, and the best ones now support passkeys. Multi-factor authentication provides a second layer of security, so that a hacker with a stolen password can’t access your accounts without an authentication token.
Signal, meanwhile, is perhaps the most famous of the encrypted messaging apps. The app is end-to-end encrypted, which means that nobody other than the sender and intended receivers — not even Signal — can read messages sent on it. While other messaging apps, like WhatsApp, are also end-to-end encrypted, the privacy policies of their parent companies (WhatsApp is owned by Meta, the parent company of Facebook and Instagram) make them less private than Signal.
As Signalgate demonstrated, there’s another basic to keep in mind: access privileges. “Making sure that you have a good idea of what is visible to whom is pretty key,” said Anderson. If you have a group text, make sure the members are who you intend (Signal’s built-in contact verification is helpful for this). If you’re working with people outside your organization, check what documents they do and don’t need access to, and make sure you can revoke access when you’re no longer working together. If you’re using an encrypted email service, make sure that whomever you’re emailing also uses a service that supports that encryption.
“What’s really important is that sources know where to reach you in a way that helps them stay secure, even if they’re not always thinking about it,” Anderson said. “If, say, a whistleblower reaches you via Gmail, that [unencrypted] connection has been made. So make sure you’re available on multiple encrypted channels.”
Establish policies and norms
Using tools like Slack and Google Drive “doesn’t have to be an all or nothing proposition,” Anderson told me. The key is establishing rules around when those tools are used, and when work should be moved to other, more secure tools. Slack, for example, is great for team-wide updates, but not for sensitive conversations about anonymous sources. Figuring out when conversations should move to a more secure channel, like Signal, is an important part of the security puzzle.
Policies and norms will vary by team. A publication’s culture desk, for example, will have different needs than a publication’s sports or investigative desks. Create onboarding documents so everyone knows how and when to use secure tools, and establish security and privacy practices with freelancers at the very beginning of your relationship with them.
Having these policies in place can help you keep using the tools you’re used to while maintaining security. If you’re working on a story with anonymous sourcing, for example, you might be fine writing and editing in Google Docs, since that is what you’ll be presenting to the world when the story is published — as long as you keep information that might reveal a source’s identity, like interview transcripts or recordings, in a more secure location.
Think about alternative tools and where they’re based
“Encryption and increased security often come with increased costs,” said Kramer. Slack and Google Drive both offer higher-security enterprise versions of their products that offer a form of encryption, but they can be prohibitively expensive for smaller newsrooms and also come with tradeoffs: Slack, for example, might lose support for some app integrations or the ability to collaborate with people from other organizations in the same workspace.
Neither Google nor Slack offers end-to-end encryption; their offerings are encrypted in transit and at rest, which is only partial encryption. Anderson doesn’t trust either company to safeguard a newsroom’s data; she points out that Slack, after all, is an acronym for “Searchable Log of All Communication and Knowledge.” The same goes for Microsoft Teams, which offers end-to-end-encrypted calling but otherwise also only partially encrypts data. Instead, Anderson recommends finding alternatives that both offer end-to-end encryption and house their servers outside the United States — ideally somewhere like Switzerland, where the law forbids companies from sharing data with foreign law enforcement.
One alternative to Google Drive is Proton Drive, from the same company that makes the secure email service Proton Mail. Proton Drive, like Proton Mail, is end-to-end encrypted by default, and the company’s servers are housed in Switzerland. While Proton doesn’t offer the same suite of tools as Google Workspace (it doesn’t, for example, have software for making presentations or spreadsheets), it does have a built-in word processor that works much like Google Docs; this story was written and edited in Proton Drive before we moved it over to Nieman Lab’s CMS.
Other alternatives include Tresorit, which is actually a part of Swiss Post (and therefore subject to the same Swiss protections as Proton Drive), and Nextcloud, which offers secure self-hosting solutions for organizations that are looking to host their own cloud servers. This is particularly helpful for organizations trying to use services like SecureDrop, which requires setting up a server. If an outlet does decide to go the self-hosting route, Anderson says, “knowing who you’re dealing with and what their policy is around subpoenas is really important.” And, Werdmuller points out, basing servers outside the U.S. isn’t a magic fix either: ProPublica consults with its lawyers when considering new services to make sure that using them wouldn’t trigger foreign laws that might, say, open it up to lawsuits outside the U.S. or compel it to edit or remove international stories.
Slack and Teams are a bit harder to replace. Signal is great for direct messaging or small groups, but isn’t set up for company-wide communication the way Slack and Teams are. There are alternatives in development, like Matrix and Quiet, but neither is as user-friendly or ready for use at scale; Quiet’s developers themselves write that the app still hasn’t had a security audit and so shouldn’t be used “in situations where security or privacy are critical.” This, again, is where the policies and norms come into play.
Finally, if your newsroom uses AI tools, think about how those may affect your security. While some models can be run locally, many modern AI tools send data to the service provider for processing — and that data could be stored and used for future training. “If you are using AI with sensitive information, you’re just blasting a hole through your information security,” Werdmuller said.
The state of newsroom security is constantly evolving; we plan to keep covering it as things change. This is by no means a comprehensive document, and there are more resources out there; the Freedom of the Press Foundation, for example, has a source protection guide with helpful resources to ensure source safety. Finally, Kramer and Werdmuller said, newsrooms can and should help each other out; if you work at a newsroom that is trying to establish security practices of its own and would like to get advice from an outlet that puts security at its core, you can reach Kramer on Signal at melk.93.