Journalist Privacy Stack - Complete Operational Guide 2026

Before building your privacy stack, assess your actual threat model. Different adversaries have different capabilities: **Tier 1 - Low threat (tabloid, local reporting):** Adversary: companies with legal teams, local law enforcement Tools needed: HTTPS everywhere, encrypted email, VPN or VPS for sensitive research **Tier 2 - Medium threat (national political reporting, corporate investigation):** Adversary: national law enforcement, corporate intelligence Tools needed: Tier 1 + Signal, ProtonMail, offshore VPS, separate devices for sensitive work **Tier 3 - High threat (national security reporting, organized crime, authoritarian countries):** Adversary: national intelligence services, organized crime organizations Tools needed: Tier 2 + Tails OS, air-gapped devices, Tor for all sensitive communications, SecureDrop for source intake **Tier 4 - Extreme threat (reporting from within repressive states, writing about intelligence):** Adversary: state intelligence services with surveillance infrastructure Tools needed: Tier 3 + physical security (no device in sensitive meetings), multiple compartmentalized identities, constant OPSEC Most Western journalists operate at Tier 2-3. Journalists in countries like Russia, China, or Myanmar operate at Tier 3-4.

**Everyday reporting (Tier 1-2):** - Encrypted laptop (FileVault on Mac, BitLocker on Windows, LUKS on Linux) - Automatic lock after 5 minutes idle - Strong unique passwords via password manager (1Password, Bitwarden) - Two-factor authentication on all accounts (hardware key preferred) **Sensitive investigation device (Tier 2-3):** - Dedicated laptop used only for sensitive investigations - Full disk encryption with strong passphrase - No cloud sync, no Dropbox, no Google Drive sync - VPN or VPS connection for all internet activity on this machine **Air-gapped device (Tier 3-4):** - Computer that has never connected to internet - Used for reading sources, analyzing documents, writing drafts - Physical removal of network cards or use of a device that never had network - Files transferred via encrypted USB only, never via network **Tails OS for operational security:** Live OS that runs from USB, leaves no traces on the computer, routes all traffic through Tor. Recommended for all sensitive source meetings, document review, and secure communications.

**Source intake:** SecureDrop is the gold standard. Install on your Iceland VPS (Tor-only access). Sources access via Tor Browser, submit documents anonymously. No source metadata stored. Used by NYT, WaPo, Guardian, and hundreds of news organizations. If SecureDrop is too complex: Signal Desktop for receiving tips. Sources contact your Signal number. Signal stores messages encrypted on their device and yours - not on any server. The weakness: sources need your Signal number, which can link back to you if your phone number is public. **Team communications:** Matrix (Element) homeserver on Iceland VPS. End-to-end encrypted by default for private rooms. Federation disabled for privacy. Team uses your homeserver - messages stored on your Iceland server, encrypted. Wire for Teams: end-to-end encrypted team messaging, based in Switzerland. Lower technical overhead than running your own Matrix, but adds Wire as a trusted party. **Email:** ProtonMail for sensitive communications. ProtonMail to ProtonMail is end-to-end encrypted. ProtonMail to external email: use PGP encryption (ProtonMail supports this). Key signing parties: verify contacts' PGP keys in person or via trusted channels. **Calls:** Signal voice calls: end-to-end encrypted, recommended for sensitive calls. For calls where Signal number exposure is a risk: use a secondary Signal number (Google Voice in US, virtual number services internationally) linked to a separate device.

Your Iceland VPS serves multiple journalism infrastructure functions: **Publication infrastructure:** WordPress or Ghost (static site preferred for minimum attack surface). Served via HTTPS. Domain registered with WHOIS privacy. CDN (Cloudflare) optional - Cloudflare provides DDoS protection but adds Cloudflare as a party with visibility into traffic. For high-risk situations, avoid Cloudflare. **Secure source intake:** SecureDrop or Signal submission number. Accessible via Tor (hidden service). The .onion address for your SecureDrop should be published on your main website and distributed through trusted networks. **Team collaboration:** Nextcloud for encrypted file sharing. Cryptpad for collaborative editing. Matrix for team messaging. All on Iceland VPS, accessible via VPN or Tor. **Backup and archival:** Encrypted backups to a second VPS in a different location. Keep your investigation notes and source communications in LUKS-encrypted volumes. Back up encrypted volumes to your backup server. VPS monitoring: install Wazuh for intrusion detection. Alert on unexpected login attempts, configuration changes, and outbound connections. Compromise detection is as important as prevention.