"Encryption makes me invisible."
No. Encryption just protects the content of your communication, but the communication itself and its metadata are still visible. What does that mean?
Let’s say you open a new chat on WhatsApp, which then says: “Messages you send to this chat and calls are now secured with end-to-end encryption.” End-to-end encryption is powerful, because only the sender and recipient are now able to read the messages. Even WhatsApp is excluded due to the encryption. However, it is still visible that the sender and recipient are communicating, when and how often they exchange messages and how large the messages are.
Encryption only hides what you communicate, but not that you and your partner communicate.
"Encryption makes me suspicious."
Indeed, this can be true, but it really depends on your personal threat model. There are countries that try to ban encryption on a large scale or accuse people of wrongdoing only because they use encryption. This is an illegitimate view, because freedom of expression and privacy are human rights, and encryption can be necessary to protect them. Today, a lot of popular services like WhatsApp, Signal, Google or Facebook use (different kinds of) encryption. In these cases, the encryption would not make you suspicious, because almost everybody uses it.
Only if encryption is really likely to make you look suspicious should you be careful about adding encryption to your communication. For example, if you never encrypt your emails but one day encrypt a single one to a potential source, this could attract attention. Or if everybody in your country uses a certain chat app and you are the only one using a very secure one, this could also cause some problems. For these cases, you should think of different ways. Mostly it’s not the encryption itself that makes people suspicious, but unusual behaviour.
“The incognito mode of the browser makes me anonymous.”
No. The incognito mode basically only prevents the browser from keeping a browsing history, cookies and other information that is stored in the browser itself. So if you have reason to suspect that someone with access to your device is interested in your browsing history, the incognito mode could indeed help.
But be aware: The incognito mode does nothing more. Your Internet Service Provider, governments or commercial tracking companies can still easily see what you are doing on the internet. To prevent that, you should use additional tools for anonymisation.
"A VPN makes me invisible."
No. A VPN – Virtual Private Network – just works as a “bridge” into the internet. It helps prevent your Internet Service Provider (ISP) and websites from easily seeing your IP address. An IP address can be used to identify you. However, the VPN provider sees your IP address and also what you are doing on the internet. You and your online activity are still visible. The question is not whether you are visible, but: “Visible for whom?”
Normally, you connect to the internet through your ISP. You tell your ISP where you would like to go and the ISP connects you with a service. The “bridge” in that case is the ISP. Using a VPN means that you only tell your ISP that you want to be connected with your VPN provider. In that case, your ISP only sees that you are connected with a VPN, but not where you would like to go. That is something you tell only the VPN. But be aware: Now the VPN knows your IP address and where you go.
Consequently, a VPN is neither good nor bad. If you do not trust your ISP, because it may give your data to your government, a VPN could be a way to circumvent that. But you still have to trust the VPN provider. It also might be legally bound by your government or share your data for commercial purposes. If you do not want to trust anybody, you should rely on Tor.
“I don’t use Two Factor Authentication, because I don’t want to provide my phone number.”
Two Factor Authentication (2FA) means that you need a second credential to log in to your account, in addition to your password. This is powerful, because even if an adversary gets your password, they cannot automatically log in. Reporters Without Borders recommends that everybody use 2FA on all accounts that offer it!
Some people are hesitant to enable 2FA because the services can ask for a phone number. In that procedure, a code is sent via SMS every time you want to log in. Two things on that: Firstly, most of the services have your phone number already anyway, according to their terms of service or because others shared their telephone books with your number in it. Secondly, there are also other ways to enable 2FA without providing a phone number, for example with a code generator app or a physical key.
"As a journalist, I don't care about data that Facebook and Google collect about me."
Well… Commercial services and the big technology companies collect data about their users mostly to use it for advertising. That is their business model. In that regard, it is unlikely in the first place that they specifically track journalists and try to compromise their confidentiality.
However, journalists should be aware that these companies can be legally bound to hand over information to governments, that they share user data with other services or that they may be hacked, with user data revealed to the broader public.
"Journalists shouldn’t use Google, Facebook, Twitter (...)"
Realistically, a lot of journalists rely on the big services more than ever: they are free, offer innovative solutions, could help journalists to reach more people and help to find new sources. In many cases, journalists do not really have a choice. And although these services collect a lot of data, they are not bad per se. In countries with a censored internet, Facebook for example can be one of the very few ways to get independent information.
But journalists have to be aware that the companies might be legally obliged to share data about their users with governments. So journalists should not ban these services, but limit and protect their sensitive data like chats and photos as much as possible.
"To be secure, I switch off the internet on my smartphone."
This might not be an error, but the question is: Why should you do that? Indeed, if you switch off the internet and GPS, apps cannot connect to the internet anymore and might not track you. However, your smartphone would still be connected to the network of your telecommunication service provider (TSP). This is necessary to receive calls. It means, however, that the TSP – and therefore possibly also your government – still knows who you are, where you are and whether you communicate with someone over the phone. To prevent that, you should switch off the phone completely or – even better – not take it with you.
Disclaimer: There is also malware that makes you believe that you switched off your smartphone, but in the background it is still working. Without advanced technical knowledge, it is nearly impossible to know whether your smartphone is infected or not. To protect yourself against that, do not take the smartphone with you if you really want to be sure that your position or a conversation is not recorded.
"Analogue phone calls are safer than internet calls."
In almost every case, this is not true. A regular phone call is operated by a telecommunication service provider (TSP). They “own” the infrastructure and are mostly regulated on a national level by national governments. The TSPs are technically able to intercept communication and are also legally bound by governments to provide access to calls.
Calls over the internet, however, offer more ways for users to encrypt them. If you take a service that offers end-to-end encryption like Signal or Wire, you exclude both the TSP and the service itself from intercepting your conversations. Consequently, a call over the internet is better to avoid wiretapping, if you use a service with end-to-end encryption.
"A cloud is not safe."
Cloud computing is very practical: You can easily upload and download files, share them with others and access them everywhere, even when you do not have your personal devices with you. But this also means that anybody who is able to log in to your account at a cloud service could access your files. This is indeed risky. Moreover, the cloud service provider might also have access to your files and could be legally bound to hand them over to governments. So yes, there are a lot of reasons to be careful in using clouds.
However, there are also arguments for clouds. For example, when you use an additional tool to upload your files encrypted into the cloud, others would have problems decrypting them even with access to the cloud. Also, there are ways to protect your account, like two-step verification, so that it is hard to get access to your cloud at all. And especially, a cloud service has much more financial resources to protect the service against hacking and social engineering than a single user has for their own computer.
"Open Source is dangerous, because governments can see vulnerabilities."
“Open Source” means that the code of a program is publicly available. Everybody can review it, search for vulnerabilities and develop it further. The opposite is “Closed Source”, where nobody but the developer – e.g. a company developing an app – can review it.
The idea of “Open Source” is that a community controls itself by being completely transparent. Of course, malicious actors can also be part of that community. For example, an intelligence agency could find vulnerabilities and exploit them instead of improving the code for everybody. But the more independent people review it, the less likely it is that the intelligence agency succeeds. The argument for “Open Source” for journalists is that they do not have to trust anybody that a service is safe, but could (theoretically) review it on their own.
Especially when it comes to very popular services that are constantly reviewed by a large community, “Open Source” can serve as an argument for journalists to trust that a service really does what it claims to do.