Digital privacy guide for NGO workers abroad.
Short answer
Generic privacy advice is written for generic threats. The threat profile for NGO workers in the field is not generic, and the advice that follows from it is different.
The specific risks: access by partner government authorities who are formally cooperative and operationally hostile; surveillance by actors with a direct interest in what your organisation is doing; border searches in both directions; local infrastructure that may be monitored at the state level. None of that is addressed by a list of VPN reviews.
Worth naming early: the people most at risk are rarely the senior staff who have been through training. They are local employees, in-country partners, field workers who use personal accounts for operational communications because organisational infrastructure does not extend to them. That gap is the most common real vulnerability in NGO security. It requires an organisational decision to close, not an individual one.
Assess the actual threat before you pack
Not every deployment carries the same risk. A country where the government has a documented record of accessing humanitarian worker communications is a different situation from a country where the primary concern is opportunistic device theft.
The questions that need answers: what is the host government’s documented relationship with NGOs doing this work? What can local authorities compel from communications providers without an international legal process? Has your organisation or its partners been targeted before? The answers determine what preparation is necessary. A checklist that skips those questions is decoration.
The structured way to write those answers down before departure is covered in the guide on how to build a written threat model. Without one, every defensive choice is guesswork dressed as discipline.
The device question is an organisational decision
Does your organisation issue dedicated field devices, reset before and after each deployment? Or are workers using personal phones because nothing else is available?
Personal devices carry years of accumulated history: messages, contacts, photos with location embedded, accounts that have nothing to do with the deployment but reveal personal relationships and patterns. A device issued specifically for the deployment, containing only what the deployment requires, presents a fundamentally different access profile at a border crossing or during a search. That device exists because someone at the organisational level decided it should. If that decision hasn’t been made, making the case for it is the first recommendation in this guide.
The case for it is documented in the account of how an NGO worker’s phone was searched at the border. The worker had prepared properly. The personal device still produced enough material to compromise an entire country team.
Communications in the field
Signal with disappearing messages for sensitive communications. WhatsApp is not sufficient. Content is encrypted in transit, but the backup is not end-to-end encrypted by default, and who communicated with whom and when is accessible under legal process in the US jurisdiction where Meta operates.
The full breakdown of which channel fits which threat is in the comparison of Signal versus ProtonMail versus Wire. WhatsApp is acceptable for logistics, never for sources.
Proton Mail for email that may be sensitive. A dedicated address for field communications, not your primary professional one. Brief your contacts before you leave, not after you arrive.
A VPN tested and confirmed working before departure. Not configured the night before the flight. Tested three days in advance, on a restricted network if you can find one, so you know it connects before you depend on it. For deployments into actively blocking jurisdictions, the shortlist of providers that still work is in the guide to the VPNs that still work in China, Iran, and Russia.
Local SIM: what you are actually trading
Buying a local SIM registers your identity with local authorities through the carrier. Your number is known. Your traffic runs through local infrastructure. Your call metadata, who you called and from where, is available to local authorities without the friction of an international legal request.
For deployments where the existence of foreign workers is itself sensitive, a local SIM protects nothing and adds a registration record. For deployments where the main concern is data costs, it is a practical trade-off if you understand what you are trading.
On return
A field device needs review before it reconnects to organisational networks. Change passwords for accounts accessed during the deployment from a clean device first. If the device was out of your physical control at any point, at a border, at a hotel, in a shared vehicle, treat it as potentially compromised until someone has looked at it properly.
Frequently asked questions
What VPN is recommended for NGO workers in restricted countries?
Proton VPN with Stealth protocol. Stealth makes VPN traffic look like standard HTTPS, which keeps connections alive in environments that block standard VPN protocols. Test it from a home network before departure. Know that it connects before you need it.
Should NGO workers use personal phones for work?
Where possible, no. Personal devices carry personal history that creates unnecessary exposure if searched. If a personal device is the only option, audit it before departure and strip it to the operational minimum.
What should an NGO do about local staff using personal devices?
Treat it as the priority security gap. Local staff often carry the most operationally sensitive contacts and the least institutional protection. Issuing a basic field device to local employees, with the same operational hygiene as international staff, closes the largest practical exposure most country offices have. Budget objections usually fade when set against the cost of one compromised contact list.
Should NGO workers carry encrypted external storage in the field?
Generally no for primary copies of sensitive data. Encrypted storage carried across a border raises the visibility of the device and may be compelled open in jurisdictions where authorities have that power. The safer pattern is encrypted cloud storage accessed only when needed, with no synchronised local copy on the device crossing the border. Carry less material on the device, and rely on remote retrieval.
Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
