Digital security for diplomats and expats in high-risk countries.

The problem that duration creates

In a short deployment, you use a travel device and leave. In a year-long posting, you build an operational environment from scratch: accounts, relationships, devices, services, patterns of movement and communication. Each of those things accumulates. Each represents information that was not there on day one and that has value to someone with an interest in what you do.

The most important habit for long-term deployment is a review, every three months, of what accounts are active in-country, what contacts exist on which devices, and what is accessible through cloud storage tied to your location. Delete what is no longer operationally necessary. A footprint that grows unchecked is a footprint someone is building a picture from.

Local SIMs and local devices

A local SIM registers your identity with local authorities through the carrier at the point of purchase. Your number is known. Your call metadata — who you called, when, how long, and your location as registered by cell towers — is available to local authorities without an international legal process.

The practical approach: a local SIM in a basic device for local logistics and daily life. A separate device, on Wi-Fi or a trusted international SIM, for sensitive communications. The device associated with your local registration should contain as little as possible.

The social engineering risk that long postings create

Long deployments create relationships that short trips do not. Local colleagues, service providers who become familiar, contacts that start to feel like friends because they have been consistent for months.

Documented cases involving diplomats and long-term posted professionals include relationships cultivated over months by individuals working for intelligence services. The cultivation is entirely social: rapport built gradually, trust established over time, information obtained through ordinary conversation. The target doesn’t know it is happening. The relationship feels genuine, because in many respects it is.

This is not an argument for treating every local contact as an adversary. It is an argument for being deliberate about what information goes where, and for understanding that the social network a long posting creates is an attack surface a two-week trip does not have.

Device discipline over months

For a long posting, the security basics need to stop being conscious decisions and become automatic ones. Strong alphanumeric passphrase. USB Restricted Mode enabled. Automatic screen lock after a short interval. iCloud backup disabled for sensitive apps. These settings need to be verified periodically because OS updates and device replacements reset them without notice.

For diplomats at higher risk of targeted spyware: Citizen Lab and other researchers have documented zero-click attacks against diplomatic targets — device compromises that require no action from the person being targeted. Against that level of adversary, consumer-grade security measures provide limited protection. The realistic response is periodic device replacement, professional review, and a clear-eyed acknowledgment that some threat actors operate above what any consumer tool reliably stops.

When the posting ends

The data a posting created does not disappear when you leave. Revoke access from local devices. Change credentials for every account accessed in-country, from a clean device, before reconnecting to anything else. Review what data exists with local providers and request deletion where you can.

A password manager with a dedicated vault for in-country accounts makes this practical. When the posting ends, you audit what exists and close it down deliberately rather than leaving accounts active in a country you have left, held open by a password you may not remember.

Frequently asked questions

Are diplomats targeted with spyware?

Yes, in documented cases. Citizen Lab has documented Pegasus and similar tools deployed against diplomatic targets in multiple countries. Zero-click variants compromise devices with no action required from the target. Standard consumer security measures are not built to defeat this level of adversary.

What is the practical difference between a diplomat’s security posture and an expat’s?

Diplomats in formal governmental roles are more likely to face sophisticated, state-level targeting. Expats face a combination of their professional risk profile and the opportunistic surveillance that comes with operating on local infrastructure in a country where that infrastructure may be monitored. The foundational practices are the same. The adversary’s capability and the consequence of a breach are not.

(See: How to secure communications in the field. And: Pegasus does not need you to click anything.)

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.