Digital security for diplomats and expats in high-risk countries


Short answer

A two-week trip and a twelve-month posting are not the same security problem. The traveler carries a clean device and returns. The diplomat or expat builds a life in the country. Local contacts, local accounts, local infrastructure. That accumulation is what adversaries find useful.

The problem that duration creates

In a short deployment, you use a travel device and leave. In a year-long posting, you build an operational environment from scratch: accounts, relationships, devices, services, patterns of movement and communication. Each of those things accumulates. Each represents information that was not there on day one and that has value to someone with an interest in what you do.

The most important habit for long-term deployment is a review, every three months, of what accounts are active in-country, what contacts exist on which devices, and what is accessible through cloud storage tied to your location. Delete what is no longer operationally necessary. A footprint that grows unchecked is a footprint someone is building a picture from.

The same logic plays out in the field, as documented in how an NGO worker’s phone was searched at the border. The worker had prepared. The accumulation across the deployment still produced enough material to map a country team.

Local SIMs and local devices

A local SIM registers your identity with local authorities through the carrier at the point of purchase. Your number is known. Your call metadata, who you called, when, how long, and your location as registered by cell towers, is available to local authorities without an international legal process.

The practical approach: a local SIM in a basic device for local logistics and daily life. A separate device, on Wi-Fi or a trusted international SIM, for sensitive communications. The device associated with your local registration should contain as little as possible.

The reasoning is that the carrier itself is a data source even where the local infrastructure is not actively hostile, as documented in how your phone carrier sells your location data. The local SIM is a registration. The device that holds it should be treated as one too.

The social engineering risk that long postings create

Long deployments create relationships that short trips do not. Local colleagues, service providers who become familiar, contacts that start to feel like friends because they have been consistent for months.

Documented cases involving diplomats and long-term posted professionals include relationships cultivated over months by individuals working for intelligence services. The cultivation is entirely social: rapport built gradually, trust established over time, information obtained through ordinary conversation. The target doesn’t know it is happening. The relationship feels genuine, because in many respects it is.

This is not an argument for treating every local contact as an adversary. It is an argument for being deliberate about what information goes where, and for understanding that the social network a long posting creates is an attack surface a two-week trip does not have.

Device discipline over months

For a long posting, the security basics need to stop being conscious decisions and become automatic ones. Strong alphanumeric passphrase. USB Restricted Mode enabled. Automatic screen lock after a short interval. iCloud backup disabled for sensitive apps. These settings need to be verified periodically because OS updates and device replacements reset them without notice.

For diplomats at higher risk of targeted spyware: Citizen Lab and other researchers have documented zero-click attacks against diplomatic targets, device compromises that require no action from the person being targeted. Against that level of adversary, consumer-grade security measures provide limited protection. The realistic response is periodic device replacement, professional review, and a clear-eyed acknowledgment that some threat actors operate above what any consumer tool reliably stops.

The mechanics of one of those tools, and what individual mitigations actually narrow the surface, sit in how Pegasus does not need you to click anything.

When the posting ends

The data a posting created does not disappear when you leave. Revoke access from local devices. Change credentials for every account accessed in-country, from a clean device, before reconnecting to anything else. Review what data exists with local providers and request deletion where you can.

A password manager with a dedicated vault for in-country accounts makes this practical. When the posting ends, you audit what exists and close it down deliberately rather than leaving accounts active in a country you have left, held open by a password you may not remember. The Travel Mode feature that hides specific vaults at a border crossing sits in our 1Password review for journalists, which translates directly to the long-posting case.

Frequently asked questions

Are diplomats targeted with spyware?

Yes, in documented cases. Citizen Lab has documented Pegasus and similar tools deployed against diplomatic targets in multiple countries. Zero-click variants compromise devices with no action required from the target. Standard consumer security measures are not built to defeat this level of adversary.

What is the practical difference between a diplomat’s security posture and an expat’s?

Diplomats in formal governmental roles are more likely to face sophisticated, state-level targeting. Expats face a combination of their professional risk profile and the opportunistic surveillance that comes with operating on local infrastructure in a country where that infrastructure may be monitored. The foundational practices are the same. The adversary’s capability and the consequence of a breach are not.

Should an expat use a personal cloud service hosted in their home country?

For sensitive material, yes. A cloud account with the legal jurisdiction of the home country, accessed only over a VPN that connects from the home country, narrows the local legal exposure considerably. Local authorities cannot compel a foreign provider through domestic process. They can compel the local network to record the connection, which is why the VPN matters. Treat the choice of provider, jurisdiction, and access pattern as one decision, not three.

What should be in a quarterly account review for an expat?

List every account opened or used since the last review, by category: financial, professional, social, utility, communications. For each, decide whether it is still operationally necessary. Close the ones that are not, document the closure, and rotate credentials on the ones that remain. The review takes thirty minutes if you keep the list. It takes a day if you start from scratch every quarter, which is why most people skip it.
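A sketch of keeping that list in a form that can be checked, added here as an example rather than taken from the original article. The CSV column layout, the function name `outstanding_actions` and the sample accounts are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Categories named in the quarterly review above.
CATEGORIES = {"financial", "professional", "social", "utility", "communications"}

# Constructed sample inventory; the column layout is an assumption of this example.
SAMPLE_INVENTORY = """\
name,category,last_used,still_needed,closed_on,rotated_on
Local bank,financial,2024-05-28,yes,,2024-03-02
Ride-hailing app,utility,2024-01-15,no,,2023-11-20
Landlord portal,utility,2024-05-30,yes,,2024-06-01
Old co-working wifi,professional,2023-12-01,no,2024-03-05,
Neighbourhood chat,messaging,2024-05-01,yes,,2024-01-10
Gym membership,social,2024-02-10,yes,,2024-06-01
"""


def outstanding_actions(inventory_csv, last_review, review_date):
    """Return {account name: [actions still open]} for the review on review_date."""
    actions = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        todo = []
        last_used = date.fromisoformat(row["last_used"])
        if row["category"] not in CATEGORIES:
            todo.append("fix category")
        if row["closed_on"]:
            # Closure is documented; activity after that date is a red flag.
            if last_used > date.fromisoformat(row["closed_on"]):
                todo.append("investigate use after closure")
        elif row["still_needed"] != "yes":
            todo.append("close and document closure")
        else:
            if last_used < last_review:
                todo.append("re-check necessity: unused since last review")
            rotated = row["rotated_on"]
            if not rotated or date.fromisoformat(rotated) < review_date:
                todo.append("rotate credentials")
        if todo:
            actions[row["name"]] = todo
    return actions


if __name__ == "__main__":
    result = outstanding_actions(SAMPLE_INVENTORY, date(2024, 3, 1), date(2024, 6, 1))
    for name, todo in result.items():
        print(f"{name}: {'; '.join(todo)}")
```

An account with no outstanding action drops out of the result, so an empty result means the quarter's review is complete.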


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
