Digital security for NGO workers and aid staff in restricted environments. The complete operational guide.

The threat model in the field

Most security guidance for NGO workers assumes one of two threat models: either you are working under a generic “high-risk” label, or you are a specific target of a specific state. The reality on the ground is that you are usually neither, and then you are both at the same time, often within the same week.

The first threat layer is ambient state surveillance. The country’s signals intelligence service does not need to know your name to capture your communications. Mass collection at the carrier level, lawful intercept on encrypted apps, IMSI catchers around protest sites, all of it operates against everyone in the geography. You enter that net the moment your SIM connects to the local network.

The second layer is targeted. It activates the day your name appears on a list. The list might be a leaked diplomatic cable, a visa overstay flag, a complaint filed by a local government partner who decided your programme was politically inconvenient. Once you are on it, the resources directed at you are different. The threat model that applies to diplomats and expats in restricted environments applies in identical form, often with less institutional protection than a diplomat has.

The third layer is criminal. Local actors who do not work for the state but who profit from access. A driver who sells your route to a kidnapping group. A fixer who lets a friend copy your contact list off the spare phone you left in the office. A hotel staff member who reports back to whoever is paying for that week’s information.

The fourth, and the one that ends more programmes than the other three combined, is your own colleagues’ operational discipline. The team WhatsApp group where someone screenshots a sensitive update. The shared Google Drive with a beneficiary spreadsheet that was supposed to be encrypted. The volunteer who connects to the office Wi-Fi with a personal device that has not been updated in two years. We have lost more sources to internal hygiene gaps than to active surveillance.

Before you board the plane

The work that actually determines your operational posture in the field happens before you leave home. Once you are in country, your options narrow. The day before departure, you still have access to clean infrastructure and time to make decisions calmly.

Travel with a device that does not contain your full digital life. This is not about paranoia. It is about reducing the consequence of any single device being seized, lost, or copied. A laptop that holds your personal photos, your unrelated client work, your tax returns, and your field notes turns into a comprehensive intelligence product the moment it leaves your custody. A laptop that holds only what the deployment requires turns into a much smaller problem.

The same applies to the phone. The most useful technique we have found is to use a secondary device for the field deployment, signed into a separate Apple ID or Google account, with no connection to your personal cloud, your personal photos, or your personal contacts. The pre-departure security checklist for high-risk countries walks through this in operational detail.

Audit your contact list before you go. Every phone number, every email address. If your phone is searched at the border, what does it say about who you know? An NGO worker we audited two years ago carried a contact list with three names that had been flagged in the destination country’s media as opposition figures. None of them were operational contacts. They were old friends from a previous deployment. The contacts left the phone before she did.

Review your linked devices on every account that holds sensitive material. Email, Signal, WhatsApp, cloud storage. Most accounts accumulate sessions over years. A laptop you used at a conference. A tablet that belonged to a former colleague. A browser session on a friend’s machine. If any of those have not been revoked, anyone who controls those devices reads what you read.

Crossing borders

The border crossing is not where security ends. It is where it concentrates. In one place, in one window of minutes, you transition from a jurisdiction where your devices have a baseline of legal protection to a jurisdiction where they do not. What happens during those minutes can determine the rest of your deployment.

Power down your devices before approaching immigration. Cold devices require credentials to decrypt. Devices that have been recently unlocked may be vulnerable to specific extraction techniques in the period immediately after use. The simple step of fully shutting down phones and laptops before queueing reduces the technical surface available to whoever is on the other side of the counter.

Know your rights, but do not rely on them. The legal regime governing border searches varies by country and is shifting in most. The practical reality is that if a border officer wants to search a device, refusal usually results in either entry denial or device seizure for further inspection. The question is not whether you can refuse. It is what happens to your deployment if you do.

If a device is examined or copied at the border, treat it as compromised. Do not connect it to networks containing sensitive material. Do not log into accounts from it. Do not assume that wiping and reflashing eliminates the exposure. The fastest decision is the safest one: that device is now field furniture. Replace it.

Communications in the country

The communications tools that work in stable democracies do not always work in the field. End-to-end encrypted messaging requires a network to connect to. Many of the environments where NGO workers operate have unreliable connectivity, deep packet inspection, and active blocking of common tools. The platforms that survive are not always the ones the security training mentioned.

Signal remains the baseline for sensitive communication where it is reachable. The Russia-linked Signal phishing campaign documented across European targets showed that the protocol’s encryption holds and the human interface around it does not. Audit your linked devices monthly in the field. Treat any unsolicited message claiming to come from Signal as the attack, not the safety net.

WhatsApp works in more places. It is owned by Meta, which complies with lawful intercept requests in most jurisdictions, and it stores metadata that Signal does not. For routine logistics where confidentiality is not the issue, it is functional. For anything where confidentiality matters, route it elsewhere.

Telegram has near-universal coverage in the regions where many NGOs operate and is the default platform of choice for staff who grew up with it. Treat it as the local public square. Default Telegram chats are not end-to-end encrypted. Secret Chats are, but most of the volume on the platform is not.

For voice calls where confidentiality is the issue, use Signal voice or a Session call. Do not use a local SIM for a call you would not be comfortable having transcribed. Cellular voice is intercepted as a matter of routine in many of the geographies covered by this guide.

Source and beneficiary protection

Most security guidance focuses on protecting the NGO worker. The harder problem is protecting the people they meet. The journalist source. The beneficiary in a sensitive programme. The local partner who has signed on to a project that may become politically unwelcome.

The first principle is to separate identifiers. The list of beneficiaries in a programme should not live on the same device as the operational notes from that programme. The contact details of a source should not appear in the same contacts database as the source’s case file. We have seen a single seized phone produce both halves of a relationship that had been compartmented in every other respect.

The second is to reduce metadata generation. The visit log entry at the project site that records “met with M.A. for 90 minutes” produces metadata long after the encrypted notes from that conversation are deleted. The location services on the phone that pinged a tower near the safe house generates a record that no encryption protects. Be deliberate about what your tools record by default.

The third is to test the chain before sensitive material moves through it. If a source needs to send you a document, walk through the process with them on a non-sensitive document first. Find out whether their device supports the tool. Find out whether the local network blocks it. Find out whether they understand what they are doing before they are doing it under pressure.

When something goes wrong

Detention. Device seizure. The local partner who stops returning calls. A break-in at the office. The known channels for any of these events compress when they happen to you, and the decisions you make in the first hours determine what survives.

The first action is to assume any device you no longer control is compromised. Including any device the seizing party returned. We have seen returned phones with monitoring software added during the period of seizure. We have seen laptops returned with bootloader modifications that were not detectable by routine inspection. What forensic tools actually extract from a seized device is the operational ceiling on what should be considered known to whoever held it.

The second is to notify the people who would be exposed by anything that was on the device. Sources, contacts, colleagues. Not everyone needs to know everything. Each of them needs to know what touched them. The message you do not want to send is the one you should have sent two days earlier.

The third is to revoke every credential that was authenticated on the device. Not change. Revoke. A new password that is set from a clean device, while the old session on the compromised device is killed, is the only way to ensure that whoever holds the device cannot continue using it as a key.

Family back home

The NGO worker’s threat model includes people who are not in the field. Their spouse who posts on Instagram. Their parents who answer the phone when an unfamiliar number calls asking about their son’s work. Their children whose school posted a class trip update with the date and location.

The discipline that applies to military families applies in close to identical form. The same data brokers that aggregate active-duty service members’ addresses aggregate aid workers’. The same social engineering scripts work on the same family members. The mitigations are the same.

Have the conversation with your family before the deployment, not during. Agree on what is shared publicly while you are away. Agree on a verification phrase for the day a call comes in that does not feel right. Most adversaries do not need much. A family member who confirms a flight date by reflex is enough to start the chain.

Frequently asked questions

Should NGO workers use a VPN in the field?

It depends on what threat the VPN is meant to address. A VPN protects against local network operators seeing what sites you connect to. It does not protect against state-level signal collection of the encrypted traffic itself, against malware on the device, or against the VPN provider being compelled to log. In many of the geographies covered by this guide, using a VPN is itself a regulatory or legal flag. The decision is operational, not technical.

Is using a personal phone for work safer than a work-issued one?

Generally no. Personal phones accumulate more data, more apps, more accounts, and more contacts than work-issued devices. They are also harder for an organisation to wipe or replace if compromised. The safer architecture is a work-issued phone with no personal accounts on it, kept separately from the personal phone, and treated as expendable.

What is the minimum security training a field deployment requires?

Threat-model briefing specific to the destination, device hygiene including device wipe and recovery procedures, communications tooling specific to the local environment, source protection protocols, and an incident response chain that the deployed worker has rehearsed. Front Line Defenders maintains current operational guidance for human rights defenders that complements organisational training with field-tested protocols.

What happens if my organisation does not provide digital security support?

The operational answer is that you build it yourself, document what you have built, and use it as a starting point for the conversation with the organisation. The institutional answer is that organisations operating in high-risk environments without digital security support are exposing every worker they deploy. Both can be true at the same time. The deployment does not wait for the institution to catch up.

How often should I rotate devices and accounts in long-term deployments?

Devices that have been used in country for more than twelve months accumulate exposure that is hard to audit. The pragmatic cadence we recommend is a device refresh annually for high-risk deployments, with a full credential rotation on the same schedule. For lower-risk environments, every two years with quarterly account audits. The cadence is less important than that there is one.

---

The work of NGOs and aid staff is built on relationships of trust that take years to establish and minutes to break. The digital infrastructure that carries those relationships does not get the same investment as the field methodology that creates them. This guide describes what has worked, what has failed, and what we apply to our own deployments. Treat it as a starting point. Rotate it. Audit it against the specific geography. Adapt it.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.