An NGO worker’s phone was searched at the border. Here’s what they found.

This is a composite account built from documented cases and the experience of digital security trainers working with humanitarian organisations. The names and specifics have been changed. The pattern is real.

The search

The worker was returning from a deployment in a country where the organisation’s work had attracted official scrutiny. The border crossing was at a major international airport. The worker was not on any known watch list and had no prior incidents at borders.

At customs they were asked to step aside for secondary screening. Their phone was requested. They unlocked it — in most jurisdictions this is effectively required for non-citizens, and the worker had been told that refusing would mean denial of entry. The device was taken into an adjacent room.

What was on the device

The worker had prepared the device by reasonable standards. Sensitive project documents had been removed. Communications about upcoming operations had been deleted. The messages in the visible apps were routine. What remained was not routine in the hands of someone systematically reviewing it.

The contact list: over 200 contacts accumulated over several deployments. Local staff, partner organisations, community liaisons. Names, phone numbers, WhatsApp numbers, email addresses. Most people do not think of a contact list as sensitive. In this context it is a map of an organisation’s human network in a region of operational interest.

The WhatsApp group history. The worker had deleted individual conversations but had not exited the group chats. Group membership was visible: who was in each group, the group names, the timestamps of recent activity. The content had been deleted. The membership had not.

The installed applications. A VPN from a provider associated with journalists and activists. Signal. An encrypted note-taking app. Applications associated with secure communication carry meaning in a border search context that a camera app does not.

The photo library. Even without GPS data, the library showed which locations had been visited during the deployment through the visual content of the images. An agent reviewing it could construct a partial picture of the deployment without any explicit documentation.

The Gmail inbox. It had not been reviewed with the same care as the Proton Mail account. It contained newsletter subscriptions from organisations operating in the deployment region, email receipts for services used there, and correspondence that, read carefully, revealed aspects of the deployment that the worker would not have wanted shared.

What the search demonstrated

The lesson is not that the worker failed to prepare. They did more than most. The lesson is about what preparation actually requires in a border search scenario. Deleting sensitive messages is necessary but not sufficient. Group memberships, contact lists, installed applications, email history, and photo libraries all carry information that a motivated reviewer can use.

The only preparation that addresses all of these simultaneously is a travel device: a separate phone with none of this accumulated history, used for the deployment and reviewed before crossing any border. The contact list problem specifically has no individual solution. The contacts belong to other people. They cannot be deleted without losing the operational relationships they represent. The answer is to not carry the contact list across a border where it creates risk. (See: digital privacy guide for NGO workers abroad.)

Frequently asked questions

Do NGO workers need a separate travel device?

For deployments in countries where humanitarian work has attracted official scrutiny, yes. A travel device carries none of the accumulated history that a personal or regular work phone carries. A device containing only the operational tools for the specific deployment presents a fundamentally different access profile at a border.

Can agents access deleted messages during a border search?

Deleted messages can sometimes be recovered from unallocated storage using forensic tools. More importantly, deletion of individual conversations does not remove group memberships, contact list entries, or the metadata of when communications occurred. A thorough border search goes beyond visible content. (See: what they can extract from a seized device in 6 hours.)

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.