An NGO worker’s phone was searched at the border.

This is a composite account built from documented cases and the experience of digital security trainers working with humanitarian organisations. The names and specifics have been changed. The pattern is real.

The search

The worker was returning from a deployment in a country where the organisation’s work had attracted official scrutiny. The border crossing was at a major international airport. The worker was not on any known watch list and had no prior incidents at borders.

At customs they were asked to step aside for secondary screening. Their phone was requested. They unlocked it, since in most jurisdictions this is effectively required for non-citizens, and the worker had been told that refusing would mean denial of entry. The device was taken into an adjacent room.

What was on the device

The worker had prepared the device by reasonable standards. Sensitive project documents had been removed. Communications about upcoming operations had been deleted. The messages in the visible apps were routine. What remained was not routine in the hands of someone systematically reviewing it.

The contact list: over 200 contacts accumulated over several deployments. Local staff, partner organisations, community liaisons. Names, phone numbers, WhatsApp numbers, email addresses. Most people do not think of a contact list as sensitive. In this context it is a map of an organisation’s human network in a region of operational interest.

The same logic explains why border agents seized a journalist’s laptop in a parallel case where the device contained no story drafts. The drafts were not the asset. The professional graph that surrounded the drafts was.

The WhatsApp group history. The worker had deleted individual conversations but had not exited the group chats. Group membership was visible: who was in each group, the group names, the timestamps of recent activity. The content had been deleted. The membership had not.

The installed applications. A VPN from a provider associated with journalists and activists. Signal. An encrypted note-taking app. Applications associated with secure communication carry meaning in a border search context that a camera app does not.

The photo library. Even without GPS data, the library showed which locations had been visited during the deployment through the visual content of the images. An agent reviewing it could construct a partial picture of the deployment without any explicit documentation.

The case of a single photo that got a source arrested shows how much a reviewer can extract from one image, even before the question of GPS data is asked. The frame is the data.

The Gmail inbox. It had not been reviewed with the same care as the Proton Mail account. It contained newsletter subscriptions from organisations operating in the deployment region, email receipts for services used there, and correspondence that, read carefully, revealed aspects of the deployment that the worker would not have wanted shared.

What the search demonstrated

The lesson is not that the worker failed to prepare. They did more than most. The lesson is about what preparation actually requires in a border search scenario. Deleting sensitive messages is necessary but not sufficient. Group memberships, contact lists, installed applications, email history, and photo libraries all carry information that a motivated reviewer can use.

Preparation in this sense starts upstream, with a deliberate written threat model for the deployment, not with the device the day before departure. Without that, every defensive choice is guesswork dressed as discipline.

The only preparation that addresses all of these simultaneously is a travel device: a separate phone with none of this accumulated history, used for the deployment and reviewed before crossing any border. The contact list problem specifically has no individual solution. The contacts belong to other people. They cannot be deleted without losing the operational relationships they represent. The answer is to not carry the contact list across a border where it creates risk.

The full sequence for preparing that device sits in our security checklist before travelling to a high-risk country. Read it weeks before the deployment, not the day before the airport.

Frequently asked questions

Do NGO workers need a separate travel device?

For deployments in countries where humanitarian work has attracted official scrutiny, yes. A travel device carries none of the accumulated history that a personal or regular work phone carries. A device containing only the operational tools for the specific deployment presents a fundamentally different access profile at a border.

Can agents access deleted messages during a border search?

Deleted messages can sometimes be recovered from unallocated storage using forensic tools. More importantly, deletion of individual conversations does not remove group memberships, contact list entries, or the metadata of when communications occurred. A thorough border search goes beyond visible content.

What apps should not be visible on a travel device?

Anything whose presence implies the work, the affiliation, or the destination. Encrypted messengers raise questions, but not having Signal on the phone of a known journalist or aid worker also raises questions. The decision is not whether to remove the apps but whether the absence is more or less explainable than the presence in your specific operational context. There is no general answer. There is a per-deployment answer, and it should be written before departure.

What should an NGO worker do if their device is taken into a back room?

Note the time the device left your possession. Note the time it returned. Take a discreet photo of the room or the agents if doing so is safe and lawful in the jurisdiction. On returning to the deployment base, the device should be treated as compromised: rotated out, factory-reset and re-imaged is the minimum, formally retired is better. Report the incident to the security focal point on the same day. The recoverable evidence of what happened during the search is the timeline you write while it is still fresh.

---

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.