How to secure communications in the field. NGO field guide.
Short answer
Office security protocols assume office conditions. Stable internet. Organisational devices. Staff who have been through training. Time to verify contacts before responding. Field conditions are none of those things.
Connectivity drops. Devices get shared. Networks are unfamiliar and often hostile. Local partners use personal accounts for operational communications because there is no alternative. The person holding the most sensitive information frequently has the least security infrastructure around them. This guide is written for that environment.
The network is hostile by default
Hotel Wi-Fi, conference networks, local SIM data, shared internet in partner offices: all of these are environments where traffic can be read by parties you have no visibility into. The default assumption is hostile until proven otherwise.
Run a VPN at all times on every network you don’t control. Set it to start automatically when the device connects. Manual activation gets skipped under pressure, which is exactly when it matters most. Enable a kill switch so that if the VPN connection drops, traffic stops rather than reverting to an unprotected connection. Use Proton VPN with the Stealth protocol in environments where standard VPN protocols are actively blocked.
Messaging
Signal works in intermittent connectivity. Messages queue and transmit when the connection returns. Enable disappearing messages for all field communications. Message history that does not accumulate cannot be seized, produced in proceedings, or used against contacts in the field. For high-sensitivity communications, a 24-hour timer is reasonable.
For local staff and partners who cannot or will not use Signal: WhatsApp with backups disabled is significantly better than SMS. The investment in getting field contacts onto Signal, with actual hands-on help and a clear explanation of why, is worth making. The weakest link determines the protection of the entire chain.
Shared and borrowed devices
Never log into personal or organisational accounts on a device you don’t control. You do not know what is installed on it, who has access to sessions after you close them, or what the device retains. If you must use one urgently: private browsing, no saved credentials, full logout, and assume the session was observed. Not for source communications. Not for legal correspondence.
Sending documents and files
A file sent through an unencrypted channel to an email address your organisation controls is accessible under legal process in the jurisdiction where your email provider operates. For documents with operational sensitivity, the channel is as important as the content. Proton Mail between two Proton addresses encrypts content end-to-end.
Strip EXIF metadata from photos before you send them. A photo taken in the field contains GPS coordinates, a timestamp, and device information. ExifTool removes it in one command. The photo that places you at a location at a specific time, sent through the wrong channel, is a problem that takes thirty seconds to prevent.
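A pre-send check for the step above, as an added example that is not part of the original guide and is not ExifTool: a standard-library Python routine that drops the Exif/XMP, IPTC and comment segments from a JPEG and reports whether any remain. The function names and the SAMPLE bytes are constructed for this illustration.

```python
"""Drop metadata segments from a JPEG without re-encoding the image."""
import struct

SOI, SOS = b"\xff\xd8", 0xDA
# Metadata carriers: APP1 (Exif incl. GPS, XMP), APP13 (IPTC), COM (comment).
DROP = {0xE1, 0xED, 0xFE}

def segments(data):
    """Yield (marker, start, end) for each header segment, ending at SOS."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, pos + 2 + length
        if marker == SOS:
            return
        pos += 2 + length
    raise ValueError("no SOS marker: truncated or malformed JPEG")

def strip_metadata(data):
    """Return the JPEG with every DROP segment removed."""
    out = [SOI]
    for marker, start, end in segments(data):
        if marker == SOS:
            out.append(data[start:])  # image data onward is copied verbatim
        elif marker not in DROP:
            out.append(data[start:end])
    return b"".join(out)

def metadata_markers(data):
    """List the metadata segment markers still present (empty means clean)."""
    return [m for m, _, _ in segments(data) if m in DROP]

def make_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally a JPEG, with fake Exif and comment payloads.
SAMPLE = (SOI + make_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + make_segment(0xE1, b"Exif\x00\x00GPSLatitude=constructed")
          + make_segment(0xFE, b"constructed comment") + make_segment(0xDB, b"\x00" * 65)
          + make_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

This covers JPEG only, and everything from the start-of-scan marker onward is copied unchanged, so other formats and files with appended data still need ExifTool.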
Frequently asked questions
What messaging app should NGO field workers use?
Signal with disappearing messages enabled. For contacts who cannot use Signal, WhatsApp with cloud backup disabled is significantly better than SMS. Use the most secure option that the contact’s actual constraints allow.
What if a field device is returned after being taken at a border?
Treat it as compromised. Do not reconnect it to organisational networks or log into sensitive accounts until it has been reviewed. The cost of a replacement device is always less than what a compromised device can reveal. That calculation does not change.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
