How to secure communications in the field. NGO field guide.

Connectivity drops. Devices get shared. Networks are unfamiliar and often hostile. Local partners use personal accounts for operational communications because there is no alternative. The person holding the most sensitive information frequently has the least security infrastructure around them. This guide is written for that environment.

The network is hostile by default

Hotel Wi-Fi, conference networks, local SIM data, shared internet in partner offices: all of these are environments where traffic can be read by parties you have no visibility into. The default assumption is hostile until proven otherwise.

A VPN running at all times on every network you don’t control. Set it to start automatically when the device connects. Manual activation gets skipped under pressure, which is exactly when it matters most. Enable a kill switch so that if the connection drops, traffic stops rather than reverting to unprotected. Proton VPN with Stealth protocol for environments where standard VPN protocols are actively blocked.

The shortlist of providers that ship usable obfuscation in actively-blocking jurisdictions is in the VPNs that still work in China, Iran, and Russia.

Messaging

Signal works in intermittent connectivity. Messages queue and transmit when the connection returns. Enable disappearing messages for all field communications. Message history that does not accumulate cannot be seized, produced in proceedings, or used against contacts in the field. For high-sensitivity communications, a 24-hour timer is reasonable.

For local staff and partners who cannot or will not use Signal: WhatsApp with backups disabled is significantly better than SMS. The investment in getting field contacts onto Signal, with actual hands-on help and a clear explanation of why, is worth making. The weakest link determines the protection of the entire chain.

The full breakdown of which channel fits which threat sits in Signal versus ProtonMail versus Wire. WhatsApp is acceptable for logistics, never for sources.

Shared and borrowed devices

Never log into personal or organisational accounts on a device you don’t control. You do not know what is installed on it, who has access to sessions after you close them, or what the device retains. If you must use one urgently: private browsing, no saved credentials, full logout, and assume the session was observed. Not for source communications. Not for legal correspondence.

The same logic applies to your own field device once it has left your hand. The walkthrough is in how an NGO worker’s phone was searched at the border. The worker had prepared. The device still produced enough material to map a country team.

Sending documents and files

A file sent through an unencrypted channel to an email address your organisation controls is accessible under legal process in the jurisdiction where your email provider operates. For documents with operational sensitivity, the channel is as important as the content. Proton Mail between two Proton addresses encrypts content end-to-end.

Strip EXIF metadata from photos before you send them. A photo taken in the field contains GPS coordinates, a timestamp, and device information. ExifTool removes it in one command. The photo that places you at a location at a specific time, sent through the wrong channel, is a problem that takes thirty seconds to prevent.

The case for treating every photo as a forensic asset is documented in a single photo that got a source arrested. EXIF is one part. The frame itself is the other.

Frequently asked questions

What messaging app should NGO field workers use?

Signal with disappearing messages enabled. For contacts who cannot use Signal, WhatsApp with cloud backup disabled is significantly better than SMS. Use the most secure option that the contact’s actual constraints allow.

What if a field device is returned after being taken at a border?

Treat it as compromised. Do not reconnect it to organisational networks or log into sensitive accounts until it has been reviewed. The cost of a replacement device is always less than what a compromised device can reveal. That calculation does not change.

Should we use a satellite phone for high-risk field communications?

For voice in environments where cellular is unreliable or actively monitored, yes, with the same caveat as any phone: the call exists on the carrier side. Iridium and similar networks log connection metadata. The content of the call may be encrypted depending on configuration. The fact that a call happened is not. Use satellite for connectivity in degraded environments, not for confidentiality. Confidentiality lives in the messaging app on top of the link.

How do we onboard local staff who have never used encrypted messaging?

In person, with the device in front of both of you, in their language. A printed one-page reference in the local language sits next to the demonstration, not as a substitute for it. Do not assume the install survived a week without checking. Operational security depends on the weakest link in the chain, and that link is usually the contact who never quite finished the setup. Budget time for a follow-up at week one and week four. Both are short. Both are necessary.

Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.

---

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.