Protecting Information in the Field

  1. What devices should their team members use, and
  2. What applications should their team members use.
Approaching a checkpoint on the outskirts of As Salamiya, Syria.

The ability to communicate is the key to safety

Before getting into specific techniques to secure information, I want to emphasise that your ability to communicate is the key to your safety.

Establish a baseline level of security for your devices

As a baseline, ensure all your electronic devices are secured to a reasonable level. Reasonable security measures include:

  • Setting a passcode (ideally an alphanumeric passcode)
  • Enabling full-disk encryption and firewalls (for laptops)
  • Installing and using a VPN
  • Installing and using secure browsers
  • Installing and using a password manager
  • Installing and using secure messaging applications
  • Installing and using secure email applications
Routine checks at a checkpoint in Syria.

Use clean devices where necessary

We all have a lot of information either stored on our devices or accessible from our devices. Sensitive work emails and documents, the occasional nude photo, break up emails, draft resignation letters, and that email to your doctor about … that issue. Plus there’s your location history, your browsing history, your online shopping records, and so on. In the wrong hands, our devices are a goldmine for targeting and exploitation. We all have at least one document, photo or message on our devices we’d rather other people didn’t see or we’d struggle to explain away. There will always be something that a trained officer could use to coerce you or to leverage your cooperation.

Practice strict compartmentation

You have a private life and work life. You may also be involved with projects that are particularly sensitive. When it comes to securing information, you need to keep these different lives and activities separate.

Practice good security hygiene

Maintaining effective security — including compartmentation — demands a combination of discipline and good habits. We can call this ‘security hygiene’.

  • If you don’t need regular access to an application, either delete it and reinstall it when you need access, or access the application via a browser.
  • Delete emails and messages once you’ve read them.
  • Enable the ‘disappearing’ messages feature in messaging applications.
  • Regularly clear your browsing history, cookies and site data, and cached files and images (if you can, set this up so data is cleared when you exit the browser).
  • Delete your call history (not a complete solution, but will help to avoid problems at checkpoints).
  • Consider erasing and restoring your clean phone after each trip or after specific activities.

Carry the minimum

More devices means more potential vulnerabilities. If you don’t need to carry a laptop with you, don’t. These days you can get a lot done with just a phone. If you need to do a lot of typing and need a full-size keyboard, either carry a keyboard that you can use with your phone or consider the utility of using an iPad and keyboard instead of a laptop.

Consider how to communicate information

Before you communicate, consider the most appropriate means of communication given the sensitivity of your contact and the sensitivity of the information that needs to be passed or shared.

Have a plan for handling hard copy information

With more attention now focused on the security of electronic devices and data, techniques used to protect physical information that were once well understood are at risk of being forgotten.

Avoid attention

Let’s go back a few steps.

Wandering the streets of Beirut.

Ensure your persona is congruent

Hand in hand with maintaining a low profile, it’s key that your persona — who you claim to be — is congruent. There should be nothing about your behaviour, what you are wearing, what you are carrying, what you are saying, or what others might say about you, that would make an official believe you are not who you say you are.

Remember that activities are information

Don’t just focus on the data on your devices. Everything you do is information that can be used by someone to learn more about you and potentially uncover sensitive or suspicious aspects of your activities.

Avoid checkpoints whenever possible

Every checkpoint presents risks. Never accept a risk that can be avoided.

Inside a military checkpoint in rural Syria.

If you are stopped, keep it together

Assuming you are only carrying the devices you need, and have your devices properly secured, you should have little concern about sensitive information being compromised if you are stopped and searched.

Be mindful of your online activity

Being stopped and having your devices inspected is one problem. Having your online activity monitored and analysed is another.

Document organisational policies

Whatever your organisation decides is the appropriate approach to protecting information in the field, the policies and procedures should be documented and team members who work in the field should be trained and exercised.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store