“Sir, this way please. Yes, yes, over here. Do you have a phone? Please show me. Unlock your phone. Is this your messages app? Show me your messages. Who is this person? Have you met this person? Why did you meet them? Show me your photos. Is this the same person? Do you have Facebook? Open Facebook and show me your feed. What is this application for? Open it…”
If you live or work in higher-risk locations or countries with autocratic governments, this scenario may be one that keeps you up at night.
Most of us carry around phones, tablets or laptops with hundreds of contacts, and with thousands of messages, emails and photos (if not tens of thousands). Depending on what you do for a living, this information could cause serious problems for you or your organisation if it gets into the wrong hands. In some locations, you could be detained, interrogated, or worse.
Over the last year or so, we’ve experienced an increase in demand for training from organisations who have people in higher-risk locations where there are serious threats to people and information.
The client ask is typically:
- What devices should their team members use, and
- What applications should their team members use.
These are easy questions to answer, but they aren’t necessarily the right questions to be asking. The answers to these questions don’t come close to solving the complex challenges that individuals and teams face when trying to secure information and protect themselves when operating in higher-risk environments.
Here’s the context: You’re either travelling to — or living and working in — an environment where government forces or militia are hostile. While you’re (hopefully) not involved with anything illegal, you may be engaging with specific people that are on the radar of the security services. The types of professions that may work in such environments include journalists, security professionals, and people working for NGOs (amongst others).
In this article, I’ll focus on practical and actionable techniques you and your organisation can apply to protect information — and people — in environments where there are real threats to both. As you’ll learn, effective information security in the field is not as simple as buying the latest iPhone and installing Signal.
The ability to communicate is the key to safety
Before getting into specific techniques to secure information, I want to emphasise that your ability to communicate is the key to your safety.
Your mobile phone is your lifeline. Your phone may be the only tool available to you to get help if an incident occurs. You need to make sure that you, or the people you have in the field, have access to reliable means of communication. While not carrying a phone potentially solves a lot of information security problems, it’s not a sensible option in most contexts.
Depending on where you’re operating, guaranteeing the ability to communicate may require some additional planning. You’ll need to ensure redundancy across devices, across networks and across applications. If the mobile network goes down, you need to have a satellite phone or satellite communicator available. If your preferred secure messaging application is blocked, you need to be able to immediately switch to an alternate option.
Establish a baseline level of security for your devices
As a baseline, ensure all your electronic devices are secured to a reasonable level. Reasonable security measures include:
- Setting a passcode (ideally an alphanumeric passcode)
- Enabling full-disk encryption and firewalls (for laptops)
- Installing and using a VPN
- Installing and using secure browsers
- Installing and using a password manager
- Installing and using secure messaging applications
- Installing and using secure email applications
With each of these services and applications, there will be additional settings to improve the level of security. Be sure to check what these settings are and apply them where appropriate.
In addition, use a dedicated set of charging cables and adapters, install a privacy filter, and protect your device with a good case.
For applications, use multi-factor authentication (MFA) for key services — file sharing applications, social media, messaging and email. All passwords should be strong and unique, just like you. Use a password manager to make it easy to generate passwords and store them securely.
You’ll be balancing convenience and security here, but not to the extent you may think. It’s not difficult to have a very secure device and still be able to use that device without significant inconvenience.
The measures above form a baseline, or minimum standard. However, these measures won’t be enough for some operating contexts.
Use clean devices where necessary
We all have a lot of information either stored on our devices or accessible from our devices. Sensitive work emails and documents, the occasional nude photo, break up emails, draft resignation letters, and that email to your doctor about … that issue. Plus there’s your location history, your browsing history, your online shopping records, and so on. In the wrong hands, our devices are a goldmine for targeting and exploitation. We all have at least one document, photo or message on our devices we’d rather other people didn’t see or we’d struggle to explain away. There will always be something that a trained officer could use to coerce you or to leverage your cooperation.
It’s obviously far too difficult to sift through all the information on our normal devices to determine whether any of that information may be sensitive or could increase suspicions of ourselves and our activities.
Instead, the solution is to carry ‘clean’ devices. Clean devices are not optimised for our normal day-to-day activities. Instead, they are optimised to assure the security of information when operating in complex and higher-risk environments.
When the officer at the checkpoint demands your device, this is the device you hand them. You should be comfortable unlocking the clean device and going through all of the applications in the knowledge that there is no significant information to be found.
Will the officer demand to know why you have a device empty of content? Maybe, and that’s something I’ll address a little later. But remember that you’re dealing with the lesser of two evils here.
Your clean device should be secured as per the baseline measures described above. The device should have a VPN, secure browser, password manager, secure messaging application, and — if needed — a secure email application. You can also disable any services you don’t need, such as Bluetooth, Wi-Fi and location services (just note that you may need these services from time to time). You may have other apps installed on this device, such as apps to interface with satellite communicators.
If you don’t need continued access to a password manager app, you can access the password manager via the browser. Some password managers have a travel mode, which removes all but the passwords you need to access from the device. The same goes with email — you may prefer to access your email service via the browser rather than download an application.
When setting up a clean device, be sure not to sync any cloud services (contacts, calendar, mail, photos, notes etc) or file sharing services (Dropbox, Box etc). There should be no information on this device until you start sending messages. Even then, you should be deleting these as you go (or use a disappearing messages feature). If you need to store contact information, use the password manager.
Do not install any social applications on your clean device, and do not access social media websites from this device. Use your normal device for social media and other routine services, such as online shopping, arranging get togethers with friends etc.
Whether you carry your normal phone and your clean phone should be based on a sound assessment of threats and risks. For some locations, you should only travel with a clean phone. For other locations, you may travel with both phones, but may decide to take the clean phone with you when you’re out on the street or when travelling to a specific location.
Practice strict compartmentation
You have a private life and work life. You may also be involved with projects that are particularly sensitive. When it comes to securing information, you need to keep these different lives and activities separate.
You can keep these lives or projects separate by practicing compartmentation. In this context, compartmentation requires the use of different devices and the use of different applications on each device.
If you’re using a clean device, use different applications on your clean device than you do on your normal device. For example, you may use WhatsApp and Signal on your normal phone, and Threema and ProtonMail on your clean phone. Creating this separation avoids mixing accounts and profiles between devices and reduces the risk of a screw up.
Along with using different applications on each device, also compartment your communications. When dealing with a contact, communicate with them using only one device. For example, you may communicate with your driver on your normal device, but communicate with a local contact on the clean device. Don’t start a conversation with someone on one device, then move it to the other. This approach breaks compartmentation and weakens your security.
Compartmentation can be a difficult technique to maintain over time. In fact, I’d wager that if you’re going to screw up anywhere, you’ll probably screw up by breaking compartmentation. Mostly, you’ll do this out of the need for convenience. However, if you apply the techniques described above, you’ll be far less likely to compromise your own security.
Practice good security hygiene
Maintaining effective security — including compartmentation — demands a combination of discipline and good habits. We can call this ‘security hygiene’.
Here are a few techniques you can apply to maintain good security hygiene:
- If you don’t need regular access to an application, either delete it and reinstall it when you need access, or access the application via a browser.
- Delete emails and messages once you’ve read them.
- Enable the ‘disappearing’ messages feature in messaging applications.
- Regularly clear your browsing history, cookies and site data, and cached files and images (if you can, set this up so data is cleared when you exit the browser).
- Delete your call history (not a complete solution, but will help to avoid problems at checkpoints).
- Consider erasing and restoring your clean phone after each trip or after specific activities.
Consciously build good habits over time and don’t allow discipline to waver. Use application settings to automate processes where you can (such as disappearing messages and deleting browser data) and build daily habits to routinely erase data and keep your device clean.
Carry the minimum
More devices means more potential vulnerabilities. If you don’t need to carry a laptop with you, don’t. These days you can get a lot done with just a phone. If you need to do a lot of typing and need a full-size keyboard, either carry a keyboard that you can use with your phone or consider the utility of using an iPad and keyboard instead of a laptop.
If you don’t need continual access to a device for safety or tracking reasons, consider powering the device down. Powering down devices enables hard disk encryption and switches off other services. If you find yourself in a situation where you need to ditch some gear, ditching a powered down device is better than a ditching one that’s on and locked.
Consider how to communicate information
Before you communicate, consider the most appropriate means of communication given the sensitivity of your contact and the sensitivity of the information that needs to be passed or shared.
Why email information when you can send it via Signal with the disappearing measures feature activated? Why send it via Signal if you can meet in person?
That said, face-to-face meetings aren’t necessarily secure. As I’ll explain shortly, activities are information. Just because you avoid electronic communications and meet someone in person doesn’t mean that you haven’t left an electronic and analogue signature (analogue in the sense that you’ll be observed and remembered by people). If you determine that the best way to relay information is to meet with someone, you’ll need to be additionally careful regarding how you assure the security of both parties.
Have a plan for handling hard copy information
With more attention now focused on the security of electronic devices and data, techniques used to protect physical information that were once well understood are at risk of being forgotten.
Hard copy information may actually be preferred to digital information in some contents. Depending on who you’re dealing with on the ground, that may be their only way to communicate with you.
If you want to avoid meeting a contact (for their protection or yours), you may need to instruct them in how to digitise the information and transmit it to you securely. What you want to avoid is a situation where you’re passed hard copy information in a meeting with no plan to assure its security. If you’re caught with hard copy information that’s sensitive, it’s impossible to explain away. Consider your options and have plans in place in advance.
Let’s go back a few steps.
Before you even consider how to secure your devices and data, you should be focused on ensuring you aren’t targeted in the first place. As I’ve discussed in other articles, maintaining a low profile is one of the most basic aspects of security. If you’re not noticed, you’re less likely to be targeted.
In the context of a border entry or street checkpoint, officers will look for something — anything — unusual that they can use as a reason to stop you, go through your gear, ask you questions, or even detain you. If there’s any aspect of your demeanour or any item that you’re carrying that arouses their suspicions, that will be all they need to conduct a more thorough search and start asking questions. From there, it can be a slippery slope to a dirty interrogation room and a rusty set of pliers.
Ensure your persona is congruent
Hand in hand with maintaining a low profile, it’s key that your persona — who you claim to be — is congruent. There should be nothing about your behaviour, what you are wearing, what you are carrying, what you are saying, or what others might say about you, that would make an official believe you are not who you say you are.
For the same reasons, it’s preferable to rely on commonly used secure communications applications, rather than using less mainstream options, even if they claim to be more secure. As an example, Signal is now sufficiently mainstream to not raise that many eyebrows if the app is found on your phone. Anything more exotic may result in avoidable questions and interest.
Don’t use accounts in fake names, including on your clean device. Even if you use fake names and email addreses for legitimate privacy reasons (e.g. for newsletters or online shopping), your desire for privacy probably won’t be well understood by the sweaty officer from the secret police staring at you from across the interrogation table.
On the other hand, do use nicknames. For example, if your name is Eddie Lee, you could use ‘edify’ as a screen name for your accounts and probably be able to explain that away. You could even use ‘bigbear’ and just say that’s what people call you. Why do they call you that? That might be a story for another day… But you wouldn’t set up accounts using the name ‘Jacob McDonald’ or ‘Eugene Wong’ if these people aren’t you. Using fake names is a surefire way to get yourself detained and accused of espionage.
Remember that activities are information
Don’t just focus on the data on your devices. Everything you do is information that can be used by someone to learn more about you and potentially uncover sensitive or suspicious aspects of your activities.
The staff in your hotel will be aware of your comings and goings, and most of your activities in public areas of the hotel will be recorded on a video surveillance system. Your driver will know the locations you’ve visited around town, and may know who you’ve met. They may have even caught snippets of whispered conversations in the back seat.
While device and data security are important, it’s useful to get back to basics and focus on your activity profile. Ensure that every activity you undertake has a legitimate and believable explanation.
Avoid checkpoints whenever possible
Every checkpoint presents risks. Never accept a risk that can be avoided.
As a principle, avoid checkpoints wherever possible. Similarly, avoid presenting yourself in situations where you may be stopped and searched. In practice, this may mean using backstreets to avoid known checkpoint locations or not moving about after a certain time in the evening when people are more likely to be stopped and searched. You may also determine that checkpoints are busier at certain times of the day, reducing the likelihood that you’ll be stopped and searched if you move through at that time.
If you are stopped, keep it together
Assuming you are only carrying the devices you need, and have your devices properly secured, you should have little concern about sensitive information being compromised if you are stopped and searched.
However, how you manage yourself during a situation where you’re stopped will have a major impact on what happens next. Don’t argue with the official, try to embarrass them, or try to assert your authority. Instead, defer to their authority, be physically submissive and be compliant. Most importantly, be boring. The more boring you are, the more the official will want to move you along and focus on someone who appears more interesting.
Organisations should consider running realistic simulated activities to train team members in how to respond at checkpoints when searched and when questioned.
Be mindful of your online activity
Being stopped and having your devices inspected is one problem. Having your online activity monitored and analysed is another.
Autocratic governments monitor communications and make lists of their enemies and their enemy’s associates. These lists can be used to surveil, harass, arrest and murder.
When it comes to visiting websites or engaging with social media, you’ll need to be aware of who or what you may be associated with. Specifically, be mindful of the potential sensitivities relating to having contact with government officials, members of opposition parties, activists and anyone else who may be of interest to the authorities. Same goes for commenting on sensitive political or social issues.
Document organisational policies
Whatever your organisation decides is the appropriate approach to protecting information in the field, the policies and procedures should be documented and team members who work in the field should be trained and exercised.
Team members should understand the policies and procedures and be confident applying them in the field. As touched on earlier, these policies and procedures also provide team members with an explanation as to why they are using certain applications, or why they have no contacts or photos on their device.
“Yeah, I know. It sucks, right. But it’s company policy. I just do as I’m told. They won’t even let me download Facebook! Did you drop that $20 note? I don’t think it’s mine. Are you sure it’s not yours?”
And so it goes.
This article isn’t an exhaustive analysis of information security in the field. There’s a lot more to discuss on the topic, but the sections above cover many of the key aspects. There should be enough detail there to keep most people out of trouble.
Parting advice is not to be fixated on devices and applications. Focus your attention on ensuring your persona is congruent with who you say you are. Remember that activities are information, and the security of your activities is just as important as the data you send or store on your devices. Establish compartmentation when it comes to devices, applications and contacts. Finally, practice good security hygiene.
If you believe your organisation would benefit from learning more about securing information in the field, don’t hesitate to get in touch. Happy to coordinate training, review or draft policies and procedures, or share perspectives on a call. We have a range of training options available that may be of interest, as well as a series of publications focused on operating safely and successfully in higher-risk environments.
If you have experience in this area you’d like to share, I’d love to hear from you. What interests me most is the different operational techniques that people working in higher-risk locations use to secure their information. I’m less interested in apps and more interested in techniques and trickery.
Thanks for reading.
Grant Rayner is the founder of Spartan9. His work primarily involves supporting clients navigate complex and higher-risk environments.
For additional information and insights, read The Guide to Travelling in Higher-Risk Environments and browse through our other publications. When you’re ready to go a level deeper, consider our training workshops. If you’d like to follow our work, the best way is via our monthly newsletter — subscribe here. Also infrequently on Instagram and Twitter.
If there are other aspects of travelling to complex and higher-risk environments you’d like to explore or learn more about, please let me know.