Travelling under Watch: Practical Electronic Security for High-Risk Jurisdictions
- Matthew Parish
- 7 minutes ago
- 6 min read
States with extensive surveillance capabilities—such as Russia and China—treat foreigners’ devices and online accounts as rich intelligence targets. The objective for travellers is not to “beat” a sophisticated electronically intrusive nation-state, which is unrealistic, but to reduce exposure, control what is at risk, and ensure that compromise (if it occurs) is contained. The principles below are framed for journalists, lawyers, businesspeople, researchers and aid workers who may carry sensitive data or meet sensitive contacts.
Core principles
Minimise data: the safest data are the data you do not carry.
Assume inspection: border agents may lawfully search and image devices; zero-day exploits may infilitrate electronic devices and permit unobstructed inspection of those devices; contents; hotel rooms and meeting spaces may be monitored.
Segment risk: separate identities, devices and accounts so that compromise in one area does not cascade.
Plan for loss: treat confiscation, theft or covert cloning as plausible events and rehearse recovery steps.
Obey local law: some controls (encryption, VPNs, secure messaging) are restricted or scrutinised; carrying illegal software can create leverage against you.
Before you travel
Decide what not to take
Travel with clean, low-cost “travel” devices (laptop, phone) that contain only what you truly need. Leave your primary devices at home.
Do not carry long email archives, full client files, personal photo libraries, password vaults, or corporate repositories.
Remove sensitive contacts from local address books; keep them in a separate, secured account you will not log into while in-country.
Prepare accounts and authentication
Enable hardware-key based 2FA (two-factor authentication - FIDO2/U2F keys such as YubiKey) for primary email, cloud storage, password managers, messaging and financial accounts. Where hardware keys are impractical, use an authenticator app on a different device than the one you will carry, or on a separate travel phone.
Create travel-only accounts (email, collaboration, messaging) with least-privilege access to what you need for the trip. Remove admin privileges from any account you will use abroad.
Generate unique, strong passwords and store them in a reputable password manager that you will access only through your travel device. Do not bring plaintext recovery codes in your luggage.
Review and lock down account recovery paths (backup emails, phone numbers) so adversaries cannot reset your credentials (such as email passwords) while you are in transit.
Harden your devices
Fully update operating systems, firmware and applications immediately before departure.
Turn on full-disk encryption (BitLocker, FileVault, Android/iOS device encryption). Confirm encryption is actually enabled.
Set short auto-lock and require a strong passcode or passphrase (avoid simple PINs). Prefer passphrases to biometrics in environments where compelled unlocks may occur; you can temporarily disable Face/Touch ID before sensitive checkpoints.
Strip the device down: remove unnecessary apps, disable developer options and USB debugging, and revoke high-risk permissions (camera, microphone, location) for apps that do not require them.
Pre-install only one vetted VPN (if lawful) and a secure, cross-platform messenger (Signal, Wire, or similar). Pre-load offline maps and translation to avoid installing local app store software.
Network and communications plan
Assume public and hotel networks are monitored. Plan to avoid sensitive logins on in-country networks.
Set up out-of-band check-ins with your home team using agreed codewords or innocuous phrasing to report status or duress (e.g. a simple messenger with recipients disguised as family members).
Pre-arrange content mirroring: needed files hosted in a secure cloud workspace with version history, so the travel device can stay minimal.
Legal and policy awareness
Quietly check the lawfulness of VPNs, encryption, and secure messaging in your destination and transit countries. In some places, licensed VPNs or government-approved apps are required. Use of non-approved apps may highlight you to the authorities in the context of their data collection procedures.
Understand border search powers: you may be asked to unlock devices; refusal may have consequences (detention, denial of entry). Plan your response in advance with your organisation or counsel.
At the border
Reduce unlock surface: before landing, enable airplane mode, disable biometric unlock, and power the device off. A powered-down, encrypted device is harder to probe.
If compelled to unlock, unlock only the travel profile or travel device. Do not log into non-essential accounts even if requested. Keep explanations calm and consistent.
Never surrender account passwords written on paper or stored plainly (just say you cannot remember them); if required to provide access, do so on the travel account with limited scope.
While in-country
Device handling
Treat your room and meeting spaces as microphone-rich environments. Leave devices outside sensitive discussions or place them powered-off, wrapped in a simple Faraday pouch if you use one; do not rely on it completely as they are not 100% reliable against sophisticated recording and interception technology.
Avoid public USB charging in public places, as they can be used to extract or implant data or software on your device; use your own power brick and cable. Consider a USB data-blocker if you must use unknown ports.
Do not attach unknown peripherals (USB drives, cables, SD cards).
Keep Bluetooth and Wi-Fi off when not in use; prefer personal tethering from your travel phone over hotel Wi-Fi for routine browsing, while recognising that cellular networks can also be monitored.
Network use and applications
Use your pre-vetted VPN only if it is lawful and stable; otherwise, assume traffic is observable and tailor behaviour accordingly.
Prefer end-to-end encrypted messaging for sensitive exchanges. Be cautious about joining large local chat groups, which are often monitored or infiltrated.
Avoid installing new apps from local stores; if unavoidable, use a secondary, sacrificial user profile with no sensitive data or permissions.
Do not access core personal or corporate accounts (primary personal email, banking, source code repos, HR systems). If unavoidable, use a web session in an isolated browser profile and sign out fully afterwards.
Information discipline
Share on a need-to-know basis. Keep notes in a simple encrypted text store rather than sprawling documents.
Avoid tagging local contacts by full name in notes, calendars or messages; use initials or descriptions agreed in advance.
Delay posting geotagged photos or travel updates to social media; upload after departure.
Physical safety intersects with digital safety
Expect overt approaches (e.g. “helpful” tech support, ride-share drivers, social invitations) and covert pressure to share information. Maintain polite boundaries; assume attempts may be recorded.
If something goes wrong
If a device disappears from your sight (even briefly in a back room), treat it as compromised. Move to pre-arranged contingency communications and stop using the device for sensitive work. If you buy a new device in-country, be aware that it may contain features allowing it to be compromised and do not let it come into physical proximity with any device you have brought with you. Technology exists that can connect devices that are carried around in close physical proximity to one-another, by following their triangulation to the same or proximate mobile phone masts.
From a separate channel or after departure, rotate credentials for any accounts touched in-country, starting with email and password manager. Invalidate tokens and review login history.
If you observe targeted phishing or account resets, invoke your organisation’s incident response: preserve logs, note timings, and avoid tipping the adversary with partial resets.
After you return
Do not reconnect travel devices to corporate networks until they are forensically checked or completely wiped and rebuilt. Most organisations simply reimage or destroy low-cost travel devices.
Change passwords again for accounts accessed during travel, remove any recovery options added for the trip, and review multi-factor configurations.
Conduct an after-action review: what data were at risk, what was accessed, what went well, and what to change next time.
Special considerations for specific roles
Journalists and researchers: protect source identities by separating contact lists, using delayed-release publishing workflows, and never carrying raw interview media unless already encrypted and backed up elsewhere.
Lawyers and corporate advisers: keep privileged materials off devices; use controlled data rooms with per-file watermarks and expiry; avoid opening client documents in local office suites that leave recoverable caches.
Engineers and scientists: do not carry proprietary code or designs; use read-only remote desktops if essential; strip build tools and compilers from travel devices.
A compact packing list
Clean travel laptop and phone (fully updated, encrypted).
Two hardware security keys for 2FA (kept separately).
Power bank, known-good charger and cables; optional USB data-blocker.
Simple Faraday pouch for when devices must be present in meetings.
Minimal paper: passport, visas, itinerary; no printed passwords or seed phrases.
A final word on mindset
Electronic security in high-surveillance countries is less about clever software than about discipline: carry little, unlock rarely, talk softly, and separate your digital lives. If you reduce your attack surface and plan for the possibility of compromise, you preserve your safety, protect your contacts, and keep your mission on track—even under watchful eyes.