Last updated: March 16, 2026

Immigration activists and organizers face unique security challenges when working with undocumented community members. Beyond standard privacy practices, you must protect people whose safety depends on operational security. This guide provides technical implementation details for setting up a privacy-respecting infrastructure tailored to immigration advocacy work.

Threat Modeling Before You Configure Anything

Before deploying any tool, map your threat model. Immigration work involves at least three distinct risk profiles that require different mitigations:

A tool that works for lawyers may be unusable for community members. A communication channel safe for outreach workers may be inadequate for attorneys handling privileged case files. Document these tiers and select tools accordingly rather than applying a single solution across all roles.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - Secure Communication Channels

End-to-end encrypted messaging forms the foundation of your communication stack. Signal remains the gold standard for secure mobile communication, but developers should consider additional layers for sensitive operations.

For group coordination, create Signal groups with strict membership protocols. Establish a verification process using safety numbers, never accept new members without verification through a separate channel. Configure Signal to automatically delete messages after 30 days:

Signal settings are UI-based, but you can verify configuration
Ensure "Disappearing Messages" is enabled for all groups
Set timer to 30 days for sensitive discussions

For code-savvy organizers, consider deploying your own Signal gateway using the Signal CLI. This allows integration with other tools while maintaining E2E encryption:

Sending Signal notifications via CLI wrapper
import subprocess

def send_signal_message(recipient, message):
    result = subprocess.run(
        ['signal-cli', 'send', '-m', message, recipient],
        capture_output=True,
        text=True,
        env={'HOME': os.environ['HOME']}
    )
    return result.returncode == 0

Registering Signal Without Linking to a Real Number

Community members who cannot safely register Signal with their personal phone number can use a VoIP number from a provider that accepts cash or cryptocurrency payment. MySudo (US-based) offers disposable phone numbers that can receive SMS verification codes. After registration, the VoIP number can be abandoned. Signal accounts persist independently of the registration number once set up.

Alternatively, Session requires no phone number at all. It uses the Signal protocol over an onion routing network. The tradeoff is that Session’s network is smaller and message delivery can be slower. For community members who need a secure channel but cannot risk linking a phone number, Session is the safer choice. See the self-hosted Matrix Synapse server guide for an organization-controlled messaging alternative.

Step 2 - Set Up Encrypted Storage and Document Management

Undocumented community members often need to store sensitive documents securely. Implement a zero-knowledge encryption system using Cryptomator or similar tools that encrypt files before they touch any cloud service.

For developers building custom solutions, use the OpenPGP standard with hardware-backed keys:

Generate a GPG key with secure parameters
gpg --full-generate-key --rsa4096
Store private key on hardware token (YubiKey, etc.)
gpg --export-secret-keys | ccrypt > backup.cpt

Create a secure document handling workflow:

  1. Receive documents only through encrypted channels
  2. Store using Veracrypt containers with strong passphrases
  3. Never sync sensitive files to cloud services without encryption
  4. Use secure deletion (shred) when disposing of documents

VeraCrypt for Community Member Document Vaults

VeraCrypt hidden volumes are particularly valuable for immigration casework. A hidden volume stores sensitive documents behind one passphrase while a decoy volume stores plausible-but-non-sensitive content behind a different passphrase. If a device is seized and an activist is pressured to unlock it, they can provide the decoy passphrase. The existence of the hidden volume is cryptographically undetectable.

Create a hidden volume from the VeraCrypt GUI or CLI:

veracrypt --create /path/to/container.vc \
  --size=2G \
  --encryption=AES-Twofish \
  --hash=SHA-512 \
  --filesystem=FAT \
  --volume-type=hidden

The wizard prompts for both the outer (decoy) and hidden volume passphrases separately. Keep the outer volume populated with genuine-looking but non-sensitive content. empty outer volumes are a tell.

Step 3 - Secure the Network and VPN Infrastructure

Protecting network traffic is critical when organizing in spaces with surveillance. Deploy your own VPN server using WireGuard for minimal overhead and maximum security:

WireGuard server configuration example
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

Configure client devices to route all traffic through the VPN by default. This prevents metadata leakage about visited websites and protects against local network interception.

Host your WireGuard server in a jurisdiction with strong privacy laws (Switzerland, Iceland, or the Netherlands are common choices) and pay for the VPS with cryptocurrency or a privacy-respecting payment method. Avoid US-based hosting providers for an organization actively working against federal enforcement actions. servers hosted in the US are subject to National Security Letters, which prohibit the provider from notifying you that access has been requested.

Step 4 - Device Hardening for Field Work

When meeting community members in the field, your devices become high-value targets. Implement these hardening measures:

Mobile Device Protocol:

macOS hardening via MDM or script:

Disable iCloud and automatic backups for sensitive folders
defaults write com.apple.backupd AutoBackup -bool false

Enable FileVault with institutional recovery key
fdesetup enable

Set secure sleep mode (require password immediately)
pmset -a sleep 0
pmset -a displaysleep 0

For Android devices used in field work, GrapheneOS is the strongest option. It removes Google Play Services entirely, implements hardened memory allocation, and supports a secondary “duress PIN” that wipes the device or opens a clean profile when entered. Purchase Android hardware with cash when possible and activate it over a VPN, never over a SIM that identifies you.

Step 5 - Metadata Protection

Metadata can reveal sensitive information even when content is encrypted. Address these vectors:

Photo Metadata - Strip EXIF data before sharing any images from community events:

from PIL import Image

def strip_metadata(image_path):
    image = Image.open(image_path)
    data = list(image.getdata())
    image_without_exif = Image.new(image.mode, image.size)
    image_without_exif.putdata(data)
    image_without_exif.save(image_path)

For batch processing, ExifTool is faster and handles more formats:

Strip all metadata recursively from a directory
exiftool -all= -r /path/to/event-photos/

Email Headers - Use email services that strip metadata by default, or configure your own mail server to remove identifying headers:

Postfix configuration for header filtering
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
/etc/postfix/smtp_header_checks:
/^Received:.*/    IGNORE
/^X-Originating-IP:/    IGNORE
/^User-Agent:/    IGNORE

ProtonMail strips originating IP addresses from outbound emails and is end-to-end encrypted between ProtonMail accounts. For outbound email to non-ProtonMail recipients, the message content is encrypted in transit via TLS but not end-to-end. use PGP attachments for truly sensitive case information sent to external contacts.

Step 6 - Operational Security Practices

Technical tools work only within a framework of consistent operational security:

Communication Protocols:

Documentation:

Incident Response:

Legal Hold Considerations

If your organization is engaged in litigation or anticipates legal proceedings, coordinate with legal counsel before implementing aggressive data deletion policies. Deleting records subject to a legal hold can constitute obstruction. The correct approach is to work with your attorney to identify which categories of records fall under hold requirements, then apply aggressive deletion only to communications not covered by the hold. Compartmentalization between case files and operational communications helps keep these categories clean.

Step 7 - Secure Meeting Practices

When meeting undocumented community members, create physical security:

Faraday bags prevent passive IMSI catcher surveillance (stingrays) that can identify all phones in an area even without active interception. A basic Faraday bag costs under $20 and is effective when the phone is fully powered down or in airplane mode with the bag sealed. Test your Faraday bag by placing a phone inside, sealing it, and attempting to call. no ring confirms the bag is working.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to immigration activist?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles