The Impossible Calculus: When Documentation Is Both Risk and Accountability
This is Part 2 of a two-part series on data security for communities documenting ICE enforcement. Part 1 explored how standard data security frameworks were built for unauthorized access threats, not the expansion of state power that treats community itself as the threat. It examined which humanitarian tactics transfer to domestic organizing and which don’t, when the work requires being present, being visible, being seen as a witness.
*Note: I’m definitely not an expert in data security or risk, particularly in this space. I’d love thoughts and corrections if something I’ve noted needs addending.
For an administration that ran on the idea of small government, what’s unfolding in Minneapolis represents an extraordinary expansion of state power into the most basic civic activities: watching, talking to your neighbors, knowing your rights, helping someone exercise theirs. These are not radical acts but rather the ordinary functioning of a society where people look out for each other. The fact that they now carry risk is not a sign that communities have become threatening but rather that the state has decided community itself is the threat.
Part 1 examined how this differs from both standard data security frameworks and humanitarian contexts. This piece explores the specific technical vulnerabilities that can’t be secured away, why standard frameworks fail to address them, and how communities are navigating impossible choices.
The Technical Reality: What Encryption Actually Protects
When communities in Minneapolis coordinate through Signal to document ICE raids, they’re making a reasonable choice: use encrypted communication to protect their organizing. The FBI’s announcement that they’re investigating Signal users suggests this protection is working - if the FBI could simply read the messages, there would be no need to investigate who’s using the app. But understanding what Signal actually protects, and what it doesn’t, matters for making informed decisions about risk.
Signal protects the content of your messages through end-to-end encryption, which means that even Signal cannot read what you’re saying to each other. The FBI cannot intercept your messages and read them, and ICE cannot access the content of your coordination. This is real protection, and it’s why Signal is better than unencrypted alternatives.
But encryption doesn’t protect context, and context is where the vulnerability lies.
Metadata is the data about the data: not what you said, but when you said it, to whom, how often, from where. This information isn’t encrypted because it can’t be - it’s what makes communication function. Your phone needs to know who to send the message to, the network needs to route it, and Signal’s servers need to facilitate the connection. Signal minimizes this metadata more than most messaging apps, but some is unavoidable. The question is: what can authorities learn from metadata alone, and why does that matter for communities organizing accountability work?
The answer is: metadata reveals patterns of coordination, and patterns are enough to map networks and identify organizing activity even without knowing what anyone said.
Your phone connects to Signal’s servers, and the network sees that connection. This means authorities with access to network data know you’re using Signal, when you’re using it, and how often. When multiple people in the same area all start using Signal more frequently at the same time, that pattern is visible. When usage spikes correlate with enforcement actions - say, a raid at a school during morning drop-off - that correlation can be mapped. You don’t need to read anyone’s messages to understand that organized watching is happening.
If authorities seize your phone, they can see your Signal contacts even if they can’t read your messages. This is why the device seizure problem compounds the metadata problem: they can identify everyone in your network, map relationships between people, and determine who coordinates with whom based purely on contact lists and timing patterns. If several people in a network all become active on Signal within minutes of each other, repeatedly, and that timing correlates with ICE activity, the pattern becomes evidence of organized watching.
Location data makes these patterns even clearer. Even if Signal doesn’t track location, your phone does through cell tower connections, GPS if location services are enabled, and WiFi networks you connect to. If your phone was at a school during an ICE raid, and you were active on Signal at that time, and you messaged people who then showed up, the pattern tells a complete story without anyone reading a single message: coordination happened, people responded, witnesses arrived.
This is network analysis, and it doesn’t need content. It needs connections and timing. Who talks to whom creates a network graph. When people talk reveals coordination. Where people are when they talk shows geographic distribution. How often people talk indicates trust and role. The FBI doesn’t need to break Signal’s encryption to map an organizing network; they need metadata, which is much easier to access than encrypted content.
Understanding this changes how you think about Kash Patel’s announcement. He’s not claiming the FBI has broken encryption. He’s saying they’re watching who uses it, when, and with whom. The investigation isn’t about reading messages but about mapping networks through metadata. This is effective counter-surveillance: make people aware that using secure tools itself makes them visible, and you create fear around the very act of organizing.
So where does this leave communities trying to create accountability? Using Signal is still better than using unencrypted communication because the content of your coordination stays private - what you’re planning, who witnessed what, specific details of organizing remain inaccessible without breaking encryption that hasn’t been broken. The humanitarian tactics from Part 1 still apply: using secure communication protects the substance of your organizing even when the fact of coordination is visible.
But you need to understand what you’re protecting and what you’re accepting. Your use of Signal is visible. Your network is visible. Your patterns of coordination are visible. That visibility can be used for counter-surveillance even without accessing message content. The choice isn’t between perfect security and no security - it’s between different kinds of exposure with different kinds of consequences.
When Your Device Becomes Evidence
Understanding metadata matters because it shapes how you think about the next vulnerability: what happens when your phone itself is taken. This isn’t a hypothetical concern. Communities documenting ICE enforcement are engaged in direct observation of law enforcement, which means they’re present during raids, during detentions, during enforcement actions. They’re visible. And being visible with a phone out makes you a target not just for counter-surveillance but for device seizure.
The threat isn’t losing your phone to theft or accidentally leaving it somewhere. The threat is targeted seizure by the actors you’re documenting. When you film ICE enforcement, when you coordinate community surveillance of raids, when you exercise constitutional rights to observe law enforcement, you become a target for counter-surveillance, and counter-surveillance includes taking your device.
ICE has authority - claimed or actual, legal or not - to seize devices. The FBI has announced investigation of Signal users in Minneapolis. These are powerful state agencies with forensic capabilities and legal claims to access, operating faster than courts can determine whether those claims are valid. This is why the timing problem from Part 1 matters here: enforcement happens before legal protections can be invoked, which means device seizure can happen before you have any opportunity to challenge it.
What’s at risk when your device is seized tells you why this matters more than any other vulnerability. It’s not just your messages. It’s all your contacts - friends, family members, other organizers and activists. It’s location data and map history showing where you’ve been and who you’ve met with. It’s message history across all apps, email history dating back years, browser history, bookmarks, and saved passwords. It’s all your photos, including images of other people whose faces are now in law enforcement databases without their consent. It’s calendar events showing who you meet with, when, and where. It’s documents, even from encrypted tools if you’re signed in to your account.
This is why encryption alone doesn’t solve the device seizure problem. Encryption protects your data from remote access, but when someone has your physical device, the question becomes: can they get into it? And in most cases, they can.
If you use biometric unlocks - Face ID or fingerprint sensors - you’ve created a compellable vulnerability. Law enforcement can physically force you to unlock your device with your face or finger. Courts have generally held that biometric unlocks aren’t protected by the Fifth Amendment the way passwords are. You can be required to provide your fingerprint or look at your phone. You cannot be required to divulge a password you’ve memorized. This means if you use biometric unlock and ICE seizes your device while you’re detained, they can unlock it, and once unlocked, encryption doesn’t help. They have access to everything on the device as if it were unencrypted.
Passwords provide more protection, but not complete protection. A strong password that you don’t share, that isn’t written down anywhere, that exists only in your memory creates a barrier. Authorities can demand you provide it, but if you refuse, they have to get into the device another way. Getting in other ways exists through forensic tools like Cellebrite and GrayKey, which can exploit vulnerabilities in phone operating systems. They don’t work on every device or every operating system version, but they work on many. If your device can be unlocked this way, your password protection becomes temporary - it buys time, not permanence.
Cloud backups create another path around device encryption. If your phone backs up to iCloud or Google, and those backups aren’t separately encrypted, authorities can request those backups from Apple or Google through legal process. They don’t need your device. They don’t need to break encryption. They request the backup, and the company provides it. Signal doesn’t use cloud backups by default, but many people enable them for convenience. If you’ve backed up your Signal messages to iCloud, those messages are accessible through Apple regardless of encryption on your device. Photos, contacts, location history, app data - all of it syncs to the cloud unless you’ve explicitly disabled it, which means even if your device itself is secure, your cloud accounts may not be.
The timing problem makes all of this worse. ICE doesn’t announce they’re coming. Device seizure happens during raids, during detentions, during enforcement actions. You’re filming a raid, agents approach, your device is seized. This happens in seconds, not minutes. By the time you realize you need to wipe your phone, it may already be too late - you’re detained, your device is taken, and you don’t have the opportunity to access it, let alone wipe it. Remote wipe capabilities exist, but they require either automatic triggers or someone else with access to wipe your device for you. Automatic triggers can create false positives, and remote access by someone else requires that person knowing you’ve been detained and acting quickly. Both options can be blocked if the device is placed in a Faraday bag or airplane mode immediately upon seizure, which law enforcement knows to do.
Even deleted data isn’t necessarily gone. When you delete a file on your phone, the operating system marks that space as available but doesn’t immediately overwrite it. Forensic recovery tools can access deleted data until it’s been overwritten, which means if you deleted sensitive messages last week, they may still be recoverable from your device today.
Understanding all of this changes how you think about the device you’re using to create accountability. The same phone that lets you film ICE enforcement, coordinate with others, and document violations is also a comprehensive record of your organizing, your relationships, and your movements. Standard data security advice says: use strong passwords, enable encryption, control access. That advice helps against remote threats but doesn’t address what happens when the device is physically taken by actors with forensic tools and legal claims to access it.
The Core Problem: Why Standard Frameworks Can’t Solve This
The technical vulnerabilities laid out in the previous sections aren’t failures of implementation. They’re not problems you can solve by following best practices more carefully or using better tools. They’re fundamental to the work itself, which is why standard data security frameworks can’t address them.
Standard data security advice follows a logic: identify your threats, implement protections proportional to risk, minimize what you collect, secure what you keep. The calculus assumes you can reduce risk through better security practices. But what happens when better security practices can’t reduce the core risk? When the work of creating accountability inherently creates exposure that no technical measure can eliminate?
Take the device question, which every community member faces. You have three options, and understanding why none of them eliminates risk reveals the impossible position communities are in.
Use your primary phone. This seems like the obvious choice - you have all your tools, all your contacts, all your documentation capabilities. You can film clearly, coordinate immediately, document comprehensively. Your primary phone has the apps you’re familiar with, the contacts you need, the documentation history that lets you track patterns over time. But this choice means that if your device is seized, you lose everything. Your entire digital life becomes accessible. Everyone you know is exposed through your contact list. Years of organizing are compromised through your message history and calendar. The documentation you created for accountability becomes evidence of your network, evidence of coordination, evidence that can be used for counter-surveillance of everyone you communicate with.
Use a secondary phone. This reduces what can be seized, which is the whole point - if your device is taken, the damage is contained. You’re not carrying your entire digital life to an action where seizure is likely. But this choice means you lose documentation continuity. You have to remember to switch devices before every action. You have to maintain two phones, clear data after each use, manage separate accounts and contacts. Most importantly, you have to clear data after each action, which means losing the documentation that creates accountability. The evidence of violations gets destroyed to protect you from the consequences of documenting them. You’re trading comprehensive documentation for reduced exposure.
Use no phone. This protects you from device seizure entirely. No device can be seized if you’re not carrying one. But this choice means you can’t film, can’t coordinate, can’t document. You abandon the only accountability mechanism that exists. ICE operates without witnesses. Constitutional violations happen without record. The entire purpose of being present - to make enforcement visible, to create accountability through documentation - becomes impossible.
This same impossible calculus applies to every decision communities face. How much do you document? If you document everything, you create comprehensive evidence of constitutional violations that could support legal challenges and make enforcement visible. But you also create files that can be seized, metadata that maps your network, and patterns that expose your organizing. If you document minimally, you reduce what can be seized, but you lose the evidence. The violations happen without record, the accountability mechanism is weakened, and the very purpose of being present is undermined.
How do you coordinate? If you coordinate through encrypted channels, you protect the content of your communications - what you’re planning, who witnessed what, specific details remain private. But you create metadata patterns that map your network, and your use of encryption itself is flagged as suspicious. The FBI announces investigation of Signal users precisely because encrypted coordination is effective. If you coordinate through unencrypted channels, you avoid the suspicion around encryption, but your communications are accessible to anyone with network access. Your plans are visible before you execute them, and your organizing is compromised before it happens.
How visible do you make yourself? If you’re visible as a witness, you create accountability through your presence. Filming makes you seen, and being seen makes enforcement visible. Visibility is the entire point - you cannot create accountability without witnesses, and witnesses must be present and visible. But being visible makes you a target for counter-surveillance, for investigation, for seizure. If you try to be invisible, you protect yourself from being targeted, but invisible witnessing doesn’t create accountability. ICE operates as if no one is watching, and the violations happen without witnesses.
Humanitarian data security, as explored in Part 1, could say: minimize what you collect, protect what you keep, reduce exposure wherever possible. That advice worked because the essential purpose - assessing needs, reporting to donors - could be accomplished with reduced documentation. Organizations could interview people after they fled rather than during active violence. They could use remote sensing instead of direct observation. They could document indirectly without being present when harm happened. The learning could still happen. The accountability to donors could still be maintained.
Minneapolis can’t do this. The essential purpose IS the documentation. Creating accountability of ICE requires direct observation of ICE. You cannot hold law enforcement accountable for constitutional violations without witnessing those violations. You cannot document what ICE does without being present when they do it. You cannot create transparency without being visible as a witness. The exposure is required. Being seen is the point.
Data sovereignty frameworks face a similar limitation, though for different reasons. These principles were developed to address power imbalances between those who collect data and those whose data is collected. The OCAP principles (Ownership, Control, Access, Possession) say: communities own information about themselves collectively, communities control how their data is collected and used, communities have the right to access and physically hold their data. These principles work when you’re negotiating with external actors about their collection and use of data about you. They assume you can refuse consent, set terms, and assert rights that the other party at least theoretically recognizes.
But Minneapolis communities aren’t negotiating with external researchers about data collection. They’re creating data about themselves for accountability, and they’re facing domestic legal authority that claims the right to seize it. You cannot negotiate terms with ICE about whether they can take your device during a raid. You cannot refuse consent to FBI investigation when they announce they’re investigating Signal users. You cannot set conditions on how seized data will be used when federal agencies claim legal authority that supersedes any community assertion of rights. There’s no higher jurisdiction to appeal to, no international framework that constrains domestic law enforcement, no multi-jurisdictional leverage that creates space to assert data sovereignty. The sovereignty is asserted but not recognized. The control is claimed but not protected.
This is why the calculus becomes impossible. Every choice that creates accountability also creates exposure. Every protection that reduces one risk increases another. The work itself - documenting ICE enforcement to create accountability - inherently exposes you to the actors you’re trying to hold accountable, and those actors have authority (claimed or actual) to seize your devices, detain you, investigate your organizing, and disrupt your work faster than any legal protection can be invoked.
The question isn’t “how do I implement better security practices?” The question is: “which risks am I willing to accept in order to create accountability?” Risk device seizure in order to film? Risk metadata exposure in order to coordinate? Risk investigation in order to use encryption? Risk visibility in order to witness? Or flip it: risk losing documentation in order to protect devices? Risk slower coordination in order to reduce metadata? Risk communication compromise in order to avoid encryption suspicion? Risk enforcement happening without witnesses in order to protect yourself?
Standard data security frameworks assume you can secure your way to safety. Implement better practices, use stronger encryption, minimize data collection, control access more tightly. The logic is: better security equals less risk. But when the threat is the work itself, when documentation creates both accountability and exposure, when security measures that reduce one risk increase another, the calculus is impossible. You cannot secure your way out of this. You can only choose which exposures to accept in order to do work that requires exposure.
How much risk are you willing to accept in order to create accountability when creating accountability inherently exposes you to powerful actors with authority to seize, detain, investigate, and harm? There is no framework that solves this. There are only choices about which risks to carry in order to do work that cannot be done without risk.
What Communities Are Actually Doing
Understanding that the core problem can’t be solved doesn’t mean communities are helpless. It means the response has to be different - not eliminating risk but choosing which risks to accept and preparing for them. Communities organizing under threat have developed practical responses that acknowledge the impossible calculus and work within it.
Secondary Phones: Harm Reduction, Not Perfect Security
The most common response is the secondary phone, and understanding why this has become widespread reveals both what it accomplishes and what it costs. The logic is straightforward: don’t bring your primary phone to actions where seizure is likely. This isn’t about achieving perfect anonymity or eliminating all risk - it’s about harm reduction in a context where exposure is required for the work.
A secondary phone (sometimes called “burner phone light”) reduces what law enforcement can extract if your device is seized. If you’re filming an ICE raid and agents confiscate your phone, they don’t get your entire contact list, your years of message history, your email going back forever, your photos of everyone you know, your calendar of who you’ve met with and when. They get a phone with minimal information on it: the contacts and messages from that specific organizing context, the documentation from recent actions, the coordination relevant to this work. If they install spyware on this device, your primary phone remains clean. If forensic tools extract deleted data, they’re extracting from a device you’ve been regularly clearing rather than from your entire digital life.
This protection extends beyond you. Your primary phone contains contacts for friends, family members, co-workers, people who aren’t involved in this organizing and shouldn’t be exposed by your participation in it. It contains messages with other organizers about sensitive topics, photos of people at actions who might not want their faces in law enforcement databases, calendar events that reveal patterns of meetings and coordination over time. Using a secondary phone means that if your device is seized, you’re not compromising everyone else in your network. You’re protecting the people you’re organizing with, not just yourself.
The setup requires some investment of time and money but isn’t technically complex. Get an unlocked phone - used phones work fine, often $60 or less, sometimes free if someone can donate one. Buy a SIM card and prepaid plan in cash from a physical store rather than online to avoid linking it to your primary identity. Create a separate email account through Proton Mail that isn’t connected to your real name or your primary accounts. Use that email to register with your cell provider and with Apple or Google for the app store. Don’t use your real email or phone number to register anything on this device. Install Signal, install a secure browser, install encrypted maps apps.
The operational discipline matters more than the technical setup. Before each action: make sure your phone number is still active, check that you have minutes or data left if you’re not on unlimited, charge your phone, download offline maps for the areas where enforcement is likely. After each action: clear all app data. Remove Signal message threads and leave groups that this phone doesn’t need to be part of anymore. Clear browser history and map navigation history. If your phone was confiscated, consider getting a new one rather than assuming a factory reset removed any spyware that might have been installed, which can take agents just minutes to do.
This approach has real costs that need to be weighed against the protection it provides. Secondary phones require resources: $60-100 upfront plus ongoing costs for the prepaid plan. You need to maintain two devices, remember to charge both, remember which one to bring where. You need discipline to actually use the secondary phone instead of your primary when it’s more convenient to just bring the phone that’s in your pocket. Most importantly, you need to clear data after each action, which means you lose documentation continuity. The comprehensive record of enforcement patterns, the evidence of violations building up over time, the documentation that could support legal challenges - all of that gets destroyed to protect you from the consequences of creating it.
But the alternative is carrying your entire digital life to every action where device seizure is a realistic threat, which means everyone you know becomes exposed if your device is taken, and all your organizing becomes visible if your device is unlocked. The secondary phone isn’t perfect protection, but it reduces harm in a context where some harm is unavoidable.
The More Technical Approach: Data-Only SIMs
For those with more technical capacity, data-only SIMs offer better economics long-term. You pay once, top up when needed, and the plan never expires because it doesn’t include a phone number, texting, or calling - just data. The tradeoff is complexity: you need a temporary number to register accounts with Apple, Google, and Signal, and you need to give people your Signal username instead of a phone number. But you gain persistence without worrying about whether your number will expire, and you reduce ongoing costs. This approach requires more technical knowledge but works well for people who can manage the setup and are organizing long-term rather than responding to immediate crises.
Cell-Site Simulators: The Surveillance You Can’t Control
Understanding these practical responses helps, but there’s another layer of surveillance you can’t protect against with device security alone, and understanding this reveals the limits of technical measures. Even if you use a secondary phone, even if you clear data after every action, cell-site simulators create exposure you cannot control.
Cell-site simulators, also known as Stingrays or IMSI catchers, masquerade as legitimate cell-phone towers and trick phones within a certain radius into connecting to them rather than to real towers. Your phone naturally connects to whatever signal appears strongest, which is a feature of how cellular networks work - you want your phone to connect to the best available signal. Cell-site simulators exploit this by broadcasting signals stronger than legitimate cell sites or by manipulating flaws in cellular protocols to force phones to disconnect from real towers and connect to the simulator instead.
Once your phone connects, it reveals your location and transmits your IMSI - your International Mobile Subscriber Identifier, which is unique to your SIM card. If the simulator downgrades your connection to 2G, which many can do, it can potentially intercept call metadata, the content of unencrypted calls and texts, and some data usage like websites visited. Some simulators can do even more: divert calls and texts, edit messages, spoof caller identity. And you have no way to know any of this is happening.
Law enforcement uses these devices to locate specific phones or to gather the IMSI of everyone in a specific area. Some simulators are small enough to fit in a police cruiser or on an officer’s vest, which means they can be deployed anywhere enforcement operates. They can capture data from up to 10,000 phones at a time, which means everyone in a several-block radius around an ICE raid could have their phone identifier captured, their location logged, their presence at that location recorded, without any of them knowing it happened.
ICE uses cell-site simulators. So do the FBI, DEA, Secret Service, and U.S. Marshals. The FBI has attached them to airplanes to track suspects from the air, gathering massive amounts of data about innocent people in the process. A 2023 investigation revealed that ICE, DHS, and the Secret Service have used cell-site simulators many times without following their own rules on deployment or getting warrants, which means even internal guidelines meant to constrain use aren’t reliably followed.
Cell-site simulators have been deployed at protests. Miami-Dade Police apparently first purchased one in 2003 to surveil protestors at a Free Trade conference. They’re suspected to have been used during 2020 protests against police violence. This means the technology isn’t reserved for major criminal investigations - it’s used for monitoring civic activity, for mapping who attends what kind of organizing, for creating records of presence that persist long after any particular action ends.
What this means for communities documenting ICE raids is that your phone’s unique identifiers can be captured, creating a permanent record of every action you attend, even with a secondary phone, even with Signal, even with all the security measures in place. If a cell-site simulator is deployed near an ICE raid you’re documenting, your phone connects to it automatically because your phone is designed to connect to the strongest signal available. You have no way to know it happened. Most people can’t tell whether their phone’s signals have been accessed. The secondary phone protects you from what’s on the device if it’s seized, but it doesn’t protect you from your presence being logged if a simulator is nearby.
Cell-site simulators also disrupt communications within up to a 500-meter radius, interrupting important calls and even emergency 911 calls. When you’re documenting an ICE raid and trying to coordinate with others, your phone might be connecting to a simulator rather than a legitimate tower, which means your communications might be compromised and your coordination might be intercepted without you knowing. The very tools you’re using to create accountability might be actively monitored by the actors you’re trying to hold accountable.
This surveillance relies on vulnerabilities in our communications systems that the government should be helping to fix rather than exploiting. The problem isn’t that cellular networks connect to the strongest signal - that’s how they’re designed to work, and it’s a feature that serves users under normal circumstances. The problem is that this feature is being weaponized against communities exercising constitutional rights, against people watching, against people talking to their neighbors, against people helping someone they know exercise their rights. Basic civic activities now carry surveillance risk because the state has decided that community itself is the threat.
The use of cell-site simulators has been shrouded in secrecy, which tells you something about how law enforcement views their use. Police have used them without warrants, obtained deceptive court orders without explaining the true nature of surveillance, and withheld information from defense attorneys and judges about how evidence was actually gathered. Prosecutors have accepted plea deals to hide their use and have dropped cases rather than reveal information about the technology. The FBI has told police officers to recreate evidence from the devices to preserve secrecy, which means even when simulators are used, the official record may not reflect that use.
Some states now require warrants for cell-site simulators. California law requires a warrant except in emergencies. A recent Congressional Oversight Committee report called on Congress to pass laws requiring warrants nationwide. But in many jurisdictions, no warrant is required, and even where warrants are required, they’re often obtained through deception about what the technology actually does. The legal protections are inconsistent and often ineffective.
There is no device-level security that protects against this. You cannot configure your phone to refuse connection to a cell-site simulator because your phone is designed to connect to the strongest available signal. You cannot encrypt your IMSI because it has to be transmitted for your phone to connect to the network. You cannot prevent your location from being captured because connecting to a cell site inherently reveals your location. The vulnerability is in the cellular network itself, not in your device’s security settings, which means all the careful work you do to secure your device doesn’t protect against this particular threat.
Understanding this helps you see why the practical responses communities have developed - secondary phones, careful operational discipline, clearing data after actions - reduce some risks but can’t eliminate the fundamental tension. Creating accountability requires documentation. Documentation requires presence. Presence with a phone creates exposure through metadata, through device seizure, through cell-site simulators, through surveillance technologies that are designed to capture your presence even when you’re using tools designed to protect your communications. The tactics reduce harm. They don’t eliminate it.
What Actually Helps: Questions, Not Answers
This series has outlined a threat model that standard data security frameworks weren’t built to address. Physical seizure by actors claiming legal authority. Counter-surveillance by state agencies. Enforcement happening faster than courts can intervene. Documentation itself becoming grounds for investigation. An expansion of state power that treats watching, talking to neighbors, knowing your rights, and helping others exercise theirs as suspicious rather than civic.
The frameworks help with some threats. Encryption protects message content against unauthorized access. Access controls limit who can see what on shared systems. Data minimization reduces the total amount of information at risk. These are real protections that matter. But they can’t solve the core tension: creating accountability requires documentation, and documentation creates exposure to the very actors you’re trying to hold accountable. No technical measure eliminates this tension because the exposure is required for the work.
So what actually helps when you can’t secure your way to safety?
Not prescriptive advice that promises safety if you follow all the steps. Not a checklist where completing every item means you’ve eliminated risk. Not a framework that resolves the impossible calculus by finding the one right answer that balances everything. Those approaches assume the problem can be solved, but as the previous sections have shown, it can’t. The problem is inherent to the work.
What helps is clear thinking about risk. Understanding what you’re protecting and what you’re accepting. Making informed choices about which exposures to carry in order to do work that requires exposure. This means asking questions that force you to be explicit about tradeoffs rather than pretending the tradeoffs don’t exist.
What are you trying to protect? This sounds obvious, but it matters because “protect everything” isn’t possible, and different answers lead to different choices about which protections to implement. Are you primarily trying to protect your contacts - the people in your network who shouldn’t be exposed by your organizing? Then a secondary phone makes sense, even though it costs money and operational overhead. You’re accepting reduced documentation continuity in order to protect the people you’re organizing with. Are you primarily trying to protect documentation - the evidence of violations that could support legal challenges or create public accountability? Then a primary phone with strong security, cloud backups to separate encrypted accounts, and copies distributed to trusted people makes more sense, even though it means your contacts are exposed if your device is seized. You’re accepting greater personal risk in order to preserve comprehensive documentation.
The point isn’t that one choice is right and the other wrong. The point is that you can’t protect everything equally, so being explicit about priorities helps you make choices that align with what matters most to you and to the work you’re doing.
What risks are you willing to accept? You cannot eliminate risk while creating accountability. You can only choose which risks to carry. Being clear about this helps you prepare for consequences rather than being blindsided when they arrive. If you’re willing to risk device seizure because filming everything and documenting comprehensively matters more than protecting your device, then prepare for that risk: use a strong password not biometric unlock, disable cloud backups for sensitive apps, have a plan for what happens if you lose access to your device. Know what legal support is available. Know what your rights are if detained. Know what can and can’t be compelled. The risk doesn’t go away, but preparation means you’re not improvising in the moment when the seizure happens.
If you’re willing to risk metadata exposure because real-time coordination matters more than hiding network patterns, then prepare for that risk: understand what metadata reveals, vary timing when possible to avoid predictable patterns, use multiple devices when necessary to obscure direct connections, accept that some exposure is unavoidable and focus on protecting the most sensitive coordination. The FBI can still map your network, but you’ve made informed choices about what level of visibility you’re accepting in order to coordinate effectively.
If you’re willing to risk investigation because being visible as a witness matters more than staying off federal radar, then prepare for that risk: know your rights thoroughly, have legal support ready before you need it, understand what can and can’t be compelled in interrogations, document the fact that you’re being targeted if you are. The investigation can still happen, but you’re not surprised by it and you have resources to respond.
What can you distribute so it’s not all on you? Humanitarian organizations learned this through hard experience: don’t centralize risk in one person, because if that person is targeted, everything is compromised. Distribute documentation across multiple people so that if one device is seized, others still have evidence. Share knowledge about patterns and tactics across the network so that if one person is detained, others can continue the work. Coordinate through multiple channels so that if one is monitored or compromised, communication can continue through others.
Communities doing this work can apply the same principle. Different people film from different angles, which means enforcement can’t suppress all documentation by targeting one person. Documentation gets shared immediately so it’s not all on one device and seizure doesn’t mean loss of all evidence. Coordination happens through multiple channels so that compromise of one doesn’t eliminate all ability to communicate. Knowledge about ICE patterns and tactics is distributed rather than centralized so that losing one person doesn’t mean losing institutional knowledge about how enforcement operates.
Distribution has costs. More people exposed means more people at risk. More devices that could be seized means more potential points of compromise. More coordination channels means more metadata patterns for authorities to map. But distribution also means enforcement can’t silence accountability by targeting one person, can’t eliminate documentation by seizing one device, can’t disrupt organizing by investigating one coordinator. The tradeoff is worth it when the alternative is fragility that makes the entire operation dependent on individuals who can be targeted.
What do you know that helps you decide? ICE doesn’t operate randomly. They tend to target specific locations at specific times. They use similar tactics across actions. They follow patterns that communities can learn by watching them. This knowledge doesn’t eliminate risk, but it helps you assess risk before each action and make different choices based on different circumstances.
If ICE has been active in a specific area recently, if enforcement has been happening at a particular school during morning drop-off, if federal presence in a neighborhood is elevated, that’s high risk. You might decide to bring a secondary phone not your primary, minimize who’s present, have legal support actively ready rather than just on call. You might decide to focus on pattern documentation rather than comprehensive filming, or to prioritize getting people to safety rather than maximizing evidence collection. The risk is higher, so the precautions are greater.
If there’s been no recent enforcement in an area, if this is observation rather than direct presence during a raid, if federal activity is at normal baseline, that’s lower risk. You might decide a primary phone is acceptable risk because the likelihood of seizure is lower and comprehensive documentation matters. You might decide that more people being present is worth it because the chance of mass detention is minimal. You might prioritize evidence collection because the immediate threat is lower.
The knowledge doesn’t eliminate risk, but it helps you make informed choices about which risks to accept when. It helps you calibrate your response to actual threat level rather than operating at maximum precaution all the time, which is exhausting and unsustainable and eventually leads to important documentation not happening because people are too worn down by constant maximum-security posture.
What support do you have? You cannot do this work alone, which is true both operationally and psychologically. Operationally, you need people who check in, who know you’re going to an action and expect you back, who know what to do if you’re detained, who can wipe your device remotely if needed, who have copies of documentation if yours is seized. This is infrastructure, not just emotional support - these are operational necessities that make the work possible.
Psychologically, you need people who understand the impossible position you’re in, who can help you think through tradeoffs when every choice carries costs, who can remind you why the work matters when the risks feel overwhelming, who can help you stay grounded when the surveillance and counter-surveillance and investigation announcements are designed to create fear. Support infrastructure isn’t technically a data security measure, but it’s what makes risk sustainable over time. You can accept exposure when you’re not carrying it alone. You can document enforcement when you know someone will notice if you don’t come back. You can continue the work when you have people who understand both why it matters and what it costs.
What are you learning as you do this? Every action teaches you something about the actual threat rather than theoretical threat. Where ICE actually shows up, not where you fear they might. How they actually operate, not how you imagine they might. What actually gets seized versus what gets threatened. What actually gets used in investigations versus what creates fear without follow-through. What legal challenges actually work versus what sounds good but doesn’t hold up. What protections actually help versus what creates false confidence.
Treat this as continuous learning rather than static implementation of fixed procedures. What you know today about risk will change as you learn more through direct experience. The protections you implement now might need adjustment as the threat evolves and as you learn which threats are real and which are theoretical. The calculus you make this week might be different next month based on what you’ve learned about actual consequences versus feared ones.
Static frameworks don’t work for evolving threats. What helps is staying alert to what’s actually changing, adjusting protections based on what you’re actually learning, and sharing knowledge across the community so everyone benefits from everyone’s experience rather than each person learning the same lessons individually.
Conclusion
Communities across Minneapolis have been exercising their constitutional right to observe law enforcement in public spaces. Standing outside schools during morning drop-off. Monitoring courthouses. Watching for enforcement vans. Recording when ICE shows up. Making sure no one is taken without someone knowing, without someone documenting, without someone bearing witness. Someone to take care of the cars that are abandoned, often dangerously in the middle of the streets. This cannot happen without witnesses.
Standard data security frameworks were built for one threat model and don’t address this one. Humanitarian contexts taught tactics that help reduce some risks, but they can’t solve the fundamental tension. Communities documenting ICE aren’t reporting to donors - they’re creating accountability of powerful actors through direct observation, visible presence, being seen as witnesses. You cannot create accountability without documentation. You cannot document without devices. Devices create exposure. Exposure is unavoidable.
The calculus is impossible. Every protection that reduces one risk creates another. Every security measure has costs that might undermine the work itself. There is no choice that eliminates risk while still doing the work. What actually helps is not a framework that promises security but clear thinking about impossible choices: understanding what you’re protecting and what you’re accepting, knowing which risks you’re willing to carry, distributing exposure so it’s not all on one person, using knowledge to make informed decisions, building support infrastructure that makes risk sustainable, learning continuously as the threat evolves.
For an administration that ran on the idea of small government, this represents an extraordinary expansion of state power into the most basic civic activities. Watching. Talking to your neighbors. Knowing your rights. Helping someone exercise theirs. These are not radical acts but rather the ordinary functioning of a society where people look out for each other. The fact that they now carry risk is not a sign that communities have become threatening but rather that the state has decided community itself is the threat.
Enforcement happening without witnesses is enforcement without accountability. And accountability matters enough to accept the risk that comes with creating it.
Read Part 1 for the full exploration of how standard data security frameworks and humanitarian tactics address (or fail to address) the threat of authorized seizure and counter-surveillance by powerful state actors.
Anthralytic is a social impact and evaluation studio helping mission-driven teams amplify their impact.
