Executive Summary
Insikt Group assesses that government digital surveillance activities pose a high or very high risk in 31 countries, where state actors exploit telecommunications infrastructure, homegrown and commercial spyware, and artificial intelligence (AI)-powered tools to monitor foreign nationals and business travelers with little to no legal accountability. A further 55 countries categorized as medium risk frequently deploy less-sophisticated surveillance capabilities to target political opposition and dissent, highlighting the need for organizations to adopt appropriate mitigation measures in jurisdictions with limited oversight mechanisms and track records of surveillance targeting foreign entities or supporting domestic repression.
Insikt Group has identified five broad categories of digital surveillance capabilities built in-house or acquired by governments: network interception, endpoint compromise, platform-level access, public space surveillance, and data aggregation. The risk of a government abusing these capabilities is almost certainly higher in jurisdictions lacking independent oversight mechanisms or clear delineations of the legal, necessary, and proportional use of these capabilities, in line with international standards.
Foreign nationals and business travelers who fail to adequately understand and prepare for digital surveillance risks prior to traveling or conducting operations in a given location can face significant personal and organizational damages, including sensitive data breaches, IP theft, targeted intelligence operations, reputational harm, and increased risks from physical threats or detention.
As such, individuals traveling abroad and their respective organizations should implement mitigation measures to protect sensitive data, commensurate with the level of state surveillance risk in the destination country. These measures range from maintaining standard security hygiene in lower-risk environments to using sterile, non-corporate devices when operating in high-risk jurisdictions.
Key Findings
- Insikt Group assesses that there are “high” or “very high” levels of digital surveillance risk in 31 countries due to their use of advanced surveillance capabilities against foreign businesses, travelers, and government critics, with limited to no oversight.
- A further 74 countries have “medium” levels of digital surveillance risk. While 55 of these countries are not known to have deployed advanced surveillance capabilities, there is evidence that their governments have deployed less sophisticated surveillance measures for a variety of purposes, which may include monitoring political opposition, human rights activists, and journalists. The remaining 19 countries in this category possess advanced surveillance capabilities, but are not known to typically use them in violation of national or international laws.
- By exploiting control over telecommunications infrastructure and online platforms, governments can conduct mass, indiscriminate monitoring of traffic and user data. The risk of abuse of network interception and platform-level access is almost certainly greatest where judicial authorization requirements and procedural safeguards are weak.
- The proliferation of commercial spyware, AI-powered public security infrastructure, and increasing collection of biometric and personal data almost certainly enables governments to build comprehensive digital profiles of individuals and leverage them for targeted surveillance operations.
- Digital surveillance that is not subject to robust oversight and does not abide by the principles of legality, necessity, and proportionality very likely incurs heightened operational, reputational, and legal costs for organizations and individuals, including the loss of sensitive data, the proliferation of cyber vulnerabilities, and legal and physical risks.
Components of Surveillance Risk
Insikt Group regularly assesses risks to business travelers and foreign nationals from government-run digital surveillance operations in 193 countries using Recorded Future’s Country Risk analytic framework. Customers can access Country Risk analysis by querying for State Surveillance Notes in the Recorded Future Intelligence Operations Platform. State Surveillance Notes assess the overall level of state surveillance risk in a given country based on three primary categories:
- Surveillance Capabilities: The ability of intelligence services, law enforcement agencies, or other state-affiliated or directed entities to undertake digital surveillance, and the scope of these digital surveillance capabilities. This category includes the capabilities of a variety of state and state-nexus actors, including specialized surveillance agencies with broad access to digital infrastructure, state-affiliated groups that deploy spyware for cyber espionage, and individual law enforcement units that carry out traditional wiretapping.
- History of Digital Surveillance Operations: A government’s historical willingness to carry out unlawful, arbitrary, or overbroad digital surveillance operations. This can include surveillance that violates national law — such as government entities monitoring communications without appropriate authorization — but also covers surveillance that may be sanctioned under national legislation but violates international principles of legality, necessity, and proportionality.
- Oversight Mechanisms: The existence and efficacy of judicial, legislative, or independent oversight bodies that approve and monitor a government’s digital surveillance operations for compliance with domestic and international law.
A comprehensive evaluation of state surveillance risk in a country requires a composite assessment that takes into account all three categories. For example, a country purchasing high-profile spyware may not, by itself, indicate a high level of risk to business travelers or foreign nationals, provided that the government has a good track record of respecting domestic and international privacy protections and has strong judicial and legislative oversight of intelligence and security agencies. In contrast, a country with less advanced capabilities, but strict control over internet infrastructure and few restrictions on the government’s ability to collect user data, likely poses a greater risk to travelers’ and foreign nationals’ data security.
Insikt Group assesses whether a country’s history of digital surveillance constitutes a risk to foreign nationals and travelers based on its alignment with international principles on privacy and digital rights. Article 12 of the United Nations (UN) Universal Declaration of Human Rights establishes that no individual “shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.” A 2022 UN General Assembly resolution on privacy in the digital age states that “unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, hacking and the unlawful use of biometric technologies, as highly intrusive acts, violate the right to privacy” and that states should ensure that any interference with this right is consistent with principles of “legality, necessity, and proportionality.”
“Legality,” in this formulation, requires that surveillance or interception be prescribed by “a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.” Surveillance must also be necessary to further the purposes identified in corresponding law, take the least intrusive form required to do so, and be proportionate in scope to the interest being protected.
Key Components of State Digital Surveillance Risk

| Capabilities | Surveillance History | Oversight |
| --- | --- | --- |
| What technologies support a government’s ability to conduct surveillance? | Who is monitored, and under what conditions? | Does surveillance require prior judicial authorization? |
| Do capabilities enable mass surveillance or data collection? | Do authorities surveil activists, journalists, foreign diplomats, or business representatives? | Do judicial, legislative, or expert oversight bodies review surveillance programs’ compliance with domestic and international law? |
| Who are the primary providers of surveillance technologies? | Does surveillance align with international and domestic law? | Are oversight bodies independent, impartial, and effective? |
| Which government entities have access to these surveillance capabilities? | Are government security and intelligence entities linked to rights violations? | |

Table 1: State surveillance risk level is a function of not only a jurisdiction’s surveillance capabilities, but also its history of deployment of those capabilities and oversight mechanisms (Source: Recorded Future)
Applying these criteria, and based on data collected from 2024 to 2026, Insikt Group has assessed the level of risk associated with state digital surveillance in 193 countries:
- Six countries (3%) – Belarus, China, Iran, Myanmar, North Korea, and Russia – are “very high risk,” denoting evidence of advanced surveillance capabilities, a lack of independent oversight, regular surveillance targeting foreign businesses and travelers, and widespread suppression of political opposition or dissent.
- 25 countries (13%) are “high risk,” indicating evidence of moderate to advanced surveillance capabilities, limited independent oversight, and the use of surveillance tools to repress domestic political opposition, activism, or reporting critical of the government.
- 74 countries (38%) are “medium risk,” indicating either evidence of advanced surveillance capabilities that are not typically used in violation of national or international laws (19 countries), or evidence of less advanced capabilities that are frequently employed to suppress political dissent and activism (55 countries). While countries in this risk tier may have established systems for oversight or judicial review, government surveillance operations do not always remain within their purview.
- 65 countries (34%) are “low risk,” indicating evidence of moderate to advanced surveillance capabilities exercised under strong oversight with established records of avoiding unlawful or arbitrary surveillance (39 countries), or evidence of limited surveillance capabilities (26 countries).
- 23 countries (12%) are “very low risk,” indicating minimal ability to conduct digital surveillance, well-established oversight mechanisms, and no indications of surveillance abuses.



