LETU IT KnowledgeBase

Child pages
  • International Travel with Technology
Skip to end of metadata
Go to start of metadata


On This Page
Introduction

This web page provides information to help you travel securely with computers and other electronic devices.

Your electronic devices can contain your personal information, unpublished research, intellectual property, and other and confidential LETU information. Devices that are stolen or compromised result in the compromise of stored information as well.

Also keep in mind that when traveling to a foreign country, your electronic devices and the information they contain are at greater risk.

  • Many foreign countries do not have laws against technical surveillance
  • Some foreign governments help their domestic corporations collect competitive intelligence
  • Confiscations and "inspections" of electronic devices aren't uncommon. If this happens, you should assume your data has been copied

In testimony before the Senate Select Committee on Intelligence, James R. Clapper, the Director of National Intelligence, stated that foreign intelligence services from China, Russia, and Iran "have launched numerous computer network operations targeting U.S. Government agencies, businesses, and universities" and are "aggressive and successful purveyors of economic espionage against the United States."

These intelligence services are targeting higher education in particular. The FBI has published a white paper detailing University-specific attacks, as well as published an article about hacking travelers with eye-opening statements:

  • [One savvy traveler] "leaves his cellphone and laptop at home and instead brings 'loaner' devices, which he erases before he leaves the United States and wipes clean the minute he returns."
  • "What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia - like Google, the State Department and the Internet security giant McAfee."
  • "If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated," said Joel F. Brenner, formerly the top counterintelligence official in the Office of the Director of National Intelligence.
  • Mandiant, a leader in the forensic analysis of Advanced Persistent Threats, recently published a report on nation-state sponsored espionage of the sort seen by Google, Apple, Yahoo, and The New York Times.

Planning for safe digital travel involves analyzing the risk versus your business requirements, taking into account the value of the data you carry with you as well as the data and services to which your accounts have access.

Examples of data that should be left on campus or afforded exceptional protection include information that might be construed as sensitive by the host government, and any Confidential or Sensitive Information as defined by LETU.

The only truly secure option is to abstain from digital device use during your travels.

Recommendations for International Travel

RED RECOMMENDATIONS: FOR TRAVELERS VISITING EXTREMELY SENSITIVE DESTINATIONS AND/OR USING EXTREMELY SENSITIVE DATA

Before your trip:

  • Contact LETU IT to discuss your trip and appropriate precautions to take with devices and data
  • If traveling to a country which disallows encryption products, work with IT to prepare a “loaner” device

During your trip:

  • If you need to share data with fellow faculty/staff from your university, use encrypted flash drives to transfer data back and forth
  • Take a loaner "dumbphone" (no data storage) instead of your smartphone
  • Shut down devices when not in use (do not use sleep or hibernate features)
  • Keep your device(s) on your person at all times — remember that hotel safes may be compromised

After your trip:

  • Erase and reformat the hard drive, especially on a loaner device
  • Wipe data from a temporary "dumbphone"

YELLOW RECOMMENDATIONS: FOR TRAVELERS VISITING MODERATELY SENSITIVE DESTINATIONS OR USING MODERATELY SENSITIVE DATA

Before your trip:

  • Ensure your device is encrypted (if permitted by the nation to which you are traveling)
  • Password-lock auto-encrypts iPhones and Windows Phones; Android users should manually enable encryption
  • Laptops: Use BitLocker for hard drive encryption on Windows; use FileVault on Mac OS systems
  • "Sanitize" your laptop to remove any sensitive data
    • A product such as Identity Finder can assist this process
    • Only take data necessary for the specific trip
    • Consider taking a temporary device such as a loaner laptop or prepaid phone

During your trip:

  • When using shared Wi-Fi, stay connected to LETU's VPN.
  • Do not use "shared" computers at a business center or kiosk, etc.

After your trip:

  • Consider changing passwords for all services/systems you used from overseas

GREEN RECOMMENDATIONS: BASELINE SECURITY FOR ALL TRAVELERS, FOREIGN OR DOMESTIC

Before your trip:

  • Ensure data is backed up on a server, drive, or other device NOT making the trip
  • Ensure your PC is patched and the antivirus software updated
  • Disable Bluetooth and Wi-Fi on your devices, and only turn them on when in use

During your trip:

  • Assume your data on any wireless network can be monitored, and act accordingly. Use a VPN whenever possible, especially while on public networks and/or when accessing sensitive data
  • NEVER let anyone else borrow or use your devices
  • Do not borrow any devices (e.g. a USB drive) for use on your computer
  • Do not install any software on your PC
  • Be aware of "shoulder surfers" — anyone physically monitoring the use of your device
  • Keep your devices under your physical control or secured in a proper location when they are not. Never check devices or storage devices in luggage

After your trip:

  • Perform a full virus and malware scan
Encryption

All University-owned laptops must be encrypted. However, in some countries you need permission before you can bring in an encrypted laptop or other device.

In addition some encryption software requires a licence before it can be exported from the USA (but not the standard products the University uses: BitLocker and FileVault)

USA export controls requires licensing for the export of restricted encryption software and hardware. However, mass market products which are freely available to the public, such as BitLocker and FileVault which are used on Microsoft and Apple computers within the University, are not subject to export control.

Countries which you can freely enter with an encrypted laptop

Some countries allow individuals to enter with encrypted devices, without the need to seek any licence or permission. These ‘Permitted Countries’ grant individuals a "personal use exemption" to freely enter with encrypted laptops, as long as the individual does not create, enhance, share, sell or otherwise distribute the encryption software during his/her stay in the relevant Permitted Country. A list of Permitted Countries (as of 2011) can be found in the Appendix at the end of this document.

Although you do not need a licence to take an encrypted laptop into the Permitted Countries, upon entry you may still be asked to divulge the contents of your laptop, including decrypting the laptop. See the 'Recommendations for International Travel' section above for further advice in this regard.

Countries for which you need permission to enter with an encrypted laptop

Countries that do not feature on the list of Permitted Countries will normally only grant import permission on the production of an import licence. Licenses are usually obtained in advance through application to the government of the country in question. Please check with the Embassy or Consulate of the country you are intending to visit well in advance of your intended departure. Please note that even with a licence, you may be asked to decrypt your device at the port of entry.

Taking an encrypted device to certain countries without possession of the appropriate licences could violate both USA export controls and/or the import regulations of the country to which you're traveling. This could result in the confiscation of the device, fines and/or other penalties. The laws of a country can change at any time. Therefore, before traveling internationally, it is important to ensure that you have the most up-to-date information about traveling with encrypted devices.

University employees who have a need to travel to a country which does not permit the import of an encrypted device without a permit or licence are responsible for obtaining such permission before taking an encrypted device to such a country. This is the default approach and we recommend that this is explored in preference to the other options below. A list of such countries can be seen in the Appendix at the bottom of the page.

What to do if you cannot satisfy encryption export or import control requirements 

If you are not able to meet the import or export requirements for a country you are about to visit, LETU IT recommends the following:

  1. Travel with an unencrypted device. However, traveling with an unencrypted device is acceptable only in the following scenario:
    • There is no data whatsoever held locally on the laptop and it is used only as a terminal to access other services, so that as the user travels they are able to access email, personal and shared folders which remain on University servers and, in the event the device is lost or stolen no data would be lost. If you are a member of the University's faculty or staff, you can checkout a "loaner laptop" from LETU IT for $5/day.  A loaner laptop is a notebook that is preloaded with standard University software, but does not contain data that could put the University at risk if the laptop is lost or stolen. In the event a checked out device is lost or stolen, the individual to whom the device is checked out would be responsible for replacing that device at cost to his/her department.
Mobile Data

With the prevalence of global-ready phones, many students and faculty will be interested in having voice and data access on their mobile devices.

  • Only certain phones are compatible; each carrier keeps up-to-date records of which countries it serves
  • Data transfer in foreign countries can be very expensive. It is important to set up applications to use as little data as possible (downloading only message headers, not automatically downloading attachments, etc.)
  • The major U.S. telecoms provide tips to their users on managing data usage while overseas: AT&TVerizon
Appendix

Permitted Countries

The following countries have signed an agreement permitting an individual traveler to bring an encrypted laptop into the country under a "personal use" exemption, as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting.

  • Argentina
  • Australia
  • Austria
  • Belgium
  • Bulgaria
  • Canada
  • Croatia
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • New Zealand
  • Norway
  • Poland
  • Portugal
  • Republic of Korea
  • Romania
  • Slovakia
  • Slovenia
  • South Africa
  • Spain
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom
  • United States

 

Restricted Countries


The following nations, including two Wassenaar signatories indicated by an asterisk (*), do not recognize a "personal use exemption".  Before traveling to these countries with an encrypted device, you will need to apply to their specified governmental agency for an import license:

  • Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required
  • Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable. Contact the US State Department for further information
  • China - a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. You can either apply for the permit on your own, or contact our McAfee authorized distributor
    • In particular, the "Great Firewall of China" can pose an unpredictable and undocumented hindrance to travelers
  • Hungary - an International Import Certificate is required. Contact the US State Department for further information
  • Iran - a license issued by Iran's Supreme Council for Cultural Revolution is required
  • Israel - a license from the Director-General of the Ministry of Defense is required.  For information regarding applicable laws, policies and forms, please visit the following website:http://www.mod.gov.il/pages/encryption/preface.asp
  • Kazakhstan - a license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required
  • Moldova - a license issued by Moldova's Ministry of National Security is required
  • Morocco - a license is required, but licensing regime documentation is unavailable. Contact the US State Department for further information
  • *Russia - licenses issued by both the Federal Security Service (Federal'naya Sluzhba Bezopasnosti - "FSB") and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia
  • Saudi Arabia  - it has been reported that the use of encryption is generally banned, but research has provided inconsistent information.  Contact the US State Department for further information
  • Tunisia - a license isued by Tunisia's National Agency for Electronic Certification (ANCE) is required
  • *Ukraine - a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required

Since laws can change at any time, please check with the US State Department before travelling internationally to ensure that you have the most up-to-date information.  Additional information about international encryption controls can be found at the following websites:

http://rechten.uvt.nl/koops/cryptolaw/index.htm

http://www.wassenaar.org/introduction/index.html

 

Embargoed Countries

  • Cuba
  • Iran
  • North Korea
  • Sudan
  • Syria

If you must travel to one of the five embargoed countries, you may be able to obtain the appropriate export license, but the process can take, on average, ninety days for review. The Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within Dept. of Treasury accept applications for licenses to export encryption products and technologies. If you cannot obtain an export license, see the section above entitled "What to do if you cannot satisfy encryption export or import control requirements."

  • Link to any related KB articles or External Links

There is no content with the specified labels

Acknowledgments

Other good information is maintained by HEISC: https://spaces.internet2.edu/display/2014infosecurityguide/Security+Tips+for+Traveling+Abroad