International Travel with Technology

Body

IT KnowledgeBase : International Travel with Technology

Created by Davis, Michael, last modified by Johnson, Ken on Nov 22, 2019
 

This web page provides information to help you travel securely with computers and other electronic devices.

Your electronic devices can contain your personal information, unpublished research, intellectual property, and other and confidential LETU information. Devices that are stolen or compromised result in the compromise of stored information as well.

Also keep in mind that when traveling to a foreign country, your electronic devices and the information they contain are at greater risk.

  • Many foreign countries do not have laws against technical surveillance
  • Some foreign governments help their domestic corporations collect competitive intelligence
  • Confiscations and "inspections" of electronic devices aren't uncommon. If this happens, you should assume your data has been copied

In testimony before the Senate Select Committee on Intelligence, James R. Clapper, the Director of National Intelligence, stated that foreign intelligence services from China, Russia, and Iran "have launched numerous computer network operations targeting U.S. Government agencies, businesses, and universities" and are "aggressive and successful purveyors of economic espionage against the United States."

These intelligence services are targeting higher education in particular. The FBI has published a white paper detailing University-specific attacks, as well as published an article about hacking travelers with eye-opening statements:

  • [One savvy traveler] "leaves his cellphone and laptop at home and instead brings 'loaner' devices, which he erases before he leaves the United States and wipes clean the minute he returns."
  • "What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia - like Google, the State Department and the Internet security giant McAfee."
  • "If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated," said Joel F. Brenner, formerly the top counterintelligence official in the Office of the Director of National Intelligence.
  • Mandiant, a leader in the forensic analysis of Advanced Persistent Threats, recently published a report on nation-state sponsored espionage of the sort seen by Google, Apple, Yahoo, and The New York Times.

Planning for safe digital travel involves analyzing the risk versus your business requirements, taking into account the value of the data you carry with you as well as the data and services to which your accounts have access.

Examples of data that should be left on campus or afforded exceptional protection include information that might be construed as sensitive by the host government, and any Confidential or Sensitive Information as defined by LETU.

The only truly secure option is to abstain from digital device use during your travels.

 

RED RECOMMENDATIONS: FOR TRAVELERS VISITING EXTREMELY SENSITIVE DESTINATIONS AND/OR USING EXTREMELY SENSITIVE DATA

Before your trip:

  • Contact LETU IT to discuss your trip and appropriate precautions to take with devices and data
  • Ensure you are configured to use MFA and confirm that it is operating correctly before you leave the US.
  • If you require the ability to use your LETU cell phone during your trip, contact LETU IT well in advance to ensure you are on an international cell phone plan before you leave
  • If traveling to a country which disallows encryption products, work with IT to prepare a “loaner” device

During your trip:

  • If you need to share data with fellow faculty/staff from your university, use encrypted flash drives to transfer data back and forth
  • Take a loaner "dumbphone" (no data storage) instead of your smartphone
  • Shut down devices when not in use (do not use sleep or hibernate features)
  • Keep your device(s) on your person at all times — remember that hotel safes may be compromised
  • Never use "shared" computers at a business center or kiosk, etc to access any LETU system (including email or TS1).

After your trip:

  • Erase and reformat the hard drive, especially on a loaner device
  • Wipe data from a temporary "dumbphone"

YELLOW RECOMMENDATIONS: FOR TRAVELERS VISITING MODERATELY SENSITIVE DESTINATIONS OR USING MODERATELY SENSITIVE DATA

Before your trip:

  • Ensure your device is encrypted (if permitted by the nation to which you are traveling)
  • Password-lock auto-encrypts iPhones and Windows Phones; Android users should manually enable encryption
  • Laptops: Use BitLocker for hard drive encryption on Windows; use FileVault on Mac OS systems
  • "Sanitize" your laptop to remove any sensitive data
    • A product such as Identity Finder can assist this process
    • Only take data necessary for the specific trip
    • Consider taking a temporary device such as a loaner laptop or prepaid phone

During your trip:

  • When using shared Wi-Fi, avoid transmission of LETU data except through secure connections such as TS1/Remote Desktop Services.
  • Never use "shared" computers at a business center or kiosk, etc to access any LETU system (including TS1).

After your trip:

  • Consider changing passwords for all services/systems you used from overseas

GREEN RECOMMENDATIONS: BASELINE SECURITY FOR ALL TRAVELERS, FOREIGN OR DOMESTIC

Before your trip:

  • Ensure data is backed up on a server, drive, or other device NOT making the trip
  • Ensure your PC is patched and the antivirus software updated
  • Disable Bluetooth and Wi-Fi on your devices, and only turn them on when in use

During your trip:

  • Assume your data on any wireless network can be monitored, and act accordingly. Use TS1 whenever possible, especially while on public networks and always when accessing sensitive data
  • NEVER let anyone else borrow or use your devices
  • Do not borrow any devices (e.g. a USB drive) for use on your computer
  • Do not install any software on your PC
  • Be aware of "shoulder surfers" — anyone physically monitoring the use of your device
  • Keep your devices under your physical control or secured in a proper location when they are not. Never check devices or storage devices in luggage

After your trip:

  • Perform a full virus and malware scan

 

All University-owned laptops must be encrypted. However, in some countries you need permission before you can bring in an encrypted laptop or other device.

In addition some encryption software requires a licence before it can be exported from the USA (but not the standard products the University uses: BitLocker and FileVault)

USA export controls requires licensing for the export of restricted encryption software and hardware. However, mass market products which are freely available to the public, such as BitLocker and FileVault which are used on Microsoft and Apple computers within the University, are not subject to export control.

Countries which you can freely enter with an encrypted laptop

Some countries allow individuals to enter with encrypted devices, without the need to seek any licence or permission. These ‘Permitted Countries’ grant individuals a "personal use exemption" to freely enter with encrypted laptops, as long as the individual does not create, enhance, share, sell or otherwise distribute the encryption software during his/her stay in the relevant Permitted Country. A list of Permitted Countries (as of 2011) can be found in the Appendix at the end of this document.

Although you do not need a licence to take an encrypted laptop into the Permitted Countries, upon entry you may still be asked to divulge the contents of your laptop, including decrypting the laptop. See the 'Recommendations for International Travel' section above for further advice in this regard.

Countries for which you need permission to enter with an encrypted laptop

Countries that do not feature on the list of Permitted Countries will normally only grant import permission on the production of an import licence. Licenses are usually obtained in advance through application to the government of the country in question. Please check with the Embassy or Consulate of the country you are intending to visit well in advance of your intended departure. Please note that even with a licence, you may be asked to decrypt your device at the port of entry.

Taking an encrypted device to certain countries without possession of the appropriate licences could violate both USA export controls and/or the import regulations of the country to which you're traveling. This could result in the confiscation of the device, fines and/or other penalties. The laws of a country can change at any time. Therefore, before traveling internationally, it is important to ensure that you have the most up-to-date information about traveling with encrypted devices.

University employees who have a need to travel to a country which does not permit the import of an encrypted device without a permit or licence are responsible for obtaining such permission before taking an encrypted device to such a country. This is the default approach and we recommend that this is explored in preference to the other options below. A list of such countries can be seen in the Appendix at the bottom of the page.

What to do if you cannot satisfy encryption export or import control requirements 

If you are not able to meet the import or export requirements for a country you are about to visit, LETU IT recommends the following:

  1. Travel with an unencrypted device. However, traveling with an unencrypted device is acceptable only in the following scenario:
    • There is no data whatsoever held locally on the laptop and it is used only as a terminal to access other services, so that as the user travels they are able to access email, personal and shared folders which remain on University servers and, in the event the device is lost or stolen no data would be lost. If you are a member of the University's faculty or staff, you can checkout a "loaner laptop" from LETU IT for $5/day.  A loaner laptop is a notebook that is preloaded with standard University software, but does not contain data that could put the University at risk if the laptop is lost or stolen. In the event a checked out device is lost or stolen, the individual to whom the device is checked out would be responsible for replacing that device at cost to his/her department.

 

Other good information is maintained by HEISC: https://spaces.internet2.edu/display/2014infosecurityguide/Security+Tips+for+Traveling+Abroad

 

Details

Details

Article ID: 121954
Created
Fri 12/4/20 11:06 AM
Modified
Mon 1/11/21 10:40 AM