Travel Guidance

While traveling, there can be no expectation of physical or technical privacy or security. All information sent electronically can be intercepted, and in some countries hotel rooms are often searched (National Counterintelligence and Security Center). To limit risk, travelers must take actions before they leave, while traveling, and upon returning.

In 2010, Intel sponsored a report that found that approximately one-third of all laptop losses occur while traveling. Among lost or stolen laptops, nearly all were permanently lost (95%). A lost laptop can result in replacement costs, data breach investigations, lost intellectual property, lost productivity, legal ramifications, and consulting and regulatory expenses.

The following travel guidance was derived from Research & Education Networks Information Sharing & Analysis Center (REN-ISAC)’s International Travel Checklist, and provides steps that should be taken to reduce risk of, and mitigate consequences for, a lost/stolen/compromised device, credentials, or unintended disclosure of data (breach). This guidance does not supersede project requirements and/or restrictions on travel as stipulated by, but not limited to: Standard Operating Procedures (SOP), Technology Control Plans (TCP), or Federal or State regulations. 




ARCSIM Travel Guidance Before You Leave

Physical Security

Travel Light! If you don’t need it, don’t take it with you. Less is best.

Review the U.S. State Department’s Travel Advisories list and the Country Information for anticipated destination(s).
Contact the Office of Research Compliance (ORC) to gain awareness of national data protection laws in your home and destination countries.
Contact the Office of Research Compliance (ORC) to gain the knowledge necessary to follow policies for using various devices, institutional data, and institutional resources.
Share with the Office of Research Compliance (ORC) the list of individuals and entities you will be communicating and collaborating with. ORC will ensure these individuals or entities are not restricted or barred by the U.S. Government. Consequences for transferring or transacting with a Restricted Party are severe.
Contact the Office of Research Compliance (ORC) to identify and understand the risks and expectations regarding export-controlled information.
Research personal, criminal, and cyber risks in the country or region you’re visiting.
Purchase and pack privacy screen filters, portable chargers, and country specific plug adapters.
Create an inventory of your devices to compare to upon return. 
Be aware that border and/or customs agents may search your devices multiple times and copy the data on them. Agents may be authorized to search and retain electronic devices without probable cause. Agents may also ask for access to social media profiles, email, and similar accounts when entering or exiting a country, including the U.S. Understand that legally confiscated electronic devices may not be returned for months, and that any passwords provided during a search should be changed as soon as securely possible. Refusing a search request can result in consequences that vary by location.

Technical Security

Consult University of Maine System Information Technology (UMS:IT) about this Technical Security checklist if additional support is needed.

Consult with your campus IT staff, the Information Security Office (ISO), or ARCSIM about special concerns regarding your technology or your destinations.
See if low-cost, loaner devices are available to mitigate the risk of losing more valuable equipment.
Turn on two-factor authentication where available and with credentials intended for use while traveling.
Contact UMS:IT to request forwarding of office phone voicemails to email.
If encryption is legal in the country you are visiting, ensure your devices have full disk encryption. If a device is encrypted when lost or stolen, the data is significantly more secure. A lost or stolen unencrypted device may put UMS at risk of monetary fines in the event of a breach.
If encryption is illegal in the country you are traveling to, or encrypted devices are not permitted to be brought into it, then consider bringing a wiped (erased) and unencrypted device.
Use institutionally approved data storage. See Permitted and Restricted Systems for Data Storage and Data Processing for more guidance. 
Refrain, when possible, from using any cloud-based storage while abroad.
Back up all data prior to travel, and take only essential data with you. Remove any confidential or restricted data from your devices. Traveling with certain types of data can result in violation of export control, national security regulations, or UMS policy. Consider removing unpublished data.
Make sure your antivirus program is updated and performing regular updates and scans.
Update your operating system to all of the latest security patches.
Install software updates/patches and all needed application software before you leave. Use a trusted and secured network (e.g., eduroam, VPN) and a valid source.
Uninstall unnecessary applications and ensure that necessary applications have the latest security patches.
Check your cell phone coverage and international data plan options.
Consider using a non-smartphone when traveling internationally. A non-smartphone that will only be used for making calls is ideal. If not, back up your device and reset it to factory default settings to clear personal information.
Enable the University of Maine’s VPN access. Be aware that some countries block VPNs. Talk to UMS:IT for alternatives if needed.
Use complex passwords instead of PINs or codes for screen locks on your device.
Clear your internet browser of history, caches, cookies, URLs, and temporary internet files. All web browsers should be set to automatically clear browsing history and cache after each session.
Update voicemail greetings and automatic email replies, as appropriate.

 


ARCSIM Travel Guidance While Traveling

Physical Security

Be aware of your surroundings. Watch for those looking over your shoulder or potential thieves.

Keep safe by carrying only necessities, keeping bags zipped, and practicing situational awareness.
Do not leave electronic devices unattended. Protect electronic devices by keeping them secure, locked, and hidden from sight when not in use. Do not check them with luggage and do not assume they are secure if left in a hotel room.
Protect RFID-enabled devices and bank cards with RFID shielded containers.
Report stolen devices to your native embassy or consulate and other appropriate authorities immediately.
Protect your data by using privacy screen filters and avoiding public discussions of sensitive data. Again, be aware of your surroundings.

Technical Security

Assume everything you do on your devices is being monitored, and adjust your actions accordingly.

Be wary of charging stations; use wall outlets with your own chargers or external batteries instead. There may be a hostile computer on the other end of the wire.
Do not use unknown storage devices. These can silently deploy malware onto your device.
Avoid using courtesy computers in business centers. Be aware that keyloggers, “shoulder surfing” and cameras pointed toward keyboards are common ways that credentials are compromised.
Disable Wi-Fi, Bluetooth, and GPS when not needed on all devices. 
Always use VPN access or a viable alternative if permissible and not blocked by the country you are traveling to.
Don’t connect to unknown resources like Wi-Fi access points and Bluetooth devices. 
Avoid using public Wi-Fi, computers, or devices. Assume locally provided technology, such as wireless networks, may be vulnerable to attacks or have risky security settings. In some countries they’re even controlled by security services. 
If you must connect to wireless hotspots or unsecured networks without a VPN, then do not enter or transmit sensitive information while connected. Be sure that the website you are connecting to has the correct URL. Nefarious actors use public Wi-Fi to steal sensitive information by redirecting your connections to sites that aren’t protected by a secure connection. Disconnect and forget the hotspot or network when done.
Keep track of what credentials you use while traveling. If you are on an extended trip, change your credentials periodically and only while connected to a secure network (e.g., eduroam, VPN). Never use the same password for multiple services.
Use two-factor authentication whenever possible.
Don’t install software updates or patches unless connected to a trusted and secured network (e.g., eduroam, VPN) and a valid source.
Choose private browsing when accessing websites. 
Clear your internet browser of history, caches, cookies, URLs, and temporary internet files after each use. 
Report incidents to UMS:IT as soon as possible if there is any indication that your device or data have been compromised.

ARCSIM Travel Guidance Upon Returning

Physical Security

Confirm all inventoried devices are accounted for. Notify UMS:IT if there were any lost or stolen devices.

Technical Security

Review banking and credit card statements for unauthorized transactions.
Restore your cellular device to its previous state (from the backup).
Scan devices for unusual activities with the help of UMS:IT.
Provide feedback to UMS:IT on what did and did not work well.
Reestablish normal systems and safeguards with the help of UMS:IT. If possible, all devices should be wiped (erased) and rebuilt upon your return, as all devices taken abroad should be considered compromised.
Resume your weekly or monthly data check and backup routines as normal.
Change your passwords for all services that were accessed while abroad.
Reset voicemail greetings and automatic email replies.

International Travel Considerations


U.S. Export Control Laws

The United States Department of Commerce considers physical materials, equipment, data, or software taken into a foreign country to be “exported” from the U.S. Smart phones, tablets, and laptops are examples of devices that are regulated and “exported”. Accessing export-controlled information through a network is also considered exporting data to a foreign country. This also includes any intermediate destinations in foreign countries, such as an airport layover. Some foreign governments have regulations that permit the seizure of travelers’ computers and the review of their contents. U.S. Customs officials are also authorized to review the contents of travelers’ laptops without probable cause, and the laptops can be held upon return (Harvard and International Travel). Awareness of U.S. export laws can be obtained through communication with the Office of Research Compliance (ORC). Traveling without an export license when one is required is a violation of federal law. Criminal penalties can include up to 20 years of imprisonment and $1 million in fines per violation, and civil monetary fines can reach up to $300,000 per violation (Bureau of Industry and Security).

You must contact the Office of Research Compliance (ORC) if you intend on bringing or remotely accessing any of the following:

Uncertainty about travel to a foreign country can be mitigated through communication with the Office of Research Compliance (ORC).


International Travel & Encryption

Encryption should be enabled on devices (laptops, desktops) that are purchased and set up through UMS:IT. It is illegal in some foreign countries to use encryption on devices. Be mindful of the laws of other countries. If traveling to a nation that prohibits encrypted devices, travelers should consider bringing a wiped (erased) and unencrypted device that is free of any sensitive information.

The use of encryption is covered by the Wassenaar Arrangement, which has a membership of 42 countries, most of which allow travelers to have encrypted devices, as long as the traveler does not “modify, sell, or distribute the encryption software.”


International Travel & Presenting at Conferences

Carefully consider what information is disseminated or discussed while abroad. Any information provided about the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, and use of defense articles is an export control violation. Avoid discussing unpublished research. Do not use removable media (jump drives, flash memory storage, portable storage devices, etc.) given at conferences, as they may introduce malware into your system.


International Travel with Mobile Phones

All major cellular companies provide guidance to their users on managing data usage while overseas. Consider using a non-smartphone. A non-smartphone that will only be used for making calls is ideal. If not, review the National Security Agency’s Mobile Device Best Practices, and back up your device and reset it to factory default settings to clear personal information prior to traveling. Only place applications on the device that are absolutely necessary. If feasible, consider using a temporary email address. Have the device scanned by UMS:IT and reset to factory default settings upon return.


Travel Resources



Additional Travel Guidelines