Whether you are traveling internationally or domestically, it's important to know how to protect your devices and data while you travel. Criminals know that many of us let down our guard while we are traveling, choosing convenience over security. See the best practices and tips below and on the "Workplace Security" tab to improve your safety and security when traveling.
Technology Travel Tips
Bring Only the Devices You Can't Live Without
Can You Leave Your Personal Device at Home?
Backup All Your Files and Remove Everything You Don't Need
Protect Yourself With Unique and Strong Passwords
Check Your Cell Phone Plan
Download and Update Your Software and Apps
Install and Test eduroam
Install and Test KU Anywhere (VPN)
Turn Off Wireless
Turn Off File Sharing and Print Sharing
Turn Off Auto-Connect
Configure Your Devices for "Infrastructure" Networks Only
Make it Easier to Find Lost/Stolen Devices with Tracking Apps
Delete Your Voicemail
Reset All Your Passwords
Traveling with KU Data
If you plan to travel abroad with sensitive data, contact the KU IT Security Office for assistance with the following:
International Travel with Encrypted Devices
Is encryption software legal where you’re going? Be sure all the information and software on your device can be safely and legally transported to another country. The KU IT Security Office can help you understand your responsibilities for transporting encryption software. Below are answers to frequently asked questions about International Travel with Encrypted Mobile Devices:
International Travel with Encrypted Mobile Devices FAQs
Note that devices transported across international borders may be subject to official review by the government of your destination country. This may mean customs officials seize your device, make a complete copy of it, and retain that copy after the device is returned to you. You may or may not be allowed to be present while this inspection occurs. Be aware that your device may be compromised during this process.
Countries participating in the Wassenaar Arrangement include: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.
NOTE: The Russian Federation and Ukraine agreed to many of the Wassenaar Arrangement’s provisions, but they do not currently permit personal use exemptions.
- You must spend no more than 12 months outside the United States.
- The items you take with you must be under the “effective control of the traveler” AT ALL TIMES. This means the equipment, software, and data you take with you cannot be shipped as unaccompanied baggage. For example, you cannot stow external hard drives, flash drives, etc., in your checked baggage.
- Travel to Iran, Syria, Cuba, North Korea, or Sudan is not permitted. The status of Cuba is currently under review.
If travel to one of the five embargoed countries is required, you may be able to obtain the appropriate export license. The process takes 90 days for review, on average. Applications for licenses to export encryption products to embargoed countries are reviewed by the Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within the Department of Treasury.
Both personal (BAG) and organizational (TMP) exemptions apply to the encryption technology in Microsoft’s Bitlocker (Windows) and Apple’s FileVault (Mac OS X).
The following nations, including two Wassenaar signatories indicated by an asterisk (*), do not recognize a "personal use exemption." Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license:
- Belarus: A license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
- Burma (Myanmar): A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
- China: A permit issued by the Beijing Office of State Encryption Administrative Bureau is required.
- Hungary: An International Import Certificate is required. Contact the U.S. State Department for further information.
- Iran: A license issued by Iran's Supreme Council for Cultural Revolution is required.
- Israel: A license from the Director-General of the Ministry of Defense is required. For information regarding applicable laws, policies and forms, please check the Israel Ministry of Defense website ».
- Kazakhstan: A license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.
- Moldova: A license issued by Moldova's Ministry of National Security is required.
- Morocco: A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
- *Russia: Licenses issued by both the Federal Security Service (FSB) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
- Saudi Arabia: At has been reported that the use of encryption is generally banned, but research has provided inconsistent information. Contact the U.S. State Department for further information.
- Tunisia: A license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.
- *Ukraine: A license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.
Since laws can change at any time, please check with the U.S. State Department » before traveling internationally to ensure that you have the most up-to-date information. Please see "References" at the bottom of this section for more information on domestic and international cryptography laws.
In the event that you are unable to meet export or import restrictions for a country you plan to visit, you have options.
Work with your IT Support Staff to obtain a loaner laptop. This computer will be imaged with the standard image and software, but will not have whole disk encryption installed. You should not load any sensitive data of any kind on the loaner laptop.
Request to have encryption removed from your laptop. If you choose this option, you are required to remove all sensitive information from the system prior to travel. This option must be approved by your Dean or Vice Provost, and the KU IT Security Officer. The IT Security Office will work with TSC staff to ensure that all sensitive information has been removed and that the laptop has been properly secured prior to you being allowed to travel with it.
- Take with you only what you need. If you can manage your trip without a laptop, tablet, and/or smartphone, leave them at home.
- Remove all data that is not essential to your travel or that is export restricted.
- Before you go, work with your IT Support Staff to ensure your laptop is fully patched, Sophos antivirus is up to date, and (if allowed at your destination) that the hard drive is encrypted and Sophos SafeGuard is installed.
- Ensure smartphones and tablets are encrypted (if allowed) and protected by a passcode, passphrase, or biometric, such as a fingerprint or facial recognition. Remove all unneeded data, apps and accounts from the device prior to travel. Register your device with a locator service such as Find My iPhone/iPad or Android Device Manager, so that it can be wiped remotely if lost or stolen.
- If permitted by your destination country, all USB flash drives, external hard drives, and other external storage should be encrypted. These devices should remain with you at all times and should be transported in carry-on luggage.
- Do not use USB-based public charging stations. “Juice jacking” attacks can install malware on your mobile device and/or copy data from your device. Only use chargers you brought with you from home and know to be good.
If you must have nternet access during travel to these countries, do not take your normal mobile devices with you. Purchase a pre-paid phone (aka a “burner phone”) and inexpensive laptop specifically for your travel to these two countries. Upon your return to the United States, these devices should be inspected for compromise, then sanitized and destroyed by IT Security Office staff.
Travelers from the United States, particularly those involved in STEM research, are known to be priority targets for cyber-attack and/or surveillance. Additionally, university administrators, faculty who participate in political or religious activism, and fluent speakers of the local language may also be targeted.
While you are in these countries, assume that all of your communications are being intercepted, including voice calls, text messages, and internet traffic you believe is encrypted such as HTTPS connections and connections via a VPN service.
Things to consider if traveling to Russia or China:
- NEVER ALLOW THE DEVICE OUT OF YOUR PHYSICAL CUSTODY, even for repairs.
- Integrated laptop cameras and microphones should be physically disconnected. If possible, purchase a laptop without these features.
- Install a privacy screen to discourage “shoulder surfing.”
- Disable all file sharing protocols.
- Disable Wi-Fi, Bluetooth, and infrared, if not needed.
- Set up a temporary email account for your travels. Abandon and delete this account after your trip. Do not use this account to send or receive sensitive information.
- Consider Tor and other censorship circumvention tools to be compromised. Their use may be monitored. If you choose to use them, you may be punished or expelled from the country.
- Consider all USB drives, CD/DVDs, email attachments, shortened URLs, QR codes, etc., to be hostile. Do not scan QR codes, click links, open attachments, or insert any removable media into your computer. Do not bring these devices back to the United States with you.
- Clean out your wallet. Remove anything that is non-essential for your travels. RFID-enabled cards should be carried in an RF-shielded sleeve to prevent them from being surreptitiously scanned.
- Assume that discarded items such as CD/DVDs, USB drives, notes, and other documents will be retrieved from the trash for analysis.
- Powered-off cellphones can still be used for geolocation and monitoring. Remove cell phone batteries when not in use.
Educause: Designing IT Guidelines for Global Travel »
Princeton Information Security Office »
Crypto Law Survey »
International Crypto and Encryption Law map »
Export Information on Sophos Products »
Wassenaar Arrangement »
University of Rhode Island Office of Information Security: Travel to China or Russia »