Although this has passed largely unnoticed, international travel with electronic devices has become risky. Crossing a border makes normal protection of those electronic devices impossible.

When you re-enter the country, for example, U.S. Customs and Border Protection has been searching through and copying the contents of laptops for several year², ordering users to divulge passwords and encryption keys as necessary in order to do so. Furthermore, such acts have been repeatedly upheld by U.S. courts.

Other countries are following our lead in this area. Refusal to comply may result in a number of negative consequences, such as the seizure of the device or being denied entry into the host country. The mere presence of encryption is now seen as suspicious. In fact, many countries that Wayne State University faculty frequently travel to restrict the importation and use of cryptography tools within their borders, and that greatly increases the danger if your laptop is lost or stolen.

Once in another country, risks to sensitive data go beyond the mere risk of theft of your device. Digital espionage is a growing concern and researchers are often the target. The goal isn't always the data you have on you at the time, but also what you may have access to when you return. Many attackers will wait for a while after breaking into your laptop, so you may not have any indication you've been hacked until it's too late.

These guidelines are thus meant to provide researchers engaging in international travel with some recommended precautions and measures that can be taken in order to protect software, sensitive research materials or other university data.

• What should I do to protect University software and data before leaving for international travel?
  • Check to see if the country you're traveling to has restrictions on the use of encryption. Some countries do not allow cryptography tools to be imported or used within their borders without a license, or in some extreme cases, at all. For example, China, Israel, and Russia all have restrictions on the import and use of encryption tools. A listing of the encryption import and export restrictions for most countries can be found at http://www.cryptolaw.org/³. If the import of encryption tools is restricted, and there is no personal use exception, follow the other recommendations in this guide to secure any sensitive data you may be taking with you. We strongly recommend the use of loaner laptops when traveling to countries where the import of encryption tools are restricted (see next bullet).
  • Whenever possible, arrange to use loaner laptops and handheld devices while traveling. While not always easy, this is perhaps the single most significant and effective step you can take. It vastly reduces the likelihood that theft or compromise will expose historical or archived data not relevant to the current trip. It also means that, upon your return, the device can be easily erased, helping mitigate the risks of what are known as advanced persistent threats. Loaner laptops are available through your local IT technical support office. If obtaining a loaner device is not possible, there are some other precautions you can take. Some are relatively simple, while others require technical expertise:
• What are the simple ways to protect my data when I'm traveling abroad?
  • Do not store sensitive data on any internal or external local media (thumb drives, CD's or DVD's, portable hard drives). Thieves target travelers and, because of legal issues surrounding the use of encryption as well as customs and border checkpoints, you might not be able to utilize encryption to protect data stored on physical media as you would be able to inside the U.S.
  • Do not store any passwords to services or accounts on the device outside of applications designed to securely store and handle credentials (e.g. do not use Notepad or Excel⁴). Some applications that are suitable for this are 1Password, Lastpass, and Keepass.
  • Configure your web browser not to save credentials (passwords and user IDs). Use the private browsing features in modern web browsers to prevent data and credentials from being cached locally by your web browser. IE, Chrome, and Firefox all support private browsing.
  • Log into as few online services as possible, particularly your bank accounts, utilities, and other sites that require passwords. Not only does this reduce the amount of ways attackers could try to compromise you, but it reduces the number of passwords you have to change on return.
• What more can I do if I'm willing to get my hands dirty inside my computer?
  • Purchase a new hard drive and swap it with the one currently in the device. Install a fresh copy of the operating system and only the applications that will be necessary on your trip. Store the old hard drive securely on campus and put it back in when you return.
  • For extended-duration trips, utilize a Self-Encrypting Drive (SED) with a BIOS password. It's possible that over time you will accrue local copies of any sensitive data you work with in the form of temporary files, backups, cached data, etc. even if you don't intentionally save sensitive data to your device. Using a SED with a BIOS password allows you to quickly enable and disable the password protection to go through border checkpoints while still keeping the data encrypted at rest.
  • Live CDs (bootable operating systems on a CD or USB) are freely available for many distributions of Linux. This can provide a pristine, unchanged operating environment at every boot up - and if something does happen, fixing it is as simple as rebooting again. Modern Linux versions with appropriate user interfaces now rival Windows and Mac as relatively user-friendly and easy to learn.
• How should I get to data I need when I'm abroad?
  • Do not load sensitive data on your device. Instead, leave sensitive data stored securely on Wayne State servers and access it remotely only via secured communications (e.g. use the VPN to access that data). The VPN provides a secure and encrypted way of connecting to websites by providing an encrypted 'tunnel' from your laptop through Wayne State and onwards.
  • If you need to use specialized software or access large data sets that you have access to on your local workstation, remote desktop may be a viable option. This would let you connect to and interact with your desktop from a remote location as if you were here.
• What settings should I have on my laptop when traveling?
  • Make sure all applications are fully updated with the latest security patches. Uninstall unnecessary and unused applications - these only serve to present a larger attack surface. Configure the applications you do require to automatically update and/or notify you of available updates, if such features are present. Special concern should be given to ensuring that applications used to interact with web services, such as web browsers (Firefox, IE, Chrome), Adobe Acrobat and Flash, Silverlight, Java, etc., are fully up-to-date. These applications are increasingly being targeted by malware authors over operating system vulnerabilities because so many users fail to patch them consistently.
  • Make sure your laptop is password protected, and do not log in as 'Administrator'. Follow the principle of least privilege. While traveling you will likely be connecting to many new, probably poorly managed, and potentially unsafe networks (e.g. in airports and hotels). Expect to be targeted by malicious users on these networks. Do not use an administrator account as your primary user account. A surprising amount of malware and browser exploits can be defeated by something as simple as running as a non-administrative user account. The University of Texas has posted a guide to not using Administrative accounts at U of Texas Guide to administrative rights on your computer, and the Helpdesk or your local tech support person can help with this.
• What should I think about when using wireless connections abroad?
  • Be careful what networks you connect to. Anybody can bring up a wireless network and call it whatever they want, hoping to lure unsuspecting travelers into connecting. This is especially an issue at airports and hotels, where people have come to expect wireless connectivity. Ask an employee at the place of business if they provide WiFi and if so what the network name is. Don't connect to rogue networks - this can make it easy for someone to intercept and even alter your communications.
    • Turn off wireless when your device is not in use or when network connectivity isn't required. This keeps your device from broadcasting its presence looking for available networks, as well as associating with an unauthorized network that may share the name of one you have connected to in the past.
    • Do not automatically join any wireless networks from laptops or cell phones. Manually pick the specific network you want to join.
    • Turn off Bluetooth when it's not actively being used.
  • Keep track of what credentials you use to interact with services. You'll want to change these when you return. Do not use the same password for multiple services, so that if one account is compromised it does not lead to the compromise of others.
  • Follow the WSU Guidelines for keeping your mobile device safe. Make sure you have the basics, such as a working backup, up-to-date anti-virus, software firewall, etc.
    • Follow the University of Texas' hardening guides for handheld devices
• What should I do when I get back home?
  • Very simply, assume that you have been compromised while traveling abroad and act accordingly. It can be very difficult to determine if a device has been compromised. Don't trust the applications on your device and do not use the device to do work or connect to services on campus.
    • If you didn't travel with a loaner device or a new hard drive, format and reinstall the operating system and applications.
  • Change all passwords that you used to access any services. Refer to the list you made while traveling to make sure you change them all. Remember to pick strong, complex passwords and do not reuse the same password for multiple services.
  • Restore your devices to their pre-travel state. Namely, turn off any services that you enabled specifically to facilitate your work while traveling (e.g. remote desktop).

1. These guidelines have been adapted from those developed by the University of Texas, and are used with permission. The original is available at https://wikis.utexas.edu/display/ISO/International+Travel+Guidelines
2. http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html
3. The information provided on this website is not intended to exhaustively list the applicable foreign law and regulations and is not a substitute for legal advice. Questions about a specific country's import restrictions on encryption tools should be directed to the Export Control Office.
4. Although note that you can set an Excel file to be password-protected, which would be a safe way to keep your passwords, as long as you remember the password.