IT Security When Traveling
Criminals know that many of us let down our guard while we are traveling, choosing convenience over security. Whether you are traveling internationally or domestically, it's important to know how to protect your devices and data while you travel.
In some cases, there are legal and regulatory requirements related to security, intellectual property, technology transfer, etc., that international travelers must follow. For additional safety, security and export compliance related information prior to international travel, please contact the Office of Global Operations & Security (GOS). Visit the GOS website or contact them at gos@ku.edu.
Traveling with KU Data
If you plan to travel abroad with sensitive data, contact the KU IT Security Office for assistance with the following:
Duo App and International Travel
If you will be traveling internationally, prepare in advance to use Duo to access KU systems outside the United States:
- We encourage you to contact the IT Security Office at itsec@ku.edu for a Duo consultation prior to international travel.
- If your current mobile device isn't configured for service in your destination country, you will only be able to receive push notifications if you are connected to WiFi.
- If you will be using an alternate mobile device during your travels, be sure to add it to your Duo account as a secondary device.
- If you don't have cell service or WiFi when traveling, you can use passcodes generated by the Duo app on your mobile device.
- If you can receive texts on your mobile device, you can request a set of 10 passcodes to be used for logging in. You can request the passcodes prior to departure, and they will be valid for 30 days.
- As a final option, you can request a hardware token that generates passcodes when traveling. Contact the IT Security Office at itsec@ku.edu for more information.
- Configure access to your mobile device with a biometric (fingerprint or facial recognition), passcode or other login method to prevent unauthorized access to Duo if your device is lost or stolen.
- Duo may not be authorized for use in some countries (e.g., Cuba, Iran, North Korea, Sudan, Syria, and the Crimea region of Ukraine). Please contact the Office of Global Operations & Security (GOS) at gos@ku.edu if traveling to a restricted country.
Technology Travel Tips
Bring Only the Devices You Can't Live Without
The fewer devices you bring, the less work to prepare and configure your devices to be used outside the United States and restore them when you get back.
Back Up All Your Files and Remove Everything You Don't Need
This goes for all your devices—laptops, tablets and phones. In the event your device is lost, stolen or hacked, the amount of information on your device will largely determine the severity of the problem. Talk to your IT Support Staff to see if your department has a loaner device they can configure for travel.
Check Your Cell Phone Plan
Contact your cell phone service provider to learn about your options for international roaming and data charges. Consider turning off cellular data usage on your phone to avoid excessive costs.
Download and Update Your Software and Apps
Make sure you have antivirus software installed, updated and running properly on your devices. Faculty and staff workstations should already have antivirus applications installed.
Install and Use KU Anywhere (VPN)
The KU Anywhere virtual private network (VPN) service allows faculty and staff secure remote access to resources on the KU network, such as a department file server, from a computer that is not connected to the KU network, but is connected to the internet.
Make it Easier to Find Lost/Stolen Devices with Tracking Apps
Consider turning on or purchasing tracking/device finder applications in case your laptop, tablet or phone is stolen.
Turn Off File Sharing and Print Sharing
Turn off “file sharing” and “print sharing” features. It’s harder for hackers to access your data if they can’t see your device.
Configure Your Devices for "Infrastructure" Networks Only
Configure your wireless card to use “infrastructure networks” only. Avoid connecting to “peer-to-peer” networks, also known as “hot spots” or “ad hoc” networks.
Turn Off Auto-Connect
Turning off your “auto-connect” feature will keep you from accidentally connecting to a potentially dangerous network.
Install and Use eduroam
KU faculty, staff and students can log into the Wi-Fi networks of other eduroam member institutions anywhere in the world, simply by using their KU Online ID and password. Accessing eduroam is similar to accessing secure JAYHAWK wireless when you’re on campus.
International Travel with Encrypted Devices
Is encryption software legal where you are going? Be sure all the information and software on your device can be safely and legally transported to another country. The KU IT Security Office (ITSO) can help you understand your responsibilities for transporting encryption software. Contact ITSO at itsec@ku.edu or 785-864-9003.
International Travel with Encrypted Mobile Devices FAQs
It depends upon your destination(s). The United States and other countries have limited the import, export, and use of encryption products due to the fact that they can be used to conceal illegal activity. Taking your device with encryption software installed to certain countries could constitute a violation of U.S. export law or the import regulations of your destination country. Violating domestic or foreign laws in this manner could result in your equipment being confiscated, and in fines or other penalties.
Note that devices transported across international borders may be subject to official review by the government of your destination country. This may mean customs officials seize your device, make a complete copy of it, and retain that copy after the device is returned to you. You may or may not be allowed to be present while this inspection occurs. Be aware that your device may be compromised during this process.
The Wassenaar Arrangement contains provisions that allow a traveler to freely enter participating countries with encrypted devices under a “personal use exemption.” This exemption requires that you do not create, enhance, share, sell, or otherwise distribute the encryption technology while you are there.
Countries participating in the Wassenaar Arrangement include: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.
NOTE: The Russian Federation and Ukraine agreed to many of the Wassenaar Arrangement’s provisions, but they do not currently permit personal use exemptions.
When Americans travel abroad, the U.S. Department of Commerce considers equipment, software, and data possessed by the traveler to be “exported” from the United States to the traveler’s destination(s). The exemptions from Export Administration Regulations are similar for devices owned by an organization (TMP exemption) and devices owned by you personally (BAG exemption):
- You must spend no more than 12 months outside the United States.
- The items you take with you must be under the “effective control of the traveler” AT ALL TIMES. This means the equipment, software, and data you take with you cannot be shipped as unaccompanied baggage. For example, you cannot stow external hard drives, flash drives, etc., in your checked baggage.
- Travel to Iran, Syria, Cuba, North Korea, or Sudan is not permitted. The status of Cuba is currently under review.
If travel to one of the five embargoed countries is required, you may be able to obtain the appropriate export license. The process takes 90 days for review, on average. Applications for licenses to export encryption products to embargoed countries are reviewed by the Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within the Department of Treasury.
Both personal (BAG) and organizational (TMP) exemptions apply to the encryption technology in Microsoft’s BitLocker (Windows) and Apple’s FileVault (Mac OS X).
The following nations, including two Wassenaar signatories indicated by an asterisk (*), do not recognize a "personal use exemption." Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license:
- Belarus: A license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
- Burma (Myanmar): A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
- China: A permit issued by the Beijing Office of State Encryption Administrative Bureau is required.
- Hungary: An International Import Certificate is required. Contact the U.S. State Department for further information.
- Iran: A license issued by Iran's Supreme Council for Cultural Revolution is required.
- Israel: A license from the Director-General of the Ministry of Defense is required. For information regarding applicable laws, policies and forms, please check the Israel Ministry of Defense website.
- Kazakhstan: A license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.
- Moldova: A license issued by Moldova's Ministry of National Security is required.
- Morocco: A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
- *Russia: Licenses issued by both the Federal Security Service (FSB) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
- Saudi Arabia: It has been reported that the use of encryption is generally banned, but research has provided inconsistent information. Contact the U.S. State Department for further information.
- Tunisia: A license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.
- *Ukraine: A license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.
Since laws can change at any time, please check with the U.S. State Department before traveling internationally to ensure that you have the most up-to-date information.
In the event that you are unable to meet export or import restrictions for a country you plan to visit, you have options.
Work with your IT Support Staff to obtain a loaner laptop. This computer will be imaged with the standard image and software, but will not have whole disk encryption installed. You should not load any sensitive data of any kind on the loaner laptop.
Request to have encryption removed from your laptop. If you choose this option, you are required to remove all sensitive information from the system prior to travel. This option must be approved by your Dean or Vice Provost, and the KU IT Security Officer. The IT Security Office will work with TSC staff to ensure that all sensitive information has been removed and that the laptop has been properly secured prior to you being allowed to travel with it.
- Take with you only what you need. If you can manage your trip without a laptop, tablet, and/or smartphone, leave them at home.
- Remove all data that is not essential to your travel or that is export restricted.
- Before you go, work with your IT Support Staff to ensure your laptop is fully patched, antivirus is up to date, and (if allowed at your destination) that the hard drive is encrypted.
- Ensure smartphones and tablets are encrypted (if allowed) and protected by a passcode, passphrase, or biometric, such as a fingerprint or facial recognition. Remove all unneeded data, apps and accounts from the device prior to travel. Register your device with a locator service such as Find My iPhone/iPad or Android Device Manager, so that it can be wiped remotely if lost or stolen.
- If permitted by your destination country, all USB flash drives, external hard drives, and other external storage should be encrypted. These devices should remain with you at all times and should be transported in carry-on luggage.
- Do not use USB-based public charging stations. “Juice jacking” attacks can install malware on your mobile device and/or copy data from your device. Only use chargers you brought with you from home and know to be good.
If you must have internet access during travel to these countries, do not take your normal mobile devices with you. Purchase a pre-paid phone (aka a “burner phone”) and inexpensive laptop specifically for your travel to these two countries. Upon your return to the United States, these devices should be inspected for compromise, then sanitized and destroyed by IT Security Office staff.
Travelers from the United States, particularly those involved in STEM research, are known to be priority targets for cyber-attack and/or surveillance. Additionally, university administrators, faculty who participate in political or religious activism, and fluent speakers of the local language may also be targeted.
While you are in these countries, assume that all of your communications are being intercepted, including voice calls, text messages, and internet traffic you believe is encrypted such as HTTPS connections and connections via a VPN service.
Things to consider if traveling to Russia or China:
- NEVER ALLOW THE DEVICE OUT OF YOUR PHYSICAL CUSTODY, even for repairs.
- Integrated laptop cameras and microphones should be physically disconnected. If possible, purchase a laptop without these features.
- Install a privacy screen to discourage “shoulder surfing.”
- Disable all file sharing protocols.
- Disable Wi-Fi, Bluetooth, and infrared, if not needed.
- Set up a temporary email account for your travels. Abandon and delete this account after your trip. Do not use this account to send or receive sensitive information.
- Consider Tor and other censorship circumvention tools to be compromised. Their use may be monitored. If you choose to use them, you may be punished or expelled from the country.
- Consider all USB drives, CD/DVDs, email attachments, shortened URLs, QR codes, etc., to be hostile. Do not scan QR codes, click links, open attachments, or insert any removable media into your computer. Do not bring these devices back to the United States with you.
- Clean out your wallet. Remove anything that is non-essential for your travels. RFID-enabled cards should be carried in an RF-shielded sleeve to prevent them from being surreptitiously scanned.
- Assume that discarded items such as CD/DVDs, USB drives, notes, and other documents will be retrieved from the trash for analysis.
- Powered-off cellphones can still be used for geolocation and monitoring. Remove cell phone batteries when not in use.