IT Security When Traveling

It depends upon your destination(s). The United States and other countries have limited the import, export, and use of encryption products due to the fact that they can be used to conceal illegal activity. Taking your device with encryption software installed to certain countries could constitute a violation of U.S. export law or the import regulations of your destination country. Violating domestic or foreign laws in this manner could result in your equipment being confiscated, and in fines or other penalties.

Note that devices transported across international borders may be subject to official review by the government of your destination country. This may mean customs officials seize your device, make a complete copy of it, and retain that copy after the device is returned to you. You may or may not be allowed to be present while this inspection occurs. Be aware that your device may be compromised during this process.

The Wassenaar Arrangement contains provisions that allow a traveler to freely enter participating countries with encrypted devices under a “personal use exemption.” This exemption requires that you do not create, enhance, share, sell, or otherwise distribute the encryption technology while you are there.

Countries participating in the Wassenaar Arrangement include: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.

NOTE: The Russian Federation and Ukraine agreed to many of the Wassenaar Arrangement’s provisions, but they do not currently permit personal use exemptions.

When Americans travel abroad, the U.S. Department of Commerce considers equipment, software, and data possessed by the traveler to be “exported” from the United States to the traveler’s destination(s). The exemptions from Export Administration Regulations are similar for devices owned by an organization (TMP exemption) and devices owned by you personally (BAG exemption):

• You must spend no more than 12 months outside the United States.
• The items you take with you must be under the “effective control of the traveler” AT ALL TIMES. This means the equipment, software, and data you take with you cannot be shipped as unaccompanied baggage. For example, you cannot stow external hard drives, flash drives, etc., in your checked baggage.
• Travel to Iran, Syria, Cuba, North Korea, or Sudan is not permitted. The status of Cuba is currently under review.

If travel to one of the five embargoed countries is required, you may be able to obtain the appropriate export license. The process takes 90 days for review, on average. Applications for licenses to export encryption products to embargoed countries are reviewed by the Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within the Department of Treasury.

Both personal (BAG) and organizational (TMP) exemptions apply to the encryption technology in Microsoft’s Bitlocker (Windows) and Apple’s FileVault (Mac OS X).

The following nations, including two Wassenaar signatories indicated by an asterisk (*), do not recognize a "personal use exemption."  Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license:

• Belarus: A license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
• Burma (Myanmar): A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
• China: A permit issued by the Beijing Office of State Encryption Administrative Bureau is required.
• Hungary: An International Import Certificate is required. Contact the U.S. State Department for further information.
• Iran: A license issued by Iran's Supreme Council for Cultural Revolution is required.
• Israel: A license from the Director-General of the Ministry of Defense is required. For information regarding applicable laws, policies and forms, please check the Israel Ministry of Defense website ».
• Kazakhstan: A license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.
• Moldova: A license issued by Moldova's Ministry of National Security is required.
• Morocco: A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
• *Russia: Licenses issued by both the Federal Security Service (FSB) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
• Saudi Arabia: At has been reported that the use of encryption is generally banned, but research has provided inconsistent information. Contact the U.S. State Department for further information.
• Tunisia: A license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.
• *Ukraine: A license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.

Since laws can change at any time, please check with the U.S. State Department before traveling internationally to ensure that you have the most up-to-date information.

In the event that you are unable to meet export or import restrictions for a country you plan to visit, you have options.

Work with your IT Support Staff to obtain a loaner laptop. This computer will be imaged with the standard image and software, but will not have whole disk encryption installed. You should not load any sensitive data of any kind on the loaner laptop.

Request to have encryption removed from your laptop. If you choose this option, you are required to remove all sensitive information from the system prior to travel. This option must be approved by your Dean or Vice Provost, and the KU IT Security Officer. The IT Security Office will work with TSC staff to ensure that all sensitive information has been removed and that the laptop has been properly secured prior to you being allowed to travel with it.

• Take with you only what you need. If you can manage your trip without a laptop, tablet, and/or smartphone, leave them at home.
• Remove all data that is not essential to your travel or that is export restricted.
• Before you go, work with your IT Support Staff to ensure your laptop is fully patched, antivirus is up to date, and (if allowed at your destination) that the hard drive is encrypted is installed.
• Ensure smartphones and tablets are encrypted (if allowed) and protected by a passcode, passphrase, or biometric, such as a fingerprint or facial recognition. Remove all unneeded data, apps and accounts from the device prior to travel. Register your device with a locator service such as Find My iPhone/iPad or Android Device Manager, so that it can be wiped remotely if lost or stolen.
• If permitted by your destination country, all USB flash drives, external hard drives, and other external storage should be encrypted. These devices should remain with you at all times and should be transported in carry-on luggage.
• Do not use USB-based public charging stations. “Juice jacking” attacks can install malware on your mobile device and/or copy data from your device. Only use chargers you brought with you from home and know to be good.

If you must have internet access during travel to these countries, do not take your normal mobile devices with you. Purchase a pre-paid phone (aka a “burner phone”) and inexpensive laptop specifically for your travel to these two countries. Upon your return to the United States, these devices should be inspected for compromise, then sanitized and destroyed by IT Security Office staff.

Travelers from the United States, particularly those involved in STEM research, are known to be priority targets for cyber-attack and/or surveillance. Additionally, university administrators, faculty who participate in political or religious activism, and fluent speakers of the local language may also be targeted.

While you are in these countries, assume that all of your communications are being intercepted, including voice calls, text messages, and internet traffic you believe is encrypted such as HTTPS connections and connections via a VPN service.

Things to consider if traveling to Russia or China:

• NEVER ALLOW THE DEVICE OUT OF YOUR PHYSICAL CUSTODY, even for repairs.
• Integrated laptop cameras and microphones should be physically disconnected. If possible, purchase a laptop without these features.
• Install a privacy screen to discourage “shoulder surfing.”
• Disable all file sharing protocols.
• Disable Wi-Fi, Bluetooth, and infrared, if not needed.
• Set up a temporary email account for your travels. Abandon and delete this account after your trip. Do not use this account to send or receive sensitive information.
• Consider Tor and other censorship circumvention tools to be compromised. Their use may be monitored. If you choose to use them, you may be punished or expelled from the country.
• Consider all USB drives, CD/DVDs, email attachments, shortened URLs, QR codes, etc., to be hostile. Do not scan QR codes, click links, open attachments, or insert any removable media into your computer. Do not bring these devices back to the United States with you.
• Clean out your wallet. Remove anything that is non-essential for your travels. RFID-enabled cards should be carried in an RF-shielded sleeve to prevent them from being surreptitiously scanned.
• Assume that discarded items such as CD/DVDs, USB drives, notes, and other documents will be retrieved from the trash for analysis.
• Powered-off cellphones can still be used for geolocation and monitoring. Remove cell phone batteries when not in use.