University faculty, staff, and students, who travel internationally with laptops, phones, and other mobile devices, are subject to many risks, namely that of loss, seizure, or tampering. Please use these recommendations as a guide to reduce the risks associated with traveling with these devices. If you have any questions regarding these recommendations or where you are traveling, please contact UnivIT_SP@ur.rochester.edu.
Privacy, Censorship and Encryption
Depending on where you plan to travel abroad, electronic communication devices, may be subject to involuntary official governmental review and possible duplication of the hard drive’s contents.
The University requires the use of encryption on all University-owned devices. Use of encryption to protect information may be forbidden in some countries, you should check with University IT before you travel abroad to ensure compliance with foreign countries’ laws. And, if your encryption product allows you to “hide” information, those “hidden” areas can be detected, and you could be subject to criminal charges by the country’s government. Because it is difficult to monitor encrypted traffic, use of secure (“https”) websites and/or use of virtual private networks (VPNs) may be blocked by some countries.
Some countries may censor certain content or sites. Attempts to circumvent national censorship of websites, such as some mainstream western social media sites, is discouraged by the University. You should only use VPN to access necessary files and sites to conduct your business or studies. If you are found to be using a product to circumvent the blocking of censored websites, you may be warned, have your electronic devices confiscated, or you may become subject to criminal charges.
Personal privacy may not be respected. Even private spaces such as hotel rooms, rental cars, and taxis may be subject to video, audio, or other monitoring. This type of surveillance may be able to track your whereabouts, what you may be doing, what’s on your electronic device, and what you may be entering into it. Conversations either in person or on a phone may be monitored. Local colleagues may be required to report any conversations held with foreigners.
- Configure a password to logon to any devices you are taking. A password prevents others from accessing your data if your device is lost or stolen.
- Be sure that any device with an operating system and software is fully patched and up-to-date with all institutional recommended security software (e.g. Antivirus).
- Research your destination on the State Department website.
- Encrypt your devices, but check with University IT before you travel abroad to ensure compliance with foreign countries’ laws..
- When not in use, turn off or lock the devices.
- DO NOT store high-risk or moderate-risk data (e.g., social security numbers, protected health information, credit card numbers) on any devices you are taking with you.
- DO NOT copy high-risk or moderate-risk data to memory sticks or other easily lost media.
- DO store data that you need for your trip in a Box account or on the University’s network. You can access your files stored on the University’s network and other campus resources through the University VPN.
- Upon your return, immediately change your NetID password and the passwords of any accounts used while abroad. University IT may scan your device to ensure no malware is on it. Simply email UnivIT_SP@ur.rochester.edu to request your device be scanned.
Sometimes airport or other security officers will ask you to start your device to prove that it works. Comply by starting your system and entering the password yourself. If the security officer wants you to give them the password, state that it is University policy to NOT share passwords. If they still require you to provide the password to them, give them the password, and change immediately following the check.
Traveling to High Cyber-Risk Countries
Traveling with IT devices to some countries, most notably China and Russia, is considered high cyber-risk. The U.S. government has issued several advisories that travelers be aware that they could be targets of espionage activities when visiting these countries. Travelers are strongly encouraged to follow these recommendations:
- DO NOT travel with encrypted devices to China unless you have advance approval from China. China severely restricts the import of unapproved encryption. If you attempt to cross the border with an encrypted device, you may be asked for the decryption key or your device may be confiscated.
- The U.S. government prohibits traveling with encrypted devices to countries that are considered to support terrorism, namely Cuba, Iran, North Korea, Sudan, and Syria. DO NOT bring encrypted devices to these countries.
- Use caution when connecting a USB device to an unknown computer or charger as it may become infected with malware.
- Upon your return, immediately discontinue use of the devices. The hard drive of the devices should be reformatted, and the operating system and other related software reinstalled, or the device properly disposed of. Contact your help desk or your local IT administrator to assist you.
- Set Wi-Fi to “do not automatically connect to Wi-Fi” on all devices capable of wireless connections.
- DO NOT update your computer while connected to a public or hotel wireless network.
- Disable Bluetooth on your laptop, mobile phone, and other devices.
- Set your mobile device to be wiped after 10 login attempts. Backup your device before traveling in case your device is wiped.
- Tape over any integrated laptop cameras, or disable them to prevent a hacker from viewing you while you use your laptop.
- Ensure host based firewalls are configured and enabled on Windows and Mac laptops.
- Leave unneeded car keys, house keys, smart cards, credit cards, swipe cards, or fobs you would use to access your work place, or other areas, and any other access control devices you may have at home.
- Clean out your purse or wallet of any financial information such as bank account numbers, logins and passwords, any RFID cards (including U.S. Government Nexus “trusted traveler” cards) should be carried inside an RF-shielded cover.
- If you need to send and receive email while traveling, create a temporary “throw away” account on Microsoft Outlook or a similar service before you travel.