
Below are some introductory-level explanations of the legal implications of traveling with technology, followed by a color-coded best-practices framework for IT professionals to use when discussing travel with users.

Lastly, there are links to additional resources to assist in identifying travel risks.

Understanding United States Legal Frameworks and Impacts of Travel with Technology [1, 2, 3]

When United States citizens travel abroad, the United States Department of Commerce considers physical materials, equipment, data, or software possessed by the traveler to be “exported” from the US to the traveler’s final destination, as well as any intermediate destinations (airport layover, etc.). So what technology can a traveler legally take to a foreign country?

Exemptions from the Export Administration Regulations (EAR) allow the transport of technology items to most foreign countries without a specific license from the U.S. Department of Commerce. There are exemptions that cover both organizationally owned devices and personally owned devices. The conditions for such exemptions include:

  • The traveler must spend no more than 12 months outside the United States.
  • Items must remain under the “effective control of the traveler” at all times.
    • “You maintain effective control over an item when you either retain physical possession of the item, or secure the item in such an environment as a hotel safe, a bonded warehouse, or a locked or guarded exhibition facility.” (Code of Federal Regulations, 15 CFR 772.1)
    • Cannot be shipped as unaccompanied baggage; i.e., no flash drives or tablets in a checked suitcase.
  • No travel to Iran, Syria, Cuba, North Korea, or Sudan.

You should not take with you any of the following without first obtaining specific advice from your local IT support, or the ITS Service Desk:

  • Devices, equipment, or computer software with export restrictions
  • Devices, systems, or software designated as classified or specifically designed or modified for military or space applications

An additional consideration when traveling is that accessing export-controlled information via a network is also considered exporting data to a foreign country.

Understanding Foreign Legal Frameworks and Encrypting Devices [1, 2]

In some countries, customs agents or police officers can and will confiscate user devices. They may require you to unlock or provide passwords for those devices. While your device is confiscated, it may be perfectly legal for those agents to search through your data and install or enable surveillance software. Additionally, the use of encryption on devices for data security is not universally legal in all foreign countries.

The use of encryption internationally is covered by the Wassenaar Arrangement. The following countries are members of the arrangement, which allows travelers to bring encrypted devices into their nations as long as the traveler does not modify, sell, or distribute the encryption software:

  • Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States

The following countries are not full participants in the Wassenaar Arrangement and have restrictions on traveling with encrypted devices. Travelers should be cautious when visiting these nations and should strongly consider bringing an unencrypted “throwaway” device instead of their primary computer. Restrictions on encryption in these countries range from requiring a ministry of foreign affairs permit to carry an encrypted device to outright bans on using encryption technologies.

  • Belarus, Burma (Myanmar), Iran, Israel, Kazakhstan, Moldova, Morocco, Russia, Saudi Arabia, Tunisia, and Ukraine

When University personnel travel to or through one of these nations, it is advisable to use unencrypted “loaner” devices.

 

A Color-Coded Framework for Travel Recommendations [1]

  • RED recommendations: for travelers visiting extremely sensitive destinations and/or using extremely sensitive data.
  • YELLOW recommendations: for travelers visiting moderately sensitive destinations or using moderately sensitive data.
  • GREEN recommendations: baseline security for all travelers, foreign or domestic.

RED recommendations

Before your trip:

  • Contact your local IT support, or the ITS Service Desk to discuss your trip and appropriate precautions to take with devices and data.
  • If traveling to a country which disallows encryption products, remove encryption from your PC or prepare a “loaner” device.

During your trip:

  • If you need to share data with fellow faculty/staff from your university, use encrypted flash drives to transfer data back and forth.
  • Take a loaner “dumbphone” (no data storage) instead of your smartphone.
  • Shut down devices when not in use (do not use sleep or hibernate features).
  • Keep your device(s) on your person at all times — remember that hotel safes may be compromised.

After your trip:

  • Erase and reformat the hard drive, especially on a loaner device.
  • Wipe data from a temporary “dumbphone.”

YELLOW recommendations

Before your trip:

  • Contact your local IT support, or the ITS Service Desk to discuss your trip and appropriate precautions to take with devices and data.
  • Ensure that your device is encrypted (if permitted by the nation to which you are traveling).
    • Setting a password lock automatically encrypts iPhones; Android users should manually enable encryption.
    • Laptops: Use BitLocker for Windows; use FileVault on OS X systems.
  • “Sanitize” your laptop by removing any sensitive data as defined by University policy (see the University’s sensitive data definitions).
    • Only take data necessary for the specific trip.
    • Consider taking a temporary device such as a loaner laptop or prepaid phone.

During your trip:

  • When using shared Wi-Fi, stay connected to your university’s VPN.
  • Do not use “shared” computers at a business center or kiosk, etc.

After your trip:

  • Consider changing passwords for all services/systems you used from overseas.

GREEN recommendations

Before your trip:

  • Ensure data is backed up on a server, drive, or other device NOT making the trip.
  • Ensure you have a VPN client installed.
  • Ensure your PC is patched and the antivirus software updated.
  • Disable Bluetooth and Wi-Fi on your devices, and only turn them on when in use.
  • Notify IT staff of travel plans and locations; IT staff should strongly consider readying spare equipment for delivery in an emergency.

During your trip:

  • Assume your data on any wireless network can be monitored, and act accordingly. Use a VPN whenever possible, especially while on public networks and/or when accessing sensitive data.
  • NEVER let anyone else borrow or use your devices.
  • Do not borrow any devices (e.g. a USB drive) for use on your computer.
  • Do not install any software on your PC.
  • Be aware of “shoulder surfers” — anyone physically monitoring the use of your device.
  • Keep your devices under your physical control or secured in a proper location when they are not. Never check devices or storage devices in luggage.

After your trip:

  • Perform a full virus and malware scan.

 

Additional Resources

Sources

1 – Educause Review. Designing IT Guidelines for Global Travel. https://er.educause.edu/articles/2015/8/designing-it-guidelines-for-global-travel

2 – The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Participating States. https://www.wassenaar.org/participating-states/

3 – Legal Information Institute, Cornell Law School. Definitions of Terms as Used in the Export Administration Regulations (EAR). https://www.law.cornell.edu/cfr/text/15/772.1