Guidance for IT Professionals Assisting Users with Travel
Below are some introductory level explanations of the legal implications of traveling with technology, followed by a color-coded best practices framework for IT professionals when discussing travel with users.
Lastly, there are links to additional resources to assist in identifying travel risks.
Understanding United States Legal Frameworks and Impacts of Travel with Technology 1,2,3
When United States citizens travel abroad, the United States Department of Commerce considers physical materials, equipment, data, or software possessed by the traveler to be “exported” from the US to the traveler’s final destination, as well as any intermediate destinations (airport layover, etc.). So what technology can a traveler legally take to a foreign country?
Exemptions from the Export Administration Regulations (EAR) allow the transport of technology items to most foreign countries without a specific license from the U.S. Department of Commerce. There are exemptions that cover both organizationally owned devices, as well as personally-owned personal devices.The conditions for such exemptions include:
- The traveler must spend no more than 12 months outside the United States.
- Items must remain under the “effective control of the traveler” at all times.
- “You maintain effective control over an item when you either retain physical possession of the item, or secure the item in such an environment as a hotel safe, a bonded warehouse, or a locked or guarded exhibition facility.” (Code of Federal Regulations, 15 CFR 772.1)
- Cannot be shipped as unaccompanied baggage; i.e., no flash drives or tablets in a checked suitcase.
- No travel to Iran, Syria, Cuba, North Korea, or Sudan.
You should not take with you any of the following without first obtaining specific advice from your local IT support, or the ITS Service Desk:
- Devices, equipment, or computer software with export restrictions
- Devices, systems, or software designated as classified or specifically designed or modified for military or space applications
An additional consideration when travelling, is that accessing export-controlled information via a network is also considered exporting data to a foreign country.
Understanding Foreign Legal Frameworks and Encrypting Devices1,2
In some countries, customs agents or police officers can and will confiscate user devices. They may require you to unlock or provide passwords for those devices. While your device is confiscated, it may be perfectly legal for those agents to search through your data and install or enable surveillance software. Additionally, the use of encryption on devices for data security is not universally legal in all foreign countries.
The use of encryption internationally is covered by the Wassennaar Arrangement. The following countries are members of the agreement, which allows travelers to bring encrypted devices into their nations as long as the traveler does not modify, sell, or distribute the encryption software:
- Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States
The following countries are not fully-participatory in the Wassenaar Agreement and have restrictions on traveling with encrypted devices. Travelers should be cautious when visiting these nations and should strongly consider bringing an un-encrypted “throwaway” device instead of their primary computer. Restrictions on encryption in these countries range from requiring a ministry of foreign affairs permit to carry an encrypted device to outright bans on using encryption technologies.
- Belarus, Burma (Myanmar), Iran, Israel, Kazakhstan, Moldova, Morocco, Russia, Saudi Arabia, Tunisia, and the Ukraine
When University personnel travel to or through one of these nations, it is advisable to user “loaner” un-encrypted devices.
A Color-Coded Framework for Travel Recommendations1
RED recommendations: for travelers visiting extremely sensitive destinations and/or using extremely sensitive data | YELLOW recommendations: for travelers visiting moderately sensitive destinations or using moderately sensitive data. | GREEN recommendations: baseline security for all travelers, foreign or domestic |
Before your trip:
During your trip:
After your trip:
|
Before your trip:
During your trip:
After your trip: Consider changing passwords for all services/systems you used from overseas. |
Before your trip:
During your trip:
After your trip: Perform a full virus and malware scan |
Additional Resources
- State Department Travel Warnings – U.S. Department of State
- Study Abroad Office – UNC
- Traveling overseas with mobile phones, laptops, PDAs and other electronic devices – National Counterintelligence and Security Center
- Best Practices for Academics traveling overseas – FBI
Sources
1- Educause Review. Designing IT Guidelines for Global Travel. https://er.educause.edu/articles/2015/8/designing-it-guidelines-for-global-travel
2 – The Wasserman Arrangement on Export Controls for Coneventional Arms and Dual-Use Goods and Technologies. Participating States. https://www.wassenaar.org/participating-states/
3 – Legal Information Institute, Cornell Law School. Definitions of terms as used in the export administration regulations (ear). https://www.law.cornell.edu/cfr/text/15/772.1