International Travel

Assume that any device taken abroad may be compromised. Transmitting sensitive information while overseas carries significant risk.

• No expectation of privacy in internet cafes, hotels, offices, or public spaces
• Devices may be searched or copied while unattended
• Electronic communications can be intercepted
• Mobile devices can be used to track movements or record audio
• Malicious software may be inserted via any connection and transmitted back to UMB systems

Before taking any equipment abroad such as scientific instruments, computers, cellphones, or GPS units, you must verify that the items are not export-restricted based on your destination.

• Most most low-tech, commercially obtained items do not require an export license
• Traveling to or through comprehensively sanctioned countries (Cuba, Iran, Syria, Sudan, North Korea) almost certainly requires a license, even for everyday items like laptops or cellphones
• Refer to the Traveler Certification Letter and TMP/BAG guidance before travel

Reference information on international travel including TMP and BAG exemptions

CITS International Travel Tips

Increase your security precautions when visiting sensitive countries or areas (Middle East, China, Russia, and others). Recommendations for highest security include:

• Use clean laptops or other IT devices when available.
• Ensure systems are updated with the most recent security and malware definition files before travel.
• Remove all unnecessary UMB data and/or personal data from laptops or electronic devices before taking such devices overseas; take only what you need to complete the reason for your visit. If you cannot afford to lose it, or if the loss of the information or data would create a financial or reputational risk to you or the University, leave it at home.
• Remove ALL third-party proprietary, confidential, or sensitive data and all export-controlled data and materials from any electronic devices before travel.
• Remove any encrypted files and encryption-capable software, other than system-critical or software support encryption technologies (for instance, built-in Windows encryption resources). Encryption technologies are strictly controlled for entry and exit from countries such as China.
• Do not use any Wi-Fi connections from unknown third-party providers/sources.
• Always use VPN back into UMB systems; note that China prohibits the use of VPN unless specifically approved for use.
• Refrain from using publicly available Wi-Fi connections if possible, even if labeled as secure and/or requiring passwords for use, as these connection points are often subject to intrusion software risks such as keystroke loggers.
• To the extent possible, keep laptops/devices in your personal possession at all times.
• Never accept or attach unknown devices or drives (including flash/USB drives) because malicious code may be installed on such devices at any time, including at manufacture or after.
• Have your electronic devices scanned for malware upon return before making a connection to the UMB network.

In most countries, you have no expectation of privacy in internet cafes, hotels, offices, or public places.

• In some countries, hotel rooms are often searched.
• All information you send electronically — no matter the method — can be intercepted.
• Security services and criminals can track your movements using your mobile computing/electronic device and can even turn on the microphone in your computing/electronic device when you think it is off.
• Security services and criminals can insert malicious software into your computing/electronic device through any connection that they control. When connecting to your home or University systems or networks, this malware can be transmitted back to these systems as well.
• Transmitting sensitive information from abroad is risky.
• If your mobile computing/electronic device is examined, or if your hotel room is searched while you are not present, you should assume that your device’s data has been copied and/or compromised.

Source: Pennsylvania State University (edited)

You may freely take and openly share or discuss any data or information that:

• Results from Fundamental Research
• Qualifies under the Educational or Public Information Exclusions
• Qualifies under the Public Information Exclusion

You may not take or share data or information that is:

• Export-controlled technology or proprietary information
• Project data outside of Fundamental Research

All controlled or restricted data must be removed from devices (laptops, phones, PDAs, flash drives) before leaving the U.S.

Increase your precautions when traveling to sensitive countries or regions, including the Middle East, China, and Russia. Key best practices:

• Use clean devices when available and update all systems with the latest security and malware definitions
• Remove unnecessary UMB and personal data before travel
• Remove all third-party proprietary, confidential, or export-controlled data
• Avoid bringing encrypted files or software unless system-critical
• Avoid connecting to unknown Wi-Fi networks; use VPN to UMB systems
  • Note: China restricts VPN use without approval
• Keep laptops and devices in your personal possession at all times
• Never accept or attach unknown devices or drives
• Scan devices for malware upon return before reconnecting to UMB networks

Mobile and Data Security while Traveling Abroad

When presenting data/information in an international setting (including in the United States where the audience may include foreign nationals), you need to ensure that you limit your presentation to only information or data that is published, is publicly available, or qualifies as Fundamental Research. Be careful not to include or discuss any proprietary, unpublished, or export-restricted data or information as that may constitute an unauthorized export.

You are free to openly discuss any published or publicly available information or information generated as the result of Fundamental Research as long as the recipient is not a sanctioned or specially designated entity. It is important to remember that while the results/information resulting from Fundamental Research are not subject to export controls and can be shared without a license, any items, technology, or software generated under that Fundamental Research would be subject to export controls and may require an export license.

Any University research activity done outside the United States may not qualify for the Fundamental Research Exclusion and would therefore not be protected from export controls until the work is published or otherwise made publicly available. Before disclosing or sharing information or data resulting from international field work, it is important to ensure that the information is not export-restricted.

To ensure compliance with OFAC regulations prohibiting the University from providing material or financial assistance to any blocked or sanctioned individual or entity, any UMB activity that involves payment to a non-U.S. person, business, or organization must be verified against all appropriate sanctioned party and entity lists.