Travelling abroad

...University information

Travelling abroad with University information

Depending on the country you are visiting and the security arrangement at its borders, you may be asked to reveal the contents of your device or papers.

Overseas governments might have the right to access your information and you must be prepared to show it to their representatives (such as border control) on request. This can include insistence that you unencrypt your device or confiscation of your device.

For these reasons, you should avoid taking any Confidential information with you (check the University Information Classification and Handling Scheme). You should keep such information on your University filestore or York Google Drive and access it using the University virtual desktop service (VDS). There is still a risk that data traffic may be monitored and it is your responsibility to assess this risk.

If it is essential to take Confidential information abroad (physical or electronic), you must:

• seek permission first and consult the Records Manager if necessary (email records-manager@york.ac.uk)
• ensure a copy is stored securely at the University prior to your departure. This may be a physical copy or electronic back up on University servers as appropriate
• keep Confidential information to the minimum necessary for the duration of your visit
• keep the physical copy or device(s) secure
• be aware that there is a greater risk of your device being tampered with in some countries (eg attempts to install key logging hardware or software which would record your username and password irrespective of whether your device is encrypted)
• use official networks and wifi hotspots (such as the one in your host institution)
• consider encrypting any device the information is stored on and the files (but if you choose to do this you must follow the guidance given under Travelling abroad with encrypted devices and data)

...your devices

Travelling abroad with your devices

Before you go

Make sure you have:

• Considered the risks in travelling with an encrypted or unencrypted device and the safety of University information. Can you take an unencrypted device which has been cleared of confidential data and unnecessary software?
  • Travelling abroad with encrypted devices and data
  • Travelling with an unencrypted device
• Implemented all the User Commitments in the Policy for Safe use of University information on all devices
• Considered the risk of interference or tampering with your device in the country you are travelling to. There is no definitive list, but the Foreign and Commonwealth Office Foreign travel advice website indicates the general safety of travel in every country with links to the FCO Travel Advice Team.

When in customs

• Theft of your device: there are many distractions when going through security - opportunistic thieves only need a couple of seconds to take your device. Make sure you know where your device is at all times (including your mobile phone, which is especially vulnerable)
• Keep your device in sight: if Customs or other officials take your devices out of your view, you should consider the devices compromised and you should not use them until you have checked them for interference or malicious software.

Throughout your trip

If you follow the User Commitments in the Policy for Safe use of University information on all devices you will minimise risks to your device and information. There are some increased risks to your device when you travel:

• Be wary when charging your device: beware of free charging kiosks - they might be connected to devices which intercept your username and password when you connect your device
• Keep your device with you or lock it up: consider the risks of leaving your device behind, eg in a hotel room or conference venue. If you must do this, ensure the device is locked in an official secure place or safe
• Report a lost device immediately: contact the University Computer Emergency Response Team as soon as possible
• Do not connect to unsecure networks: do not use unsecure networks - in addition to internet cafes, be aware that hotel and conference centre networks and your friend's network may be insecure
• Do not connect to other devices: do not allow storage devices to connect to your device (including USB sticks; they may be infected without their owner's knowledge)
• Turn off your device: do not keep your device on when you're not using it, not even in sleep mode as it is still transmitting information. Switch off wifi, bluetooth and GPS when you don't need them

When you get back

The risk of your device being tampered with is higher when travelling abroad, especially in some countries. To ensure your device is safe to use on your return:

• Change your passwords: change your University password and all passwords for services you have accessed from the device as they may have been intercepted without your knowledge. As an extra precaution it is recommended that this done from a device separate to the one taken abroad
• Scan and clean your device: run a full scan for malware and follow any steps identified to clean your device. See the IT Services guidance on viruses and malware and if in doubt ask for help from IT Services.
• Consider having the device securely erased and rebuilt: depending on the type of travel you have undertaken this is the safest action for some countries where interference is more common

...encrypted devices & data

Travelling abroad with encrypted devices and data

Check whether your device is encrypted

If you are unsure whether your device is encrypted you can ask IT Services for help.

Be aware that:

• Some University managed mobile devices are encrypted, but you cannot assume this
• On some non-University managed devices, setting up password protected auto-locks automatically encrypts the device (eg iOS devices)
• You may have encrypted devices or data yourself
• Some USB memory sticks, hard drives, or other mobile devices may be encrypted.

UK export controls on encryption software and hardware

UK export controls require licensing for the export of restricted encryption software and hardware. However, mass market products which are available to the public, such as Sophos Safeguard, BitLocker (Microsoft devices), FileVault (Apple devices) and LUKS (used on Linux computers within the University), are not subject to export control.

If you use encryption software which is not a mass market product, it is likely that you will need to obtain what is known as a Cryptography Open General Export Licence (OGEL).

For more information see the UK Government advice on Export of cryptographic devices.

May I take my encrypted device when travelling abroad?

It depends. Because encryption products can be used for illegal purposes, including terrorist activity, many countries ban or severely regulate the import, export and use of encryption products.

Taking your device with encryption software or hardware (irrespective of whether you have implemented encryption) to certain countries without proper permission could violate import regulations of the country to which you are travelling, and could result in your device being confiscated, fines or other penalties.

A group of countries (referred to here as 'Permitted Countries') has negotiated a set of rules which attempt to facilitate travelling with encryption software. This is known as the Wassenaar Arrangement. One of its provisions allows a traveller to enter a participating country freely with an encrypted device in certain circumstances.

A University headed letter, stating that your device is encrypted using commercial encryption software and that the information is normal business information in relation to your role at the University, may be helpful in the event of questioning at border controls. See the example declaration letter at the bottom of this page.

Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: encryption software falls under Category 5 - Part 2 of the 'Dual-Use Goods and Technologies' controls.

Countries which you can freely enter with an encrypted device

Permitted Countries allow individuals to enter them with encrypted devices without the need to seek any licence or permission.

These Permitted Countries grant individuals a personal use exemption to freely enter them with encrypted devices, as long as the individual does not create, enhance, share, sell or otherwise distribute the encryption software during his/her stay in the relevant Permitted Country.

The countries that support the personal use exemption include (at April 2015): Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States.

Note that although the Russian Federation and the Ukraine agreed to many of the Wassenaar Arrangement's provisions, they currently do not permit personal use exemptions.

Remember that although you do not need a licence to take an encrypted device into the Permitted Countries you may still be asked to divulge the contents of your device, by logging in (which may put your username and password at risk) or unencrypting it.

You must assess the risks and consequences of this happening before departure.

See Travelling abroad with University information for more advice.

If in doubt ask IT Services for help.

Countries for which you need permission to enter with an encrypted device

Countries that are not on the list of Permitted Countries will normally only grant import permission on the production of an import licence. You will need to obtain a licence in advance through application to the government of the country in question.

Note that in countries where encryption is controlled you will need a licence irrespective of whether you have implemented encryption.

It is your responsibility to check with the Embassy or Consulate of the country you are intending to visit well in advance of your intended departure. Obtaining an import licence is likely to take longer than obtaining a visa for travel.

If you do not follow the requirements of the destination country you may:

• be prevented from entering the country
• suffer delays in customs
• have your devices confiscated (and possibly not returned): University information and devices would then be at risk
• in extreme cases, face detention or arrest.

You should also assess the risk that in applying for an import licence you may be advertising that you are carrying potentially confidential information on your device and in some countries this may increase the risk that your device may be tampered with.

Travelling with an unencrypted device may be an acceptable alternative in some circumstances.

Please note that even with a licence you may still be asked to divulge the contents of your device, by logging in (which may put your username and password at risk) or unencrypting it. You must assess the risks and consequences of this happening before departure.

See Travelling abroad with University information for more advice.

If in doubt ask  for help.

Declaration Letter

Print out a letter using your University letterhead paper and including the following text:

To whom it may concern,

I, [NAME AND POSITION] of the University of York ("University"), confirm that the bearer of this letter, [NAME], [POSITION], is travelling with a device which has been encrypted with standard freely available commercial encryption software by the University as it contains confidential personal or commercial information relating to the University.

Yours sincerely

[NAME]

Head of Department

University of York

...an unencrypted device

Travelling abroad with an unencrypted device

If in doubt ask for help from IT Services.

An alternative option is to travel with an unencrypted device. This is acceptable if the following two circumstances apply:

• There is no Confidential information held locally on the device. You must be able to answer 'No' to all the following questions:
  • Is the information personal data as defined by the UK GDPR?
  • Is the information classified as Confidential in the University Information Classification and Handling Scheme?
  • Is the information subject to a sponsor's non-disclosure agreement or government security standards that requires encryption?
  • Would the University suffer reputational damage if the information was disclosed or found unprotected?
  • Is the information valuable intellectual property of the University?
• Confidential information is only accessed via the University virtual desktop service (VDS).
  • This allows access to a virtual Windows desktop with no risk of University information being stored on your device accidentally
  • If your device is lost, stolen or confiscated the information cannot be accessed by someone else or lost
  • Use official networks and wifi hotspots (such as the one in your host institution) to reduce the risk of your communications being intercepted (it is still not 100% secure)

You should clear all personal information and unnecessary software and data from your device before travelling. Depending on the country you are travelling to you might:

• back up your device, delete the data stored on it and return it to factory default settings then copy selective information back to the device; you can restore the device on your return
• remove automatic access to your email accounts and document storage apps (eg Google Drive): confidential emails and documents might be shared with you at any time
• consider taking a non-smartphone that will be used only for making calls or a laptop or tablet which has minimal software on it.