Technology Guidelines for International Travelers
Traveling internationally can pose significant risks to information stored on or accessible through the computers, tablets and smartphones that we take with us. Some of the risk comes from increased opportunities for loss or theft of the device, due to more direct physical handling of the equipment by individuals outside the Princeton community and to the distractions of traveling. Our devices are also put at risk because they can only reach the Internet, and ultimately Princeton, through networks that may be managed by commercial or national entities that either do not afford data transmissions an appropriate level of security or that actively monitor and capture network traffic for competitive or malicious purposes.
Princeton’s Office of Information Technology (OIT) is working with members of our campus community and our colleagues at other institutions of higher education, and is reviewing security advisories from the United States government, to develop recommendations for protecting systems and information when traveling.
- No device can be protected against all possible forms of system and information compromise, especially when members of our community travel to countries that are deemed high risk. So, we must assume that any device taken to a high risk country will be compromised in some, potentially undetectable, way. The only truly secure option is to refrain from using digital devices when traveling.
- Information of particular interest to someone intent on compromising your devices not only includes business data but also the traveler’s ID and password that could be used to directly access Princeton’s systems and information resources.
- When a device is compromised, the attacker may install software on the device that could compromise other systems and data on the Princeton network when the traveler reconnects his or her device to our network upon return, unless measures are taken to completely restore the device to its pristine state before the network connection is established.
In response to the above assumptions, our strategy is for international travelers to “travel light”, i.e., limit the amount of sensitive information that is stored on or accessible to any mobile device taken on the trip and to avoid contact with the Princeton network, primarily when traveling to high risk countries. Those traveling to countries that are not in the high risk list should consider applying similar principles to further reduce the risk to University information and systems.
Preparing for your trip
Determine which, if any, of the countries you plan to visit are considered "high risk" destinations
The following list of "high risk" countries is a compilation of information presented on the U.S. State Department's regularly issued "Travel Warnings" and "Travel Alerts" web pages, and from other domestic and international sources in government, higher education and commerce.
List of "high risk" countries (as of October 24, 2013)
Know the sensitivity of the data that you will bring or access during your travels
Assess the sensitivity of the information that you are considering taking on your trip, and limit the sensitive information that you take with you to that for which there is no reasonable business alternative. Examples of data that should be left on campus or afforded exceptional protection include information that might be construed as sensitive by the host government, and information defined as confidential or highly confidential by the University’s Information Security Policy.
Removing unnecessary confidential data from any device that you bring with you reduces the risk of exposure to anyone gaining physical access to the device.
Obtain an external email and network storage account through which you will access your email and data on the trip
Reviewing and sending email, and accessing presentations, spreadsheets and other documents, are often the most common reasons for a traveler logging into the Princeton infrastructure. Each time that you log into Princeton, you increase the risk that your ID and password will be captured and used to compromise Princeton data and systems. Eliminating the need to access Princeton directly reduces the risk of compromise of University data.
Through your support staff, obtain an account for a University-approved third party email and shared drive service. Configure your Princeton email to forward any email messages directed to your Princeton account during your travels to the external email service. Forward any email messages you have stored in your Princeton mailbox that you may need for the trip to the external mailbox and move any other files that you may need for the trip to your external shared drive service. Any external account should have a different ID and password than your Princeton account.
Consider taking a loaner tablet or laptop rather than your University issued or personal device
OIT can provide staff and faculty with a loaner iPad (preferred) or a loaner laptop, allowing you to leave at home the computer and other mobile devices that you use for your regular Princeton-related activities. If you load the loaner device only with systems and information that you need for the trip, you can better gauge and react to the risk associated with your travels. Often, as our regular business computers are used over time, they retain many confidential data files that are no longer necessary, but have since been forgotten and may carry significant risk. Additionally, traveling with limited amounts of data minimizes the possible loss to the University should the device be lost, stolen or compromised through the network.
Consider taking a loaner, simple cell phone for the trip instead of using a smart phone
Smart phones are just small computers that can carry a lot of information about how you access the University's systems and often do not provide a level of protection comparable to larger systems. Simple cell phones are a better choice when traveling to high risk countries. OIT has loaner cell phones available with international plans. Using a simple cell phone eliminates the risk of your phone becoming a back door into Princeton systems. With an international plan in place, the use of simple cell phones can also result in significantly reduced phone charges.
Request the loaner devices you have chosen for your travels
Additional information regarding the University's loaner program and how you can obtain a loaner device can be found at the following web site:
If you would like to obtain a loaner device, a member of your department's technology support team or the OIT Help Desk (8-HELP) can assist you through the process.
Ensure that you are following best practices for protecting your devices and data, starting with a strong password on every device
Review and follow the best practices listed in "The Building Blocks of Safe Computing" website, also available in the form of a printable pamphlet. Understanding and following the best practices presented will help you reduce the risk to the data and devices you are carrying or have access to in your travels.
One of the most fundamental safe computing practices is to ensure that each device with which you travel - laptop, tablet, phone - is protected with a strong password. It is sad to say that it is fairly common for an individual to have a laptop computer that is protected with a strong password and a mobile phone that can access email and other services but has no password protection at all, creating a "back door". "The Building Blocks of Safe Computing" webpage and pamphlet provide tips for creating strong passwords that are easy to remember.
Visit the University's Travel website for information about hardware and software travel restrictions and other valuable information
Knowing the restrictions that countries place on transported hardware and/or software reduces the likelihood of your devices being confiscated or your trip being disrupted. The University's Travel website provides a wealth of legal and technology-related information for the international traveler.
In the hardware and software realm, export and import controls may apply to the hardware and software you may bring along with you. The United States restricts the transporting of certain types of hardware and software products to specific countries (referred to as "export controls"). Many other nations restrict the transporting of certain types of hardware or software into their country (referred to as "import controls").
Note - There are countries into which we cannot bring an encrypted device either due to United States export restrictions or import restrictions imposed by the destination country. Click here for more detailed information about the international export/import of encryption technology.
Things to remember while traveling
Avoid accessing the University directly with your Princeton ID and password
By not logging into Princeton applications while you travel, you eliminate the risk of your ID and password to Princeton being captured and used to compromise Princeton systems. You also reduce the amount of data that is retrievable if your mobile device is lost, stolen or otherwise compromised.
Therefore, keep your direct access to Princeton systems and information to an absolute minimum, preferably zero. Only access email through your external email account. Access the data you need for your trip from the external storage service (e.g., Google Drive). Allow a colleague to add files to your external network drive in case a file was forgotten during preparations.
Note - Using Remote Desktop or equivalent software to access your University desktop or other device from a high risk country should also be avoided as these transmissions may also expose valuable information.
Avoid using public workstations
The security of public workstations, especially in high risk countries, cannot be trusted. When you use a public workstation, anything that you enter into the system - IDs, passwords, data - may be captured and used, so limit your activity to the devices that you bring.
Be aware of your surroundings when logging in or inputting data into your devices
There have been many cases where an ID, password or piece of confidential information has been compromised, not through the use of sophisticated technological techniques, but through mere observation. We have been informed by other higher education institutions that they have experienced numerous data compromises through mere observation.
Be diligent in protecting your devices against theft or loss, but if a theft or loss occurs let Princeton know as soon as possible
Traveling can be fraught with a variety of distractions - going through airport security, finding your way around town, getting used to cultural norms, etc. Unfortunately, most instances when mobile computing devices are lost or stolen occur in the areas where the distractions are the greatest. Recognizing distracting situations and, when they occur, taking extra care to maintain your focus can prevent you from having to take the steps necessary to disable those devices and obtain replacements.
In case a mobile computing device or phone is lost or stolen, contact your Princeton technology support person or the OIT Help Desk at (609) 258-4611.
When you return
Change any passwords you may have used during your travels
When you return from your trip, use a trusted device to change any passwords you may have used during your travels. When traveling, especially in high risk countries, the likelihood that your ID and password will be captured is high. While a password compromise for any length of time can result in financial and reputational loss, limiting the amount of time any captured password is usable provides protection against future attacks.
Restore the software on the systems with which you traveled to trusted versions
We must assume and are advised by national security services that, when our devices connect to a network in a high risk country, there is a high likelihood that the device will be compromised, and may have malicious software installed that can compromise information and other devices on the Princeton network when the device is reconnected to the University's network.
Upon your return, before reconnecting to the Princeton network, erase and wipe the hard drive and other components that store data and software for any device you used during your travels and reimage them with trusted software versions. This is standard practice for loaner devices, and should also be for your Princeton-owned or personally-owned devices.
The U.S. Department of State's Country Specific Information website
Allows a user to specify his or her destination country, for which it provides information such as the location of the U.S. embassy and any consular offices; whether you need a visa; crime and security information; health and medical conditions; drug penalties; and localized hot spots.
The FBI's Travel Tips brochure
Measures that the FBI recommends taking before, during and after traveling internationally in a compact, printable document.
US CERT's Holiday Traveling with Personal Internet-Enabled Devices website
Tips from the US Computer Emergency Readiness Team for protecting your mobile devices when traveling.
Internet 2's Security Tips for Traveling Abroad website
A collection of institutional, governmental and other resources that provide guidelines for secure, international travel.