Skip over navigation

Data encryption

Encryption is a method of protecting data by converting it to a format that is unreadable by anyone except those with a special key. If sensitive or confidential information is exposed to unauthorized individuals, it is costly for both the University and for anyone whose identity may be stolen as a result of unauthorized access. Encryption plays a key role in our overall strategy for reducing this risk.

While using your computer, encryption software is as invisible as antivirus software. The technology has come a long way to ensure that you are not slowed down nor affected by its presence as you work.  The peace of mind that your data is protected is well worth the twenty minutes it takes to install it!

What types of data need to be encrypted?

By University policy, if a computer or mobile device stores any of the following information, that information must be stored on the device's hard drive in an encrypted manner using a product approved by the University's IT Security Officer:

  • Information protected by general privacy laws about you or anyone else, also known as personally identifiable information or "PII".  PII includes Social Security Numbers, other national IDs, dates or places or birth, mothers' maiden names, credit card numbers, banking or investment account numbers, driver’s license numbers, health insurance policy IDs, passport and visa numbers, tax information, and any other identifying code that can be used for identity theft purposes. 

    NOTE - If a device (institutional OR personal) with University-entrusted PII is lost or stolen, the University must determine whose information is on the device and, for each individual, his or her permanent state/country of residence.  The privacy laws in each state/country of residence may require the University to notify the state's/country's affected residents and, in some cases, to notify other parties (e.g., the Attorney General, the press) and/or to provide credit protection.  However, most privacy laws waive or reduce these obligations, if it can be proven that the PII on the lost or stolen device is encrypted.
     
  • Additional student information, e.g., student admission applications and supporting documents, student grading information, student dissertations, reader’s reports, student financial support documents, student health records, disciplinary information.
  • Additional faculty/staff information:  e.g., University and employee ID numbers, CVs, resumes, employment applications, personnel files, performance reviews, benefits information, salary,  personal contact information.
  • Alumni and donor contact information and non-public gift amounts
  • Applications for employment (hired or not hired)
  • Protected research
  • Information covered by non-disclosure agreements
  • Princeton internal memos and e-mail
  • Completed Princeton forms, e.g., travel and expense documents
  • Privileged attorney-client communications
  • Digital copies of signatures
  • Non-public University business documents, e.g., contracts, reports, budgets, plans, financial information, policies and procedure manuals
  • Any data obtained through a University or departmental system that requires an ID and password for access

 

Encryption and international travel

May I take my encrypted laptop when traveling internationally?

It depends.  Because encryption products can be used for illegal purposes, including terrorist activity, the United States and many of the countries that you may visit may ban or severely regulate the import, export and use of encryption products.  So, taking your laptop with encryption software to certain countries without proper authorization could violate U.S. export law or the import regulations of the country to which you are traveling, and could result in your laptop to be confiscated, in fines or in other penalties.

Over the past fifteen years, a group of nations negotiated a set of rules attempting to facilitate traveling with encryption software known as the "Wassenaar Arrangement."  One of its provisions allows a traveler to freely enter a participating country with an encrypted device under a "personal use exemption" as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting. 

The countries that support the personal use exemption include:  Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.

Although the Russian Federation and the Ukraine agreed to many of the Wassenaar Arrangement's provisions, they currently do not permit personal use exemptions.

What U.S. export regulations do I need to satisfy when leaving the country with my encrypted laptop?

The encryption functionality within McAfee's Data Protection Suite, has been granted an “ENC/Unrestricted” license exception with the U.S. Department of Commerce. 

This exception allows us to transport or ship a University-owned or personally-owned computer that has one of our approved encryption products installed to any country as long as the computer remains under our effective control, EXCEPT for the following countries defined in the Department of Commerce’s Export Administration Regulations:

  • Cuba,
  • Iran,
  • North Korea,
  • Sudan, and
  • Syria.

If you must travel to one of the five embargoed countries, you may be able to obtain the appropriate export license, but the process can take, on average, a ninety days for review.  The Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within Dept. of Treasury accept applications for licenses to export encryption products and technologies.

If you cannot obtain an export license, see the section below entitled "What can I do if I cannot satisfy encryption export or import control requirements?"

What countries have encryption import and use restrictions and how can I obtain an import license?

The following nations, including two Wassenaar signatories indicated by an asterisk (*), do not recognize a "personal use exemption".  Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license:

  • Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
  • Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable. Contact the US State Department for further information.
  • China - a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. You can either apply for the permit on your own, or contact our McAfee authorized distributor.
  • Hungary - an International Import Certificate is required. Contact the US State Department for further information.
  • Iran - a license issued by Iran's Supreme Council for Cultural Revolution is required.
  • Israel - a license from the Director-General of the Ministry of Defense is required.  For information regarding applicable laws, policies and forms, please visit the following website: http://www.mod.gov.il/pages/encryption/preface.asp.
  • Kazakhstan - a license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.
  • Moldova - a license issued by Moldova's Ministry of National Security is required
  • Morocco - a license is required, but licensing regime documentation is unavailable. Contact the US State Department for further information.
  • *Russia - licenses issued by both the Federal Security Service (Federal'naya Sluzhba Bezopasnosti - "FSB") and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia. 
  • Saudi Arabia  - it has been reported that the use of encryption is generally banned, but research has provided inconsistent information.  Contact the US State Department for further information.
  • Tunisia - a license isued by Tunisia's National Agency for Electronic Certification (ANCE) is required. 
  • *Ukraine - a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.

Since laws can change at any time, please check with the US State Department before travelling internationally to ensure that you have the most up-to-date information.  Additional information about international encryption controls can be found at the following websites:

http://rechten.uvt.nl/koops/cryptolaw/index.htm

http://www.wassenaar.org/introduction/index.html

What can I do if I cannot satisfy encryption export or import control requirements?

If you are not able to meet the import or export requirements for a country you are about to visit, we recommend one of the following two options:

  • If you are a member of the University's faculty or staff, you can request a "loaner laptop" from OIT.  A loaner laptop is a computer that is preloaded with standard University software, but does not contain data that could put the University at risk if the laptop is lost or stolen.  Click here for more information about the laptop loaner program.
  • Remove the encryption software from your laptop prior to traveling.  PLEASE NOTE - If you choose this option, your laptop must be scanned by a member of OIT or your support staff to ensure that no confidential or highly confidential University information resides on the laptop's hard drive.  Any confidential or highly confidential information found on your laptop must be removed before your hard drive is decrypted per the University's Information Security Policy.

 

Frequently asked questions

Who will install encryption software on my computer?

An OIT representative or your local departmental support representative must install laptop encryption.  Contact your local department support representative or the OIT Help Desk at 8-4357(HELP) to request encryption.

What changes will I see after encryption software is installed?

Nothing! After encryption software has been installed, you will log into your laptop with your NetID and password as before.

How much power and memory will encryption take while I am working?

Once the initial process of encrypting your hard drive is complete the impact of the encryption software is negligible.

Does the software encrypt as I type or when I click "Save"?

As soon as a new file is opened for creation, the encryption process begins because the entire hard drive is encrypted. This happens before the application does a “save” of the file.

What types of files will be encrypted?

Your entire local hard disk is encrypted – even unused, empty space. This means that while the operating system accesses any local files (reads/writes) those files are always in an encrypted state. If files are copied, moved, or backed up to network storage they are automatically decrypted as they are copied, moved or backed up. All local files are encrypted – text files, an access database file, a local SQL/Mysql/Oracle database file – all files!

Will people be able to read my e-mail attachments?

Yes. Attachments are encrypted when they are stored on your local hard drive. However once the file is attached to an e-mail it becomes decrypted (within the e-mail). This means the recipient will be able to open the file. The original attached local file is still encrypted.

What if I need the encryption software removed?

If a machine needed to be un-encrypted, please contact your local department support representative who will ensure the encryption is done properly according to standard procedures.

Will local databases (Oracle/Access) be encrypted?

Yes, as long as the file is located on the hard disk that is encrypted. If the file is located on a network database server, then NO. Database files that are encrypted and then moved to a network database server are decrypted as they are moved off the machine. There is no impact to files/tools used to run scripts (e.g. cognos, .cpg files)