By Christopher Penido
November 6, 2012
Checklists are often useful when planning for a trip. They can keep you from finding yourself at the airport counter without your passport or at a hotel with an incompatible cell phone charger. But while travelers are mostly worried about what physically goes into their luggage and carry-ons, most don’t give the proper attention to preparing their electronic devices for travel.
International travelers are, no doubt, accustomed to having their luggage inspected at border crossings. What many are unfamiliar with, however, is how customs inspections relate to electronic devices and the data stored on them. Due to recent federal court decisions, the U.S. Department of Homeland Security has been granted broad latitude in conducting warrantless and suspicionless searches and seizures of electronic devices at U.S. ports of entry.
According to the American Civil Liberties Union, more than 6,600 electronic devices were seized and inspected at U.S. ports of entry between October 2008 and June 2010, and in some cases, confiscated by the government. These devices included personal and business laptops, smart phones, tablets, SD cards, MP3 players, and digital cameras, among others. In some cases, the content of these devices was searched and copied before the devices were returned to their owners.
It should be noted that the risk of having your electronics seized at a U.S. border is relatively low (roughly 1 out of 90,000 travelers are selected for secondary screening, and from that group, an even smaller fraction have their devices inspected). What is of greater concern, though, are the required inspections at borders in foreign countries and territories, where the laws often differ starkly from those in the U.S. and where non-citizens may have fewer rights to contest such activities. Know your rights and proceed with caution if you should find yourself in this situation.
Because of the potential problems that can arise at the border, it is highly recommended that NYU employees not travel with work-related materials on electronic devices. If you need to work while traveling, request a “loaner” laptop or mobile device from your department. The device should be scrubbed of all data and store only the software and services that you will absolutely need to work while traveling. If your department does not have loaner devices available, you should consider preparing your device(s) in advance.
Start by securing your device(s) using NYU’s general security tips for computers and mobile devices. In cases where you need access to “confidential” or “protected” data, as defined by the University’s Data Classification Table, consider storing and accessing it remotely on departmental file servers: Webspace, Files 2.0, or NYU Docs/Drive. This preventive step greatly mitigates the resultant risk if sensitive data falls into the wrong hands as a result of your device being inspected or going missing. As a general rule, “restricted” data should never be stored on any paper, removable media, or electronic device.
Encrypting data on your computer – be it files, volumes, or the entire hard drive – is an added layer of protection in the event of loss or theft. You can easily encrypt computers (using PGP, TrueCrypt, or native built-in solutions for Windows and OS X), smart phones and tablets (see the “Enable Encryption” section for your device on the Secure Your Smart Phone web page). Note that certain countries, such as Russia and China, have laws forbidding encrypted devices and content from entering their countries without prior government approval, so proceed with caution and research your destination’s electronic laws prior to taking steps to encrypt your device.
Travelers often neglect to make sure that their electronic devices, including any software and data (pictures, music, movies, documents, etc.) they contain, are legally permitted in the country they are entering. Some nations have laws forbidding certain materials from crossing their borders, which can result in fines or possibly even imprisonment and seizure of goods. For example, Russia places restrictions on the use of GPS technology. You should check with the U.S. Department of State travel website and familiarize yourself with the laws of your destination country prior to departure.
Another wise precaution when traveling is to share your itinerary with your coworkers and close relatives so that they can monitor your travel and be ready to assist you in the event of an emergency. To facilitate this, the University has created NYU Traveler, a website where you can not only book your rail, airfare, hotel, and car reservations, but also record your itinerary in order to receive up-to-the-minute information about potential threats to your safety during your travels. In addition to allowing the University to contact you in order to render aid in the event of an emergency, NYU Traveler allows you to share your itineraries with colleagues and family.
You should also consider the security of devices left in your hotel room. While a hotel safe is provided for you to store valuables and electronics, keep in mind that hotel staff still have access to that safe. Therefore, hotel safes should not be considered entirely secure. In addition, the moment you step out of your room, any individual that can gain entry to your room can gain access to your unsecured electronics and copy their contents without leaving a trace. This is why prior to leaving your devices unguarded, you should immediately and securely delete any sensitive data you may have downloaded onto your device since embarking on your trip.
If you have access to mobile data while abroad, either using your home nation’s cellular international data services or by popping a pre-paid SIM card into an unlocked phone or tablet, remember that foreign networks could also pose risks to your devices and data. In some countries, cell phone carriers work very closely with the intelligence branches of the local government; there have been reports of electronic wiretapping of mobile networks.
Over the last five years, there have also been several reports of cellular service providers attempting to surreptitiously install spyware onto clients’ mobile devices by tricking users into installing necessary “updates.” In these cases, smart phone users were prompted to install an “important update” in order to continue using the cellular network. Once installed, this malicious piece of software (i.e., malware) began to copy the contents of the device, such as e-mails, text messages, notes, passwords, and keystrokes, and then send them to a remote server. This issue came to light when certain cellular carriers in the Middle East and Asia used this method on BlackBerry users. Since data transmitted from BlackBerry devices is normally encrypted, this attack allowed cellular carriers to copy that data before it was encrypted.
For security reasons, it’s best to avoid installing cellular network updates while traveling. When updating your smart phone with the latest security patches, do so from a secure, trusted network (preferably prior to departure in your home country). Moreover, it’s safer not to use foreign networks, whether fixed or wireless, for transmitting any sensitive information without first considering alternative means of communication or, at the very least, taking the extra step to better secure the network connection using a VPN.
After reading all of these warnings, you might feel compelled to not take anything that uses a battery on your next trip. Though it would certainly be possible, the reality is that we need our gadgets to make it through the day in today’s global, networked world. So next time you travel, before you finish jumping up and down on your luggage trying to close the zipper, we suggest you review our handy checklist on securing your electronic devices (see sidebar: "Secure Traveling Checklist").
Christopher Penido is a Network Security Analyst in ITS Technology Security Services. He specializes in security awareness training for NYU employees and students. He has an especially strong interest in mobile device security and global information security policies.
Editor's note: The content in this article is provided for informational purposes only and does not constitute legal advice. The author accepts no liability for the content or for the consequences of any actions taken on the basis of the information provided.