Asked what devices faculty and staff should take along on international travels, Andy Weisskopf readily responds "a newspaper and a book."
The ISU information security officer is only half-joking. Crossing international borders with phones, laptops and e-readers is becoming increasingly risky. Electronic devices can be searched, copied or compromised almost anywhere -- at customs, inside locked hotel rooms or wherever there's Wi-Fi.
Such security breaches may have serious consequences for the university and individuals. Research may be stolen or federal export control laws broken. On a personal level, travelers may lose passwords, credit cards and other personal info to identity thieves.
If you plan to travel abroad this summer, for business or pleasure, Weisskopf and Matt House, export control administrator in the office for responsible research, offer these tips for keeping private information safe.
International Travel and Information Technology, Office for Responsible Research
Size up your risk
How likely are you to become the target of sophisticated electronic spying? The measure of risk increases if you're a recognized, published expert in STEM fields such as defense, industry or technology. More risk accrues if you're traveling to a country known for state-sponsored espionage. To protect your information, you'll certainly need to take extra precautions before, during and after travel.
If you don't fit into the above categories, there might not be quite as much interest in the contents of your laptop. The risks exist, however, just on a smaller scale. House puts it this way: "The dangers you'll see going into places like Dublin, Berlin and Ottawa are probably the same dangers you'll find in New York City or Los Angeles. Someone may try to pilfer your data. It just isn't state-sponsored."
Pack as if customs officers will be reading your email
If you're within 100 miles of a U.S/international border, federal customs officials have the right to confiscate and search your electronic devices. This includes phones, laptops, flash drives and e-readers. It's good reason to pare down the information in all devices.
If possible, leave the smart devices at home
Smart phones, tablets and e-readers -- basically any devices with Wi-Fi capability -- pose more risks than other devices. Consider traveling instead with less-capable devices. Old phones or laptops, disposable phones or departmental loaners are good choices.
These devices should be as lean as possible. That means removing everything that isn't essential -- software programs, contacts, phone numbers, documents. Culling confidential and personal information is very hard to do on a folder-by-folder basis. You'll most certainly miss hidden or cached data and passwords. It's best to back up the device (if you want to keep the old info), reformat the hard drive and add back the software and files you'll need for the trip.
House said smart devices pose a special danger to those whose research is subject to federal export controls -- laws designed to keep certain technologies and information from foreign nations. Researchers are well aware that they can't travel with export controlled materials, he said. Yet, the smart phones they carry across borders may contain all the data, logins and passwords spies need to gain access to the controlled data.
Sponsored data must stay home
All data and software that was specifically designed or modified for military or space use cannot be taken out of the United States. Additionally, do not travel with data protected by a nondisclosure agreement. Don't take Iowa State or sponsor-loaned equipment out of the country unless it is critical to your research. And while you’re out of country, never access secure servers or databases that contain sensitive or export-controlled information.
Use flash drives -- but only your own
Flash drives, which are easy to keep with you at all times, are a good alternative to storing data on the laptop. One caution: Don't insert your flash drive into computers other than your own. And don't plug any devices into your computer that you didn't bring with you. Unfortunately, complementary flash drives at conferences should be thrown away.
Encryption is good, but not necessarily secure
While some types of encryption are prohibited under export control laws, commercially available encryption technologies (like Window's BitLocker and Mac's FileVault) are allowed in most countries and are a good way to add extra protection to the contents of laptops and flash drives. However, in some countries you can be compelled to decrypt files and, in a few countries, carrying encrypted devices and files is illegal without a license from their governments.
When possible, stay off the grid
If you don't need access to the Internet, turn off wireless connections in your devices. It's much harder to break into non-networked devices.
Don't trust public Wi-Fi or computers
"The thing you have to be concerned about is there are people who put up Wi-Fi with the intention of intercepting everything you're doing," Weisskopf said.
Assume that any business you conduct over the Internet could be monitored. Don't use public Wi-Fi or shared computers in hotels and public areas to sign into university or personal sites.
If you must sign onto Iowa State sites, use the VPN
To connect to Iowa State sites with your Net-ID, be sure to use the university's virtual privacy network (VPN). Download and install the AnyConnect VPN software prior to traveling.
Get a temporary email account
If possible, remove your regular email accounts from your devices. Set up a temporary account and use that during your trip.
Keep devices with you, always
It's not safe to leave your laptop and other devices in your hotel room. They can be stolen or physically tampered with. Data can be copied. Perhaps worse, they can be infected with spyware that doesn't activate until you're back home. Basically, all your devices -- flash drives, laptops, phones -- should be with you all the time.
Investigate your destination
Know the safety and security concerns for your destination countries. The U.S. State Department website contains up-to-date information.
When you get home, quarantine devices and change passwords
Don't connect your devices to a network until they have been thoroughly inspected by IT staff for malware and viruses. Some malware doesn't activate until it connects to your home network.
Change your passwords for all sites and systems that you accessed while traveling.