Traveling Internationally with Technology

Oklahoma State University has instituted several practices to remain in compliance with government regulations on foreign travel, exports of controlled equipment, technical data, software, and technology. All faculty, staff, and students are required to follow these policies, laws, and regulations when working in, or traveling to, a foreign country. International travel for university related activities requires registration through OSU Global.

Any travel involving embargoed and/or highly sanctioned countries and regions is subject to the Department of Treasury, Office of Foreign Assets Control (OFAC) regulations and may require a license from the U.S. government. OFAC and other regulations apply to U.S. citizens and permanent residents wherever located, foreign nationals located inside the United States, and entities organized under the laws of the United States. Individuals with dual U.S. citizenship are considered “U.S. persons”. Always visit the Embargoed and Sanctioned Countries page for more detailed information prior to traveling. Other U.S. government jurisdictions may also have regulations concerning hand carrying and/or shipping certain items, software, technology, information, and/or data.

When presenting at a conference, only publicly available information or published information can be shared. If the presentation includes any data, technical data, or information that is confidential in nature or not for public dissemination, a license from the Federal Government may be required. Contact the Research Security Office (RSO) prior to the conference taking place.

Always consult the Research Security Office (RSO) before planning travel to or engaging with individuals in anEmbargoed and/or Sanctioned Country.

Guidelines and Advice When Traveling to a Foreign Country

Export controlled data or technology is not to be accessed while traveling without an export license or other government authorization obtained through the University’s Research Security Office in advance of travel.

Always follow these tips when traveling to a foreign country or any high-risk country with a laptop, tablet, cell/smartphone, smartwatch, PDA and/or any other computing device:

• Before Traveling

  • It is recommended that a backup of any device you take with you be made before you travel. For example, if you are obligated to obtain a SIM card for the country you are visiting in order to utilize your device, it is recommended that you do a device reset to factory default settings when you return to ensure that the device has not been contaminated with spyware, malware, or other malicious code.

  • If you must take any University owned computing devices to CHINA (INCLUDING HONG KONG), RUSSIA, OR VENEZUELA, an EEI filing must be completed through the Research Security Office for all University owned computing devices that are shipped, hand carried, or in any way destined to these countries. PLEASE NOTE, If the computing device is controlled, an export license is also required.

  • University equipment, technology, controlled-computing devices or technical information CANNOT be taken to any country that appears on the U.S. Department of Defense list of proscribed countries (which includes China), nor may any export-controlled data be accessed from within those countries.

  • When possible, use your computing device through your cellphone’s mobile hotspot. If your current data plan has usage restrictions, many mobile carriers offer temporary unlimited data options that can be added to your account during travel.

  • Export Controlled items, technical data, and/or technology cannot be shipped, or hand carried when traveling internationally without applicable licenses and prior approval from the Research Security Office.

  • Less is best. Take the least amount of information and data and the fewest devices possible.

  • If it is absolutely necessary to have computing devices, contact Research Information Technology Security at research-security@okstate.edu for a loaner laptop if traveling to any high-risk country.

  • Sanitize your devices to clear them of documents or media that could be perceived as provocative or inflammatory by certain governments.
  • Install updates to your software and operating systems to prevent cyber criminals from exploiting known bugs.
  • Ensure that your passwords are strong, complex, and unique.
  • Enable 2-step verification on your personal accounts, if available. Note: Duo—the third-party tool that OSU uses for 2-step verification—blocks authentications from OFAC-sanctioned countries and regions.
  • Download and set up device managers like Find my iPhone/iPad/Mac and Find My Device (for Android) to locate your device if lost or stolen and erase it remotely if needed.
  • Take your own charging cables.
  • Create a full backup of the device, media, and any data before traveling to a device you will leave at home in case the device is lost, stolen, seized or destroyed.
  • Be sure to clean out your purse or wallet, particularly if you normally carry notes about various accounts or passwords.
• During Travel

  • U.S. travelers are believed to be priority targets for cyber-attack and monitoring/surveillance, particularly if they are known to be engaged in classified or proprietary research in a STEM (science, technology, engineering and mathematics) discipline. Institutional leaders, those who are politically or religiously active, fluent speakers of the local language and individual tourists may also be actively targeted; however, all Americans should assume that they are potentially at risk if traveling to China and other countries of concern.

  • The FBI advises to avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. Do not use USB-based public battery charging stations; the USB interface to your device may allow the charging station to do more than just supply power.

  • If you find yourself without your own charging cable and must charge your device, use a "data blocker" https://a.co/d/fDVhETJ that gets put in line with the USB cable in the event you have to use a charger that it is not yours or was purchased internationally.

  • Export-controlled data or technology cannot be accessed while traveling without an export license or other government authorization.

  • Information that is not published nor publicly available should never be shared with any individuals who are not part of the project team.

  • DO NOT travel with encrypted devices to China unless you have advance approval from China. China severely restricts the import of unapproved encryption. If you attempt to cross the border with an encrypted device, you may be asked for the decryption key, your device may be confiscated, and your risk the possibility of being prosecuted or falsely imprisoned. A permit issued by the Beijing Office of State Encryption Administrative Bureau is required*.

  • Because encryption products can be used for illegal purposes, including terrorist activity, the United States and many of the countries that you may visit may ban or severely regulate the import, export and use of encryption products. So, taking your laptop with encryption software to certain countries without proper authorization could violate U.S. export law or the import regulations of the country to which you are traveling, and could result in your laptop to be confiscated, in fines or in other penalties*.

  • A group of nations negotiated a set of rules attempting to facilitate traveling with encryption software known as the "Wassenaar Arrangement. "One of its provisions allows a traveler to freely enter a participating country with an encrypted device under a "personal use exemption" as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting. Click here to view the countries that support the personal use exemption.

  • Set Up an Email Forward Before You Leave - You may wish to set up an automatic forward so all of your OSU emails are sent to a second email address that you can more easily access in China (currently, it appears that most email services except Gmail are accessible, such as Yahoo and Hotmail). Make sure to regularly check the spam folder on your second email account as some email providers route forwarded messages there.

  • Turn off Wi-Fi and Bluetooth when not in use.

  • Only connect to trusted networks and turn off “connect automatically.”

  • Use the VPN when connecting to Wi-Fi or wired network.

  • Do not use public charging stations.

  • Do not put your computing devices in a checked bag or leave it unattended.

  • Hotel safes are not safe.

  • Be aware of your surroundings.

  • Make sure several people have your travel itinerary and know how to get in touch with you.

  • Enroll in the US State Department Smart Travel Enrollment Program (STEP) which notifies the nearest U.S. Embassy or Consulate of your travel plans. This allows you to receive vital information from the U.S. Embassy in China and connects you with the embassy in case of an emergency. It also allows you to report any suspicious incidents you experience to them. Nationals of other countries should investigate if their home countries provide similar services.
    

  • While abroad, register with the nearest U.S. Embassy or Consulate and please report any suspicious incidents you experience to them.

  • When presenting at a conference, only publicly available information or published information can be shared. If the presentation includes any data, technical data, or information that is confidential in nature or not for public dissemination, a license from the Federal Government may be required.

  • When taking your own technology to China, please be aware of the security risks to you and the networks you may access while traveling. Additionally, returning home with technology such as a laptop, tablet, cell/smartphone, smartwatch, PDA or any other computing device and reconnecting to your home or work networks opens a broader community to risks (such as computer viruses) that can be avoided. Be aware that standard antivirus software may not detect when a device has been compromised.

  • If you absolutely cannot travel without personal technology, consider buying a low-tech laptop and/or cell phone you can use and dispose of before leaving China or immediately upon your return to the United States. Never connect that device to your home or work networks.

  • If you are travelling without your own laptop, you may be tempted to use a computer in a cyber cafe or hotel business center; however, those systems have a very high probability of being infected with malware (which may capture anything you type, including your username, password, credit card information, etc.), or of being routinely and actively monitored by national authorities. Therefore, never use shared computers in cyber cafes or hotel business centers, or systems belonging to other travelers, colleagues, or friends.

  • If you are absolutely unable to be offline for the duration of your travel, do not take your normal day-to-day devices with you. Use a new temporary device, such as an inexpensive new laptop or a throw-away prepaid cell phone purchased just for that trip, instead. Be sure that any such new system is fully patched, and has strong security software installed, but otherwise minimize what it contains, and while abroad, minimize your use of that system. Ensure it requires a long/complex password for access, and keep it completely off (not just sleeping or hibernating) when you’re not actively using it, and keep it in your physical possession at all times. Assume anything you do on that system, particularly over the Internet, will be intercepted (in some cases, encrypted network traffic may be decrypted).

  • Tape-over, block, or obscure integrated cameras on the device.

  • Physically disconnect or disable integrated microphones on the device.

  • Install a privacy screen on the device to discourage so-called “shoulder surfing” where someone can easily read an unprotected screen “over your shoulder.”

  • Disable all file sharing.

  • Disable all unnecessary network protocols (such as Wi-Fi, Bluetooth or infrared).

  • Do not travel with unneeded door keys, smart cards, USB format PKI hard tokens, one time password crypto fobs, and similar access control devices.

  • If traveling with RFID cards (including U.S. Government Nexus “trusted traveler” cards), they should be carried inside an RF-shielded cover.

  • If you need to send or receive email while traveling, consider creating a temporary “throw away” account on Yahoo or a similar service before you travel.

  • Do not send any sensitive messages via email.

  • Avoid making or receiving voice calls, using voice mail, using IM or SMS, or sending or receiving faxes while traveling

  • If you don’t want to be geographically tracked, or you’re trying to have a confidential, in-person conversation, batteries must be removed from cell phones. Even powered-off cell phones may be able to be turned into surreptitious monitoring and geolocation devices.

  • Any/all CDs, DVDs, thumb drives, attachments, links and “QR” cell phone bar codes obtained while traveling should be considered potentially hostile and infected with malware.

  • Do not buy new hardware while traveling that you intend to use upon return.

  • Do not buy or download any new software while traveling.

  • Do not have any of your electronic devices “repaired” or “worked-on” while traveling.

  • Any discarded items (such as notes, documents, diskettes/CDs/DVDs) may be retrieved, analyzed and potentially exploited.

  • So-called censorship circumvention tools (including Tor) may be blocked or supply imperfect anonymity; the use of such tools may attract official attention and result in you being investigated and punished or expelled.

  • Guides, drivers, and interpreters may report on your activities.

  • Beware of attempts to put you in embarrassing or compromising positions while traveling. You may be targeted for eventual extortion.

  • If arrested, taken into custody, or interrogated, do not make any statements or sign any documents, particularly if they are written in a language you don’t know. If you are a U.S. citizen, ask to have the U.S. Embassy or Consulate notified of your detention at once and to speak to a U.S. consular officer.

  • We recommend you follow all federal laws and regulations and encourage filing any required documentation and ensure an export control license is requested if applicable for any personal device. More information for personal travel recommendations may be found at the U.S. Department of Commerce Census Bureau and Export Administration Regulations.

• Upon Returning to the U.S. from traveling

  • Immediately discontinue all use of that temporary system, and have it reviewed for indications that it may have been compromised abroad.

  • Do not connect any USB, external device, click on links or cell phone/PDA’s QR bar codes obtained abroad.

  • Run antivirus software to scan your device for malware and follow the instructions to correct any issues.

  • Reset and change all passwords for all accounts you may have used abroad offline or through Wi-Fi and unsecured guest network including hotel, universities, organizations, public places, and even “private” networks from friends or colleagues.

  • The system should then be sanitized and disposed of immediately.

  • If University owned equipment, any loaner equipment provided must be returned to the Research Information Technology Security area.

Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license:

• Belarus

  A license issued by the Belarus Ministry of Foreign Affairs or the State Center for
  Information Security of the Security Council is required.

• Burma (Myanmar)

  A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.

• China

  A permit issued by the Beijing Office of State Encryption Administrative Bureau is required.

• Hungary

  An International Import Certificate is required. Contact the U.S. State Department for further information.

• Iran

  A license issued by Iran's Supreme Council for Cultural Revolution is required.

• Israel

  A license from the Director-General of the Ministry of Defense is required.

• Kazakhstan

  A license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.

• Moldova

  A license issued by Moldova's Ministry of National Security is required.

• Morocco

  A license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.

• Russia
  Licenses issued by both the Federal Security Service (FSB) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
• Saudi Arabia
  It has been reported that the use of encryption is generally banned, but research has provided inconsistent information. Contact the U.S. State Department for further information.
• Tunisia
  A license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.
• Ukraine
  A license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.

The Department of Commerce’s Export Administration Regulations forbids the export of any encrypted device to any of the 5 countries listed below.

• Cuba
• Iran
• North Korea
• Sudan
• Syria