Protecting data when going abroad

According to a report prepared by the American Civil Liberties Union, travellers must be aware that laptop and other electronic device can be subject to seizure without a legal warrant when crossing into the USA. The devices seized and searched includes laptops, cell phones, cameras, hard drives, flash drives, and even DVDs. Border officials may copy all data from any device, or even confiscate the device. Some key figures:

  • Between October 2008 and June 2010, over 6500 people traveling to and from the United States had their electronic devices searched at the border.
  • Between October 2008 and June 2009, cell phones were the most commonly searched electronic devices, followed by laptops and digital cameras.
  • Between July 2008 and June 2009, border agents transferred data found on travelers' electronic devices to other federal agencies over 280 times. Half of the time, these unnamed agencies asserted an independent basis for retaining or seizing the data.

Other governments may similar policies.

In France, ANSSI, the government service in charge of IT security, has published a document (PDF), providing advice to people travelling abroad. Here is a summary of the relevant bits of the French checklist, as will as some general advice from other sources:

The most important precautions is what you do before setting out on a business trip that requires you to cross the borders of other countries carrying a computer or other digital media:

  1. Review your company's policy about exporting documents.
  2. Review applicable laws of the destination country.
  3. If possible, only carry digital devices dedicated to travel (computers, smartphones, external storage etc. that is not in ordinary use). Make sure that any digital media you're carrying do not contain any data not strictly needed for the trip.
  4. Backup all of your data before leaving and keep the backup in a safe place.
  5. Avoid carrying sensitive data. Instead, use a VPN to access a secured remote directory to retrieve the data securely when arriving at the destination.

Here is what to do if your devices are seized by customs or other government officials:

  1. If you are requested to hand over login credentials or ciphering keys, cooperate immediately. Refusing may lead to legal problems in a foreign jurisdiction, or at least result in your being detained until you cooperate. Border officials have plenty of time, you may not.
  2. If you are made to hand over login credentials or ciphering keys, as soon as you're released, inform your company IT staff and managers so due actions can be taken (revoking corresponding accesses, passwords, certificates, etc.) and discuss the issue with them to determine the way to proceed since the seized then returned devices may be infected with spyware and can no longer be trusted.

During the trip, be aware of the following:

  1. When traveling, apply a distinctive sign/sticker on the computer, suitcase, and accessories to facilitate tracking and avoid any accidental exchange.
  2. Use a screen filter to avoid shoulder surfing during travel.
  3. Never leave your computer or handheld device unattended – not even for a moment.
  4. Always use VPN when you're using WiFi to access the Internet.
  5. When using WiFi, make sure file and printer sharing is turned off. On MS Windows, you can do this by setting the location to “Public Network” when prompted during connection.
  6. Do not plug any digital media (e.g. a USB key or a CD-ROM) you receive from others into your own device before checking it for malware. You should not use this type of digital media to exchange documents or files with people you do not trust.
  7. Do not plug your cellphone into the free public USB or other wired chargers, as these may inject malware into your phone via the wired port.
  8. Border crossings are a two way passage. When preparing for the return trip, ensure that you have properly cleaned you devices. First, upload any data you need to keep to a secured remote directory using VPN. Then, wipe the files from your devices. Delete the browser's history, cache and cookies. Delete temporary files. Delete all call, messages and voicemail history. Delete all information about used networks (WiFi accesses, proxies, etc.).

After you've returned, you should be aware of the following:

  1. If your devices have been seized, in contact with foreign devices such as a USB key or charger, or otherwise out of your control, do not plug them back into your company network unless they has been checked for malware.
  2. Change all passwords you used during the trip.