Foreign Travel with Computers & Other Electronic Devices
Anytime we travel with computers and other electronic devices, whether domestic or abroad, the threat of a cyber security attack increases. International travel also raises unique export compliance risks associated with such devices. Most of the time, if you're traveling to another country with a university-owned laptop, containing typical office productivity software, you will probably not need an export license as long as the equipment is always under your immediate effective control and returns to the U.S. within a year. However, you should check with the System Export Control Office for further advice if you are traveling to an embargoed country; or you have a non-retail-grade encryption software installed; or the device includes EAR- or ITAR-controlled technical data; or the hardware that is unusually sophisticated.
Traveling outside the U.S. with laptops, tablets, smart phones or storage devices involves special considerations and may require an export license:
- Hardware. Generally speaking, computer hardware is not subject to tight restrictions, as long as the hardware returns to the US. However, there are limitations on "high performance" computers exported to embargoed countries.
- Software. Most commercial and public domain software is often already licensed for export—this can be confirmed by checking with the vendor (e.g., www.microsoft.com/exporting/). The most significant restrictions pertain to encryption software. Commercially-available software (including the VPN software provided by your institution) can be installed on devices that otherwise qualify for the exemptions listed below. Non-commercial encryption software in source code or object code is likely to be restricted; please check with the System Export Control Office (605-394-1687) if you have questions.
- Controlled data. If you are working on a project that involves EAR or ITAR controlled technologies, your device may contain controlled technical data that cannot be shared with foreign parties without a license. It is strongly recommended that you not take a device with such data outside the U.S. If you do, it is critical that you inform the System Export Control Office if such data may have been compromised while traveling due to the device being lost, stolen, or outside your control.
- Other private data. Aside from export control laws, University policies regarding protection of student, financial, and HIPAA-controlled data recommend that such data not be stored on devices taken outside the U.S.
If the computer or other equipment is owned by the university, the equipment as well as any pre-loaded encryption software may be eligible for License Exception TMP (Temporary Exports). To qualify for this exception, the equipment:
- Must be a "tool of the trade"
- Must remain under your "effective control" while overseas. This means that it must remain in your personal possession or in a locked hotel safe (a locked hotel room is not sufficient) at all times.
- Must be returned to the U.S. (or destroyed) within 12 months.
- May not be taken to embargoed countries
If you personally own the equipment, it may qualify for License Exception BAG (Baggage). To qualify for this exception, the equipment and pre-loaded encryption software must be for your personal use in private or professional activities. "Strong" encryption software may also qualify for this exception, unless the travel (or traveler) involves embargoed countries.
You should not take with you ANY of the following without first obtaining advice:
- Data or information received under an obligation of confidentiality or is otherwise classified.
- Data or analyses that result from a project for which there are contractual constraints on the dissemination of the research results.
- Computer software received with restrictions on export to or on access by foreign nationals.
- Devices or equipment received with restrictions on export to or on access by foreign nationals.
- Private information about research subjects.
- Devices, systems or software that was specifically designed or modified for military or space applications.
Beyond export laws and regulations, you should also be aware that traveling with electronic devices may result in unexpected disclosure of personal information. Certain countries are known for accessing files upon entry, so you should be extremely careful about any proprietary, patentable, or sensitive information that may be stored on your device. (For certain countries, this includes material that might be perceived as graphic or culturally inappropriate.) Homeland Security personnel may also decide to inspect your laptop upon return to the U.S., in which case everything on the device is subject to inspection. In the United States, the inspectors may take possession of those items for various periods of time, and even permanently depending upon the circumstances. The inspectors in other countries might do so as well. You should be wary about including on a laptop that you take overseas any financial or other personal information that you would not want viewed without your permission.
If your university-owned device contains controlled software or sensitive data—particularly data that may be controlled under ITAR or EAR regulations—we strongly recommend that you do not travel with it, especially internationally. If a laptop is to be used only for making presentations, consider taking a memory stick or storing the presentation on a cloud-based server instead. If you are using a laptop for other purposes (such as email), you can perhaps instead take a "clean" computer that does not include the restricted software, data, or other sensitive information.
Note Regarding E-mail
Technical data—including technical discussions about controlled technology projects—should not be transmitted, discussed or attached in email, whether international or domestic. If you have a mission-critical need to share information with your approved project team members, you should consult with your campus Information Security Office about the possibility of special arrangements.
Note Regarding Encryption
Encrypting your files, or the complete hard disk, is generally considered a best practice for data security. However, doing so when travelling internationally can create an additional set of issues. Some countries restrict the import of encrypted devices, and U.S. regulations prohibit the export of an encrypted device to embargoed countries. That is another reason to consider travelling with a "clean" device with only minimal software and no restricted data.
NOTE: As of March 2017, the Department of Homeland Security requires all passengers traveling on direct flights to the United States from 10 select airports to store all personal electronic devices (PEDs) larger than cell or smart phones in checked baggage. Items such as laptops, iPads, and cameras will not be allowed in carry-on luggage.
If you have questions, please check with Katie Ludvigson, System Export Controls Officer, 605-394-1687, firstname.lastname@example.org.
* Embargoed countries with restrictions on encryption currently include Cuba, Syria, Sudan, North Korea and Iran. Check with the Department of Treasury Office of Foreign Assets Control for the most up-to-date information.
See http://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-faqs for more information on encryption.