Mobile Device Security When Traveling or Conducting Field Research
It is important that you keep your personal and university-owned data secure as you travel, both domestically but especially overseas. Individuals, organized crime, and some foreign governments are increasingly aggressive about hacking into or stealing sensitive or proprietary data from mobile devices brought into the country by visiting scholars and researchers. Sensitive data may fall into the wrong hands as a result of your device being hacked into, inspected, confiscated, stolen or lost.
Putting a plan into place for securing your data will help you:
- protect sensitive information about your research subjects
- put proper security controls into place if you are applying for research grant money
- maintain proper security controls for the IRB approval or review process
- protect yourself and the university from liability regarding regulations that cover certain types of research data
- comply with non-disclosure agreements and access restrictions
For questions related to International Trafficking in Arms Regulations (ITAR) and Export Administration Regulations (EAR) compliance, please contact the Office of Research and Sponsored Projects (OSRP).
Faculty, staff, and researchers should be especially careful when accessing sensitive personal or university data when traveling. Extra precautions should be taken when traveling to high-risk locations, such as China. U-M employees should always start by securing their device using the general security tips provided in Protect U-M Data and Protect Personal Devices & Data. You can minimize the risk to loss or theft of the data on your mobile devices by taking some additional specific actions before, during, and after your trip, as specified here.
Before You Travel
- Submit travel information on U-M Travel Registry. University faculty, staff, and students are required to register their international travel plans when traveling for university-related purposes.
- If it's not necessary, don't travel with it.
- Ask your IT department for a loaner laptop. In preparation for travel, limit data on the loaner laptop to only that which is essential for the purpose of your travel engagement.
- Leave behind any devices or media that are not absolutely necessary.
- Do not save sensitive personal information like credit card numbers, passport information, or social security numbers on your device.
- If traveling to embargoed countries, leave MTokens behind (see below).
- Follow Export Control Regulations. According to Federal export control regulations, MTokens may not be transported or sent to embargoed nations identified by the Federal government.
- The following nations are on the embargoed list as of December 2013:
- Cuba, Iran, North Korea, Syria, Sudan
- For general questions about export control regulations, see the ORSP FAQ.
- If you have specific questions or need additional information, please contact the Office of Research and Sponsored Projects (ORSP) at email@example.com or 734-764-5500 and ask to be connected with the Export Compliance Officer.
- Inventory your data. It is important that you have an inventory of the data you are traveling with if your device is lost or stolen.
- Securely back up data stored on your device(s) or media. Backed up data should be stored onto media that will not be taken on the trip.
- Secure your device, as indicated in Protect Personal Devices & Data. Additional reminders for securing your device for travel include:
- Download and use the university's VPN client. The VPN provides an encrypted network for all network-computing needs. Test the VPN, and verify that you are familiar with how to use it.
- Disable Bluetooth
- Disable file and printer sharing
- Install a host-based firewall, and configure it to deny all inbound connections
- Be sure that all software is patched and updated, including the operating system, applications, and anti-virus software
- Run a full scan for malware, using anti-virus and anti-spyware tools. This serves as a baseline, ensuring that the system is clean of detectable malware prior to travel.
While You Are Traveling
- Use the U-M VPN for the most secure Internet connection whenever possible.
- Avoid using free wireless services.
- Assume that any computer network you use is insecure, including those of friends you are staying with, in business centers, at cyber-cafes, or in libraries.
- Never enter or access sensitive data when using a shared or public computer.
- Never accept software updates on hotel Internet connections or other public Wi-Fi. See related FBI advisory.
- Be aware that governments in some countries may copy data from your computer and/or log your Internet activity without your knowledge or consent. See Computing Guidelines for Traveling to High-Risk Locations for more information.
- Always use screen lockout when not using your device.
- On a Windows system, press Control-Alt-Delete and select Lock Computer from the list of options. When you return, you can unlock the computer with your login name and password.
- On a Macintosh OS X system, in the Security section of the System Preferences panel, select the check box beside "Require password to wake this computer from sleep or screen saver." Then go to the Desktop and Screen Saver section of the System and Preferences panel and turn on a screen saver.
- Keep your device with you, and physically secured
- To the extent possible, keep your devices close rather than leaving them behind in hotel rooms.
- Be discreet. For example, if possible, do not use an obvious laptop storage bag, as these may make you a more obvious target.
- Report an IT Security Incident if your device is lost or stolen.
- U-M faculty, staff, and researchers traveling abroad are required to immediately (or as soon as feasible) report suspected or actual breaches or compromises of sensitive university data. This includes incidents that involve loss, theft, or breach of personally owned devices that store or handle sensitive data.
- Contact local authorities to report the loss or theft.
- Contact the IT Service Center for assistance in changing your passwords.
When You Get Back
- Change your UMICH password immediately upon your return.
- Scan and clean your device. Run a full in-depth scan for malware, using anti-virus and anti-spyware tools. If any malware infections are detected, follow the remediation steps recommended by the antivirus tool.
Related Policies and Standards