Mobile Device Security When Traveling or Conducting Field Research
Protect your devices and data when you are away from home on personal or university business. This prevents sensitive data from falling into the wrong hands as a result of your device being hacked into, inspected, confiscated, stolen or lost. It also helps you comply with regulations that cover certain types of research and other sensitive data.
Faculty, staff, and researchers should be especially careful when accessing sensitive university data when traveling. Extra precautions should be taken when traveling to high-risk locations. U-M employees should always start by securing their device using the general security tips provided in Protect U-M Data and Protect Personal Devices & Data. You can minimize the risk to data by taking some additional specific actions before, during, and after your trip, as specified here.
Before You Travel
- Submit travel information on U-M Travel Registry. University faculty, staff, and students are required to register their international travel plans when traveling for university-related purposes.
- If you don't need it, don't travel with it.
- Ask your IT department for a loaner laptop or other device. Limit data on the loaner device to that which is essential. This is especially important if the country you are traveling to has encryption import restrictions that prevent you from encrypting data on your device. (See Use Caution When Traveling With Encryption Software.)
- Leave behind any devices or media that are not absolutely necessary.
- Do not save sensitive personal information such as credit card numbers, passport information, or social security numbers on your device.
- In your web browsers, clear your browsing history and other such stored information that you would not want others to access.
- If traveling to embargoed countries, leave MTokens behind (see below).
- Check for restrictions. Check to see if there are sanctions or local laws that will affect your access. For example, due to international sanctions, users are unable to access Google Apps from Crimea as of January 31, 2015. Some governments restrict access. See Computing Guidelines for Traveling to High-Risk Locations for additional recommendations.
- Secure your devices. See Instructions for Securing Your Devices and Data for instructions for securing smartphones, tablets, and laptops.
- Follow export control regulations. Export Controls is the body of federal law intended to prevent the transfer of sensitive items and technology to foreign nations, organizations, and individuals. It includes International Trafficking in Arms Regulations (ITAR) and Export Administration Regulations (EAR) compliance. For more information, including contact information for the university's export controls officer, see Export Control Compliance for University of Michigan Researchers. Also see Frequently Asked Questions about Export Regulations.
- Be aware that MTokens and both the Duo app and hardware tokens are subject to export control regulations. According to federal export control regulations, MTokens (hardware and software), the Duo app, and Duo hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department. The following nations are on the embargoed list as of June 2016: Cuba, Iran, Crimea, North Korea, Syria, and Sudan. If you are traveling to any of those countries: Delete or uninstall your MToken software tokens and the Duo app from all devices, and leave your hardware tokens at your campus office.
- Inventory your data. It is important that you have an inventory of the data you are traveling with if your device is lost or stolen.
- Securely back up data stored on your device(s) or media. Backed up data should be stored onto media that will not be taken on the trip.
- Run a full scan for malware, using anti-virus and anti-spyware tools. This serves as a baseline, ensuring that the system is clean of detectable malware prior to travel.
While You Are Traveling
- Use a secure Internet connection. Choose Internet connections with greater security whenever possible.
- Your cellular carrier's network is your best choice.
- When using a wireless connection, turn on the U-M VPN, or the one appropriate for your campus.
- Avoid using free wireless services.
- Assume that any computer network you use is insecure, including those of friends you are staying with, in business centers, at cyber-cafes, or in libraries.
- Turn off wireless and Bluetooth when you are not using them.
- Never enter or access sensitive data when using a shared or public computer.
- Never accept software updates on hotel Internet connections or other public Wi-Fi. See related FBI advisory.
- Be aware that governments in some countries may copy data from your computer and/or log your Internet activity without your knowledge or consent. See Computing Guidelines for Traveling to High-Risk Locations for more information.
- Always use screen lockout when not using your device and require a password or passcode to unlock it.
- Keep your device with you and physically secured
- To the extent possible, keep your devices close rather than leaving them behind in hotel rooms; if your hotel has a safe, use it.
- Be discreet. For example, if possible, do not use an obvious laptop storage bag, as these may make you a more obvious target.
- Use the your web browser's private browsing or incognito feature. Check your browser's Help for instructions.
- When your are not using your devices, turn them off.
- Do not plug USB powered devices into public charging stations. Such stations can transfer malware to your device or download data from it. Instead, use your own charging cable to plug into an electrical outlet.
- Do not accept USB thumb drives or other removable media from any source.
- Report an IT Security Incident if your device is lost or stolen.
- U-M faculty, staff, and researchers traveling abroad are required to immediately (or as soon as feasible) report suspected or actual breaches or compromises of sensitive university data. This includes incidents that involve loss, theft, or breach of personally owned devices that store or handle sensitive data.
- Contact local authorities to report the loss or theft.
- Contact the IT Service Center for assistance in changing your passwords.
When You Get Back
Be aware that criminals may be far more interested in the sensitive data you have access to than any data you may have carried with you. Take steps when you return to prevent anyone who may have hacked into your computer or other devices or stolen your password from gaining access to the sensitive data you can access.
Related Policies and Standards