Travel exposes your information and devices to new environments and potentially greater risks. The following guidelines are for all travel, and they include further precautions if you are traveling internationally. They are designed to help you ensure compliance with university policy (see below).
International Travelers: University faculty, staff, and students traveling for university-related purposes are required to register their international travel plans on the U-M Travel Registry. It is recommended for domestic travel. Global Michigan provides very helpful additional information at Travel Resources.
For a quick overview of travel tips, watch Video: Safe Computing When Traveling.
Before You Travel
If you don't need it, don't travel with it.
- Leave behind any devices or media that are not absolutely necessary.
- Do not save sensitive personal information such as credit card numbers, passport information, or Social Security numbers on your device.
- Clear your web browsing history and similar stored information.
If you have not done so already, turn on two-factor authentication and verify the options you will use.
- Students, alumni, and retirees can turn on two-factor for Weblogin to protect their personal information in Wolverine Access, as well as U-M Google, U-M Box, Canvas, and more. It is automatically turned on for all current faculty, staff, student employees, and sponsored affiliates.
- Plan which Duo options you will use while traveling and enroll in them if needed. See Traveling With Two-Factor (Duo) for a one-page reference chart. There are export control restrictions when traveling to Cuba, Iran, North Korea, Sudan, Syria, and the Crimea region of Ukraine.
- Turn on two-factor to protect your personal accounts. See Two Factor Auth (2FA) for a list of websites and services and whether or not they offer two-factor protection. Websites that work with an authenticator app can use the Duo Mobile app.
Inventory and back up your data, and check for malware.
- Inventory the data you will be traveling with in case your device is lost or stolen.
- Securely back up data stored on your device(s) or media.
- Run a full scan for malware using anti-virus and anti-spyware tools to ensure that the device is clean of detectable malware prior to travel.
International Travelers: Take a loaner device or a clean, personal device. Make sure it is encrypted.
- Ask your IT department for a loaner laptop or other device if you need to work while traveling. This is perhaps the simplest computing solution for an international trip.
- A loaner device for international travel is typically encrypted. It must be encrypted if you are taking sensitive U-M data on it, even when traveling to countries with restrictions on encryption. See below for specific tips for travel to countries with laws or restrictions related encryption.
- A loaner device provides basic computing capabilities, such as the Microsoft Office suite, web browsers, and the U-M VPN.
- Consider taking a clean, personal device that has been wiped of sensitive institutional, research, and personal information.
- Encrypt your device.
- Purchase an encrypted flash drive from the U-M Computer Showcase if you will need a flash drive for removable storage.
International Travelers: Prepare to use cellular data, download materials, and for limited access.
- Check with your phone carrier about international roaming and data plans. You may be able to use your phone for tethering to connect your computer to the internet instead of using public WiFi.
- Download online materials you may need in case you cannot access U-M Google, U-M Box, YouTube, Google, Facebook, Twitter, blogs, and other websites that are blocked in some countries. Also download and install a VPN client before you leave; in some countries it may be difficult or impossible to download one. (See Use a Secure Internet Connection for VPN download links and details.)
- Notify people in advance that you may not be able to read and respond to email. Some governments restrict access to Google Apps. Due to international sanctions, for example, users are unable to access Google Apps from the Crimea region of Ukraine.
- Get alternate accounts if you are going to a country that is known to block some services. Having accounts in multiple providers (Google, Yahoo, Hotmail, etc.) increases the likelihood that at least something will be accessible.
- Set up an email forwarding address. You may wish to set up a forwarding address in MCommunity to have email that is sent to your @umich.edu address forwarded automatically to one or more email addresses of your choice (Google, Yahoo, Hotmail, etc.). For detailed instructions, refer to Forwarding or Redirecting Your U-M Email Using the MCommunity Directory.
International Travelers: Determine whether your activities, travel destinations, hardware, or software fall under export control regulations.
- Export Controls is the body of federal law intended to prevent the transfer of sensitive items and technology to foreign nations, organizations and individuals. It includes International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and Office of Foreign Assets Control (OFAC) compliance. For more information, including contact information for the university's export control officer, see Export Control Compliance for University of Michigan Researchers.
- The following actions may present export control issues that must be planned for when travelling abroad:
- Taking certain devices, hardware, software, or regulated data (particularly encryption software)
- Providing certain services
- Meeting with certain people
- The Duo app and hardware tokens are encryption items that are subject to export control regulations. The U-M Export Control Program has determined that the Duo Mobile app and hardware tokens themselves are controlled to Cuba, Iran, North Korea, Sudan, Syria, and the Crimea region of Ukraine. See the Export Control Program’s “Tools of Trade” License Exception for country-specific guidance.
- Sometimes an export license issued by the U.S. government is required. Violations of export control laws carry severe civil and criminal penalties. The U-M Export Controls Office is the authoritative source for interpretation of regulations and providing support in obtaining licenses or license exceptions. Consult the office as early as possible in your travel planning if you conduct export controlled research or if you may fall under an export control requirement.
International Travelers: Specific tips for travel to countries with laws or restrictions related to Internet access or encryption (for example, China, Russia).
Prepare the device you will take with you ahead of time:
- Recommended option: An unencrypted device with all sensitive U-M data removed, preferably a loaner laptop or other device from your IT department.
- An alternative or additional option: A personal device that does not contain sensitive U-M data. Some devices, such as iPads and iPhones, are encrypted and cannot be unencrypted. Foreign governments are not known to confiscate devices with mass-market encryption, although there is some level of risk.
- If you must take sensitive U-M data: Encrypt your device. This applies to U-M loaner devices or personal devices. See Encrypt Your Data and your unit IT support for instructions on encrypting your device. We recommend that you not take sensitive U-M data to high-risk locations.
Get a mobile phone for temporary use on your trip:
- Take an unlocked phone and purchase a pre-paid SIM card for cellular service from a shop in the airport, metro station, hotel, or convenience store.
- Rent or buy a phone at the airport or hotel when you arrive.
Print this two-page reference document to take with you: Device Security Guidance for International Travel, Including Countries With Laws or Restrictions Related to Encryption.
International Travelers: Do not depend on having online access to U-M Google and cloud-based resources.
Some cloud-based services, including U-M Google, are blocked by countries, organizations, or networks. In some places, network access is inconsistent and unreliable. If your destination country does not have consistent internet or access to cloud-based services, prepare in advance by printing backup copies of vital documents or other information that you need to have while you are traveling.
For more information, refer to International Access to U-M Google and Cloud-Based Resources.
International Travelers: Change your UMICH (Level-1) password to one that will be used only during your trip. Also change any other passwords you expect to use while traveling.
While You Are Traveling
Use a secure internet connection—cellular network or secure WiFi with VPN—and turn it off when not in use. (Some nations, such as Russia and China, have banned or intend to ban the use of VPNs.)
- Use your cellular carrier's network as your first choice for an Internet connection, if possible. See Use a Secure Internet Connection.
- Avoid using public and free WiFi services. When using a WiFi connection, even in hotel rooms, turn on U-M’s Virtual Private Network (VPN) or the specific VPN for your campus. (Some nations, such as Russia and China, have restricted access to, banned, or intend to restrict access to or ban the use of VPNs.)
- Use eduroam WiFi access when visiting other institutions. Eduroam is available to students, faculty and staff when visiting other universities and colleges and throughout the world. Before traveling, use the WiFi setup tool to configure eduroam. Full access to U-M resources is available when using eduroam.
- Assume that any computer network you use is insecure, including those of friends you are staying with, as well as those in business centers, at cyber cafés, or in libraries.
- Never enter or access sensitive data when using a shared or public computer.
- Use the web browser's private browsing or incognito feature when using a shared or public computer to prevent it from saving a record of what you visit and download.
- Disable Bluetooth, WiFi, and GPS when not in use to limit potential unauthorized access to your device or data.
Keep your device with you and physically secured.
- Keep your devices close rather than leaving them behind in hotel rooms. Do not leave your devices unattended, although hotel safes are acceptable, including hotel room safes.
- Be discreet. For example, if possible, do not use an obvious laptop storage bag, as these may make you a more obvious target.
Do not download or transfer data or software to your device.
- Do not accept USB thumb drives or other removable media from any source.
- Never accept software updates on public WiFi or hotel Internet connections. See related FBI advisory.
- Do not charge your device with public USB ports or public charging cables. The cord you use to charge your device could be used to send data from your device to hackers.
Report an IT Security Incident if your device is lost, stolen, or you suspect you have been hacked or compromised.
Follow the guidelines in Report an IT Security Incident to immediately report stolen or lost items.
- U-M faculty, staff and researchers traveling abroad are required to promptly report suspected or actual breaches or compromises of sensitive university data. This includes incidents that involve loss, theft, or breach of personally owned devices that store or handle sensitive data.
- Contact local authorities to report the loss or theft.
- Contact the IT Service Center for assistance in changing your passwords.
International Travelers: Respect the laws and regulations of other countries.
- Some nations have banned or intend to ban the use of VPNs. Russia and China are two such nations. Using VPN services could put you at risk of being accused of cyber espionage or other crimes. At present, who is affected by the bans, when they take effect, and how they might be implemented are unclear.
- Do not attempt to illegally bypass VPN blocks from locations in China and elsewhere. That could put you at risk of being accused of cyber espionage or other crimes.
- Be mindful that many websites may be inaccessible to your colleagues. If you collaborate in countries where censorship is in effect, you and your colleagues are subject to their laws and regulations.
International Travelers: Protect sensitive and export controlled data.
- If you have any doubts about the security of systems, connections, or devices while traveling, do not access sensitive data—even when using a university VPN.
- Do not use a personal, non-U-M-Google account to share sensitive institutional data as noted in Use of Personal Accounts and Data Security and the Personal Account page in the Sensitive Data Guide to IT Services.
International Travelers: Take extra precautions to secure your devices during travel to countries with laws or restrictions related to encryption.
Do not leave your devices in a hotel safe. They could be accessed by hotel staff.
International Travelers: Use U-M Virtual Sites (virtualsites.umich.edu) for remote access to computers on the U-M campus with the same software as Campus Computing Sites Windows workstations.
When You Return
Change your UMICH (Level-1) password—and any others you used—immediately upon your return.
Scan and clean your device.
International Travelers: Wipe (erase) your device when you return.
Have your IT department completely wipe your device and install a new image to ensure no hidden spyware returns with you and infects the U-M computing environment. Taking a loaner device makes it easier to take this precaution without losing information you wish to keep.
Enjoy your trip, and keep your devices and data safe. It's good for you and the U!
Applicable University Policies
You are responsible for complying with the policies and standards below. The requirements on this page help you meet that responsibility.
- Responsible Use of Information Resources (SPG 601.07)
- Institutional Data Resource Management Policy (SPG 601.12)
- Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)
- Unit-Specific Requirements for Self-Management of Personally Owned Devices that Access Sensitive Institutional Data (DS-07)
- Information Security Incident Reporting (SPG 601.25)