Safe Travels: Mobile Device and Data Security on the Road

By Christopher Penido

Checklists are often useful when planning for a trip. They can keep you from finding yourself at the airport counter without your passport or at a hotel with an incompatible cell phone charger. But while travelers are mostly worried about what physically goes into their luggage and carry-ons, most don’t give the proper attention to preparing their electronic devices for travel.

Your data is subject to search, too

International travelers are, no doubt, accustomed to having their luggage inspected at border crossings. What many are unfamiliar with, however, is how customs inspections relate to electronic devices and the data stored on them. Due to recent federal court decisions, the U.S. Department of Homeland Security has been granted broad latitude in conducting warrantless and suspicion-less search and seizures of electronic devices at U.S. ports of entry.

According to the American Civil Liberties Union, more than 6,600 electronic devices were seized and inspected at U.S. ports of entry between October 2008 and June 2010, and in some cases, confiscated by the government. These devices included personal and business laptops, smart phones, tablets, SD cards, MP3 players, and digital cameras, among others. In some cases, the content of these devices was searched and copied before being returned to their owner.

It should be noted that the risk of having your electronics seized at a U.S. border is relatively low (roughly 1 out of 90,000 travelers are selected for secondary screening, and from that group, an even smaller fraction have their devices inspected). What is of greater concern, though, are the required inspections at borders in foreign countries and territories, where the laws often differ starkly from those in the U.S. and where non-citizens may have fewer rights to contest such activities. Know your rights and proceed with caution if you should find yourself in this situation.

Preparing your data for travel

Because of the potential problems that can arise at the border, it is highly recommended that NYU employees not travel with work-related materials on electronic devices. If you need to work while traveling, request a “loaner” laptop or mobile device from your department. The device should be scrubbed of all data and store only the software and services that you will absolutely need to work while traveling. If your department does not have loaner devices available, you should consider preparing your device(s) in advance.

Start by securing your device(s) using NYU’s general security tips for computers and mobile devices. In cases where you need access to “confidential” or “protected” data, as defined by the University’s Data Classification Table, consider storing and accessing it remotely on departmental file servers: Webspace, Files 2.0, or NYU Docs/Drive. This preventive step greatly mitigates the resultant risk if sensitive data falls into the wrong hands as a result of your device being inspected or going missing. As a general rule, ”restricted” data should never be stored on any paper, removable media, or electronic device.

Encrypting data on your computer – be it files, volumes, or the entire hard drive – is an added layer of protection in the event of loss or theft. You can easily encrypt computers (using PGP,TrueCrypt, or native built-in solutions for Windows and OS X), smart phones and tablets (see the “Enable Encryption” section for your device on the Secure Your Smart Phone web page). Note that certain countries, such as Russia and China, have laws forbidding encrypted devices and content from entering their countries without prior government approval, so proceed with caution and research your destination’s electronic laws prior to taking steps to encrypt your device.

Travelers often neglect to make sure that their electronic devices, including any software and data (pictures, music, movies, documents, etc.) they contain, are legally permitted in the country they are entering. Some nations have laws forbidding certain materials from crossing their borders, which can result in fines or possibly even imprisonment and seizure of goods. For example, Russia places restrictions on the use of GPS technology. You should check with the U.S. Department of State travel website and familiarize yourself with the laws of your destination country prior to departure.

Take steps for personal safety

Another wise precaution when traveling is to share your itinerary with your coworkers and close relatives so that they can monitor your travel and be ready to assist you in the event of an emergency. To facilitate this, the University has created NYU Traveler, a website where you can not only book your rail, airfare, hotel, and car reservations, but record your itinerary in order to receive up-to-the-minute information of potential threats to your safety during your travels. In addition to allowing the University to contact you in order to render aid in the event of an emergency, NYU Traveler allows you to share your itineraries with colleagues and family.

Once you’ve arrived at your destination, consider the physical and network security of the location at which you connect your device(s). After leaving the airport, most of us check e-mail, voice messages, surf the Web, and call home. More often than not, these kinds of “electronic re-connections” occur inside hotels, using the provided networks. However, these networks are usually not designed for secure communication, and the hotel’s policies will usually provide such disclaimers in their network’s terms of use. As such, you should take preventive steps to ensure that connections to work resources back at NYU do not openly take place over these insecure and untrusted networks. Instead, you should first connect to NYU’s VPN service before accessing NYUHome, NYU E-mail, your office computer via a remote connection, or any other University resource. The great thing about VPN is that this technology is very easy to implement and is available not only for laptops, but for smart phones and tablets as well.

You should also consider the security of devices left in your hotel room. While a hotel safe is provided for you to store valuables and electronics, keep in mind that hotel staff still have access to that safe. Therefore, hotel safes should not be considered entirely secure. In addition, the moment you step out of your room, any individual that can gain entry to your room can gain access to your unsecured electronics and copy their contents without leaving a trace. This is why prior to leaving your devices unguarded, you should immediately and securely delete any sensitive data you may have downloaded onto your device since embarking on your trip.

Maintaining security on mobile devices

If you have access to mobile data while abroad, either using your home nation’s cellular international data services or by popping a pre-paid SIM card into an unlocked phone or tablet, remember that foreign networks could also pose risks to your devices and data. In some countries, cell phone carriers work very closely with the intelligence branches of the local government; there have been reports of electronic wiretapping of mobile networks.

Over the last five years, there have also been several reports of cellular service providers attempting to surreptitiously install spyware onto client’s mobile devices by tricking users into installing necessary “updates.” In these cases, smart phone users were prompted to install an “important update” in order to continue using the cellular network. Once installed, this malicious piece of software (i.e., malware) began to copy the contents of the device, such as e-mails, text messages, notes, passwords, and keystrokes, and then send it to a remote server. This issue came to light when certain cellular carriers in the Middle East and Asia used this method on BlackBerry users. Since data transmitted from BlackBerry devices is normally encrypted, this attack allowed cellular carriers to copy that data before it was encrypted.

For security reasons, it’s best to avoid installing cellular network updates while traveling. When updating your smart phone with the latest security patches, do so from a secure, trusted network (preferably prior to departure in your home country). Moreover, it’s safer not to use foreign networks, whether fixed or wireless, for transmitting any sensitive information without first considering alternative means of communication or, at the very least, taking the extra step to better secure the network connection using VPN.

Secure traveling checklist

After reading all of these warnings, you might feel compelled to not take anything that uses a battery on your next trip. Though it would certainly be possible, the reality is that we need our gadgets to make it through the day in today’s global, networked world. So next time you travel, before you finish jumping up and down on your luggage trying to close the zipper, we suggest you review our handy checklist on securing your electronic devices.

  1. Borrow an NYU loaner laptop or mobile device that contains no personal or work-related data. If one is not available, remove any sensitive data from your devices before departure.
  2. Before you depart, copy required work files to one of NYU’s file storage services so that you can securely access them via VPN while traveling.
  3. Secure your laptop, smart phone, or tablet with a strong password, OS security updates, and antivirus, anti-spyware, and firewall software.
  4. Set up VPN on your laptop and mobile devices. Use it to connect to any University-related resource such as NYUHome and NYU E-mail.
  5. If legally permitted in your destination country, consider encrypting your laptop’s hard drive or its contents usingPGP, TrueCrypt, or the native built-in solutions for Windows and OS X. Do the same for your smart phones and tablets, if they support it.
  6. Register your itinerary with NYU Traveler and notify your supervisor and immediate relatives about your travel plans. Avoid divulging this information to the public via social networks or through online forums.
  7. Remain vigilant about the physical security at your place of stay. Securely delete any newly downloaded data on your device prior to leaving your electronics unguarded.
  8. Verify that the data, software, and hardware on your devices are not in violation of any U.S. or local laws.