By Alain Espinosa
According to the U.S. National Travel & Tourism Office, almost 73 million U.S. citizens traveled abroad in 2016. While most of us have adapted to the travel restrictions implemented by the Travel and Safety Administration (TSA), there is an often-overlooked facet to travel — protecting your privacy and data.
Remember the days in which we had briefcases filled with important and often confidential documents? A wise traveler going abroad would ensure that only the most essential documents were included as a part of the contents. Few travelers worried about their paper data being stolen. You held the briefcase by your side and probably even had a combination or key lock on it. It was unlikely, unless you traveled to a few specific countries, that a foreign government would demand to see your documents and run copies through a copying machine. Fast forward to 2017. A great deal of your data now resides on your laptop, tablet and/or phone. Not only may some of your confidential data reside on those devices, but chances are that those devices have the ability to access all of your data remotely. Your corporate data isn’t tucked away safely behind the four walls of your business anymore or securely locked in a briefcase. It travels with you, in a pocket, carry-on or checked baggage. It is also a target for foreign governments and businesses.
How can you protect your privacy and data while traveling? The following list of ideas and safeguards should help with protecting your data from foreign adversaries, criminals and cyber hobbyists.
#1. Know the Law
Take some time to research the laws that govern the land you will visit, especially those regarding electronic devices. Remember, the moment you leave the U.S., you essentially leave behind your Constitutional rights as an American. It didn’t take long to find one story after another describing travelers who were asked to surrender their electronic devices to foreign officials and provide passwords to unlock them. In most of those situations, the host government provided an ultimatum — either surrender the device and password or be turned away. On several occasions, the ultimatum carried future implications, such as 5-year travel bans for those who chose not to provide the credentials. If you’re taking a personal trip, it would be wise to search the Internet for specific laws governing search and seizure along your route and at your final destination. However, if you’re traveling for business, start by visiting your IT security and legal departments and inquire about foreign travel. Ideally, they will have a foreign travel policy that provides guidance and procedures.
#2. Leave it Behind
I suspect you figured this one out already. It sounds simple, but the absolute most effective way of preventing your data from getting into the wrong hands is to not travel with any of it or with devices that have access to it. If at all possible, leave your laptop, tablet and phone at home. If you’ll require Internet access and/or a telephone, then buy what is commonly referred to as a burner phone or device. A burner device is simply a device (e.g. a phone, tablet, laptop, etc.) that has not been used to connect to your data at all (very important!) and is only utilized overseas for a specific purpose (like making calls) and is then discarded upon return. Burners are now relatively affordable to purchase, shouldn’t hurt your pocketbook and can be used in a disposable manner.
For example, let’s say you’re traveling to China, which happens to be a country infamous for stealing intellectual property (see Report to Congress on Foreign Economic Collection and Industrial Espionage, Oct. 2011). You may need to make phone calls during your trip, access certain documents, and check your email. In this case, you or your company should purchase an inexpensive smartphone with the appropriate network capabilities for China. You may be better off waiting to purchase the phone SIM until you arrive, but if at all possible purchase that here as well. If you need a tablet, then consider one of many low-cost options available. While they won’t be as powerful or feature-rich as your usual device, the point here is to purchase only what you need. If you prefer a laptop, then a great option is to purchase a Google Chromebook. While it isn’t a full-featured laptop, Chromebooks offer a unique set of features, including limitations on what programs can be installed on the laptop. Everything you do on a Chromebook runs off the Internet and thus makes it much more difficult for adversaries to plant software on it. Chromebooks also have a feature that allows you to easily revert the machine to factory fresh condition, essentially wiping out all the data stored on it (which is already encrypted). An immensely important step in using any of these “burner” type of devices is to ensure that you do not use them to access your data or network prior to your trip. By doing so, you introduce a digital footprint onto the device which can then be used by a foreign government.
#3. Best Practices for Accessing Data
Let’s suppose that leaving it behind won’t work for you. You may need to access emails, documents and make phone calls while abroad. First, let’s talk about accessing data by using the burner device option.
Your best bet is to isolate the data you’ll need to access. For example, let’s say you have several documents you need to access while on your trip. Rather than connecting into your company’s corporate network and accessing your entire cache of files in order to view the select group, copy those files (if permitted by your corporate policy) to a file-sharing site such as Dropbox. Be sure to use a password for that account that you don’t utilize for any other service. This way you can access them without potentially giving away access to the rest of your network or documents. Worst-case scenario, the adversaries will only be able to view that specific set of files. Upon return, reset your password immediately and discontinue use of that repository.
Your email is a little more complicated if it is necessary to use your corporate address to communicate with your business partners. Your IT department may be able to give you a temporary account that is branded and not a Yahoo or Gmail account, which wouldn’t look very professional when communicating with potential business partners. If that isn’t feasible, then change your password on a specific day. Say you arrive in China on Monday and depart on Wednesday — have your IT department either disable or reset your password on Wednesday, or on the very last day you’ll need access. Assume, for the sake of email and anything else covered here, that the foreign government will be able to view your activities.
C. Transporting Data:
Some of you may be thinking that these strategies work great for some, but in your case you may need to actually carry the data with you on a laptop, tablet, or USB drive. In this case, your risk will likely increase 100-fold. Sorry for the grim outlook, but let’s look at ways that you can best protect your data. Whatever device you take, make sure that prior to departing, all the software has been updated to the most current version and patches. You don’t need to give the bad guys an easy way in via some exploit that is publicly available. Encrypt your entire device in layers. What do I mean by layers? Let me walk you through a hypothetical scenario: Let’s say you arrive in China with your laptop and the border agents insist that you log into your device. If you encrypted your entire drive (which I highly recommend), then that defense is automatically defeated if you acquiesce to their demand. However, there are some steps you can take to throw a bit of a smokescreen. There are encryption tools you can utilize to hide folders and encrypt them separately from your entire drive. In this case, the border agent will think that you have complied by providing the encryption password to your laptop. They may even proceed to copy the contents, while unaware that you have hidden folders that are encrypted with an entirely different password and key combination. This technique can be achieved on a laptop or external drive.
D. Internet Access:
Whether you take a burner device or your own hardware, you may have the need to access the Internet. Do not use public WiFi regardless of the entity that offers it. That subject can be an entirely separate article of its own. Your best bet abroad is to use the hotspot feature of your burner phone/device. While still vulnerable to eavesdropping, it makes it much harder for the prying eyes to figure out which of the millions of SIM cards you are using. An added recommendation is to purchase a VPN plan prior to traveling and use the VPN to connect from your device to the Internet. This will provide you with a layer of security, but please don’t interpret this as a surefire way of keeping your data private — it too can be defeated.
E. Physical Security:
Your hotel room is not a private sanctuary — consider it a public place. And consider the hotel-provided safe as a decoration. There are a myriad of products you can purchase to hide valuables, from fake shaving cream cans to phony shoes with removable heels. Ideally, don’t leave anything (whether digital or paper) behind in your hotel room. Take everything with you. If you can’t, then consider resorting to the aforementioned products to hide devices. Ultimately the best protection is not only to carry it with you, but to carry it in a bag that shields your devices from electronic interference. The unfortunate reality is that your devices can be compromised wirelessly and need not come into physical contact with anyone.
F. Returning Home:
There are several important steps to take once you return home. Consider whatever device you took on your travels to be tainted. If you can dispose of it, then do so. Whatever you do, don’t reintroduce it to your network (home or work). USB drives are inexpensive enough that you can just take a hammer to one and deposit it in your garbage. But this may not be feasible with a tablet, phone or laptop. If it isn’t already a part of your corporate policy, then ask your IT department to wipe the device completely and reinstall everything. Be sure to change all the passwords you utilized while traveling as well. It is important to note that contrary to popular belief, wiping your devices doesn’t completely eliminate threats. As an example, there is sophisticated malware that now attaches to certain areas of your hardware and can remain there regardless of how many times you wipe away the software.
#4. Social Media
Social media has become a significant reconnaissance tool of our adversaries. Refrain from advertising that you are traveling abroad on social media. There is no need to give bad guys a heads-up. Foreign governments have become very adept at using social media to create comprehensive attack vectors. They can easily influence a variety of factors upon your arrival. I’m not going to James Bond you here, but I will mention one: Returning to my China travel example, with the proper reconnaissance and preparation, you could easily end up in a taxi that was predestined for you. The car can be outfitted with acoustic listening devices and digital forensic equipment. While you innocently type away at your phone or tablet, surf the net, or charge your phone using the car’s USB port — your data is being siphoned away. Keep an eye on the social media accounts of your children, family and friends as well. While you may not advertise the trip, they may do so without your knowledge.
Aside from the technical and social guidance provided here, it is also suggested that whenever traveling abroad you inform the corresponding U.S. Embassy of your travel plans. You never know when you may need their help. Please note that this advice comes from years in IT and experience with a large variety of entities that have dealings that are very complex. For the record, these recommendations and perspectives are not from a paranoid state of mind — I’m a firm believer that everyone should be properly informed and educated in taking reasonable precautions. Please always follow your company policies; this advice is not meant to circumvent them. Technology evolves quickly, so stay vigilant and informed and whatever you do, don’t think that it can’t happen to you. A lot of the digital espionage tools go undetected, so it is easy to drop your guard and for it to seem that you dodged a bullet when in reality the adversary has a foothold on your data without your knowledge.
Alain Espinosa is a seasoned veteran in cybersecurity best practices for businesses and individuals. In his 21-year career, Espinosa has worked at Google and Siemens and has consulted for Lexus and Cisco. Currently, Espinosa is the program director at Cyber Defense Labs and founder of Prepare.How, which educates and equips individuals, businesses, and organizations to protect themselves and their data in today’s ever-evolving threat landscape. He also serves on the Board of Directors for INMA.