Advice for the traveler
The Information Security Office in conjunction with Global Business Services and the Office of International Affairs has established a list of high risk countries for which particular measures are recommended. Please consult our Recommendations for Travelers to High Risk Countries for concise, practical guidance on how to protect yourself and the University while traveling. Similar guidance is available for those traveling to lower risk destinations in the Recommendations for Travelers to Lower Risk Countries.
Digital traveling dangers
In testimony before the Senate Select Committee on Intelligence, James R. Clapper, the Director of National Intelligence, stated that foreign intelligence services from China, Russia, and Iran "have launched numerous computer network operations targeting U.S. Government agencies, businesses, and universities" and are "aggressive and successful purveyors of economic espionage against the United States."
These intelligence services are targeting higher education in particular. The FBI has published a white paper detailing University-specific attacks, as well as a published an article about hacking travelers with eye-opening statements:
- [One savvy traveler] "leaves his cellphone and laptop at home and instead brings 'loaner' devices, which he erases before he leaves the United States and wipes clean the minute he returns."
- "What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia - like Google, the State Department and the Internet security giant McAfee."
- "If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated," said Joel F. Brenner, formerly the top counterintelligence official in the Office of the Director of National Intelligence.
- Mandiant, a leader in the forensic analysis of Advanced Persistent Threats, recently published a report on nation-state sponsored espionage of the sort seen by Google, Apple, Yahoo, and The New York Times.
Planning for safe digital travel involves analyzing the risk versus your business requirements, taking into account the value of the data you carry with you as well as the data and services your accounts have access to.
Examples of data that should be left on campus or afforded exceptional protection include information that might be construed as sensitive by the host government, and any non-public data listed in the table on the Stanford Data Classification Guidelines page.
The only truly secure option is to abstain from digital device use during your travels.
International travel, Stanford research, and export control
In the world of international travel and business operations, export is a technical term with a very precise definition. "Export" means to send or take regulated tangible items, software or information out of the United States in any manner, including international handcarries. Your smart phone, tablet, and laptop are examples of devices that are regulated and are often "exported" by this definition.
Unlike the export of information resulting from fundamental research, the export of tangible items such as laptops and other digital storage devices are always subject to U.S. export control regulations. Similarly, the encryption technology contained in most Stanford digital storage devices is always subject to U.S. export controls. So depending on the destination and the technology contained in one’s device, an export license may be required. For example, export licenses are generally required when encryption technology and hardware are taken to countries under comprehensive U.S. trade sanctions (Iran, Cuba, Sudan). Travel without an export license when required is a violation of federal law.
Since export compliance is an individual traveler's responsibility when traveling with Stanford laptops and other digital storage devices, Stanford’s export control program has created several tools to assist the Stanford research community in flagging potential circumstances when an export license is required. A Property Export Control Checklist helps identify situations when an item such as a laptop and its contents may be excepted from licensing requirements. In addition, Stanford’s Export Controls Decision Tree walks a traveler through a step-by-step process to spot potential export compliance issues. The Decision Tree also serves to certify Stanford’s compliance with export regulations when a license is not required.
Export compliance certification for all international shipments and handcarries, including Stanford researcher temporary travel with Stanford-owned or controlled laptops and other digital devices, is a research policy requirement found in Chapter 8 of the Research Policy Handbook. Export compliance certification by Stanford non-research employees or for travel with personally owned laptops and digital storage devices is not required. Further information can be found in Dean Arvin’s memorandum to faculty and staff entitled Documentation Requirements for Export Controls.