When planning international travel — whether for Stanford business or personal time — it's important to consider how you can securely access information from your devices. This guide summarizes best practices to ensure your data is protected before, during, and when you return from your travel abroad.
While the Information Security Office (ISO) offers recommendations around device security and data protection, we urge you to visit the Stanford International Affairs website to check specific pre-travel country risk assessments.
If your device is lost or stolen while traveling, notify Stanford right away.
The U.S. government has identified pervasive threats to information security from certain countries deemed “high risk.” If you're traveling to the following high-risk locations, be aware that there is no presumption of privacy. This means that you should assume all data is accessible by local government and non-governmental actors and that information can be compromised.
**Countries with a significant number of entities and individuals on government restricted and/or denied party lists.
Before you travel
What to pack? In terms of devices, the Stanford Information Security Office recommends bringing only the equipment needed to do your work. Below you’ll find device recommendations that range from best, most secure options to the minimum required actions that help keep devices secure and your data protected.
Best: Travel light
Borrow through Travel Loaner Program. If you're traveling to a country categorized as Level 3, 4, or Other by the U.S. Department of State Travel, we strongly recommend that you leave your current devices behind and travel with a Stanford-provided Travel Loaner kit. Through the Travel Loaner Program, you can borrow an encrypted, pre-loaded iPad Pro, Macbook Pro, or Surface Pro to use in place of your own computer. The loaner device will allow you to manage email, view your calendar, run presentations, edit documents, and connect to university websites. The devices are set up specifically for your use and wiped back to factory settings when you return.
Connect through Virtual Private Network (VPN). Download an install Stanford’s remote access VPN client. This will allow you to securely connect to Stanford’s network as if you were on campus.
Leave the mobile phone at home. Consider whether you can travel without your mobile phone, and if you can get by with a Wi-Fi-only device, like a loaner iPad. If the trip is short or to areas with higher risk ratings, the best security option is to travel without your mobile phone. For two-step authentication, you can use a the Duo Mobile app on an iPad or a security key - no network or cellular connectivity required.
Good: Travel with less data
Bring a new or wiped laptop. If you cannot travel without a full laptop, another option is to take a new or freshly rebuilt machine and load only the data you’ll need for this trip. You’ll need to make sure that the machine is encrypted before you go. To get started on encrypting your device, go to the Encrypt Your Devices webpage.
Use encrypted USB drives. Whenever possible, leave USB drives at home. These are easily lost and easily corrupted. If you must travel with a USB device, be sure that it’s encrypted.
Get a temporary mobile device. For mobile devices, we recommend borrowing a device in the country, using an unlocked phone with a local SIM card, or renting/buying a phone at the airport or hotel when you arrive.
Minimum: Travel encrypted
If you must take your own device(s), be sure to follow these additional steps before you go.
Do not plug your phone into charger kiosks. There may be a hostile computer on the other end of that innocent-looking wire.
Avoid using public workstations as they cannot be trusted. Assume that anything that you enter into the system may be captured and used.
Do not leave your devices unattended. Even hotel safes are not secure.
Don’t connect to unknown resources like Wi-Fi access points and Bluetooth devices.
What should I do if asked to provide my password to my laptop or other device and I have patient data or PHI on it?
We suggest that you not provide your password. Rather, unlock the machine for the Customs and Border Protection (CBP) agent if you are compelled to do so.
Our understanding is that CBP cannot make you provide your password, but that they do have some rights to inspect your electronic devices.
“Compelled” could be due to subpoena, a CBP agent showing you the section of the law that provide CBP a right to require you to unlock your device for inspection, or circumstances are such that you believe you have little other viable option.
How can I comply with Customs and Border Protection, but not release PHI?
If you unlock your device for inspection before turning over the device let the CBP agent know that you are affiliated with Stanford (clinician, researcher, student, etc.) and have HIPAA-protected health information on the machine. To that end, you request that CBP limits their review to exclude the protected health information (PHI).
Also, try your best to obtain the name and title of each CBP person reviewing your device.
Tell CBP that federal law requires you have to keep a listing of all disclosures of patient information to third parties. This is why you are asking for their name/title.
Try to inform the agent and obtain names/titles before you turn over the device. If you cannot get names/titles, then get the best information you can and submit that information to email@example.com as soon as you can.
Can I take my laptop in my carry-on if I travel internationally?
Yes, you can take your laptop with you in the cabin on international flights. The March 21, 2017 U.S. Department of Homeland Security (DHS) ban on electronic devices larger than a cell phone or a smart phone from cabins on airplanes entering the U.S. from certain airports has been lifted. DHS will require increased screening procedures for all flights entering into the U.S. in the weeks and months to come.
What should I do if my device is confiscated?
Obtain the name and title of the individual confiscating your device.
Obtain a “receipt” or comparable written documentation that describes the device confiscated, under what authority, for what purposes, by whom and whom to contact regarding return of the device.
If your device contains PHI, let the agent know that you are affiliated with Stanford (clinician, researcher, student, etc.) and have HIPAA-protected health information on the machine.
Where can I find more information about export control?