INFORMATION SECURITY GUIDELINE March 2020
Security Considerations for International Travel with Mobile Devices Introduction
1. Special considerations may apply when encrypted devices are taken outside Canada. Employees should understand these restrictions to avoid the confiscation of their device, or other penalties.The following information is for reference only; all faculty and staff should contact the countries that they are planning to visit to determine what the requirements are in those jurisdictions.
2. This guideline has been issued by the Chief Information Officer to supplement the Encryption Requirements standard. Compliance with this guideline is recommended, but not mandatory.
3. The best way to avoid issues is to remove any encryption software from the device prior to travelling. Please note that you can only do this if you remove all High and Very High Risk Information from the device as well. It is much more secure to log in remotely to servers than to carry High or Very High Risk Information with you. However, if you must have High or Very High Risk Information saved on your device, then encryption is mandatory under the Encryption Requirements standard. For faculty and staff who need them, the University typically makes “loaner laptops” available for travel purposes but this varies amongst faculties and departments. Canadian Export Controls on Encryption Products
4. Because encryption products can be used for illegal purposes, including terrorist activity, Canada restricts the export of some encryption products to the following countries: Cuba, Iran, North Korea, Sudan, and Syria. Travellers visiting these countries may not have encryption products installed on their computers unless they have a special export license; check with IT Security for more details. Foreign Import Controls on Encryption Products
5. Some countries ban or severely regulate the import and use of encryption products.
6. Under a set of rules known as the “Wassenaar Arrangement”, travelers may freely enter a participating country with an encrypted device under a “personal use exemption” as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting. The countries that support the personal use exemption include: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.
7. The following nations do not recognize a “personal use exemption”. Before traveling to these countries with an encrypted device, travelers will need to apply to the specified governmental agency for an import license:
a.Belarus – a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
b.Burma (Myanmar) – a license is required, but licensing regime documentation is unavailable.
c.China – a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. The laws in China vary from province to province where the customs officers or border guards make their own interpretation of what encryption means.
d.Hungary – an International Import Certificate is required.
e.Iran – a license issued by Iran’s Supreme Council for Cultural Revolution is required.
f.Israel – a license from the Director-General of the Ministry of Defense is required.
g.Kazakhstan – a license issued by Kazakhstan’s Licensing Commission of the Committee of National Security is required.
h.Moldova – a license issued by Moldova’s Ministry of National Security is required.
i.Morocco – a license is required.
j.Russia – licenses issued by both the Federal Security Service (Federal’naya Sluzhba Bezopasnosti – “FSB”) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
You can access Wi-Fi hotspots almost anywhere these days. While it’s a convenient way to connect to the internet (often for free), it’s not as safe as you may think. You may not know who set it up, how secure it is, or who else is connecting to it. There are significant security risks when connecting to an unknown Wi-Fi hotspot. It’s relatively easy, for example, for a malicious actor to see everything you type and every site you visit on an unsecured network.
Where you can’t use your phone’s internet connection instead, there are some simple things to consider and steps you can take to protect your data and personal details when accessing a publicly available Wi-Fi hotspot.
Check Whether You Can You Trust the Provider
While no publicly accessible Wi-Fi network is entirely secure when you do use them, try to stick to well-known networks (for instance, those provided by the store or coffee shop you’re in). Ask yourself why someone would provide a free service and whether they might have a nefarious reason for doing so.
Some hackers use hotspot names that are similar to the names of the location you’re in use. If unsure, ask an employee for the name of the hotspot that they provide.
Don’t automatically connect to any available free hotspots – in fact, it’s good practice to disable this feature on your phone or other devices. For instance, some devices can join other unencrypted wireless networks without your intervention and transfer information; it’s a good idea to close apps you’re not using and/or limit their ability to go online in the background.
Try Not to Access Sensitive Information While Browsing
Even where a trusted source provides a Wi-Fi hotspot, some forms of attack (called ‘man in the middle’) can eavesdrop on your online activity by intercepting data between your computer and the hotspot’s router. The best way to protect yourself against this attack is to use websites that implement encrypted communication (which are labelled HTTPS rather than HTTP). You can also use a Virtual Private Network (VPN) which does the same thing for all your communications (see below).
The best thing to do is assume that someone is listening to (or watching) your web browsing and limit the browsing you do so that it does not include providing personal or sensitive information such as your email address or phone number. In particular, do not conduct tasks like electronic banking or making purchases online through an insecure network as your financial details could be stolen.
Turn Off File Sharing Options and Avoid Downloads
You should disable features on your device that enable easy file-sharing, printer, or network access (such as Airdrop). This ensures that no-one can access your files or send files you don’t want to your device. You should also avoid sending any files that you don’t want anyone else to have access to. As stated above, the best thing is to assume that someone can see these files. Also, don’t download files or install applications or apps when using a hotspot unless it’s necessary.
Using a VPN
If you deal with sensitive information and need to access Wi-Fi regularly (such as when traveling), then the best option is to use a VPN service. VPNs encrypt all data traveling to and from your device through a secure server, and they make it almost impossible to intercept and read your data. While this is best practice for business users and others that deal with sensitive information, it’s probably not a practical option (and not free) for the average user who wants to use a Wi-Fi hotspot from time to time.
The next-generation Wi-Fi security protocol (WPA3) will include built-in security protections for accessing networks through wireless hotspots. Until then, keep the above points in mind when accessing an unknown Wi-Fi network to ensure your security.
0.00 average based on 0 ratings