Information Security Guidance for International Travel with Mobile Devices
TRU employees should understand the restrictions that apply when encrypted devices are taken outside Canada to avoid the confiscation of their device, or other penalties. The following information is for reference only; it is the responsibility of all faculty and staff to determine the unique requirements of specific jurisdictions.
The TRU Information Security Committee has issued this guideline to supplement the Mobile Device, SmartPhone, and Information Classification Standards. Questions about this guideline may be referred to firstname.lastname@example.org.
Providing Passwords to Law Enforcement Officials
- In many countries, customs or other law enforcement officials are authorized to require travelers to unlock a device or produce a password. Refusal to comply may result in denial of entry, arrest, or confiscation of the device. Your personal safety comes first. If asked by an official to unlock a device or provide a password, TRU employees should advise the official that the device contains confidential University information. If the official persists, the employee should comply with the demand. In such cases, the employee should make reasonable efforts to keep the device in sight at all times, and should change passwords and report such access to the TRU Privacy Office as soon as possible.
How to Avoid Problems
- The best way to avoid issues is to remove any confidential TRU information and encryption software from the device prior to travelling. It is much more secure to log in remotely to TRU servers through https://vpn.tru.ca than to carry confidential information with you. However, if you must have confidential information saved on your device, then encryption is mandatory under the Information Classification Standard. Note that some countries may block access to certain sites and the use of VPNs. Never try to circumvent these controls as it may result in legal action against you.
Consider Wiping Your Devices and Changing Passwords When You Return Home
- Consider wiping your device and changing your passwords upon your return in order to mitigate the risk that some unauthorized programs or malware were installed during your travels.
Canadian Export Controls on Encryption Products
- Because encryption products can be used for illegal purposes, including terrorist activity, Canada restricts the export of some encryption products to the following countries: Cuba, Iran, North Korea, Sudan, and Syria. Travellers visiting these countries may not have encryption products installed on their computers unless they have a special export license; check with TRU IT Security for more details.
Foreign Import Controls on Encryption Products
- Some countries ban or severely regulate the import and use of encryption products. Under a set of rules known as the "Wassenaar Arrangement”, travelers may freely enter a participating country with an encrypted device under a "personal use exemption" as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting. The following countries support the personal use exemption: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.
- The following nations do not recognize a "personal use exemption". Before traveling to these countries with an encrypted device,
travelers will need to apply to the specified governmental agency for an import license:
- Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
- Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable.
- China - a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. The laws in China vary from province to province where the customs officers or border guards make their own interpretation of what encryption means.
- Hungary - an International Import Certificate is required.
- Iran - a license issued by Iran's Supreme Council for Cultural Revolution is required.
- Israel - a license from the Director-General of the Ministry of Defense is required. For the applicable laws, policies and forms, see the following website: http://www.mod.gov.il/.
- Kazakhstan - a license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.
- Moldova - a license issued by Moldova's Ministry of National Security is required.
- Morocco - a license is required.
- Russia - licenses issued by both the Federal Security Service (Federal'naya Sluzhba Bezopasnosti - "FSB") and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
- Saudi Arabia - it has been reported that the use of encryption is generally banned, but research has provided inconsistent information.
- Tunisia - a license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.
- Ukraine - a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.
- In addition to import controls, some countries have regulations restricting the use of encryption. The most prominent are France, South Africa, China and Russia. For more information see: Export permits for cryptographic items.
- Since laws can change at any time, check before travelling to ensure that you have the most up-to-date information. Additional information about international encryption controls can be found at the following websites:
Information Classification Standards
Mobile Device Standard