Travelers should limit the amount of sensitive information that is stored on or accessible to any mobile device taken on the trip, and travelers should avoid contact with the Princeton network in general, specifically when traveling to high risk countries (see U.S. State Department's Alerts and Warnings).
NOTICE (August 2022): The Information Security Office, working under the current guidance of the US Department of the Treasury and in partnership with the Princeton Office of Research Projects and Administration (ORPA), prohibits the campus community from accessing University systems from countries sanctioned by the Office of Foreign Assets Control (OFAC) without prior review and approval by Export Controls in ORPA. For more information, view the Prohibition of Unauthorized Access from OFAC Sanctioned Countries position paper.
Traveling can pose significant risks to information stored on or accessible through computers, tablets and smartphones. Some of the risk comes from increased opportunities for loss or theft of the device and from the distraction of traveling itself. Additionally, our devices are put at risk because they will use networks that may be managed by entities that monitor and capture network traffic for competitive or malicious purposes.
Preparing for your trip
Identify "high risk" countries you plan to visit
Visit the U.S. State Department's Alerts and Warnings web page to identify "high risk" countries you plan to visit. Please also refer to the position paper referenced above.
Understand the sensitivity of any data you bring or access
Seek ways to limit the amount of sensitive information that you take on your trip. Examples of data that should be left on campus or afforded exceptional protection include information that might be considered sensitive by the host government, and information defined as confidential or highly confidential by the University’s Information Security Policy. Removing unnecessary confidential data from any device reduces the risk of exposure to anyone gaining access to the information.
OIT Loaner Program*
The OIT loaner program will provide loaner devices, such as an iPad and cell phone for use during your trip.
Loaner iPad: OIT can provide a loaner iPad, allowing you to leave your computer and other mobile devices at home. These loaner devices come loaded with basic tools such as Microsoft Office and limit the amount of data you have, which minimizes the risk should the device be stolen or lost.
Loaner Cell Phones: Smartphones can carry a lot of information about how you access the University's systems and often do not provide a level of protection comparable to larger systems. Simple cell phones are a better choice when traveling to high risk countries. OIT has loaner cell phones available with international plans. Using a simple cell phone eliminates the risk of your phone becoming a vector into Princeton systems. With an international plan in place, the use of simple cell phones can also result in significantly reduced phone charges.
Visit the University's OIT Loaner Program page to view additional information. If you would like to obtain a loaner device, contact a member of your department's technology support team or the OIT Support and Operations Center at 8-HELP or firstname.lastname@example.org.
* Please note that the OIT Loaner Program is available to faculty and staff. The program is also available to students who are traveling internationally in support of University research.
Travel Service Email Accounts**
Request a temporary email account to use while traveling and your emails will be forwarded to the temporary account for the duration of the trip. This account helps protect your information and Princeton's systems because you will not directly be accessing Princeton with your ID and password. At the end of your travels, the temporary email account will be deleted. To request a temporary email account, contact a member of your department's technology support team or the OIT Support and Operations Center at 8-HELP or email@example.com.
** Please note that travel service email accounts are available to faculty and staff while traveling to high risk destinations. The accounts are also available to students who are traveling internationally in support of University research.
Follow guidelines for protecting your devices and data
Review and follow the best practices listed on our Safe Computing page. Understanding and following these practices will help you reduce the risk to the data and devices you are carrying or have access to in your travels.
Learn about hardware and software travel restrictions
Knowing the restrictions that countries place on transported hardware and/or software reduces the likelihood of your devices being confiscated or your trip being disrupted. The University's Travel website provides a wealth of legal and technology-related information for the international traveler.
In the hardware and software realm, export and import controls may apply to the hardware and software you may bring along. The United States restricts the transporting of certain types of hardware and software products to specific countries (referred to as "export controls"). Many other nations restrict the transporting of certain types of hardware or software into their country (referred to as "import controls").
Please note that there are countries into which we cannot bring an encrypted device either due to United States export restrictions or import restrictions imposed by the destination country. Please visit the Encryption and International Travel page for additional details.
Things to remember while traveling
Avoid accessing the University directly with your Princeton ID and password
By not logging into Princeton applications while you travel, you eliminate the risk of your ID and password to Princeton being captured and used to compromise Princeton systems. You also reduce the amount of data that is retrievable if your mobile device is lost, stolen or otherwise compromised.
Therefore, keep your direct access to Princeton systems and information to an absolute minimum, preferably zero. Access the data you need for your trip from the external storage service (e.g., Princeton Google Drive). Allow a colleague to add files to your external network drive in case a file was forgotten during preparations.
Please note that using Remote Desktop or equivalent software to access your University desktop or other device from a high risk country should also be avoided as these transmissions may also expose valuable information.
Enable multi-factor authentication wherever available
Enable multi-factor authentication wherever it is available, especially when it comes to sensitive data. Multi-factor authentication (MFA), also referred to as two-factor authentication or two-step verification, is a security method in which a user is granted access after successfully presenting two or more pieces of evidence to authenticate or log in to a system or application. MFA is a very effective method for protecting your accounts from cyber criminals by making it impossible for them to use your accounts even if your password is stolen. The University uses Duo for multi-factor authentication, and it can be used on many personal accounts as well.
Avoid using public workstations
The security of public workstations, especially in high risk countries, cannot be trusted. When you use a public workstation, anything that you enter into the system - IDs, passwords, data - may be captured and used, so limit your activity to the devices that you bring.
Be aware of your surroundings when logging in or inputting data into your devices
There have been many cases where an ID, password or a piece of confidential information has been compromised simply by someone watching the person input the information. Be discreet when entering your ID and passwords.
Notify Princeton if a theft or loss occurs
Traveling can be fraught with a variety of distractions - going through airport security, finding your way around town, getting used to cultural norms, etc. Unfortunately, most instances when mobile computing devices are lost or stolen occur in the areas where the distractions are the greatest. Recognizing distracting situations and, when they occur, taking extra care to maintain your focus can prevent you from having to take the steps necessary to disable those devices and obtain replacements.
In case a laptop or mobile device is lost or stolen, contact a member of your department's technology support team or the OIT Support and Operations Center Help Desk at 8-HELP or firstname.lastname@example.org.
When you return
Change any passwords you may have used during your travels
When you return from your trip, change any passwords you may have used during your travels from a trusted device. When traveling, especially in high risk countries, the likelihood that your NetID and password will be captured is high. Quickly changing a compromised password helps prevent future attacks on that account. Visit the Princeton Service Portal to change your University password.
Restore the software on the systems with which you traveled to trusted versions
According to National Security Services, when our devices connect to a network in a high risk country, there is an increased likelihood that the device will be compromised and have malicious software installed. This software then can compromise information and other devices on the Princeton network when the device is reconnected to the University's network.
Upon your return, before reconnecting to the Princeton network, erase and wipe the hard drive and other components that store data and software for any device you used during your travels and reimage them with trusted software versions. This is standard practice for loaner devices and should also be standard practice for your Princeton-owned or personally-owned devices. Contact the OIT Support and Operations Center at 8-HELP or email@example.com.
Assumptions when traveling
- No device can be protected against all possible forms of system and information compromise, especially when University members travel to countries that are deemed high risk. So, we must assume that any device taken to a high risk country will be compromised in some, potentially undetectable, way. The only truly secure option is to refrain from using digital devices when traveling.
- Information of particular interest to someone intent on compromising your devices not only includes business data but also the traveler’s ID and password that could be used to directly access Princeton’s systems and information resources.
- When a device is compromised, the attacker may install software on the device that could compromise other systems and data on the Princeton network when the traveler reconnects his or her device to our network upon return, unless measures are taken to completely restore the device to its pristine state before the network connection is established.
The U.S. Department of State's Country Specific Information website: Allows a user to specify his or her destination country, for which it provides information such as the location of the U.S. embassy and any consular offices; whether you need a visa; crime and security information; health and medical conditions; and local laws.
The FBI's Travel Tips brochure: Measures that the FBI recommends taking before, during and after traveling internationally in a compact, printable document.
US CERT's Holiday Traveling with Personal Internet-Enabled Devices website: Tips from the US Computer Emergency Readiness Team for protecting your mobile devices when traveling.
Internet 2's Security Tips for Traveling Abroad website: A collection of institutional, governmental and other resources that provide guidelines for secure, international travel.
FAQs - Searches of Electronic Devices at the Border document: Questions and answers concerning searches of electronic devices at the border.