Information security guidelines for abroad travelling
Precautions against government actors
This guide is written specifically for business trips but is equally suitable for students’ trips and exchange periods. Protecting one’s privacy is vital for everyone.
1. Leave your secrets at the workplace
Travelling for work increases the risk of becoming a victim of theft or a data breach. All confidential and valuable files and messages should be removed from your device before you take it with you. The files you need while travelling can be saved on a network drive or cloud storage and retrieved with your computer only if you need them. Consider bringing a separate, “empty” device or telephone with you if you have one. If your device contains the University’s email account, check your emails for classified messages. If you cannot delete them, think whether the University’s email account needs to be always installed on your device.
2. The rights of authorities during your trip
In many countries, border control authorities have the right to demand the unlocking of disk drives and disk protections, even the handing over of passwords to all kinds of accounts without any specific suspicion of criminal activity. In the main, a foreign country can do what it wants with the data. It is usually impossible to refuse to hand over a password, so it is better if the existence of an account is hidden. If you do not need them at the border, clear your phone of any extra social networking accounts and email services. Authorities’ rights or readiness to act are particularly high in the US, Russia, and China.
3. Beware of free network connections.
Use VPN for everything during your trip. Install the University’s VPN software (EduVPN) on your devices before the trip. Install and ensure the use of Eduroam before your trip if it is available for use it in your destination.
When travelling in Scandinavia, the Baltic countries or other EU countries, we recommend using a mobile data connection. It is reasonably priced and the most secure connection.
If you travel in a country where mobile connections are expensive, beware of free WiFi networks. Refuse the installation of any add-on feature or service on your device. If a network is available at your hotel, business premises or host organisation, please check with the staff before login that the network really belongs to the hotel/business premises/host organisation. During longer trips, consider getting a local data connection already at the airport. Alternatively, take a GOODSPEED modem with you from the IT Helpdesk, which enables you to connect to a reasonably priced data connection also from countries outside EUROPE.
Confirmation alerts and other error messages should be taken seriously, for example, when using wireless networks. You do not normally get alerts about the University’s services, meaning that you should be sceptical of such warnings and not just accept them outright.
Do not use public computers for any purpose to avoid any of your passwords or data falling into the wrong hands.
At the very least, always switch off the following when you are not using them:
- voice control or speech recognition
- WLAN or WiFi connection
- location services
- sharing a connection or hotspot
4. Make sure your computer has up-to-date software, anti-virus functions, hard disk encryption and that it can be locked.
It is not always enough to be careful because someone may steal your computer or break into it. Make sure that no data can get out of the device without unlocking it. Protect your password and mobile device security code from prying eyes and ears. Never leave the device alone for a moment and never let anyone else have it. Even a locked device can be broken into in no time if a professional wants to break in and has enough time to do it. Find out about your hotel’s service for keeping valuable property and use it. (The Finnish Security and Intelligence Service recommends that you always keep your computer with you.) Consider purchasing a privacy screen for your computer if you use it in the presence of others.
Make a careful backup of your devices before you travel. Be prepared that you may, for one reason or another, need to completely empty your device after your trip and do a clean installing from the backup. Make sure you can buy a new device from a local shop if yours is stolen or broken during your trip.
5. Check the services in your destination prior to your trip and be prepared for something to go wrong.
If possible, find out in advance where you can get help (eg a new device and a local connection) if your own devices are stolen or they break down. Contact the University immediately to close your user account if it is stolen. A new SIM card may be sent to those who are taking a longer trip. Take your bank’s user account and password with you in case you must reset the password of your TUNI account. Change the password of your TUNI account immediately if something strange happens to your device.
Change the password at id.tuni.fi
6. Social media
Consider whether you need to share information or photos from your business trip on social media.
If you decide to share information or photos:
- Share what you have done rather than what you will do.
- Consider whether it is necessary to share precise location information.
- Ask others for permission to share information or pictures about them.
General security guidelines apply when you are travelling. When it comes to the security of services and user accounts or profiles, pay particular attention to managing passwords and user IDs. Do not use the same password in different services. It is also important to think critically about using the same username for different services. Do not use the same login (eg Facebook login) to log in to different services. Use multi-factor authentication for the most critical services.
7. Precautions against state actors in some countries
In some countries, authorities have considerable powers, resources, and willingness to exercise technical control over all tourists and even citizens. In some countries, university students may be of particular interest.
The Finnish Security and Intelligence Service points out in its guidelines:
“Your job can make you an interesting target for intelligence operations at home and when you travel abroad. The interest may concern the documents and devices you bring with you and the conversations you have – whether on the phone or face-to-face.”
“If you work eg in politics, civil service or the world of business, you may be an interesting target for intelligence operations. Foreign intelligence services are interested in eg the different areas of Finnish politics, and Finnish research, technology and their development.
If a stranger approaches you and wants to talk about your job, please take into account that there may be an ulterior motive besides a sincere wish to make friends. Consider what you want to share with strangers.”
In most cases, for example in China, surveillance is based on extensive and almost seamless personal identification camera systems and databases, monitoring of online traffic and communications, and other technical or social means of surveillance. These systems reliably identify people by their face, voice and even gait, and build up a comprehensive map of a person’s movements and contacts with other people. In such countries, it is reasonable to assume that the authorities know where each traveller is in real time, with whom they are interacting, and what they are communicating with others.
Monitoring can also extend to the traveller’s own devices, the social media accounts they use, and almost anything else, depending on what is customary or possible in each country. The traveller usually has no possibility to protect him or herself or to refuse the authority’s measures or demands. For the time being, the likelihood of breaking into a device is low, but the consequences would be severe if the device contained private images, communications, or data.
It is most vital to protect:
- your privacy
- data for which the University is responsible
- your own research data if you have it with you or have access to it while you travel
Before your trip:
- consider very carefully which data you take with you
- consider which data can be accessed from your device
- also consider whether there is anything in your TUNI mailbox that should not be taken with you
If in an authoritarian destination country, you must use its social media apps or other country-specific official apps, it must be assumed that all their use is actively monitored by the authorities. The application may also embed unwanted features such as location tracking and copying the address book or other accounts in your device. Turning on the microphone and camera may also be possible. Do not allow the synchronisation of your address book or use of the microphone if possible. It may be difficult to uninstall such an application. It must be removed from the device upon return by wiping the entire device clean if necessary.
It is best not to take the phone or computer you normally use for your most private communications to avoid the risk that your private life ends up in a foreign country's database with all your family photos, communication history and details. It should be remembered that these can be used for years to come.
When travelling to China in particular, you should seriously consider including a separate low-cost smartphone in your travel budget so that you have access to useful applications there without the risk of your private life or work data falling into the wrong hands. The same applies if you need to use Chinese communication and service applications in Finland; you should avoid using them on your personal or work phone. They must not be installed on your workstation.
Accessing the services of the universities community without your own devices is usually not possible while travelling, so you will need to take some device with you.
- Connect to home only with your own devices, do not enter your TUNI password on any other device.
- Consider investing in a dedicated mobile device for your trip.
- Be prepared to wipe your device clean after your trip and to restore it from the backup you made before you left.
- If the device has been in someone else’s possession (eg a government agency) for a while, assume that it could have been broken into or copied with all its contents. The border authority usually has no other valid reason to take the device away from the traveller.
- Use VPN if possible.
- If VPN does not work, use only the portal www.office.com and/or email.
- Do not use it if there are verification alerts at the beginning of the connection*.
- Beware of links sent to you in a message, use unsecured web pages with caution. Links sent in a message are a well-known way to break into smartphones.
If anything strange occurs, report the incident to tietoturva [at] tuni.fi or it-helpdesk [at] tuni.fi, +358 294 520 500
8. If your device is stolen during your trip
- Report the theft to the local police. Bring a copy of the report of the offence with you.
- Change your password on id.tuni.fi. If you are unable to do this, contact IT-Helpdesk and ask them to reset the password for you.
- Report the theft to IT-Helpdesk
- After you return to Finland contact tietoturva [at] tuni.fi () and draft and send a written account of the incident to this address.
- We also report all thefts separately here in Finland.
* Things to note about web page certification
If you receive an alert that a certificate associated with your university network connection is new or invalid, it means that you are connected to a proxy server or the login page of an online service. Do not press OK and do not enter any passwords. Use your web browser to check whether you have direct access to the servers of the Universities community.