Data Protection & Export Control Laws
Please read this page in its entirety.
Data protection is of particular concern when traveling abroad because (a) foreign regulations on data protection can be stricter than U.S. regulations; (b) devices can be lost while traveling abroad; and (c) some foreign governments and groups specifically target research data, particularly when crossing borders and in transit (U.S. Fourth Amendment protections do not apply while crossing U.S. international borders). To minimize the risk of data loss and disclosures, please review the following considerations provided by the U.S. government:
- In most countries you have no expectation of privacy in Internet cafes, hotels, offices, or public places. Hotel business centers and phone networks are regularly monitored in many countries. In some countries, hotel rooms are often searched.
- All information you send electronically – by fax machine, personal digital assistant (PDA), computer, or telephone – can be intercepted. Wireless devices are especially vulnerable.
- Criminals and security services can track your movements using your mobile phone or PDA and can turn on the microphone in your device even when you think it’s off. To prevent this, remove the battery.
- Third parties can also insert malicious software into your device through any connection they control. They can also do it wirelessly if your device is enabled for wireless. When you connect to your home server, the “malware” can migrate to your business, agency, or home system, can inventory your system, and can send information back to the security service or potential malicious actor.
- Malware can also be transferred to your device through thumb drives (USB sticks), computer disks, and other “gifts.”
- Transmitting sensitive personal, research, government, or proprietary information from abroad is therefore risky. Connect via VPN.
- Corporate and government defense officials are most at risk, but don’t assume you’re too insignificant to be targeted.
- Criminals are adept at “phishing” – that is, pretending to be someone you trust in order to obtain personal or sensitive information.
- If a customs official demands to examine your device, or if your hotel room is searched while the device is in the room and you’re not, you should assume the device’s hard drive has been copied.
Before You Travel
- If you can do without the device, don’t take it.
- Don’t take information you don’t need, including sensitive contact information. Consider the consequences if your information were stolen by a competitor or foreign government.
- If you must take it, back up all information you take; leave the backed-up data at home.
- If feasible, use a different mobile phone or PDA from your usual one and remove the battery when not in use. Have devices examined by the UMass Boston IT Department when you return.
- Make sure a valid Property Pass is on record with the UMass Boston Property Department.
- For university-issued devices, make note of the barcode and service tag (Dell) or serial number (Apple, etc.).
Prepare Your Device
- Create a strong password (numbers, upper and lower case letters, special characters – at least 8 characters long). Never store passwords, phone numbers, or sign-on sequences on any device or in its case.
- Change passwords at regular intervals (and as soon as you return).
- Download current, up-to-date antivirus protection, spyware protection, OS security patches, and a personal firewall.
- Encrypt all sensitive information on the device. (But be warned: In some countries, customs officials may not permit you to enter with encrypted information.)
- Update your web browser with strict security settings.
- Disable infrared ports and features you don’t need.
- VPN Access – confer with the UMass Boston IT Department for VPN set-up on your computer.
While You're Away
- Avoid transporting devices in checked baggage.
- Use digital signature and encryption capabilities when possible.
- Don’t leave electronic devices unattended. If you have to stow them, remove the battery and SIM card and keep them with you.
- Don’t use thumb drives given to you – they may be compromised. Don’t use your own thumb drive in a foreign computer for the same reason. If you’re required to do it anyway, assume you’ve been compromised; have your device cleaned as soon as you can.
- Shield passwords from view. Don’t use the “remember me” feature on many websites; retype the password every time.
- Be aware of who’s looking at your screen, especially in public areas.
- Terminate connections when you’re not using them.
- Clear your browser after each use: delete history files, caches, cookies, URLs, and temporary internet files.
- Don’t open emails or attachments from unknown sources. Don’t click on links in emails. Empty your “trash” and “recent” folders after every use.
- Avoid Wi-Fi networks if you can. In some countries they’re controlled by criminals and security services; in all cases they’re insecure.
- If your device or information is stolen, report it immediately to Eden Medaglia, the UMass Boston IT Service Desk, and your department head/departmental property custodian; provide them with the make, model, UMass Boston barcode number and service tag (Dells) or serial # (Apple, etc.) of the missing device. When possible, a report should be filed with the local Police Authority and a copy of the report should also be provided to the above.
When You Return
- Change your password.
- If you believe your device may have been compromised, contact the UMass Boston IT Department to clean it.
Export Control Laws
It is the responsibility of all campus community members to review export control regulations and adhere to their requirements.
International travel on behalf of the university may be subject to export control regulations due to the technology, equipment, software, and technical data (in physical, digital or voice-transmitted form) being taken out of the country, and/or due to the travel destination. Regardless of export controls applicability, your responsibility is to maintain effective physical security of the university-owned equipment, software, and/or data. The most effective means of maintaining security over an item is to retain physical possession of the item.
Export Control Laws are broad and have implications for a host of university operations. Restrictions are based upon: specific commodities, technologies, and services; end-users; and countries. In addition, various departments and secretariats maintain lists of entities and individuals subject to various sanctions, embargoes, and debarments. Licenses are required for many activities in the following countries: Crimea, Cuba, Iran, Sudan, Syria, and North Korea. If you plan to travel to any of these countries, contact Matthew Meyer. Note that travel abroad with technical data, technology, software, or information controlled for United States (U.S.) export purposes is prohibited, and you will need a license or documentation of an exemption prior to the travel.
You must obtain prior approval via an Export Controls License from the applicable federal agency (e.g., U.S. Departments of State, Commerce, or Treasury) if you are traveling internationally with export-controlled items or information and/or to an embargoed country. Please contact Matthew Meyer with any questions regarding a federal license.
In most situations, you will not need to obtain permission from the government nor take any special actions to comply with export rules because the items/information are not controlled for the destination; or the materials are considered “tools of the trade” for your discipline.
Temporary Travel & "Tools of the Trade" Exception
International travel for less than one year (i.e., temporary) qualifies for a “tools of trade” license exemption if all of the following apply:
- Laptops and other computing and data storage devices are standard, off-the-shelf products and are broadly available; and
- The operating system and any encryption capabilities are of the kind that are preloaded on the computers and do not allow for user revisions to enhance communications security capabilities; and
- All of the application programs are general, commercially available software that either do not perform technical analyses or are scientific or engineering programs that are commercially available for general purposes (e.g., for electric field calculations not associated with a specific product); and
- All of the data stored on the computers or storage devices is publicly available (e.g., published in journals or on the web). Data and analyses from research that ordinarily would be published and are not restricted by contract from general dissemination can be treated as publicly available; and
- You have no reason to believe that there are export constraints on any of the equipment, software, data or information that would apply to your intended travel; and
- The travel is not to a sanctioned country per the U.S. Treasury Department, such as:
- North Korea
Items That Require Guidance Prior to Travel
Do not travel with ANY of the following without first obtaining specific advice from Matthew Meyer:
- Data or information received under an obligation of confidentiality
- Data or analyses that result from a project that has contractual constraints on the dissemination of the research results
- Computer software, devices, or equipment received with restrictions on export to or access by foreign nationals
- Private information about research subjects
- Devices, systems, and/or software that were specifically designed or modified for military or space applications
- Intellectual property
For additional assistance with export control matters, please contact the Office of Research and Sponsored Programs or call 617.287.5370.