All travellers should begin by carefully considering whether they actually need to take a device with them. For example, those packing for vacation should leave their employer’s devices at home unless on call, or another legitimate business requirement exists.
The impact of device loss or theft must be evaluated. Are laptops, phones, tablets, and USB drives encrypted? Are strong passwords or biometric authentications enabled? Is all data backed up? Have unnecessary files been removed? Travellers should minimize the potential for data exposure and permanent loss.
International travel involves additional considerations: Border enforcement agencies in many countries, including Canada and the United States, have asserted the right to examine and even make copies of electronic information. This practice is enabled by outdated legislation that governments are reluctant to modernize. Travellers who refuse to hand over passwords and decryption keys risk being detained, having devices seized, and being denied entry into foreign countries.
Adding further legal and ethical complications, a border official opening an application on a phone or tablet with mobile network connectivity may accidentally or intentionally trigger the retrieval of data via the network. Was the officer searching data actually stored on the device, or where they using the device to view private data on a remote server? Travellers should assume that remote data accessible from the device may be viewed during a search.
It is difficult to provide definitive security advice on this issue. On one hand, the United States recently reported that it searches approximately one hundredth of one per cent of mobile devices. Many travellers are comfortable with these odds, especially if they feel they have nothing to hide, and a search would only result in a minor invasion of privacy. Others, including professionals with a duty to protect client information, journalists, and those who fear being targeted, may find the prospect of officers viewing and copying their emails, contacts, photos, documents, instant messages, and social media posts so highly invasive that they are not willing to take the risk.
If leaving the device at home, or purchasing another for travel is not an option, users can log the phone or tablet out of all accounts, and delete the applications that use them. (A logged out Facebook, Dropbox, Tinder, or Google Mail app may unnecessarily result in additional questions or requests for credentials.) A more extreme option is to back-up the mobile device, reset it to factory defaults prior to travel, and restore it at the destination. Both Android and iPhone devices include backup and restore functionality that make this possible, but bandwidth availability and restore times may be problematic.
Notebook computers present additional challenges, including the potential for forensic recovery of deleted personal or corporate data. A ChromeBook may be appropriate for some travellers. (http://itincanadaonline.ca/index.php/columnists/eric-jacksch/1583-chromebook-for-international-business-travel). A future column will explore the use of laptop-format thin clients for travel.
There are a few easy ways to reduce cybersecurity risks while on the road. A personal firewall (including those built into Linux, OS X, and Windows 10) and up-to-date anti-virus software are essential. Other suggestions include using a VPN and a DNS-based security service such as Cisco Umbrella (formerly OpenDNS).
Many companies advise employees not to leave electronics unattended in hotel rooms. While that might be possible during some business trips, taking a laptop to the gym or pool can be tricky. Most hotels offer in-room safes; some are reasonably secure, while others are not. Even safes from reputable manufacturers are vulnerable to surreptitious access if appropriate management controls are not in place. There is usually no practical way for travellers to tell the difference.
As a general rule, using an in-room safe is preferable to locking electronics in a suitcase. Most zippered suitcases can be rapidly opened and reclosed without visible damage, even when the zippers are locked together. There are two types of locking bags that can help travellers protect their electronic devices.
Pacsafe offers a series of theft-resistant travel bags. Their Travelsafe product, available in 5 and 12 litre sizes, is essentially a wire-mesh nylon bag with a steel cable drawstring that can be secured to a fixed object such as a water pipe. Once valuables are secured inside, a thief would have to either break the lock, cut the steel cable, or cut the steel mesh in multiple places to access the contents. The supplied lock is essentially an oversized “TSA approved” suitcase lock and is likely the product’s weak point. The Travelsafe has a carrying handle, but would look out of place around the pool and perhaps draw unwanted attention. At approximately $100, this product is more suitable for securing valuables inside a hotel room. An upgraded lock should make the bag difficult to break into without a serious pair of wire cutters.
Taking valuables to the pool or beach prevents theft from an unoccupied hotel room, but exposes them to snatch-and-run opportunists. LocTote’s Flak Sack is a drawstring backpack made of a soft, yet highly slash-resistant fabric. In addition to the rope drawstrings, it features a flat nylon drawstring with an embedded steel cable that can be used to secure the bag closed and lock it to a post, beach chair, or other fixed object. It has a water resistant coating and interior pocket to help protect contents. A determined thief could likely penetrate it with the point of a strong knife and slowly hack through the fabric, but that would take more time than criminals are willing to risk in a busy beach or pool setting. Overall, the Flak Sack is more comfortable to carry than the Travelsafe, reasonably fashionable, and much more discrete. At US $179, it is also a twice as expensive.
While virtual and physical products can definitely help, nothing replaces careful preparation, good judgement, and vigilance when travelling with tech.
Have a security question you’d like answered in a future column? Please send me an email.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…