I travel all over the world for my job, and for my hobbies. Although there are still plenty of places I haven't been, I've visited enough foreign countries that I don't deny it when someone calls me a world traveler. Over the years, I've experienced my fair share of foreign spying. I know what it's like to be snooped on.
I'm no longer surprised when I suddenly get gobs of spam from a country I've visited. My best guess is that someone in the country intercepted my email and recorded my email address. I still get porn spam in Arabic and ads for weight loss products in Mandarin. I've had my laptop and USB keys searched at countless borders.
An eye-opening moment: On one trip to an Asia-Pacific country, while I was taking a shower in my hotel room, I saw someone insert a USB key into my unlocked laptop. I yelled and jumped out of the shower, and the intruder ran out of the room, leaving his USB key behind. On it was a remote backdoor Trojan. That someone believed I was significant enough to spy on made me feel pretty important. It also taught me to be much more careful with my laptop.
Besides keeping your eyes and ears open, what else can you do to protect your privacy and data when traveling? After discussing the topic recently with Salo Fajer, CTO of cybersecurity firm Digital Guardian, I put together the list below. After spending just a brief time with Fajer, I realized we shared a lot of the same ideas on protecting our data from foreign adversaries, but he had a few I hadn't thought of.
#1. Know your rights before you go
First, and foremost, know your rights and laws before you go to a foreign country. Just as you must know the currency and exchange rate and when to tip, you need to know the legal rights that a particular country might have to your data.
It might surprise you to learn that your normal privacy rights, not to mention your Constitutionally protected rights as a U.S. citizen, go away at the border. Border crossings are a legal no-man's land, where each country's laws often do not apply. One of my Canadian co-workers, who traveled to the United States dozens of times a year, was once asked at the border to turn on his laptop, provide his encryption key, and let the border authorities copy his laptop's digital contents. He initially refused because his laptop contained private customer data that he legally could not provide ... or so he thought.
The border guards told him that if he did not provide the data he would be immediately prevented from entering our country for five years. He called our company's lawyers and they recommended that he provide the encryption key and give the border guards access to the data.
One little tip I gained from that experience is to double encrypt my data. I use a full disk encryption product that is readily apparent to anyone who turns on my computer. But I use a second encryption product to encrypt my most critical data a second time. I have changed the directory path, icon, and executable names so that they look like they belong to a common, run-of-the-mill program. Turns out that if the border guards don't know something is double encrypted, they don't ask for the second set of encryption keys. It's a cryptographer's variation of “Don't ask, don't tell.”
#2. Protect copied data
I'm a big fan of data encryption schemes like Microsoft's Active Directory Rights Management Service that encrypt the data from unauthorized eyes no matter where it is copied. So even if the border guards or spies get to your data, they are unlikely to be able to review it later on.
#3. Leave the data home
Better yet, leave the data at home. These days, all my data is stored in the cloud. Before traveling, I just delete the local copy after disabling the sync feature, so that there is no data on my laptop in the first place. I do all my updates and edits on cloud-based copies when I'm away, and then re-enable the local cache when I return home. Or I use the same method, but take another device that never had the data on it in the first place.
#4. Always choose the most secure network option
Whether you're traveling foreign or domestic, you should always choose the most secure network option available. Be wary of all free Wi-Fi and Bluetooth connections. Make sure you're connecting only to official Wi-Fi offerings and not fake hacker Wi-Fi access points. Better yet, if you can't be sure you're using the right open Wi-Fi network, use your cell phone's tethering feature.
#5. HTTPS is your friend
Make sure all of your web surfing, or at least your surfing to the websites you use authentication with, is protected by TLS-enabled HTTPS. You don't want bad guys sniffing your connections. Make sure that any wireless connections you use don't try to place fake digital certificates on your computer in an attempt to man-in-the-middle the connections. It's more common these days than ever.
Also, it's important to remember that your 2FA (two-factor authentication) methods may not work, especially if your 2FA option uses your cell phone or messaging and your cell phone's voice or data service doesn't work.
#6. Use a VPN
Use your corporate VPN whenever possible. If your VPN connection uses split-tunneling, understand which traffic is secure and which is not secure. Fajer uses his own personal VPN router when traveling to make sure all connections are protected. Personally, I'm a big fan of Anonabox.
#7. Use privacy screens
I'm very old school. When I travel I always make sure I have a good privacy screen over my laptop display to keep prying eyes from reading what I'm reading or typing. 3M makes some of the most versatile and secure privacy screens you'll find.
#8. Use throwaway accounts
I try not to use other people's computers, but there are times when using other computers is necessary or at least very useful. When I use those computers, I often use temporary, throwaway email and cloud storage accounts when I travel. For example, I send my airline tickets to print to a throwaway account so I can pick up and print the tickets on hotel computer equipment. Hotel computers are obvious targets for malware and keystroke recording equipment. If you print that ticket from a throwaway account that you'll never use again, who cares if someone can access it after you leave?
#9. Lock your device
It goes without saying that you should lock your computing devices anytime you aren't using them -- even in your own hotel room when you're using the shower.
#10. Make sure your device is secure
Don't take your regular device along on trips if you don't have to. But regardless of whether the computer is your normal device or just a travel one, you want it as secure as possible. It should be securely configured, have all security patches applied, and have a host-based firewall, and host intrusion prevention software, as well. He also said to make sure that you turn off any file or network sharing features.
#11. Don't broadcast your current location
Lastly, while this isn't exactly a travel tip, don't share your current location with the world. This happens all the time when people use social media. Maybe it's the paranoia gripping me, but I've never understood my friends letting everyone know when they are out of the country, advertising that either their house is empty or that their spouse or kids are home alone. I love to share my pictures and adventures on social media, but I wait until I'm home and able to protect my assets and loved ones.
If you travel, whether halfway around the world or halfway across the state, you must take special care to make sure your data and devices stay secure. If you don't take precautions, it's only a matter of time before you get burned.