When traveling overseas it is important to remain mindful of Export Control regulations. Please review the following materials and complete the license exception certifications as needed.
When leaving or entering the United States electronic devices may be subject to search without reasonable suspicion, and although there is some current case law to suggest that the Department of Homeland Security must demonstrate reasonable suspicion in some cases before ordering travelers to disclose their passwords or encryption keys, it remains a risk. Likewise, some other countries have laws allowing seizure and search of electronic devices, including coerced disclosure of passwords or encryption keys. Even where electronics are not seized and searched pursuant to law there remains a substantial risk that the contents of those devices may still be compromised. For example, see this article about cyber-espionage in China.
University employees should take appropriate measures to safeguard sensitive data, including but not limited to:
- Not taking any sensitive data that is not absolutely necessary. This may mean taking an alternate “clean” computer that has never held sensitive information.
- Backing up all sensitive data before traveling and encrypting files and requiring a password for access.
When taking an international trip it is important to consider (1) the materials and information you are taking with you; (2) your destination country; (3) those you may be collaborating with; and (4) the purpose of any collaboration.
Where Are You Going?
The United States imposes economic and trade sanctions and embargoes against certain countries for reasons of national security and foreign policy. In the most comprehensive sanctions even travel to that country may be prohibited, in other cases travel may be several restricted. The list of sanctioned countries is subject to change. Please check the Treasury Department’s Sanctions Program Resource Center and see if your destination is currently subject to sanctions. If you are traveling to a sanctioned country please contact the University Export Control Officer at 208-426-1258.
If you intend to visit Iran, North Korea, Cuba, Syria or the Sudan please contact us immediately at 208-426-1258 to speak with the University Export Control Officer.
License Exception Certifications
When you leave the country, everything you take is an export, including devices, software, and data. Depending on the export classification of those items and technology you may or may not generally need a license to export them to another country. For example, your Dell or Apple laptop are likely controlled for export (ECCN 5A992 for hardware/software bundles or 4A994 for just the hardware), as are mass market software products such as Windows OS, Mac OS, Adobe Acrobat, etc. (ECCN 5D992). However, there are two widely employed license exceptions that come into play.
If you own the device, the BAG exception allows you to take the device and software for your personal use as “tools of trade” when you travel, with the condition that you must bring it back to the United States with you (EAR §740.14(b)(4)). This exception can be used for any destination country, but not for all items. If you are traveling to a country classified in the E:1 Group (Terrorist-supporting Countries) (currently Cuba, Iran, North Korea, Sudan, and Syria), you cannot use the BAG exception for encryption items and software subject to EI controls on the Commerce Control List, a subset of the 5×002 classifications (EAR §740.14(f)). If you are traveling to these destinations you need to contact the University Export Control Officer at 208-426-1258 before you go.
If the items you are exporting are owned by Boise State University, the TMP exception allows you to take the device and software “for use in a lawful enterprise or undertaking of the exporter” to countries other than those same E:1 countries (EAR §740.9(a)(2)(i)).
Tips for Foreign Travel with Electronic Devices
The Office of the National Counterintelligence Executive has developed a tip sheet available at http://ncsc.gov/industry/travel/index.html.
Warning About Bringing/Using Encryption Products in China
An article from the November 2011 issue of WorldECR, a Journal of Export Controls and Compliance, notes that China adopted laws known as the “Encryption Regulations” in 1999. These laws were adopted by China’s State Council, the highest level of China’s government, and they bar the manufacture, use, sale, import, or export of any item containing encryption without prior government approval. These laws are phrased very broadly, and although there have been statement by subordinate agencies suggesting that they were not intended to be applied to mass-market products with incidental encryption, the agencies issuing these statements are not at the level of China’s State Council.
As such it is strongly recommended that no sensitive or personal data be brought into China on electronic devices. Rather than employing encryption bring clean devices if you must bring electronics with you.