Travelling to a High Risk Country

We strongly recommended you access data remotely via Web Access or using Queen Mary’s “Appsanywhere” service. However, if you do have to move data, ensure that is it encrypted. This includes data stored on a device’s hard drive, USB, or SD cards.

Data considered sensitive must be protected by UK law. If you intend to use patient or medical trials data, please contact your departmental Data Protection Officer or the Joint Research Management Office (JRMO) for advice and guidance. Unpublished research data or results are considered sensitive in terms of value to both Queen Mary (QM) and the individual. Please refer to the JRMO website for more detailed information about the risks of research data.

For technical protections that could be applied, please contact QM Information Security team

Ensure all available updates are applied prior to travel to reduce the vulnerability of your device. This includes the basic operating system, applications, and device firmware such as the BIOS. It’s always advisable to keep your device up to date because this reduces the number of ways it might be vulnerable to attack. It’s also best to do any updates in an environment you trust. So, make sure all available updates are applied before you travel.

Don’t install unnecessary software on any device that you might have to take to an environment you can’t trust.

Software packages often contain components that can access data they shouldn’t need to access for their advertised purpose. The simplest way of dealing with this problem is to refrain from installing any unnecessary software packages.

Don’t access any IT service that may be controlled by any person, company, organisation, or state that you can’t trust. This applies to any IT service anywhere in the world, but it’s especially important where the people or company operating such a service can themselves by plausibly coerced by nation states to support their aims. This includes foreign-controlled social media services. For further guidance on accessing QM services via your web browser, please refer to the Loan Laptop Guide.

Public Wi-Fi services can also be more of a risk than they first appear. It costs money to operate such a service, and unless there is a clear reason for the operator to provide the Wi-Fi service, the operator will be making money some way or another, usually by selling information about the users of the service.

 Here are some suggestions on what to look out for:

• Make sure the operating system firewall facility is turned on. This helps protect your machine from attacks over the network. It can also help prevent data leakage from your device.
• If you must log in to the service with a working e-mail account, your account, and other details of what you do are likely to be sold.
  • • Any relationships between the Web services you access using that Wi-Fi service can be useful for targeting advertising. This isn’t a big risk but it’s surprising how much data can be gleaned from large-scale data mining of this sort of data.
    • There are identifiers for your individual machine that are not obvious to you, and these can be collected and correlated between different sessions on different Wi-Fi services, leaking more data about what you are using that might first appear.

Many more modern devices draw power or are charged via USB interfaces. Inserting USB devices that you can’t trust is a very real risk. But it is not always at all easy to be sure that a device that claims to be a charge point is only a charge point. This applies especially to devices that use a USB-C socket.

You can reduce the risk here by:

• • Taking your own USB charger and plugging it into the mains power yourself.
  • Taking your own USB charging cable that picks up power from the charger but explicitly blocks the capability to transfer data. These cables are more expensive for USB-C because the data wires are used to negotiate fast charging and cannot be blocked by simply not connecting those pins of the cable.

If you are required to reveal any passwords, change them as soon as you can safely. You should also notify your service provider as soon as possible; this includes QM and any personal service providers such as your bank. You should bear in mind that if anyone has obtained access to any of your devices this means they could have access to any saved account credentials stored on your device, for example in your Web browser. One of the simplest things that can reduce the risk to both QM and yourself, is to use a clean device with the minimum amount of data (including registrations with social media) and then have that device wiped by ITS when you return to remove any malware that might have been introduced to the device during the trip

Don’t carry personal data you do not need. It is very common that border authorities are permitted by local law to demand that you decrypt any device carrying data that you carry across a national border; this includes the UK border authorities. If you have any data that you do not wish such authorities to see, perhaps because it is critical of that government, and especially if it is illegal in that country, don’t carry it across a border where it can be inspected. This applies both when entering and leaving a country. It is worth remembering in this context that this can apply to any device be it a computer, tablet, smartphone, or memory device like a USB drive.  And “data” includes text, photos, audio recordings, movies, and even traditional printed or hand-written material.

Make sure your travel itinerary is known by someone in the UK. In the event if something does happen to you, someone else will be able to raise an alarm with QM and the authorities if you are unable to communicate.