It's important that you're aware of the potential information and data security risks you may encounter while abroad - including those from overseas governments and security services.
What are the potential risks?
Depending on where you're going, you may face issues such as unreliable and insecure Wi-Fi connections; restricted access to popular services (such as internet-based email services, Wikipedia, social media sites); government monitoring of communication services such as Skype; and hotel staff or government officials accessing electronic devices left in hotel rooms.
Your conversations may not be private or secure. Many countries do not have legal restrictions against technical surveillance. Many overseas security services have means of screening incoming visitors to their countries to identify persons of potential intelligence interest. In some countries, they may seek to identify individuals who could assist them in accessing, directly or indirectly, information or persons of interest, whether immediately or at some stage in the future. They may also have well-established contacts with hotels and common hosts who can assist in monitoring you in various ways.
You should have no expectation of privacy in cafes, hotels, aeroplanes, offices, or public spaces. All information you send electronically can be intercepted and retained, especially wireless communications. Security services and criminals can also track your movements using your mobile phone (you are often asked for mobile numbers on visa and entry application forms) and can turn on the microphone on your device even when you think it is turned off.
Intellectual property
While the University of Edinburgh’s policy is that any intellectual property produced by a student is owned by that student, many of our exchange partners and other activity hosts have different approaches. In some cases, an institution will own any intellectual property produced by a student while there. You should familiarise yourself with your host’s policy ahead of any exchange, study, work or research period abroad.
What can you do to protect yourself?
- Be sceptical of “money for nothing” offers and opportunities that seem “too good to be true” while abroad – they almost always are
- Be cautious of those who show undue, unusual or heightened interest in your personal or family background, friends and your future career plans
- Be careful of those offering free or preferential treatment, particularly where it involves government processes such as issuing visas and residence permits
- Be mindful of how you share personal information and what you reveal about yourself - particularly through social media
- Properly report money or compensation you receive whilst overseas and report suspicious or unusual activity to the University’s Study and Work Away team or your Student Support Officer.
- Trust your instincts. If it doesn't feel right, report it and let someone know.
What precautions should you take?
You will find lots of information on IT security and staying safe online on the University's Information Services website:
You should familiarise yourself with the information available there which includes guidance on:
- securing mobile devices
- encryption
- malware
- antivirus
- backing-up your data
- phishing
- secure passwords
- protecting against theft, loss and breakage
You may want to consider booking onto one of the Information Security Awareness Sessions available through IS:
Information Security Awareness Sessions
Below are three graded levels of security from good to best. You should consider which level of security is appropriate for you depending on the security risks which may be present in your host country.
- Only travel with the minimum information you need
- Use encryption, but be prepared to decrypt devices or files at border control points if asked to by local officials. This may involve you unlocking your device or opening the file and showing content to the official. If possible, you should remain with your device once unlocked (it is recognised that this may not always be possible)
- Make sure mobile devices are secured, data is backed up, software is up to date and unneeded data removed
- Leave current devices behind and take a newly built encrypted device with you. Use a new mobile phone that won’t be used for University business when back in the UK. Either get this before you go or when you get there – do not store any University data on these devices
- Use VPNs to connect to the Internet and especially University resources.
- Make use of secure remote access technology if you need to access data
- Do not store any University data on any device you take with you – use OneDrive or University shared drives and access via a VPN
- Do not use mobile devices that allow storage or connection to removable devices such as USB – make sure these are disabled before you travel
- Only connect to the Internet and University services via a VPN
- Do not check emails or remotely access any other services that store University data (such as MyEd) via insecure connections – always use a VPN.
The following information provides guidance on what to do before, while, and after you travel:
- Ensure that you can uniquely identify all your devices (stickers, specific marks etc) to prevent any attempt to substitute them.
- Ensure that you are using strong passwords for all your devices
- Identify all passphrases/passwords saved on your devices and remove any that are not needed whilst you are away. Consider using a password manager to securely store any passwords you do need – examples of available managers are listed on the Information Security website.
- Back up all your University data to University managed storage.
- If you need to take University data with you, ensure this is the minimum needed for the specific trip and remove any data that is not needed, particularly any commercially sensitive data or data containing personal identifiers.
- Consider setting up specific folders in OneDrive and setting controls to allow access for individuals with whom you may need to share information when away. Limit what information is stored in these folders.
- Set up multi-factor authentication (MFA) on all services where this is an option (Office365, Gmail, Facebook, etc)
- Clear local browser and download cache/history files
- Disable all unnecessary services on your devices, including USB ports, Wi-Fi and Bluetooth if possible
- Ensure that all devices are fully updated with the latest OS and App updates.
- Ensure that you have enabled encryption for your device. Check that your country of destination allows encrypted devices to be taken in and out.
For guidance on the above see:
- Keep all laptops, mobile devices and chargers in a safe place at all times and do not leave unattended in a public place. Where possible, carry these in hand luggage whilst travelling
- Think twice about all ‘normal’ actions: use common sense and a higher degree of suspicion to consider whether someone may be attempting to steal or subvert information
- Only enter University usernames and passwords into your own device, e.g. do not use University credentials in internet cafes. If you have to do this, ensure you fully log out of any services (such as Office365) once you have finished using them, delete the browser cache and close the browser. Change your password the next time you are on a safe device.
- Only use your own chargers, never one that you have borrowed. Similarly, do not use public charging points in cafés, airports etc
- Disable microphones and cameras in laptops (ensure that you know how to do this for the specific device you are taking with you as this may be different for each type of laptop)
- Do not use or accept removable media such as USB sticks, external hard drives or anything that can plug into your device
- Use your limited-access OneDrive folder to share information when away, to avoid the need for use of removable media. Grant additional access to individuals as needed and remove data after it has been shared, after scanning for viruses
- Be aware of your surroundings if holding sensitive conversations – assume that your calls and discussions are being monitored
- Never lend your devices to anyone (other than known colleagues)
- Do not connect to any public Wi-Fi hotspots using your own University credentials. If the access point needs an email address and password, use ‘traveller@ed.ac.uk’ with password ‘y’ (this account has been created specifically for this scenario and cannot be used for anything else). If the hotspot seeks to download anything to your device or says it has sent a link to the address you entered – do not use it as it is likely that it is trying to download malware
- Use VPNs to access University services and sensitive data that is not publicly available
- If your device or charger has been lost or stolen during your time abroad, consider them to be compromised and arrange for data to be restored from a device that was NOT with you. Reset all passwords/passphrases that you may have used whilst away - you should do this for University accounts and for any personal accounts you accessed.
More information
University of Edinburgh policies and guidance relating to travel