
Recommendations for International Travel

Plan ahead to protect your data while traveling abroad

When planning international travel — whether for Stanford business or personal time — it's important to consider how you can securely access information from your devices. This guide summarizes best practices to ensure your data is protected before, during, and after your travel abroad.

While the Information Security Office (ISO) offers recommendations around device security and data protection, we urge you to visit the Stanford International Affairs website to check specific pre-travel country risk assessments.

If your device is lost or stolen while traveling, notify Stanford right away. 

High-risk cybersecurity & privacy countries

The U.S. government has identified pervasive threats to information security from certain countries deemed “high risk.” If you're traveling to the following high-risk locations, be aware that there is no presumption of privacy. This means that you should assume all data is accessible by local government and non-governmental actors and that information can be compromised.

High-risk countries
  • Afghanistan
  • Algeria
  • Belarus
  • Burma/Myanmar
  • Cambodia
  • Central African Republic
  • China
  • Cuba*
  • Cyprus
  • Egypt
  • Eritrea
  • Ethiopia
  • Guinea
  • Hong Kong
  • Iran*
  • Iraq
  • Liberia
  • Libya
  • Niger
  • North Korea*
  • Russia 
  • Sierra Leone
  • Somalia
  • South Sudan
  • Sudan
  • Syria*
  • Taiwan
  • Ukraine/Crimea and Donbas Regions*
  • Venezuela
  • Yemen

*Travel to, or activity within, these countries may require authorization from the United States Government. Please contact with any questions or concerns.

Before you travel

What to pack? In terms of devices, the Stanford Information Security Office recommends bringing only the equipment needed to do your work. Below you’ll find device recommendations that range from best, most secure options to the minimum required actions that help keep devices secure and your data protected.

Best: Travel light
  • Borrow through Travel Loaner Program. If you're traveling to a country categorized as Level 3, 4, or Other by the U.S. Department of State Travel, we strongly recommend that you leave your current devices behind and travel with a Stanford-provided Travel Loaner kit. Through the Travel Loaner Program, you can borrow an encrypted, pre-loaded iPad Pro, MacBook Pro, or Surface Pro to use in place of your own computer. The loaner device will allow you to manage email, view your calendar, run presentations, edit documents, and connect to university websites. The devices are set up specifically for your use and wiped back to factory settings when you return.
  • Connect through Virtual Private Network (VPN). Download and install Stanford’s remote access VPN client. This will allow you to securely connect to Stanford’s network as if you were on campus.
  • Leave the mobile phone at home. Consider whether you can travel without your mobile phone, and if you can get by with a Wi-Fi-only device, like a loaner iPad. If the trip is short or to areas with higher risk ratings, the best security option is to travel without your mobile phone. For two-step authentication, you can use the Duo Mobile app on an iPad or a security key - no network or cellular connectivity required.
Good: Travel with less data
  • Bring a new or wiped laptop. If you cannot travel without a full laptop, another option is to take a new or freshly rebuilt machine and load only the data you’ll need for this trip. You’ll need to make sure that the machine is encrypted before you go. To get started on encrypting your device, go to the Encrypt Your Devices webpage.
  • Use encrypted USB drives. Whenever possible, leave USB drives at home. These are easily lost and easily corrupted. If you must travel with a USB device, be sure that it’s encrypted.
  • Get a temporary mobile device. For mobile devices, we recommend borrowing a device in the country, using an unlocked phone with a local SIM card, or renting/buying a phone at the airport or hotel when you arrive.
Minimum: Travel encrypted

If you must take your own device(s), be sure to follow these additional steps before you go.

Laptops:

Mobile devices:

  • Go to mydevices.stanford.edu and click on your phone model. Under Device Information, look for Encryption Status. If your phone is not encrypted, please enroll it in the Stanford Mobile Device Management (MDM) program. Contact the University IT Service Desk at 5-HELP (650-725-4357) or your local IT for additional support on enrollment.
  • Enroll it in an international rate plan to avoid incurring exorbitant roaming charges.
  • Save your data, reset to factory defaults, and restore your backup when you return.

Voicemail: 

Submit a help request to forward your voicemail to email. This saves you from having to dial into your voicemail account, potentially revealing your voicemail

While you travel

Dos

  • Be aware of your surroundings. Watch for those looking over your shoulder or potential thieves.
  • Disable broadcast services like Wi-Fi access points, Bluetooth devices, and GPS when not needed.
  • Use private browsing whenever possible (Chrome, Firefox, Safari, Edge).
  • Use Stanford VPN access whenever possible.
  • If your device(s) are lost or stolen, notify Stanford right away.

Don'ts

  • Do not plug your phone into charger kiosks. There may be a hostile computer on the other end of that innocent-looking wire.
  • Avoid using public workstations as they cannot be trusted. Assume that anything that you enter into the system may be captured and used.
  • Do not leave your devices unattended. Even hotel safes are not secure.
  • Don’t connect to unknown resources like Wi-Fi access points and Bluetooth devices.

FAQs

What should I do if asked to provide my password to my laptop or other device and I have patient data or PHI on it?
  • We suggest that you not provide your password. Rather, unlock the machine for the Customs and Border Protection (CBP) agent if you are compelled to do so.
  • Our understanding is that CBP cannot make you provide your password, but that they do have some rights to inspect your electronic devices.
  • “Compelled” could be due to a subpoena, a CBP agent showing you the section of the law that provides CBP a right to require you to unlock your device for inspection, or circumstances such that you believe you have little other viable option.
How can I comply with Customs and Border Protection, but not release PHI?
If you unlock your device for inspection, let the CBP agent know before turning over the device that you are affiliated with Stanford (clinician, researcher, student, etc.) and have HIPAA-protected health information on the machine. To that end, request that CBP limit its review to exclude the protected health information (PHI).
  • Also, try your best to obtain the name and title of each CBP person reviewing your device.
  • Tell CBP that federal law requires you to keep a listing of all disclosures of patient information to third parties. This is why you are asking for their name/title.
  • Try to inform the agent and obtain names/titles before you turn over the device. If you cannot get names/titles, then get the best information you can and submit that information to privacy@stanford.edu as soon as you can.
Can I take my laptop in my carry-on if I travel internationally?
Yes, you can take your laptop with you in the cabin on international flights. The March 21, 2017 U.S. Department of Homeland Security (DHS) ban on electronic devices larger than a cell phone or a smart phone from cabins on airplanes entering the U.S. from certain airports has been lifted. DHS will require increased screening procedures for all flights entering into the U.S. in the weeks and months to come.
What should I do if my device is confiscated?
  • Obtain the name and title of the individual confiscating your device.
  • Obtain a “receipt” or comparable written documentation that describes the device confiscated, under what authority, for what purposes, by whom and whom to contact regarding return of the device.
  • If your device contains PHI, let the agent know that you are affiliated with Stanford (clinician, researcher, student, etc.) and have HIPAA-protected health information on the machine.
Where can I find more information about export control?
Look up your travel destination on the International Affairs Risk Ratings webpage to determine if the country is flagged for specific export control regulations. You'll be directed to contact Steve Eisner, Stanford's Export Control Office, at steve.eisner@stanford.edu.
I'm planning travel to a country where visitors have reportedly experienced a range of information security and privacy issues. What specific issues should I be aware of ahead of my travel?

A few issues reported by travelers, particularly to the People's Republic of China, include:

  • Services that we take for granted, like Gmail and other Google apps, Wikipedia, and Yahoo Web Mail, are often blocked altogether or filtered.
  • Those using VPNs reported that they are often cut off for hours at a time.
  • Hotel staff and government officials can access hotel room safes, so don't expect that a computer or mobile device left in a hotel safe will be secure.
To get more information about individual countries and risk ratings, visit the International Affairs website.

Additional support

Report a lost or stolen device

If your device is lost or stolen while traveling, notify Stanford right away.