Information security when traveling
Information security is important even when traveling. To ensure that travel preparations are carried out safely, a model has been developed to assess the risks.
Rule of thumb: Plan first, then travel!
The Travel Security Model
This model is based on publicly available indices on risk factors and classifies countries into three risk levels, for each of which tailored safety measures are recommended.
(This webpage has been translated using CoPilot AI.)
Eavesdropping or shoulder surfing
What can happen:
- Conversations can be overheard, screens (mobile phone or laptop) can be observed and read, or a video can be recorded of you entering your password in order to obtain it.
- Wi-Fi networks are monitored and recorded.
- Many rooms are equipped with audio and video surveillance.
- Some countries also monitor encrypted communications by intercepting and listening in on them.
- In some cases, local representatives of cloud/VPN and communication providers are subject to mandatory surveillance.
- Charging devices or even charging cables can contain eavesdropping hardware that, in addition to charging the device, can infect it with malware, download content, or capture passwords.
What can help:
Even at low risk:
- Always be aware of your surroundings when speaking, and of which information you are handling. Headphones often create a sense of isolation, even though others may still be able to listen.
- Privacy screen protectors for smartphones and laptops ensure that screen contents are only visible from a direct viewing angle.
- If the country allows VPN use, continuous use of the UZH VPN is recommended.
- Instead of entering a password, you can log in using fingerprint or facial recognition (the new ZI laptops support this). This has other disadvantages, but prevents passwords from being observed during entry.
- Do not use unknown Wi-Fi networks (preferably none at all).
From a medium risk level:
- Do not charge phones or laptops using foreign or public charging cables or adapters, as they may contain data interception devices or install malware.
- Never enter passwords on public or unknown devices, such as those in internet cafés, hotel PCs, or similar.
- Carry important data in your hand luggage so you can keep track of it. Suitcases are opened and searched.
From a high risk level:
- Ideally, do not take or process any sensitive information.
Theft of devices
What can happen:
- If, in the event of theft, the information on the device, access credentials, or configured connections (VPN, etc.) are not sufficiently secured or cannot be remotely erased, they may fall into the hands of thieves, who may then sell or publish them.
- This could lead to further attacks or data breaches.
What can help:
Even at low risk:
- Theft must be reported immediately.
From a medium risk level:
- Do not take any information that is not absolutely necessary. It should be well encrypted (if encryption is not prohibited in the country) or managed under the control of an IT department at UZH so that the data can be deleted in case of emergency.
VPN not allowed or illegal
What can happen:
- The VPN cannot be established.
- Using a VPN may lead to arrest.
What can help:
Even at low risk:
- Use a VPN whenever possible.
From a medium risk level:
- Find out in advance about other (legal) ways to secure your data before returning.
From a high risk level:
- Do not have a VPN installed on your devices.
Encryption
What can happen:
- Certain types of encryption are not permitted in some countries or may attract unwanted attention.
- Encrypted storage devices alone can lead to inconvenience, confiscation, or arrest at the airport.
What can help:
From a high risk level:
- Avoid taking obvious encryption tools or hardware if possible.
Confiscation and coercive detention
What can happen:
- At the airport, you may be forced to unlock your laptop with your password to prove that you can actually use it.
- The laptop may be confiscated or be out of your control for a certain period of time.
- The surrender of passwords, access credentials, information, or hardware may be strictly enforced (including threats of coercive detention).
- In such scenarios, information on the devices you carry may fall into the hands of the respective country; VPN access to UZH may be compromised, allowing access to the network; hardware may be fitted with surveillance and tracking software; passwords may be extracted; or laptops may be confiscated for weeks.
What can help:
Even at low risk:
- Do not take any information that is not absolutely necessary.
From a medium risk level:
- Do not configure a VPN from the outset and do not take any information that must not fall into the hands of the respective country (not even in encrypted form: no KeePass files, no passwords stored in the browser, etc.).
- Important (sensitive) information that must be taken can be encrypted in such a way that, under coercion, a password can be provided that only reveals seemingly important data. The truly relevant data can be encrypted with a second password in such a way that its existence cannot be proven. Some encryption software supports this.
Decrypting data
What can happen:
- Passwords may be extracted.
- Some countries have the technical capability to decrypt laptop encryption or encrypted data.
- Hardware may be equipped with surveillance and tracking software.
What can help:
From a medium risk level:
- Take a specially prepared laptop, completely reinstall it immediately after passing through the airport, and reinstall it again after returning before reconnecting it to the internal network.
- Transfer important data separately to UZH.
Tracking of devices
What can happen:
- At the airport, passport information is linked with technical identifiers (MAC address of the laptop, IMEI and IMSI of the powered-on phone). (The laptop identifier can be determined via airport Wi-Fi, and the phone and SIM identifiers via an IMSI/IMEI catcher.)
- This allows the user of the laptop or phone to be identified at any time or their location to be determined within the respective country.
- If the telecommunications provider is under state control, phones can be hacked, monitored, and tracked by the provider. This can continue even after leaving the country and returning to the home country.
What can help:
Even at low risk:
- While abroad, watch for sudden errors or crashes of devices. The forced installation of surveillance software often leads to error messages or crashes.
From a medium risk level:
- Do not take your main phone with you; transport it securely and switched off at the airport.