Data Frisk? Another Reason to Travel with a Clean Laptop
Latest Travel Restrictions for Laptops
Experiencing a body frisk at airport security is…awkward, at least for many people. Now apply that to your laptop or tablet, and all the data that typically exists on such devices. For scientists, engineers, researchers, and university faculty that data easily includes scientific data or information. With the latest travel restrictions and export controlled technology from the U.S. Department of Homeland Security regarding laptops, tablets, and other larger devices on certain flights from certain Middle East countries, there may now be, as a NY Times article expressed it, an increased risk of a “data frisk” with “additional surveillance opportunities” as the affected devices are placed into checked baggage.
Export compliance requirements under the U.S. Commerce Department’s Export Administration Regulations (EAR) are already complex. Compliance to the licensing requirements on export controlled technology that is described on the EAR’s Commerce Control List (CCL) is challenging for universities and companies. However, the reality is that there are indeed situations where a Bureau of Industry and Security (BIS) license is required before certain technical data or information can be taken outside the U.S. – even when the data resides electronically on a traveler’s laptop. Now imagine that a laptop which contains export controlled technology is taken on a round trip flight to, for example, Riyadh, Saudi Arabia (one of the affected locations.) And, per the new requirements, that laptop is placed into the traveler’s checked baggage en route back to the U.S. Getting nervous? Was a BIS license needed for that export controlled technology to be exported to Saudi Arabia?
Bring a Clean Laptop
As part of their export controls compliance program, many universities and companies suggest, but do not require, that faculty and researchers bring “clean” laptops to ensure they are scrubbed of any export controlled technology. The recent federal requirement reinforces that it’s wise, at minimum, to follow this best practice. Furthermore, export compliance leaders may now want to consider a mandatory clean laptop when traveling to one of the destinations affected by the travel restrictions.
To Encrypt or Not to Encrypt?
In the scenario we are imagining, it’s worth considering: was a BIS license really needed? The “Definitions” Final Ruling from the Commerce Department in 2016 created a carve out for technology that is encrypted “end-to-end” per specified protocols. With proper encryption, taking that data out of the U.S. might not be considered an “export” by BIS. So if a clean laptop is not a practical solution for traveler’s at your university or company, another option to explore is encryption that meets the standards specified in the Definitions Final Ruling.
With these ideas in mind, an increased risk of a data frisk may still be unsettling – especially if the list of affected airports is expanded. But at least it’s less likely to uncover an inadvertent export controls violation by international travelers.