Critical: Assume your network activity is observed and your devices can be inspected. Foreign carriers, hotel networks, and border officials may have authority and capability to monitor traffic, copy data, or compel device access. Plan around these possibilities before you travel rather than during.
This article describes the technology preparations University students, faculty, and staff should make before international travel, the practices to follow while abroad, and the steps to take on return. The right level of caution depends on where you're going and what you'll be doing. Use the risk table below to calibrate, then follow the phase-by-phase guidance.
Determine Your Risk Level
Not all international travel carries the same risk. The advice below is organized by traveler workflow, but the depth of preparation should match the destination. Three rough tiers cover most cases.
Travel risk tiers, examples, and the baseline preparation expected at each level
| Risk Tier |
Typical Examples |
Baseline Preparation |
| Standard |
Conference travel to allied or low-risk destinations; tourism not involving University data. |
Standard device hygiene, current OS and antivirus, PittNet VPN installed, credentials reviewed. |
| Heightened |
Extended stays, travel involving Sensitive data, travel to destinations with elevated cybersecurity or surveillance concerns. |
All Standard practices plus minimized data on device, hardware-token MFA considered, post-travel password change and device review. |
| High-Risk |
Travel to the People's Republic of China, embargoed or sanctioned countries, or any destination on the Office of Trade Compliance restricted list. |
Loaner device strongly recommended. Coordinate with the Office of Trade Compliance and Pitt Digital Security before departure. Device erase and rebuild on return. |
Note: Don't self-classify high-risk travel.
Country status changes with U.S. trade policy. Confirm the current tier for your destination with the
Office of Trade Compliance or
Global Operations before you finalize plans.
Before You Travel
Select a section below to expand its guidance.
π Register Your Trip and Coordinate with Pitt Offices All Travelers
Several Pitt offices need to know about your travel for safety, compliance, and support reasons. Coordinate early.
- Register your trip through the Pitt Travel Registry. Required for graduate students and staff. Strongly encouraged for faculty. Students participating in Study Abroad register through that office instead.
- Office of Trade Compliance determines whether your destination, equipment, software, or data require an export authorization. Allow several weeks if a license is needed.
- Office of International Services (ois.pitt.edu) supports international students, scholars, and employees with immigration and re-entry questions.
- Pitt Digital Security should be notified for any High-Risk travel involving University data, even on a loaner device. Contact through the Technology Help Desk.
π» Choose the Right Device All Travelers
The best protection against device compromise abroad is to travel with a device that doesn't contain anything sensitive in the first place.
International Loaner Program
For Heightened or High-Risk travel, request a loaner laptop or smartphone through the International Loaner Program. Loaner devices come pre-configured with Pitt-approved software, are wiped on return, and don't carry your accumulated history. Submit requests at least 10 working days before departure.
Note: Monitoring coverage differs by device.
University accounts are continuously monitored for suspicious sign-in activity regardless of your location. University-onboarded devices, including loaners, receive additional endpoint protection. Personal devices used for University work do not have that device-level coverage.
If You Must Travel with Your Own Device
Where a loaner isn't practical, treat your own device as if it will be compromised. Specifically:
- Confirm full-disk encryption is enabled β
BitLocker on Windows, FileVault on Mac, the default on current iOS and Android.
- Patch the operating system and all applications.
- Verify antivirus is current. Pitt-supported options are documented in the Antivirus Software article.
- Uninstall applications you don't need for the trip. Each installed app is potential attack surface.
- Set your browser to clear history and cache on close.
π Manage Your Credentials All Travelers
Most University data lives in cloud services now. The risk during travel has shifted from data sitting on the device to credentials and active sessions that can reach the data. Plan accordingly.
Password Manager
The University supports 1Password. Before you travel, consider creating a separate travel-specific vault containing only the credentials you'll actually need on the trip. Sign out of 1Password before crossing borders, so an unlocked device doesn't grant access to your full vault.
Multifactor Authentication
- Verify Duo is enrolled on a device you're taking with you, and that it actually works from a non-campus network.
- Consider a Duo hardware token for High-Risk travel. A hardware token doesn't depend on cellular coverage or push delivery, which is helpful when carriers and networks behave unpredictably. Request one through the Help Desk before departure.
- Avoid putting both factors on the same device when you can. Authenticator apps and password vaults living on one phone means one compromised phone equals full account takeover.
Reduce Active Sessions
Before departure, sign out of services you won't use on the trip. Every active session is a credential that's already passed authentication and can be reused if the device is taken.
π§Ή Remove Data and Apps You Don't Need All Travelers
The cleanest device is the safest device. For local data and applications:
- Restricted data (SSNs, payment card data, PHI, FERPA-protected records) should not travel with you unless explicitly authorized by the data steward and Pitt Digital Security. See the Data Risk Classification guidance.
- Sensitive data (unpublished research, employment records, student grades) should be removed unless directly needed for the work you're doing on the trip.
- Export-controlled software, technical data, and documentation may not legally leave the U.S. without authorization. Coordinate with the Office of Trade Compliance.
- Personal information with high recovery value if lost (saved passwords in browsers, downloaded financial statements, personal photos with location metadata) should be moved off the device or backed up and removed.
For mobile devices specifically:
- Back up the device locally, then reset to factory and selectively restore only what you need. On return, restore from your local backup.
- Limit email synchronization. Reduce the amount of mail and the number of accounts synced to what's strictly necessary.
- Use a strong passcode (six digits or longer, or alphanumeric). Avoid four-digit codes.
π Plan How You'll Connect All Travelers
Wi-Fi options in order of preference:
- Eduroam at participating institutions abroad. Use your Pitt credentials. Authenticated and encrypted, and available at most universities globally. See the PittNet Wi-Fi article.
- Cellular data with an international plan from your carrier, or an eSIM from a reputable local provider. Generally safer than open hotel or cafe Wi-Fi.
- Trusted private Wi-Fi tunneled through the PittNet VPN (GlobalProtect). Install and test the VPN before departure.
Avoid: hotel business-center computers, internet cafes, shared kiosks, and public charging stations. Open Wi-Fi in airports, hotels, and cafes should be treated as observable even when password-protected.
Note: USB charging stations are not safe.
Public USB ports can carry data as well as power. Use your own charger plugged into a wall outlet, or carry a USB data blocker.
While You're Abroad
π‘ Daily Practices All Travelers
- Keep devices in your physical custody. Do not leave laptops or phones in hotel rooms, conference centers, or borrowed offices. If officials remove your device from your sight at any checkpoint, consider it compromised.
- Use Eduroam or PittNet VPN for anything sensitive. Casual browsing on hotel Wi-Fi is fine; anything involving University credentials or data should be tunneled.
- Be aware of your surroundings when entering passwords or PINs. Shoulder-surfing is a real attack vector, particularly in airports and conference venues.
- Disable Bluetooth and Wi-Fi when not in use. Modern devices need Bluetooth for accessories, so disable it when you're not actively pairing or transferring. Don't leave Wi-Fi searching for networks while you're moving around.
- Don't plug in unknown USB devices, cables, or storage β and don't connect University devices to unknown ports. This includes "found" USB drives and unfamiliar charging cables.
- Limit what you do. If you don't need to access a service while abroad, don't. Every additional service touched is another password to change on return.
- Report suspected compromise immediately. Call the Technology Help Desk at 412-624-HELP (4357) and ask for Pitt Digital Security. Pitt's security team is available 24/7.
π Border Crossings and Device Inspection Operational Awareness
Border officials in many countries β including the United States β have broad authority to inspect electronic devices, demand passwords or biometric unlocks, and copy data. The Office of International Services notes that refusing CBP access on return to the U.S. may result in a determination of inadmissibility for non-citizens.
Operational Practices
- Power devices off before crossing rather than leaving them locked and running. A fully powered-off device requires a passcode to unlock; a powered-on device may be unlockable with biometrics, which have weaker legal protection in U.S. courts than passcodes.
- Sign out of cloud services and password managers before crossing. An authenticated session on an unlocked device exposes everything that session can reach.
- Carry minimum data. A loaner device with no personal history is significantly easier to hand over than your daily-driver laptop.
- Document the inspection if it happens. Note the date, location, officer information if provided, what was inspected, and whether anything was copied or retained.
Note: Legal questions about specific inspection scenarios belong with the Office of University Counsel.
This guidance describes operational practices, not legal rights. If you have concerns about a specific situation, contact the
Office of University Counsel before travel. Non-citizens should also coordinate with the Office of International Services on re-entry planning.
When You Return
π Return Checklist All Travelers
- Change your University Computing Account password from a known-clean device. This step is non-negotiable regardless of risk tier.
- Change passwords for any other accounts you accessed while abroad β personal email, financial accounts, social media. The more services you used, the more accounts need rotation.
- Review your Duo enrolled devices in My Pitt. Remove anything you don't recognize or no longer use.
- If you used a loaner device, transfer any data you want to keep, then return it to Pitt IT within one week of arriving in the U.S. Do not connect a loaner to PittNet or any Pitt wired port on return.
- For Heightened or High-Risk travel, have your own travel device securely erased and rebuilt before returning it to general use. Coordinate with the Help Desk or your departmental IT.
- Report anything unusual. Unexpected password reset prompts, unfamiliar logins, devices that behave oddly, or any inspection event during travel should be reported to the Help Desk with a request for Pitt Digital Security.
If Something Goes Wrong
β Incident Response While Traveling
Report incidents as soon as you can β hours matter for containment. The Technology Help Desk reaches Pitt Digital Security 24/7.
|
1
|
Lost or stolen device. Call the Technology Help Desk immediately. Pitt Digital can disable account access and remote-wipe enrolled devices. For Pitt-owned property also report to your departmental administrator. |
|
2
|
Suspected compromise. If a device behaves unexpectedly, you notice unfamiliar logins, or a password reset arrives unprompted, stop using the device, change your password from a known-clean device, and call the Help Desk. |
|
3
|
Device inspected, copied, or retained at a border. Document the event. On return, treat the device as compromised β do not reconnect it to University networks until Pitt Digital Security has reviewed it. |
|
4
|
University data exposed. Any suspected exposure of Restricted or Sensitive data must be reported regardless of confirmation. Call the Help Desk and ask for Pitt Digital Security. Early reporting is what makes containment possible. |
Note: Reporting a suspected incident is never wrong. Pitt Digital Security would much rather investigate a false alarm than learn about a real one too late.
Additional Considerations for Researchers
Researchers face additional constraints under U.S. export control law and University trade compliance policy. The Office of Trade Compliance publishes detailed guidance; the items below summarize the most common considerations.
- Determine well in advance whether your destination, equipment, software, or data require an export authorization. Licensing can take several weeks.
- Conduct Restricted Party Screenings on the individuals and entities you'll be working with.
- Travel with a clean device. The International Loaner Program is built for exactly this case.
- Remove export-controlled technical data and software from your devices before leaving the U.S. Use secure-erase methods rather than ordinary file deletion. In some cases, swapping in a clean hard drive is more practical.
- Back up your data before departure and leave the backup in the U.S.
- Avoid accessing Pitt email or cloud storage from inside the destination country when possible.
- Do not exchange controlled information by phone, fax, email, or messaging.
- Carry business cards rather than data files for contact exchange.
Resources
University Resources
External Resources