Ernest Moret, a foreign rights manager for the French publishing house La Fabrique, boarded a train in Paris bound for London in early April. He was on his way to attend the London Book Fair.
When Moret arrived at St. Pancras station in the United Kingdom, two plainclothes cops who apparently said they were “counter-terrorist police” proceeded to terrorize Monet. They interrogated him for six hours, asking everything from his views on pension reform to wanting him to name “anti-government” authors his company had published, according to the publisher, before proceeding to arrest him for refusing to give up the passwords to his phone and laptop. Following his arrest, Moret was released on bail, though his devices were not returned to him.
The case, while certainly showcasing the United Kingdom’s terrifying anti-terror legislation, also highlights the crucial importance of taking operational security seriously when traveling — even when going on seemingly innocuous trips like a two-and-a-half-hour train ride between London and Paris. One never knows what will trigger the authorities to put a damper on your international excursion.
Every trip is unique and, ideally, each would get a custom-tailored threat model: itemizing the risks you foresee, and knowing the steps you can take to avoid them. There are nonetheless some baseline digital security precautions to consider before embarking on any trip.
Travel Devices, Apps, and Accounts
The first digital security rule of traveling is to leave your usual personal devices at home. Go on your trip with “burner” travel devices instead.
Aside from the potential for compromise or seizure by authorities, you also run the gamut of risks ranging from having your devices lost or stolen during your trip. It’s typically way less dangerous to just leave your usual devices behind, and to bring along devices you only use when traveling. This doesn’t need to be cost prohibitive: You can buy cheap laptops and either inexpensive new phones or refurbished versions of pricier models. (And also get privacy screens for your new phones and laptops, to reduce the information that’s visible to any onlookers.)
If you do need access to sensitive information while traveling, store it in a cloud account somewhere using cloud encryption tools like Cryptomator to encrypt the data first. Be sure to then both log out of your cloud account and make sure it’s not in your browsing history, as well as uninstall Cryptomator or other encryption apps, and only reinstall them and re-log in to your accounts after you’ve reached your destination and are away from your port of entry. (Don’t login to your accounts while still at the airport or train station.)
Just as you shouldn’t bring your usual devices, you also shouldn’t bring your usual accounts. Make sure you’re logged out of any personal or work accounts which contain sensitive information. If you need to access particular services, use travel accounts you’ve created for your trip. Make sure the passwords to your travel accounts are different from the passwords to your regular accounts, and check if your password manager has a travel mode which lets you access only particular account credentials while traveling.
Before your trip, do your research to make sure the apps you’re planning to use — like your virtual private network and secure chat app of choice — are not banned or blocked in the region you’re visiting.
Maintain a line of sight with your devices at all times while traveling. If, for instance, a customs agent or border officer takes your phone or laptop to another room, the safe bet is to consider that device compromised if it’s brought back later, and to immediately procure new devices in-region, if possible.
If you’re entering a space where it won’t be possible to maintain line of sight — like an embassy or other government building where you’re told to store devices in a locker prior to entry — put the devices into a tamper-evident bag, which you can buy in bulk online before your trip. While this, of course, won’t prevent the devices from being messed with, it will nonetheless give you a ready indication that something may be amiss. Likewise, use tamper-evident bags if ever leaving your devices unattended, like in your hotel room.
Sensitive information you may have on your devices doesn’t just mean documents, photos, or other files. It can also include things like contacts and chat histories. Don’t place your contacts in danger by leaving them on your device: Keep them in your encrypted cloud drive until you can access them in a safe location.
On the other hand, the region you’re traveling to may have draconian identification requirements in order to purchase a SIM. And, if you’re waiting to purchase a card at your destination, you won’t have phone access while traveling and won’t be able to reach an emergency contact number if you encounter difficulties en route.
Keep in mind that the travel precautions outlined here don’t just apply for your inbound trip, they apply just as much for your return trip back home. You may be questioned either as you’re leaving the host country, or as you’re arriving back at your local port of entry. Follow all of the same steps of making sure there is nothing sensitive on your devices prior to heading back home.
Taking precautions like obtaining and setting up travel devices and accounts, or establishing a temporary phone number, may all seem like hassles for a standard trip, but the point of undertaking these measures is that they’re ultimately less hassle than the repercussions of exposing sensitive information or contacts — or of being interrogated and caged.