Travel OPSEC

For those of you who travel through your country or around the world, this is a critical section to read. Travel is not as simple as getting a passport and getting on a plane. While it may work in some circumstances, every country has things it screens for regarding the people entering. This could mean your devices get taken and searched, you may be questioned, and in extreme cases, you may be imprisoned for things you've done or said that a foreign government didn't like. Disclaimer: I talk about this from the context of the US and its laws. You'll have to learn your country and local laws about what is and isn't legal when travelling, as well as laws of any country you want to go to.

It is now standard practice in most of the world, including the US, to use biometrics. This includes fingerprints, palm scanning, and facial recognition. While a US citizen can generally opt out of these practices for the time being, non-citizens don't have this as an option, and in some countries, there's no option to opt out. This becomes a major hazard if a person has done something a government doesn't like. Take the case of Ksenia Karelina for example. When she travelled to Russia, her phone was taken and searched (likely a data dump was done with a device similar to Cellebrite). A search of the contents revealed she made a $51 donation to Ukraine, so she was sentenced to 12 years in prison.

Something important to understand: a US citizen, for example, might expect certain freedoms no matter where they go, one of those being plausible deniability. While the US recognizes it and some other countries might, not all of them will, and the attempt to play dumb about an encrypted drive/messages/other contents could result in all devices being seized and the person being imprisoned with no recourse to get out. I've seen software such as VeraCrypt talk about how it can be used to create a hidden drive on a computer. If you are forced to allow a search and the customs agents are savvy enough, they may be able to tell encrypted data is being concealed on the computer. This could be a major hazard for you. I personally don't recommend travelling with anything other than burner devices unless you absolutely need access to certain data. The risks of being arrested are too high when a government could get mad about something innocent you texted someone or an item you bought.

If you do any kind of sensitive work such as AI research, chip design, or are a business executive, expect to be surveilled at all times by foreign intelligence services. This applies no matter what country you are visiting. Intel agencies excel at espionage, and people have been played in many ways. One of the most common ways is to use attractive women to seduce male targets. Whether you travel for business or personal reasons to another country, if you are in a high risk profession, your organization will likely have guidance for you to follow to help guard against this. Follow it and keep yourself out of trouble while abroad. You'll be in for a worse time than an average traveler if you get arrested.

You also need to pay attention to the people around you, since it's not just the government that could give you problems. I've seen more videos on YouTube in recent years of people travelling to places like Colombia and posting videos of their crypto investments. They'll get catfished by someone feigning interest, only to get drugged and beaten, and in some cases, murdered. The best case scenario is they walk away alive and they lose access to their accounts and get their devices stolen. In many cases, the people travelling didn't do anything wrong, except for not having the street smarts to stay out of trouble in the local area. One of the biggest issues I've seen from a US perspective though is that Americans can be loud, rude, and obnoxious in foreign countries. There's no need for them to put targets on themselves, yet some just can't be bothered to not act stupid. Respect and knowing what areas to avoid go a long way. NEVER antagonize the locals. Don't expect the SEALs to save you if you act reckless in a foreign country.

Beyond your devices, you also have to be prepared to potentially have someone monitor everywhere you stay. I won't go into the details of countermeasures in those cases, since I focus mainly on digital aspects, but you should consider learning how to check for hidden cameras, mics, etc., or at least operate with the presumption that some countries will monitor foreigners at all times.

Let's go over some of the finer details when you're preparing to travel…

Start with a threat assessment and local research:

If you do work considered sensitive (some examples were given above), you need to include government agencies as possible adversaries. Average street criminals are always a given, no matter where you go or what you do. Learn ahead of time what the border controls are like. For example, when you enter the US, you have to allow customs agents to search your electronic devices and collect your biometric info (this is based on info I had at the time of writing this, and it's been this way for a while). If you refuse these, you won't be allowed into the country. In a case like this where they search your devices, assume they will use Cellebrite or something similar to make an entire copy of all your data. You should NEVER bring your daily driver devices to a country where this kind of screening will be done. You don't know what kind of information the government may have a problem with and it could end with you in prison for something you didn't think was an issue.

Next, research the current travel climate. Some countries such as the US have travel advisories that citizens can view to see if there's any caution that's recommended. These get updated frequently as changes happen in a country, such as civil war outbreaks, certain groups of people being targeted, etc. Part of this research should include what you can do with your devices. Multiple countries have banned the use of VPNs and it could result in arrest if you had one installed on your computer and you connected to one while abroad. Research other important laws as well, such as anything related to encryption and social media posts. There are countries where this is now becoming a large issue and people are being imprisoned for what should be considered free speech.

This is one of the most important parts - learn the customs of the country you're visiting before you get there. I cannot stress this enough - NEVER antagonize the locals. A foreigner being rude, either purposefully or accidentally, in another country will cause a lot of problems and could lead to death. Hide your power level when you're a guest in another country. If you're the type of person to wear designer clothes or high end watches, keep all that at home and be a generic looking visitor (gray man theory). Business trips may require different dress etiquette. It's okay in those cases, but should be kept to the bare minimum. If you've got anything on your social media you think could be controversial to foreign governments, scrub it ahead of your travel. Also, if you've got anything showing off your power level (photos of you with fancy cars), get rid of that as well. WARNING: Because of the massive dragnets used by governments to collect data on people all over the world, this may not be effective. If your profiles were part of a data collection process, a foreign government might already have this info readily searchable.

Preparing your devices/documents/other affairs:

As stated earlier, burner devices should always be used unless you absolutely need to bring a main device. Remember your data should be considered compromised the moment a customs agent plugs a cable into your devices. It could be loaded with malware and/or all data that you had on there is now copied into their database and stored permanently. If you decide on only burner devices, never use them to log in to your accounts and keep them limited to casual use. If the devices were ever removed from your view or plugged into anything, my recommendation would be to get rid of them once your travel is over. As far as authentication methods, some people will say you should only use passwords and not biometrics, since you can't be compelled into giving a password. This only applies to the US in the context of US citizens. I'll stress again as I did earlier, the laws of your country are not the laws of every other country. If you tried this method in many countries, you would either be refused entry or be imprisoned for years on suspicion of being a spy.

Burner Devices

Note on burner devices: A "sterile" device (one that is clearly brand new and was just bought) could draw suspicion. It would be better to make your device look like it's had some use before you travel. Border agents are well aware of the burner device tactic. There's no need to draw more suspicion than necessary.

Before you travel to another country, have your trip planned ahead of time on where you'll be going and staying. That doesn't mean you can't change things around while you're there, but you should have a solid plan beforehand. Spend time on forums to research what neighborhoods to avoid and what types of scams are used on foreigners. Once you've got this handled, put it to paper and contact your embassy that's in the country you're going to. Let them know what you'll be doing and when you'll contact them on return, so they can start checking around for you if they don't hear from you by then. Also give this info to either trusted family members or friends. Depending on the circumstances, you might want to get insurance as well in case you get captured and ransomed. If your captors can't get any money for your release, you could be executed.

Make sure all required documentation is in order. In most cases, this may just be a passport. Don't take anything more than you absolutely need, since it just increases your risk of a privacy incident. Be prepared for intense questioning by border agents. They may do a lot of searching into you and it could become high pressure when you're stuck in a room for hours in a country you aren't a citizen of. Note: There may be some cases where travel is such a high risk that it isn't worth it. Hundreds of millions of people travel on a yearly basis and only a tiny number face major issues. If you're reading this site, you didn't get here by accident, so I'm presuming you have a higher threat model than a random person who lives life like a robot, hence the need for elevated privacy and security.

On the ground:

When you get to your destination, know what your rights are as a FOREIGNER of that country. In many cases, they will be highly limited and you should never expect to be treated the same way you would at your home. Many countries have laws that allow police to detain, search, and question anyone at any time for any reason, and there's no way to refuse it. Since you're a guest, assume you have no legal standing in another country. Let's go back to the example of plausible deniability I listed above… If you are stopped at the border or inside the country after entry and the police find the existence of a hidden encrypted drive on your computer, you might not have the option of using plausible deniability. In some countries this would be viewed as obstruction, espionage, the assumption of guilt, and concealing evidence of a crime.

During your daily activities, you should be paying attention to your surroundings. The people around you may be going about their daily lives, or there could be one or several people in the crowd who've marked you and will attempt to rob/kidnap/scam you. If you're going to travel around the world, having a good understanding of human behaviors and warning indicators is a valuable skillset to have. Wearing generic clothes, being respectful, and not being loud and annoying will go a long way in not drawing unneeded attention to you.

Beyond that, I recommend investing some time in books/resources dedicated to more detailed nuances of physical security (e.g. using door wedges for your motel room) since this site is dedicated more to the digital realm. The rest of the info on this site is important and some of it is relevant to travel OPSEC, so I encourage further research.