What You Need to Know About Export Control and International Travel
- When traveling abroad on University business, certain items and activities may be export restricted depending on the item or the travel destination and may require that an export license or other governmental approval be obtained. Licenses that may be required pursuant to export control regulations can take up to several months to obtain and must be finalized prior to departure.
- Exports generally occur when:
- Physical items are transported across/outside the U.S. borders (regardless of whether they are shipped or hand-carried during travel);
- Electronic devices are taken for international travel containing controlled technical data or technology;
- Controlled technology, information, or data is shared/released to non-U.S. persons, inside or outside the U.S.
- Before you depart, consider each of the following (detailed in sections below):
- Where You're Going - to determine if your destination has sanctions or other restrictions
- What You're Taking With You - to determine whether a license, license exception, or other approval will be necessary
- Your Activities Abroad - to determine whether any activities would constitute an unauthorized export or a defense service requiring a license
- How to Protect Your Research & Data - to determine any relevant risks, safeguards, and best practices
- You should not take ANY of the following items abroad without first obtaining specific advice from the Office of Regulatory Services - Export Control:
- UTA-owned scientific equipment (other than a sanitized laptop computer, PDA, smart phone, or electronic storage device);
- Data or information received under an obligation of confidentiality;
- Data or analyses that result from a project for which there are contractual constraints on the dissemination of the research results;
- Devices, equipment or computer software with restrictions on export to or access by foreign nationals;
- Devices, systems, or software that were specifically designed or modified for military or space applications;
- Controlled unclassified information, or
- Classified information.
- For any travel conducted for University business, a travel authorization (TA) must be completed prior to the trip. See https://www.uta.edu/business-affairs/training/files/utshare-financial/Travel_and_Expenses/PowerPoint/Travel_and_Expenses%20PP.pdf for more information.
- UTA's policy on international travel is available here. From time to time, situations arise that make certain locations more or less high-risk, including restricted regions. Consult UTA's Business Affairs travel page as you plan your trip and before you leave for current information.
Consider Where You're Going
Check the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) website to determine whether your destination is covered by sanctions programs, also referred to as embargoes. Contact Regulatory Services - Export Control if you are traveling to an OFAC-sanctioned country to determine if a license is required.
Iran, Cuba, Syria, Sudan, North Korea and the Crimean Region of the Ukraine have extensive restrictions. Almost all research/scholarly activity in Iran is either prohibited or requires a license (including conferences). It may be possible to conduct research/scholarly activity in Cuba; however, it must meet very specific regulatory criteria. Contact Regulatory Services - Export Control before considering University travel to these destinations.
Restricted Parties and Screening
U.S. persons are prohibited from engaging in activities with individuals/entities that have been determined to be acting contrary to the interests of the United States, also known as restricted parties. In addition, U.S. persons are prohibited from engaging in financial transactions with certain individuals and entities.
Before traveling to a foreign country, you should request a screening of any known contacts against the federal restricted party lists. Contact Regulatory Services - Export Control to perform the screening.
Special Considerations for Travel to China or Russia
Travelers from the United States, particularly those involved in STEM research, are known to be priority targets for cyber-attacks and/or surveillance in China or Russia. See the section below "How to Protect Your Research & Data" for additional safeguards and security measures when traveling to these destinations.
Consider What You're Taking With You
When taking items abroad for University business, you will need to confirm whether they:
- do not have any export restrictions ("No License Required" or "NLR"), or
- qualify for a license exception ("TMP" or "BAG," see below), or
- require a license for export outside of the U.S.
This applied to all equipment such as computers, cell phones, flash drives, GPS units, specimens, etc., and any technology, data, or software on electronic devices. Regulatory Services - Export Control can help make this determination, and will handle the application process for any required licenses.
ITAR-Controlled Items (typically military/defense related and covered by a UTA Technology Control Plan)
You cannot take ITAR-controlled articles or technical data (documents, drawings, data, software) out of the country without a license from the Department of State, even if you have no intent to transfer the items to a non-U.S. person. Contact Regulatory Services - Export Control if you need to take any ITAR items or materials with you; otherwise, leave it behind and/or remove it from your devices.
EAR-Controlled Items (covers everything else in the U.S. that is not designated as ITAR)
In most cases, a U.S. person can take EAR-controlled items and software (including laptops or mobile devices) without a license ("NLR") or by using an available license exception ("TMP" and/or "BAG," see 15 CFR Part 740). A non-U.S. person cannot take EAR-controlled technology out of the U.S., even if they received it as an acceptable deemed export.
Fortunately, most low-tech commercially obtained items do not require an export license unless you are traveling to/through a comprehensively sanctioned country or providing access to your items to a citizen of one of those countries. For proprietary software or software that includes encryption, please check first with Regulatory Services - Export Control. Refer to the chart below for NLR equipment most commonly taken abroad.
Common Travel Items to Determine Eligibility for "No License Required" (NLR) Determination*
*Do NOT use this chart for travel to a sanctioned region like Cuba, Iran, North Korea, Sudan, Syria, or the Crimea region of Ukraine.
|ITEM||Export Control Classification # (ECCN)||LICENSED AUTHORITY|
|Dell Laptop (no encryption)||4A994||No License Required (NLR)|
|Mac Laptop||5A992||No License Required (NLR)|
|iPhones & iPads||5A992||No License Required (NLR)|
|Jump/Flash Drive (most)||3A991||No License Required (NLR)|
|Android Cell Phone/Tablets||5A992||No License Required (NLR)|
|Garmin GPS||7A994||No License Required (NLR)|
Available EAR License Exceptions if Ineligible for NLR
1 - License Exception for Temporary Export/Reexports ("TMP")
TMP applies if the equipment is University-owned and meet the requirements for "tools of the trade". This includes laptops, cell phones, PDAs, and other digital storage devices, as controlled under the EAR.
The TMP License Exception requires that items and related technology or software:
- Be used for PROFESSIONAL purposes in exporter's discipline
- Accompany the traveler or be shipped unaccompanied up to 1 month prior to departure
- Be fully consumed abroad or otherwise returned to the U.S. within 12 months
- Be kept under effective control while abroad (i.e., physical possession or kept in a hotel safe or other secured space or facility)
- Be protected to prevent unauthorized release of technology (i.e., use of secure VPN connections, encryption, password systems, and firewalls)
Note: The TMP License Exception does not apply to items shipped or carried to certain OFAC-sanctioned countries including Iran, Syria, Cuba, North Korea, or Sudan. It also does not apply to items, technology, data, or software regulated under ITAR, such as military or space items or technologies.
2 - License Exception for Baggage and Personal Items and Technology ("BAG")The Baggage License Exception (BAG) covers personal items such as personal effects, clothing, or electronic devices (i.e., laptops, smart phones).
The BAG License Exception requires that the items be:
- Owned by the individual or member of immediate family
- Limited to personal use of the individual or members of their immediate family traveling with them
- Consumed abroad or otherwise returned to the U.S.
- Not intended for sale or other disposal
Note: Does not apply to ITAR items. Can be applied to personally-owned tools, instruments, equipment, and technology for use in the trade, occupation, employment, vocation, or hobby of the traveler.
U.S. Customs officials are authorized to search or retain electronic devices including digital cameras, cell phones, media players, disk drives, etc., even without probable cause, to look for regulatory violations (including export control violations). To prepare for this possibility:
- Don't carry data you don't want others to see: medical records, data files from your research, financial information, photos, etc.;
- Don't carry the only copy of data you can't afford to lose (keep a copy in the U.S.);
- Have a "Plan B" if there is data you will need when you reach your destination;
- Consider taking a minimal device equipped with only ordinary, recognizable software and minimal data so any search can be fast and the consequence of a loss less disruptive.
Documentation of License Exceptions
If utilizing the TMP and/or BAG license exceptions, consider utilizing these certification forms to self-certify compliance with the exception requirements. It will also demonstrate to a customs officer that you are aware of the export control regulations.
The Wassenaar Arrangement contains provisions that allow a traveler to freely enter participating countries with encrypted devices under a "personal use exemption". This exemption requires that you do not create, enhance, share, sell, or otherwise distribute the encryption technology while you are there. Countries participating in the Wassenaar Arrangement include: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom, and the United States.
The following nations, including two Wassenaar signatories indicated by an asterisk (*), do not recognize a "personal use exemption". Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license:
- Belarus: a license issued by the Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council is required.
- Burma (Myanmar): a license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
- China: a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. Encryption technologies are strictly controlled for entry and exit from China. Chinese Border Security retains the right to confiscate electronic devices with unauthorized encryption technology installed at time of entry to/exit from the country. It is recommended to remove any encrypted files and encryption capable software, other than system critical or software support encryption technologies (for instance, built-in Windows encryption resources).
- Hungary: an International Import Certificate is required. Contact the U.S. State Department for further information.
- Iran: a license issued by Iran's Supreme Council for Cultural Revolution is required.
- Israel: a license from the Director-General of the Ministry of Defense is required. For information regarding applicable laws, policies, and forms, please visit the following website: http://www2.mod.gov.il/pages/encryption/preface.asp
- Kazakhstan: a license issued by Kazakhstan's Licensing Commission of the Committee of National Security is required.
- Moldova: a license issued by Moldova's Ministry of National Security is required.
- Morocco: a license is required, but licensing regime documentation is unavailable. Contact the U.S. State Department for further information.
- *Russia: licenses issued by both the Federal Security Service (FSB) and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia. This would normally be the company that is seeking to bring an encryption product into Russia.
- Saudi Arabia: it has been reported that the use of encryption is generally banned, but research has provided inconsistent information. Contact the U.S. State Departmenr for further information.
- Tunisia: a license issued by Tunisia's National Agency for Electronic Certification (ANCE) is required.
- *Ukraine: a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.
Since laws can change at any time, please check with the U.S. State Department before traveling internationally to ensure that you have the most up-to-date information.
Consider Your Activities Abroad
In general, travel outside of the U.S. to attend a conference (but not to present) does not require a license. However, if you present at a conference, the material must be limited to topics that are not related to export-controlled items or technologies, unless that information is already in the public domain. Open seminars are usually not problematic unless they take place in a sanctioned country or involve restricted parties. Exchanges of technical information including academic discussions could require a license. Attendees should not share information that was not generated during the course of a fundamental research project, including confidential information shared by the sponsor of a research project.
When presenting data/information in an international setting (including in the U.S. where the audience may include foreign nationals), you need to ensure that you limit your presentation to only information or data that is published, or is publicly available, or the result of fundamental research. Be careful not to include or discuss any proprietary, unpublished, or export-restricted data or information as that may constitute an unauthorized export. Be careful of what you say during Q&A sessions or in conversation.
Providing any information about the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, and use of defense articles is an export control violation.
Foreign Collaborations & Exchanges of Technical Information
Publicly available information or fundamental research can be shared with foreign colleagues as long as the recipients are not employees or representatives of the government of a sanctioned country, or restricted parties. The Office of Regulatory Services - Export Control can perform routine checks and clearances for foreign entities and individuals to help protect UTA institutionally, and faculty traveling, from inadvertent violations of export control laws and regulations.
Furnishing assistance (including training) to foreign persons, whether in the United States or abroad, in the design, modification, operation, or use of defense articles is a defense service. A defense service can include providing assistance through the use of public domain information. For example, providing the Turkish Ministry of National Defense with assistance on improving the fuel efficiency of battle tanks would be a defense service, even if the assistance was provided exclusively through the use of public domain information.
It is important to ensure that you do not export restricted information or provide any type of assistance to a restricted party. Our office can quickly determine if parties you intend to visit or collaborate with are on a restricted party list - contact Regulatory Services - Export Control for assistance.
Research & Instruction Abroad
Research and course instruction conducted outside of the U.S. may not qualify for the fundamental research exclusion. Export control regulations may apply until the work is published or is otherwise in the public domain. Before teaching a course or disclosing information outside of the U.S., it is important to ensure that the information is not subject to export control laws and regulations. For instance, when interacting with foreign persons, you cannot provide a "defense service" which includes providing technical "know-how" related to the design, development, production, manufacturer, assembly, operation, repair, testing, maintenance or modification of a defense article or dual-use technology.
Furnishing Financial Assistance
OFAC regulations prohibit providing material financial assistance or anything of value, including services, to any blocked or sanctioned country, individual, entity or organization, including a government agency of a sanctioned country. This can involve subcontracts, international suppliers, or payments to research participants. Regulatory Services - Export Control can help screen recipients to ensure they are not blocked.
How to Protect Your Research & Data
General Protections During Travel
- Follow guidance from the Department of Homeland Security's "Cybersecurity While Traveling Tip Sheet" and the Center for Internet Security's "Cybersecurity While Traveling".
- Comply with UTA's security requirements for remote access and mobile devices.
- Comply with UTA's guidance on Safeguarding Confidential Information.
- Some foreign governments have regulations that permit the seizure of travelers' electronic devices/computers and the review of their contents. U.S. Customs officials are also authorized to review the contents of travelers' laptops without probable cause and can be held until your return. To prepare for this possibility:
- Do not travel with private data that you do not want others to see (e.g., medical records, financial records, photos, data from research).
- Have a copy of your data in the U.S. in case it is lost or seized during inspection.
- Take electronic devices with ordinary software and minimal data to reduce the likelihood of a lengthy or disruptive search.
- Consider taking documentation to demonstrate to Customs your compliance with export regulations: Export Control License Exception (BAG) Certification Form and Export Control License Exception (TMP) Certification Form.
- Utilize "clean" laptops when possible; these may be available for loan in some departments.
- Before leaving, change all your passwords. Upon return, change the passwords for any accounts that were accessed while abroad.
- Utilize secure VPN and ensure systems are updated with the most recent security and malware definition files prior to travel.
- Do not use any Wi-Fi connections from unknown third-party providers/sources. Refrain from use of publicly available Wi-Fi connections if possible, even if labeled as secure and/or requiring passwords for use, as these connection points are often subject to intrusion software risks such as keystroke loggers.
- Never accept or attach unknown devices or drives (including flash/USB drives) as malicious code may be installed on such devices at any time, including at manufacture or after.
- Ensure smartphones and tablets are encrypted (if allowed by destination country; see section above, "Consider What You're Taking With You --> Encryption") and protected by a passcode, passphrase, or biometric, such as a fingerprint or facial recognition. Remove all unneeded data, apps, and accounts from the device prior to travel. Register your device with a locator service such as Find My iPhone/iPad or Android Device Manager so that it can be wiped remotely if lost or stolen.
- If permitted by your destination country, all USB flash drives, external hard drives, and other external storage should be encrypted (see section above, "Consider What You're Taking With You --> Encryption"). These devices should remain with you at all times and should be transported in carry-on luggage.
- Do not use USB-based public battery charging stations. "Juice jacking" attacks can install malware on your mobile device and/or copy data from your device. Only use chargers you brought with you from home and know to be good.
Research Data and Information
When traveling abroad, you are free to take and openly share or discuss any data or information that is published, in the public domain, is normally taught as part of a catalog course at UTA, or results from fundamental research. However, other types of information may be subject to export controls and should not be shared:
- Information that is proprietary or subject to approval by the sponsor of a research project (and therefore does not qualify as fundamental research)
- Confidential information provided by the sponsor of a research project
- Export-controlled technology related to items or equipment
- Information or data provided by U.S. Department of Defense agencies (AFRL, ONR, DARPA, AFOSR, etc.)
All controlled or restricted data or information should be completely removed from laptops, phones, PDAs, or other portable storage devices (e.g., flash drives) before you leave the U.S. If any of these types of information are necessary to take with you on international travel, contact Regulatory Services - Export Control prior to departure to help secure the necessary U.S. Government license(s) and sponsor approval. Note: export licenses can take months to obtain approval, so plan accordingly.
Special Considerations for Travel to China or Russia
Travelers from the United States, particularly those involved in STEM research, are known to be priority targets for cyber-attack and/or surveillance. Additionally, university administrators, faculty who participate in political or religious activism, and fluent speakers of the local language may also be targeted. While you are in these countries, assume that all your communications are being intercepted, including voice calls, text messages, and internet traffic you believe is encrypted such as HTTPS connections and connections via a VPN service. Extra safeguards in addition to the "General Protections" described above include:
- NEVER ALLOW THE DEVICE OUT OF YOUR PHYSICAL CUSTODY, even for repairs.
- Integrated laptop cameras and microphones should be physically disconnected. If possible, purchase/take a laptop without this functionality.
- Install a privacy screen to discourage "shoulder surfing".
- Disable all file sharing protocols.
- Disable Wi-Fi, Bluetooth, and infrared if not needed.
- Set up a temporary email account for your travels on a service such as Google's Gmail. Abandon and delete this account after your trip. Do not use this account to send or receive sensitive information.
- Tor and other censorship circumvention tools should be considered compromised. Their use may be monitored. If you choose to use them, you may be punished or expelled from the country.
- Consider all USB drives, CD/DVDs, email attachments, shortened URLs, QR codes, etc. to be hostile. Do not scan QR codes, click links, open attachments, or insert any removable media into your computer. Do not bring these devices back to the U.S. with you.
- Clean out your wallet. Remove anything that is non-essential for your travels. RFID-enabled cards should be carried in an RF-shielded sleeve to prevent them from being surreptitiously scanned.
- Assume that discarded items such as CD/DVDs, USB drives, notes, and other documents will be retrieved from the trash for analysis.
- Powered-off cellphones can still be used for geolocation and monitoring. Remove cell phone batteries when not in use.
- Remove any encrypted files and encryption capable software, other than system critical or software support encryption technologies (for instance, built-in Windows encryption resources). Chinese Border Security retains the right to confiscate electronic devices with unauthorized encryption technology installed at time of entry to/exit from the country.