_Part 13 of 18 in the Digital privacy for board directors series._
When you cross an international border, the legal and practical assumptions that govern your digital privacy at home change. Some borders change them very little. Some change them quite a lot. The board director who travels for work — and most do, several times a year — benefits from knowing the shape of the change before booking.
I am writing this post without the paranoid framing that some travel-privacy guidance carries. The practical reality is that the vast majority of international travel by UK board directors passes through without incident. The work of this post is to ensure the small minority of trips that could go wrong are anticipated.
What changes at the border
Three things shift when you arrive at a foreign customs checkpoint.
The legal authority over your devices. UK Border Force has the power to detain devices for examination under Schedule 7 of the Terrorism Act 2000, without suspicion, if the journey involves the UK. US Customs and Border Protection has similar powers under its constitutional border-search exception, and may demand passwords. Australia, Canada, and several other Five Eyes jurisdictions operate broadly similar regimes. China, Russia, and several other jurisdictions go further — devices may be examined, copied, or replaced; entry without examination is not always available.
The legal weight of your communications. Your phone connecting to a foreign mobile network may produce metadata that is accessible to that country's intelligence services. Your messaging app's encryption usually remains intact (the content of WhatsApp, Signal, and iMessage messages is end-to-end encrypted regardless of which network you are on). The metadata — who you communicated with, when, for how long — is materially more visible to the host state than it is at home.
The exposure of who you are. Your hotel registration, your conference badge, your transportation arrangements, often your passport scan, are now in the hands of organisations in another jurisdiction. The integrity of these systems is the host country's, not yours.
These are facts, not warnings. The practical implications depend on where you are travelling and what you are travelling for.
The country-tier framing
A simple four-tier framing that has held up well across the executives I advise.
Tier one (low-risk). Western Europe, Ireland, Scandinavia, Australia, New Zealand, Canada, Japan. Border controls similar to or weaker than the UK's; commercial-grade legal protections; functioning rule of law in matters of privacy. Standard travel posture is fine.
Tier two (medium-risk). United States, Singapore, South Korea, Israel, UAE. Robust border controls, plausible state interest in commercial intelligence, broad legal powers over visitors' devices. Standard travel posture with one or two adjustments below.
Tier three (high-risk). China, Russia, Saudi Arabia, Iran, North Korea (which most board directors will never have reason to enter), and several others. State interest in foreign business visitors is well-documented. Devices should be assumed to be examined or compromised; the clean device approach from the next post is appropriate.
Tier four (specific operational risk). Any jurisdiction where your firm has an ongoing dispute, sensitive commercial activity, or political exposure. The risk is not the country in general but the firm-specific overlay. The travel security team or your retained advisor should be consulted before each trip.
The tiers are not absolute. They shift over time. A trip to Hong Kong in 2018 was a different proposition from a trip to Hong Kong today. Refresh the framing for each trip rather than assuming a country's posture is static.
The four practical questions before each trip
Before a trip, ten minutes thinking through four questions:
What is the customs posture of the destination? Search "device search at customs [country]" and read the most recent two or three articles. The FCDO travel advice for the country includes some of this; specialist sites like Trip Advisor's travel forums sometimes have first-hand reports.
What is the firm's standing position on travel to this country? Most large firms have a travel security policy that lists the tiers and what is expected. If your firm does not, the conversation with whoever is responsible for risk and security is worth having before the trip.
What sensitive material would be on the device I am about to take? This is the question whose answer determines whether the standard "take my laptop" approach is acceptable or whether the "clean device" approach is needed.
What is my plan if a border asks me to unlock the device? Two answers are tenable. "I will comply, and reset all the credentials when I return." Or "I will not comply, and accept that I may not enter the country." Both are workable. The unworkable answer is "I will work it out when I get there." The decision is much harder under stress at a customs counter than at home a week earlier.
What is reasonable to take, by tier
A guide.
Tier one trips. Your normal work laptop and phone. Normal cyber hygiene applies (disk encryption, MFA, current OS, the usual).
Tier two trips. Your normal devices, with two adjustments. The laptop should have its disk fully encrypted (it should anyway) and should be powered off across the border (encryption is stronger when the device is fully powered down than in sleep mode). The phone should be PIN-locked, with biometric unlock disabled at the border crossing if possible.
Tier three trips. A clean travel laptop and a clean travel phone. We cover this in the next post.
Tier four trips. As tier three, plus a specific briefing from the firm's security team before and after the trip.
The arrival posture
Once you are at the destination, three practical points.
The hotel network is not your home network. Many five-star hotels, particularly in tier-three jurisdictions, have hotel networks that are routinely monitored. Use a VPN for everything except the hotel's check-in portal. The NCSC's guidance on travel is clear: do not assume the hotel Wi-Fi is private.
The hotel room is not your home study. Devices left in the hotel room are accessible to housekeeping at minimum and, in some jurisdictions, to others. The hotel safe is a deterrent against opportunistic theft but not against state-level interest. If material is sensitive, keep the device on your person.
The phone-charger habit is real. Public USB charging ports at airports and hotels can, in principle, exfiltrate data from a phone plugged in for charging (juice jacking). The defence is to use a wall-socket adapter and your own cable, or a USB data-blocker (£10 on Amazon). Mostly relevant in tier-three jurisdictions; not paranoid in any.
The return posture
When you come home, three things.
Re-verify the integrity of any device that left. For tier-two and above, this is a real step — the device gets booted up, scanned, and (for tier three) reset, and any data brought back from the trip gets reviewed before being moved onto your main systems.
Change passwords for any accounts accessed during the trip. For tier three, all of them. For tier two, the high-sensitivity ones.
Note anything unusual. A border interaction that felt different, a hotel-room sign that someone had been in, a phone behaving oddly. Most of the time the answer is coincidence. Sometimes it is not, and the note made on the day is the evidence the security team can act on later.
What this month looks like
Two pieces of work.
One: identify the next international trip on your calendar. Apply the four questions above. Decide which tier it sits in. Decide whether your standard posture is appropriate or whether an adjustment is needed.
Two: if you do not have a regular travel-security conversation channel with your firm or your retained advisor, this is a good time to open one. Most travel issues are easier to prevent than to manage from the destination.
In four weeks: the second travel post — clean devices, what to take, what to leave, and how to be a senior executive who is fully reachable but materially exposed only to what they choose to expose.