“Paranoia is just having the right information.”
― William S. Burroughs

The lawyer’s job is to discern risks and help their clients to avoid them. Put another way, we are both trained and paid to be paranoid.

When traveling to China, you must protect your data.

Years ago, when I was in Tokyo on a particularly sensitive matter, I left my hotel room as I had done pretty much every day for the last 7-8 days and started walking to my subway stop. Then for some reason I got a strange feeling about having left my laptop computer in my hotel room and I decided to return. When I did, there were two very well dressed men wearing black suits and ties looking at my turned-on laptop. I immediately asked them (in English) what the ____ they were doing in my room and one of them responded in shockingly good English that they were with the hotel and just checking on my internet. To this day, I have little doubt that they were with Japan’s Secret Service.

I just read a lawyer-written article, Privacy Tip #15 – Protecting your privacy during holiday travel, that provides some good tips for maintaining your privacy when you travel. The article lists out the following, with my comments in italics:

  • Don’t leave your laptop, tablet, USB drive, other removable media or mobile phone in your car trunk. I never ever ever put anything in the trunk of a taxi or other car. I take it all with me and put it on the seat.
  • Don’t leave your laptop, tablet or mobile phone unattended on a plane or train. Agreed. In addition to this, you should make sure to constantly remove sensitive data from your devices and store it elsewhere.
  • Use complex passwords on all devices so if you forget them or they are stolen, your data is not immediately vulnerable and accessible. This should go without saying.
  • Be careful not to store or leave your devices in the seat pockets of airplanes or trains. This is indeed a good thing to guard against. 
  • Destroy your travel documents (including boarding passes) when you are finished with them by shredding them. I rip mine up in the airplane and give half to the flight attendant and dump the other half in the first garbage can I see upon disembarking.
  • Lock your laptop and other mobile devices in your hotel safe. Hotel safes are not as safe as widely believed. Which is why stripping your devices of confidential information and using complex passwords is always critical.
  • Wipe your laptop before and after you travel to high risk areas such as China, Russia, the Ukraine, Iran or Iraq. Agreed. Just not sure there are any low risk areas. 
  • Use your VPN connection any time you are accessing your company information and not free wifi. Agreed. When I am out of the country, there are certain websites I will not check under any circumstances. I instead request that other lawyers or staff go to those sites for me and report back or I ask them to send me what I need. 
  • Frequently update your virus and firewall protections.  Good idea.

When going to China and to many other countries as well, I assume my hotel room and my phones (including my own cell phone) are bugged and my internet is monitored. I assume the worst and I take every measure I can to be careful. I have plenty of stories to tell involving people who were not careful about their data.

1. Many years ago, I was staying on the business floor of the Hotel Lotte in Pusan, Korea. Back then this floor had a couple of computers for its guests. I got on one of those computers (to read the news) and the first thing that popped up was a letter written by a Seattle company revealing information I know they would not have wanted me (or anyone else) to see. Someone from this company had written this letter on the computer (in Word format) and simply left it there. Not smart.

2. Many times I have gotten on the internet at an airport computer and been let right into someone’s webmail account. Not smart.

3. I once found a memory stick in the desk drawer of my hotel in Shanghai that contained an incredible amount of information on a European plastics company. Another time, on the floor of my hotel room in Los Angeles, I found a USB stick from a leading fashion company, listing out who at the company should be kept and who should be laid off. Not smart.

4. A stockbroker I know was sent an email by a rival stockbroker, urging my stockbroker friend to oppose some proposed law that would strike hard at those with massive net worth. The stockbroker who sent out this email cc’ed it to a half dozen or so of his clients and my friend figured these were people with the requisite massive net worth and he cold-called them for their business. He ended up getting a great client with this tactic. Not smart.

5. Many years ago, a client of ours discovered one of its employees was running a rival business within my client’s business. My client then arranged for this employee to bring his two company laptops to the office and then when the employee went out to lunch, my client locked him out. You would not even believe the stuff we found on those laptops. I am talking both business and personal. Very, very personal. Naked photos with mistress personal. Not smart.

6. Many years ago, I was going to a particular city in a former Communist country and my client and I agreed that, above all else, I should completely avoid meeting with or even talking to “Oleg” [made up name here]. I had to go to this city, but I was going to be there for only two days. I fly in, walk into my hotel lobby and, before I can even check in, two people come up to me and say that Oleg will be coming by to take me to dinner at 7:00 pm. I felt I had to go at that point and when I asked Oleg how he knew of my arrival, he said that he gets emailed the list of all foreigners as soon as they arrive. Oleg runs a very successful private business. The moral of this story is that you should never assume that you can go into a country completely unnoticed.

The New York Times did an article a few years ago, Traveling Light in a Time of Digital Thievery, detailing the steps Kenneth Lieberthal takes before going to China:

He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”

What do you do to protect your data and your privacy when you travel?

 

  • Mark

    This seems to be the age of paranoia. I’m an ex-pat having lived in China for 14 years working in the IT industry with MIIT being one of our largest clients. I’m not as paranoid as some people because in all this time, I’ve never had an issue. However, I do take precautions that I would take in any country. Specifically:

    What I do:

    1. Skype is monitored in China so I don’t do any business conversations using it.
    2. VPNs are problematic in China to begin with. They are constantly blocked for no apparent reason as, for the most part, ex-pats are the only ones who use VPNs. Why do they do this? Because they can. When able, I use a VPN for all my web access and data transfer. At home, I use a VPN connection that is always up and running.
    3. When traveling, I use a fingerprint reader for my laptop. The laptop won’t boot without it. No, I don’t put my laptop in the hotel safe.
    4. I use 2-factor authentication on anything that offers it. This is a must.
    5. I use a password manager that is not only protected by a 20-character password but also by 2-factor authentication (I use LastPass but there are several good ones).
    6. I don’t turn off my mobile phone (are you kidding) nor Wi-Fi. Why? Because I use it. I use similar 2-factor authentication and VPN on my mobile phone. I am careful to keep my business conversations brief and as detailed as necessary.
    7. When traveling within China, the government knows where I’ve been and where I’m going so I don’t do anything out of the ordinary.

    When I first came to China and was staying in hotels, I would put a drop of glue on each screw on the bottom of my laptop to see if anyone had tampered with it. Back in the olden days, I heard stories of PSB “agents” going into hotel rooms and installing key loggers on laptops. This isn’t the case these days. I don’t know anyone or have heard any valid stories to support this happening today.

    Data security in China is just a matter of being diligent and aware of your surroundings, just like any other country including the U.S.

    • Giacomo Marzolini

      Dear Mr Harris, by writing China, you mean only Mainland or even Macau and Hong Kong? Like most of the people, I have nothing to hide, but I’d rather keep personal conversations secret, with girlfriend or parents… I just find it really bothering.

      Another question to the above user called “Mark”: Do you think even Facebook Videocalls, Whatsapp or We Chat could be monitored? Thanks in Advance

    • Eric S Johnson

      Mark, can you share (privately) any evidence you have about Skype being monitored in China? (I’m not looking to prove/disprove/argue, just to learn.) johnson [at] drgroup [dot] net

  • goodwitheu

    Either you guys are a HELL of a lot more important than me, or you are paranoid old geezers. What are you designing, rockets or perpetual motion or something?! I don’t understand why you would go to most of these lengths… Ripping up your plane tickets and disposing 50% hahaha that’s the funniest thing I’ve heard all day! Live well guys, and look out for that boogey man!

  • BlueApple

    I am much more paranoid when going to the United States than going (being) in China. Putting other factors aside, the United States are simply technologically more advanced and have many more resources than China that they can allocate for spying / intelligence gathering.
    Fortunately, most companies and private persons simply are not so important and don’t carry such valuable data that they attract the attention of the “men in black”.

    Well, in China … it’s in general about very very simple things
    – educate your staff not to talk about business in the lift, especially when a competitor has its office in the same building.
    – educate your staff not to talk about business on their cell phone in crowded places, especially not in meetings/conferences where your competitors are present.
    – educate your staff they should not assume a foreigner does not understand Chinese …

  • MichaelW

    Some time ago I worked in Beijing for a Chinese company and later found the boss had access to everything on my laptop and all my net surfing/email data. My laptop never worked the same again. And it’s not just in China. I later had a conversation with a Chinese IT guy who told me that it was routine and relatively easy for Chinese companies to hack their western counterparts/competitors.

  • Peter gardner

    Dan, Mark, very good points in both your comments, I would only add I carry a minimum of Bank or credit cards in a RFID safe wallet, and use DriveCrypt as an extra level of protection/encryption on my laptop. Oh and try not to use thumb drives, as they are easy to lose and if I have to, they are also encrypted.

  • goosemcgoose

    I think you’re being a little crazy about your boarding passes. I always keep mine until I’m certain I’ve been credited for the mileage. They’re usually one of the things the airlines will ask for when for some reason they fail to credit you, which they often do. Most boarding passes don’t contain any sensitive information. Yes the Chinese ones have your passport number on them, but the government, and every bank, hotel, car rental company, etc etc has that already.

  • caber

    This advice should be applied to any national border crossings. National border control have major leeway in the name of security. I had my phone confiscated going through Australian immigration and the experience was nerve-racking.

    Even America is not safe as Edward Snowden has revealed that the NSA is involved with extensive monitoring. Going to websites like The Intercept and searching for WikiLeaks will flag your activity as suspicious. As long as you fit their profile then you are subject to much higher risk. Ask yourself these few questions:

    Are you local, or are you foreign?
    Are you going to be dealing with a lot of money or someone well connected? (Local rich businessmen? Weak and a dime a dozen. Brother-in-law of a judge? Much stronger)
    Will you be rocking the boat?
    Is your industry sensitive to national interests?
    Is your background (not even you yourself) against the policy of the government?
    Are your personal views against the policy of the government?
    Are you antagonizing or not cooperating with the authorities – The simple act of refusing to submit your phone or private personal information will flag you.

    The biggest plus with Western democracies and free countries is not only having a lot more protected rights, they actually do change and evolve over time – whereas totalitarian regimes are more rigid and static. And then there’s the rule of law but even that gets thrown out of the window from time to time.

    • Eric S Johnson

      Much of what’s written about cybersecurity is paranoid nonsense. The smart things to do (not China-specific) are:
      1) use only your own device(s)
      2) be sure your own device(s) …
      a. is using the latest, greatest, most-updated version of everything, from the operating system on down
      b. has all storage fully encrypted (“whole disk encryption”)
      3) be sure all your communications are encrypted while transiting the cyberspace of the country you consider an adversary. I.e. for someone in China, use Skype, Gmail. A VPN can’t hurt. (For the commenter who thinks Skype is “monitored in China”–evidence, please? Don’t waste our time with “it’s common sense” or “everyone knows.”)
      4) on all online accounts which matter (e-mail, messaging, cloud backup, social network, etc.), use
      a. impossible-to-guess passwords, which are
      b. stored in a password manager, and additionally protected by
      c. multi-factor authentication. (And, of course, use the mfa on your password manager too!)

      This is all both “not very hard to do” and yet not done by most. There’s much more you can do, of course, but these are the basics–and they’ll defend you against all but the most targeted attacks. And if you’re targeted, you probably have bigger problems than cybersecurity.

  • Well I live here in China and because of that, I’ve become extra sensitive about computer security. So much so that when I’m in other countries, I can sense when monitoring actions are happening on systems.

    I do know this, when I am successful in keeping my data private, I don’t share the technique. In the past I did and I would immediately see my solutions defeated.

  • Justas Splitas

    Thank you! That’s meaningful information when I visit China.