“Paranoia is just having the right information.”
― William S. Burroughs
The lawyer’s job is to discern risks and help their clients to avoid them. Put another way, we are both trained and paid to be paranoid.
Years ago, when I was in Tokyo on a particularly sensitive matter, I left my hotel room as I had done pretty much every day for the last 7-8 days and started walking to my subway stop. Then for some reason I got a strange feeling about having left my laptop computer in my hotel room and I decided to return. When I did, there were two very well dressed men wearing black suits and ties looking at my turned-on laptop. I immediately asked them (in English) what the ____ they were doing in my room and one of them responded in shockingly good English that they were with the hotel and just checking on my internet. To this day, I have little doubt that they were with Japan’s Secret Service.
I just read a lawyer-written article, Privacy Tip #15 – Protecting your privacy during holiday travel, that provides some good tips for maintaining your privacy when you travel. The article lists out the following, with my comments in italics:
- Don’t leave your laptop, tablet, USB drive, other removable media or mobile phone in your car trunk. *I never ever ever put anything in the trunk of a taxi or other car. I take it all with me and put it on the seat.*
- Don’t leave your laptop, tablet or mobile phone unattended on a plane or train. *Agreed. In addition to this, you should make sure to constantly remove sensitive data from your devices and store it elsewhere.*
- Use complex passwords on all devices so if you forget them or they are stolen, your data is not immediately vulnerable and accessible. *This should go without saying.*
- Be careful not to store or leave your devices in the seat pockets of airplanes or trains. *This is indeed a good thing to guard against.*
- Destroy your travel documents (including boarding passes) when you are finished with them by shredding them. *I rip mine up in the airplane and give half to the flight attendant and dump the other half in the first garbage can I see upon disembarking.*
- Lock your laptop and other mobile devices in your hotel safe. *Hotel safes are not as safe as widely believed. Which is why stripping your devices of confidential information and using complex passwords is always critical.*
- Wipe your laptop before and after you travel to high risk areas such as China, Russia, the Ukraine, Iran or Iraq. *Agreed. Just not sure there are any low risk areas.*
- Use your VPN connection any time you are accessing your company information and not free wifi. *Agreed. When I am out of the country, there are certain websites I will not check under any circumstances. I instead request that other lawyers or staff go to those sites for me and report back or I ask them to send me what I need.*
- Frequently update your virus and firewall protections. *Good idea.*
When going to China and to many other countries as well, I assume my hotel room and my phones (including my own cell phone) are bugged and my internet is monitored. I assume the worst and I take every measure I can to be careful. I have plenty of stories to tell involving people who were not careful about their data.
1. Many years ago, I was staying on the business floor of the Hotel Lotte in Pusan, Korea. Back then this floor had a couple of computers for its guests. I got on one of those computers (to read the news) and the first thing that popped up was a letter written by a Seattle company revealing information I know they would not have wanted me (or anyone else) to see. Someone from this company had written this letter on the computer (in Word format) and simply left it there. Not smart.
2. Many times I have gotten on the internet at an airport computer and been let right into someone’s webmail account. Not smart.
3. I once found a memory stick in the desk drawer of my hotel in Shanghai that contained an incredible amount of information on a European plastics company. Another time, on the floor of my hotel room in Los Angeles, I found a USB stick from a leading fashion company, listing out who at the company should be kept and who should be laid off. Not smart.
4. A stockbroker I know was sent an email by a rival stockbroker, urging my stockbroker friend to oppose some proposed law that would strike hard at those with massive net worth. The stockbroker who sent out this email cc’ed it to a half dozen or so of his clients and my friend figured these were people with the requisite massive net worth and he cold-called them for their business. He ended up getting a great client with this tactic. Not smart.
5. Many years ago, a client of ours discovered one of its employees was running a rival business within my client’s business. My client then arranged for this employee to bring his two company laptops to the office and then when the employee went out to lunch, my client locked him out. You would not even believe the stuff we found on those laptops. I am talking both business and personal. Very, very personal. Naked photos with mistress personal. Not smart.
6. Many years ago, I was going to a particular city in a former Communist country and my client and I agreed that, above all else, I should completely avoid meeting with or even talking to “Oleg” [made up name here]. I had to go to this city, but I was going to be there for only two days. I fly in, walk into my hotel lobby and, before I can even check in, two people come up to me and say that Oleg will be coming by to take me to dinner at 7:00 pm. I felt I had to go at that point and when I asked Oleg how he knew of my arrival, he said that he gets emailed the list of all foreigners as soon as they arrive. Oleg runs a very successful private business. The moral of this story is that you should never assume that you can go into a country completely unnoticed.
He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
What do you do to protect your data and your privacy when you travel?