China: The Walls Have Ears, Part 2

Paranoia is just having the right information ― William S. Burroughs

Just when I think I cannot get any more paranoid.

The New York Times just came out with Traveling Light in a Time of Digital Thievery, on how various U.S. government agencies and think tanks and companies are requiring their employees to travel “electronically naked” when they go to China. Electronic nakedness means bringing only data-free electronic devices. I hate to say it, but this probably makes sense for many people/companies.

I wrote on this same topic almost exactly two years ago, in China: The Walls Have Ears. In that post, I said that when “I go to China and many other countries, I assume my hotel room is bugged and my internet is monitored. I assume the worst and I take every measure I can to be careful. I know people will (and have) laugh at my ‘paranoia’ but I have plenty of stories to tell involving people who were not careful about their data.”

I then listed out the following clear-cut privacy breaches/mistakes of which I had been made aware:

1. Many years ago, I was staying on the business floor of the Hotel Lotte in Pusan, Korea. This floor has a couple of computers for its guests. I got on one of those computers and the first thing that popped up was a letter written by a Seattle company revealing information I know they would not have wanted me to see. Someone from this company had written this letter on the computer (in Word format) and simply left it there. Not smart.

2. Many times I have gotten on the internet at an airport computer and been let right into someone’s web-mail account. Not smart.

3. A couple of years ago, I found a memory stick in the desk drawer of my hotel in Shanghai that contained an incredible amount of information on a European plastics company. Not smart.

4. A stockbroker I know was sent an email by a rival stockbroker, urging my stockbroker friend to oppose some proposed law that would strike hard at those with massive net worth. The stockbroker who sent out this email cc’ed it to a half dozen or so of his clients and my friend figured these were people with the requisite massive net worth and he cold-called them for their business. He ended up getting a great client with this tactic. Not smart.

5. Many years ago, a client of our law firm discovered one of its employees was running a rival business within my client’s business. My client then arranged for this employee to bring his two company laptops to the office and then when the employee went out to lunch, my client locked him out. You would not even believe the stuff we found on those laptops. I am talking both business and personal. Very, very personal. Naked photos with mistress personal. Not smart.

6. Many years ago, I was going to a particular city in a former Communist country and my client and I agreed that I should completely avoid meeting with or even talking to “Oleg” [made up name here]. I had to go to this city, but I was going to be there for only two days. I fly in, walk into my hotel lobby and, before I can even check in, two people come up to me to tell me Oleg will be coming by to take me to dinner at 7:00 pm. I felt I had to go at that point and when I asked Oleg how he knew of my arrival, he said he gets emailed the list of all foreigners as soon as they arrive. Oleg runs a very successful private business.

The New York Times article starts out focusing on the digital steps Kenneth Lieberthal takes before going to China:

He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”

It seems other companies mandate similar procedures:

At AirPatrol, a company based in Columbia, Md., that specializes in wireless security systems, employees take only loaner devices to China and Russia, never enable Bluetooth and always switch off the microphone and camera. “We operate under the assumption that we will inevitably be compromised,” said Tom Kellermann, the company’s chief technology officer and a member of President Obama’s commission on cybersecurity.

Google said it would not comment on its internal travel policies, but employees who spoke on condition of anonymity said the company prohibited them from bringing sensitive data to China, required they bring only loaner laptops or have their devices inspected upon their return.

Does the above make sense? What do you do to protect your data in China and elsewhere?