China Business, Internet

China: The Walls Have Ears, Part 2

China walls have ears

Paranoia is just having the right information ― William S. Burroughs

Just when I think I cannot get any more paranoid.

The New York Times just came out with Traveling Light in a Time of Digital Thievery, on how various U.S. government agencies and think tanks and companies are requiring their employees to travel “electronically naked” when they go to China. Electronic nakedness means bringing only data-free electronic devises. I hate to say it, but this probably makes sense for many people/companies.

I wrote on this same topic almost exactly two years ago, in China: The Walls Have Ears. In that post, I said that when “I go to China and many other countries,  I assume my hotel room is bugged and my internet is monitored. I assume the worst and I take every measure I can to be careful. I know people will (and have) laugh at my ‘paranoia’ but I have plenty of stories to tell involving people who were not careful about their data.”

I then listed out the following clear-cut privacy breaches/mistakes of which I had been made aware:

1. Many years ago, I was staying on the business floor of the Hotel Lotte in Pusan, Korea. This floor has a couple of computers for its guests. I got on one of those computers and the first thing that popped up was a letter written by a Seattle company revealing information I know they would not have wanted me to see. Someone from this company had written this letter on the computer (in Word format) and simply left it there. Not smart.

2. Many times I have gotten on the internet at an airport computer and been let right into someone’s web-mail account. Not smart.

3. A couple of years ago, I found a memory stick in the desk drawer of my hotel in Shanghai that contained an incredible amount of information on a European plastics company. Not smart.

3. A stockbroker I know was sent an email by a rival stockbroker, urging my stockbroker friend to oppose some proposed law that would strike hard at those with massive net worth. The stockbroker who sent out this email cc’ed it to a half dozen or so of his clients and my friend figured these were people with the requisite massive net worth and he cold-called them for their business. He ended up getting a great client with this tactic. Not smart.

4. Many years ago, a client of our law firm discovered one of its employees was running a rival business within my client’s business. My client then arranged for this employee to bring his two company laptops to the office and then when the employee went out to lunch, my client locked him out. You would not even believe the stuff we found on those laptops. I am talking both business and personal. Very, very personal. Naked photos with mistress personal. Not smart.

5. Many years ago, I was going to a particular city in a former Communist country and my client and I agreed that I should completely avoid meeting with or even talking to “Oleg” [made up name here]. I had to go to this city, but I was going to be there for only two days. I fly in, walk into my hotel lobby and, before I can even check in, two people come up to me to tell me Oleg will be coming by to take me to dinner at 7:00 pm. I felt I had to go at that point and when I asked Oleg how he knew of my arrival, he said he gets emailed the list of all foreigners as soon as they arrive. Oleg runs a very successful private business.

The New York Times article starts out focusing on the digital steps Kenneth Lieberthal takes before going to China:

He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”

It seems other companies mandate similar procedures:

At AirPatrol, a company based in Columbia, Md., that specializes in wireless security systems, employees take only loaner devices to China and Russia, never enable Bluetooth and always switch off the microphone and camera. “We operate under the assumption that we will inevitably be compromised,” said Tom Kellermann, the company’s chief technology officer and a member of President Obama’s commission on cybersecurity.

Google said it would not comment on its internal travel policies, but employees who spoke on condition of anonymity said the company prohibited them from bringing sensitive data to China, required they bring only loaner laptops or have their devices inspected upon their return.

Does the above make sense? What do you do to protect your data in China and elsewhere?

26 responses to “China: The Walls Have Ears, Part 2”

  1. I’ll start by getting this out of the way: all the anecdotes Dan describes reflect pure stupidity. Obviously, you shouldn’t leave your thumbdrives lying around or use public computers for anything private. It’s sort of mind-boggling that otherwise savvy business people can be so digitally ignorant in the 21st century, but so it goes. I will add that you can be plenty dumb without a computer–I’ve overheard conversations in hotel lobbies and coffee shops where sensitive business information and possible commercial secrets were openly discussed. When I first moved into my apartment a few years ago, I was getting bank statements in the mail for a company registered in Macau. And of course, it pays not to carry around product prototypes to bars (just ask Apple).
    For guys like Kenneth Lieberthal, who come and go from China, these over-the-top precautions do make some sense. As an individual, he may have certain information in his possession that can be accessed more easily if that information is physically brought in to China. But the article creates the impression that physical distance provides substantially increased digital security. Unless one stores files on devices that are NEVER networked, then there is a risk that those files will be compromised. And a careful study of the Stuxnet virus proves that it is possible to sabotoge devices that are not externally networked.
    The NYT article seems to suggest that traveling into China with clean laptops or “electronically naked” will mitigate the risks of cyber espionage. If, like Kenneth Lieberthal, you are an individual or organization without a fixed physical presence in China, you can reduce risk by adhering to these practices and other precautions. However, any foreign organization with a fixed in-country presence in China is operating in a remarkably adverse environment and faces perpetual risk of corporate or state-directed espionage (which, in China, is often the same thing).
    Many (most?) foreign organizations in China do indeed have offices here, complete with computers, servers, telephone lines, internet connections, mobile devices, mobile data subscriptions, third party IT contractors, made-in-China network infrastructure, and, MOST SIGNIFICANTLY, Chinese employees. Let’s also keep in mind that in China, all electronic communications take place over state-owned infrastructure provided by state-owned telecoms. A great many of the Fortune 500 companies conduct critical R&D in precisely this environment, but how any organization operating in that environment can successfully resist concerted attempts at penetration is beyond me. Of course, there are prudent steps that can be taken to reduce risk and remove low-hanging fruit, but a state-directed effort to collect information from an onshore organization will almost certainly be (at least partially) successful.
    Ultimately, the NYT raises an important issue: the scale of commercial espionage in China is absolutely massive, as is the level of intelligence collection efforts directed at offshore foreign entities (see DuPont for a recent example). But for foreign organizations in China, the precuations outlined in the NYT are just the tip of a very large iceberg.

  2. WHY would China want to bug the hotel room of a foreign lawyer and monitor his emails?
    A senior diplomat maybe, a small businessman, no. Maybe if Dan is this paranoid go have your meetings in Starbucks is all I can say otherwise other peoples offices are likely bugged too and they’re all listening into your conversations about all your clients and what they want to do in China to alert all their competitors. Or maybe check your tax and visa status in China and keep your details on record.

  3. @Dixon of Dock Green
    Unfortunately SMEs really do no need to be very careful in China. China is very corrupt and it is quite common for the police and telecom companies to be bribed or coerced into bugging phones and other such skulduggery.

  4. North American law firms have already been the subject of targeted attacks by PRC hackers (see
    OK, it’s not going to happen to every small businessman or woman visiting the PRC, but you’d be surprised at how easy some westerners make it for even an opportunist computer snoop while in the PRC.
    My own experience of the PRC has been that our company’s ostensibly friendly business partner was electronically eavesdropping on everything we did – often just by directly tapping into our connections – don’t ask me how. When I raised this with a Chinese friend he was surprised that we didn’t take this for granted. No secrets between friends in China!
    It’s worth taking a loaner to China even if you’re not worried about privacy. My laptop internet settings were completely stuffed after using it to connect to the net in China. Again, don’t know what happened but it was like I brought the Great Firewall home with me, even after completely clearing out all cookies, caches etc. Had to totally wipe the hard drive and start again.

  5. are you aware that it is NOT uncommon for Chinese police to break into your room and copies your entire HD when you are not in the room? Plus they install keyloggers and bots to datadump periodically once infected.
    only thing I brought last time I was in China is a dumb cell phone and keep my contacts off the phone memory (while using a SIM card brought once I landed in Asia) Didn’t access any critical accounts while I am on the ground there…
    last employer I worked for disabled all extension ports AND inspects any devices before and after each trip to China (or any Asian country) BTW, they also removed the optical drive. Access via secure VPN only.
    anyone knows where I can rent a loaner laptop in the Northwest?

  6. Few year back I was cooperating with a Chinese company in order to manufacture some new products in South China. I kept all sensitive technical files in my pc encrypted with a professional software. I never left unattended my pc except when taking shower. While in my partner office time to time I needed to connect my pc to internet in order to check or send e mails. One day I discovered that, while I was on line, some one was downloading and erasing files from my PC: 5 GB of files gone . I do not know if any one was then able to decrypt the files but since I took more steps to improve security.
    Does not matter if you are a micro-enterprise or a big company , what matter is the value of the information that you may have with you.

  7. In the good old days, there was less reason to snoop on the small businessmen coming into China, at least in part because good surveillance takes a lot of resources. If you follow someone around, you need a handful of people to do it right. Most people fail to realize how difficult good surveillance actually is to maintain over several hours. Most of us will notice someone who has remained in our proximity for several city blocks, even in crowded areas and without the benefit of formal intelligence training. If you bug someone’s room, you may have hours of conversation that you need to listen to and translate.
    The laptop and cellphone have made surveillance easier, because you can copy/image the hard drive and then use search engines on it to determine whether the person (or data) is of interest. The cellphone also allows tracking of people’s general movements and communications without much effort. If people leave their laptop in a room, one security service person can make the rounds and pull down the hard drives in a matter of minutes. If this can be done, why waste a handful of officers and a car (or three) to follow only one of those people around for several hours. An electronic “first cut” is relatively easy, efficient, and aids the ability of security service managers to devote the “full-court press” surveillance resources to the targets that really matter.
    Given the way China works, I would not be terribly surprised if the Ministries of State Security and Public Security sold information that wasn’t useful to them off of the hard drives they image to interested Chinese companies to boost their budget or line their pockets. And, given what constitutes state secrets these days, Chinese companies probably can provide ample justification for why a businessperson or engineer needs to have their computer checked.
    At the end of the day, the basics of security are banal and boring—-which is why so many people, including those who should know better, forget them (e.g. the CIA flap [if true] in Lebanon a couple of months ago). The most challenging part however is figuring out what kind of information and how that information moves about and in-and-out of your company.

  8. No idea if Dan’s on the right track or not, but here’s a few straws in the wind:
    1) Guy I knew in Nanjing working for China mobile (or it could have been Unicom, I can’t remember) who took bribes to supply SMS messages for specific accounts to the local PSB and others. From what he said this is very common. This was in ’05.
    2) The place I lived in when I first arrived in mainland, the foreigner’s residence at a military-run university back in ’03, where I was told by people working in the foreign-affairs office that the phones were bugged.
    3) One day in ’07 I shared a taxi back to my flat in Longhua from Shenzhen airport. The guy I shared with claimed to be a researcher, and offered me money for any company documents I might be able to lay my hands on. I demurred.
    Like I said, I am not a security expert, and things might have changed in the meantime – but I don’t think they will have changed for the better.
    @Richard – At Foxconn there were draconian punishments (instant dismissal) for anyone found in possession of an unauthorised USB-connectable device, camera, or camera phone. This rule was pretty widely flouted though. It’s just impossible to maintain that kind of security without anything short of a pat-down search of everyone coming in and out of a facility. In a factory with a work-force in the hundreds of thousands it is virtually impossible.

  9. Yes, to all of the above. To Dixon, why would China want to monitor a foreign lawyer? For a million reasons relating to the work he is doing for clients. Lobbying work, for example, involving negotiations with government ministries. Commercial contract work, for example, involving negotiations on behalf of a foreign enterprise with a well-connected (or of national interest) local firm. Knowledge is power, especially at the negotiating table.
    I used to travel to China all the time (hundreds of trips) and I found, interestingly, that I was very often assigned the same rooms (in five-star hotels in Beijing). It was far beyond coincidence, and I assumed that for convenience, only certain rooms were wired for sound (and video?).
    I had a client who represented American industry, and he happily informed me one day that the ministry with which we had dealings (Culture) had offered to provide a car and driver for his upcoming visit. I suggested we decline the offer and hire our own. I said, “I assume the driver we hire will STILL be interviewed by state security, or perhaps even be an officer, but let’s make it that little bit harder for them.”
    Final anecdote: on several occasions in China I met an Israeli guy who was in the cybersecurity business. Wildly paranoid (though it’s like he “just had the right information”), to the point that when we ran into each other by chance in a hotel where I stayed all the time, he asked me how I knew he’d be there. I said, “Um, I always stay here.” Anyway, he told me that he had been taken to lunch one time by a Chinese counterpart, phoned in the room and asked to come down early. They went to lunch, lunch finished, and the Chinese guy started stalling, delaying “Lev” in his return to his hotel room. Finally, after a two-hour lunch (the eating took 20 minutes), Lev managed to escape, and when he returned to his room, his laptop was missing. State security had removed it to try to crack the hard drive. [They returned it later without apology.] I asked, “And do you think they cracked it?” He said, “In a million years, they’d only be able to crack it with a hammer.” But of course, he was at the leading edge of creating cybersecurity software applications. And this was five years ago.
    All good fun!

  10. If I were Dan especially given he is high profile about China I’d be very concerned about even visiting China his room would definitely be bugged and his emails read as soon as he logged in his hotel room, and things copied even as he doesn’t know. 100% the PSB will have a big file on Dan. All this is especially true as China goes through a leadership struggle right now. He is right to be concerned its not paranoid its good business sense in what is still a very communist country and police state.

  11. 1. Use a Linux based OS and set up Full Disk encryption.
    2. Always use a VPN when using the internet, even when using Skype.
    3. Never open any attachments from a Chinese person unless you a using a Linux live CD or in a special virtual machine that you can easily restore after you open the file.
    4. Your phones are not only used as remote listening devices but if you have GPS they can track your every movement.
    5. With all the cameras they are installing they are also starting to require foreigners to take special pictures in some place that can be uploaded into their facial recognition software (Thanks Cisco!)
    6. You would be surprised at how many people willingly give away important information to the Chinese “friends” just from the Chinese asking so called basic questions that are “normal” to ask a foreigner in China, or so they say.
    7 Never use thumb drives from a Chinese person, never accept one as a gift which could contain a keylogger, unless you are using it in a virtual machine.
    8. Pretty much all hotels in China even in smaller cities have listening bugs built in to the room. Some places that we have seen are in the big mirrors in the middle of the room. In the window frames. Don’t believe it? Buy a good bug sweeper online, beware of fakes, and take it to China with you and you will see not only the hotel rooms light up, but even your apartment, dorm, or even friends houses too.
    9. You can be sure you internet and phone is being monitored.
    10. Be careful about installing software that is made in China.

  12. China Immigration have everything now on you when you arrive or leave, all your history, plus other data on your work and even where you stayed and what you spent. It is all linked up with the PSB now and to the tax bureau. Someone like Dan would be better off doing his business from the US rather than China because as he has a China business they will know all about it what he said online and once he arrives they can be totally in control of you including detention and asking for fines as well as monitoring everything you do in business. It is becoming too risky unless you are 110% legal and have all kinds of permits and documents and don’t do your work in offices.

  13. The bugs are behind the mirrors. I was staying in a hotel in Shenyang and the mirror fell down and lo and behold, right behind it was what was clearly a bug. This happened last year.

  14. “Hello…Is this the front desk? Uh yeah…uh…I need to get another room.”
    “What’s wrong with your room?”
    “There are too many bugs in my room.”

  15. What do you suppose that they do with all the video footage of foreigners in hotel rooms and massage parlors in China?

  16. So if one finds a “bug” or camera in one’s hotel room or apartment in China, can he/she just crush the bug? Won’t the hotel or building management get upset? If one cannot crush the bug, it isn’t reasonable to expect one to live with bugs, is it?

  17. @bobby: “1. Use a Linux based OS and set up Full Disk encryption.”
    Computers running Linux are on sale in China, suggesting some in China are familiar with Linux. You sure that’s good enough protection?

  18. I am in agreement that visitors should use “best practices” (and bring along laptops without sensitive files on their hard drives, and keep track of those USB sticks!) when they are visiting China–or India or any number of other foreign locations. But as Mick’s comment notes, issues with international cyber-hacking can arise when one is in their home country, as well. Cyber hacking or theft no longer requires physical presence of a person and/or his/her computer within a country (although that situation, together with a lack of caution, certainly can make things that much easier for a would-be thief or hacker, and I believe that is the basis for the article). One’s use of foreign streaming websites can provide just such an entry to one’s hard drive by a foreign hacker, while you are in your office or at home. And China does not have a monopoly on hackers, or government-sponsored hacking.

  19. Pssha. Exaggerated. Executives need to be worried about corporate espionage anywhere in the world. Really think Marriotts, Hyatts of the world would allow the PSB to put cameras, listening devices in all rooms? No way.

  20. I attended the China-European Summit in Beijing this week and heard complains from Chinese multinational companies that the US has an image of today’s China as if China hasen’t changed since 1966 … Thats a reason why many Chinese company prefer to establish cooperation with European companies and not with US companies.
    This thread is a proof that the complaints of those Chinese companies are well founded.

  21. Richard’s point is well-taken: a primary cause of security issues is stupidity; a secondary is disloyalty. 80% of the value is created by 20% of the personnel. Same can be said about threats: 80% of the security risks are raised by 20% of the personnel – the stupid (as in most of Dan’s examples), or the disloyal. However, if a firm’s security system causes delays to access files (say 10%), which impairs work by the highly productive group, then that will always have a disproportionate affect on value, without any clear benefit in cost (since any system can be beaten as a result of a combination of stupidity or disloyalty).
    For a law firm, all hours may be billed at the same rate, but not all yield the same client value. If your system creates a delay in accessing files, and you try to pass on those costs to clients, they’ll probably accept some security precautions – but balance must be struck.

  22. @Mi Fu – I both think you’re right and you’re wrong.
    Yes some of the people here are being a bit paranoid – for one thing, your average Chinese police officer knows little more about computers than your average British police officer does – and that’s very little. The local PD are not breaking into your hard-drive whilst you’re out of your hotel room.
    Yes, I think American’s are a bit more given to being suspicious of China than Europeans. This is most easily explained by most Americans having less experience of travelling abroad that the average European.
    But when you’ve lived in China a while and found yourself sat across the table from a guy who takes money to sell SMS messages to the highest bidder, or you’ve worked in a place where the people who work there tell you the phones are bugged, or when you yourself have been offered bribes to supply sensitive documents, you do have to admit that China isn’t 100% safe when it comes to the risk of industrial espionage.
    Should industrial espionage be a concern for companies working in China? Obviously it depends what you are doing, but I can tell you that it was a very big concern for Foxconn when I worked there, and not only because they were worried about investigative reporters. The example of Foxconn also shows that there are risks involved in being seen as overly secretive, so this should also be taken into account.
    I guess it’s worth pointing out that all foreigners who work and live in China are under at least a minimal amount of surveillance in as much as files are maintained on them at the local Public Security Bureau. The content of these files contains at least information on the results of the extensive health-tests mandated by Chinese immigration law (including, at least when I took them , HIV tests), place of residence, employment details and so-forth.
    There was at least one incident in the late nineties of a file being produced during the interrogation of a foreigner prior to their expulsion from the country in which remarks made in university classrooms and other places critical of PRC policy had been documented. It is not known if this kind of surveillance continues,
    It’s also worth pointing out that private websites written by foreigners in which criticism of the PRC government is made are under surveillance even if they are blocked. The incident of the Swedish student who was expelled from China from China for remarks made on a personal blog hosted by a blogging service (blogspot) which is blocked in China demonstrates this. The incident of the US citizen who was detained and interrogated about several blogs critical of PRC policy with which he had had deallings also shows this.

  23. I would like to second an item in Bobby’s comment (Feb 14 at 7:25am) — Linux LiveCDs are great tools to have at your disposal. You download a CD image, burn it onto a CD-R (or DVD+R), finalize the disk, and boot from CD/DVD. As long as you have used write-once media and closed/finalized the disk, it is impossible to modify it. You now have an OS that cannot be infected with a virus for any longer than it takes to reboot, cannot have a software keylogger installed (hardware keyloggers are still possible if they gain physical control of your computer), and has much higher general security than Microsoft’s OSes.
    Attacks on the hardware, and the firmware in the hardware, are still possible; and there may be vulnerabilities in Linux that weren’t patched in the version you burned onto the CD. However, short of writing your own OS, it’s about as safe as you can get.

  24. I’m in education (School of Foreign Studies Nanjing University) and private diplomacy. (American Chinese relations) So I figure that all bugging, spying, and so on is just free advertising. When ever I send out an email or whatever, I load it with APPROPRIATE bait such as key words, pictures of me with important folks, students looking happy, laughing children, in front of landmarks, big factories, and so on. I even photoshopped-up a cool picture of me and President Obama head to head laughing as if sharing an in-joke, but haven’t DARED to use it. Besides, would it be legal if not tagged a composite? Is there a legal word I could use that is sufficiently misleading? 😉
    In other words, this game can be useful & amusing. Many folks come to me within this “international competitive sport” and sometimes we just look into each others eyes, and laugh. It’s a great ice beaker, does create an inside track upon which one can build trust quickly, and even skumbags, of which both countries have plenty, can occasionally be useful and informative. But you gotta be CLEAN, and not break any laws of either country. Maybe carry two little PC, one for business, and one for fishing?
    Good Luck!

  25. you plugged in a random memory stick that you found in a hotel room?!?  hopefully not on your own computer!

Leave a Reply

Your email address will not be published. Required fields are marked *