A lawyer’s job is to discern their clients’ risks and help them avoid them. We are both trained and paid to be paranoid.
Years ago, when I was in Tokyo on a particularly sensitive international law matter, I left my hotel room as I had done pretty much every day for the last 7-8 days and began walking to my subway stop. Then, for some reason I got a strange feeling about having left my laptop in my hotel room and I decided to return. When I did, there were two men wearing black suits and ties looking at my turned on laptop. I immediately asked them (in English) what they were doing in my room and one of them responded in shockingly good English that they were with the hotel and just checking on my Internet. To this day, I have no doubt they were Japanese Secret Service.
With all that has been going on in China lately regarding data theft and with the accelerating decline in relations between China and the West, our international lawyers are getting a raft of questions from clients and readers wanting to know what they should be doing to protect their data when traveling to China.
Here is our most recent list.
- Tell as few people as possible that you will be going to China and tell those few people as late as possible. But assume that once you enter China, if someone really wants to know if you are there, they have probably bought off someone at China customs to get that information. Also assume that the government knows pretty much everywhere you go.
- If you are going to China from Hong Kong, be prepared for triple strength scrutiny.
- Password and/or fingerprint and/or facial recognition and/or two factor authentication protect your laptop, tablet, mobile phone, USB drive, or other removable media. Needless to say, use really good passwords. Use encryption. But recognize that if a Chinese government official pressures you for your password or your finger or your encryption key, you will face jail time if you don’t turn it over.
- Do not have sensitive data on whatever laptop, tablet, mobile phone, USB drive, or other removable media you bring into China. Keep that on your devices at home or in the cloud.
- Delete any cloud apps with sensitive data before you go to China. Most cloud access is either terrible or non-existent in China anyway, but should it be available and you truly need it while there, you likely can re-download it and use it. Needless to say, you had better have a good password for this. Note though that if the Chinese police demand you give them the password, you pretty much must do so or face jail time. See China’s New Cybersecurity Program: NO Place to Hide and China’s New Cybersecurity System: There is NO Place to Hide.
- Never let yourself be separated from your laptop, tablet, mobile phone, USB drive or other removable media. By this I mean, never put these things in a car trunk or leave them unattended on a plane or train. I’ve heard of many instances were taxi drivers drove away with a briefcase in the trunk, only to return it the next day, possibly relieved of key data. If you don’t think taxi drivers or hotel workers in China can and do sell data, I am here to tell you that they do.
- If you must leave one of your devices in your hotel room, hide it in such a way that you will be able to tell if someone messed with it while you were gone. Note that your hotel as access to your room safe and if the Chinese government were to ask anyone at your hotel to open it, their response would be to run (not walk) to your room to do so.
- China is damn good at hacking so you should have your IT people look at your laptop right before and right after you get back from China.
- Use your VPN connection to access your company information and not free wifi. Note though that it is becoming increasingly difficult to use VPNs in China.
- Frequently update your virus and firewall protections.
- Just assume your hotel room and any phone on which you talk while in China (including your own cell phone) is bugged and that your Internet usage will be monitored. Assume the worst and take every measure you can to be careful.
I love telling the following stories of random data sloppiness I personally have encountered.
- Many years ago, I got on a “common” computer at a hotel in Korea (to read the news) and the first thing that popped up was a letter written by a Seattle company revealing information I know they would not have wanted me (or anyone else) to see. Someone from this company had written this letter on the computer (in Word format) and simply left it there. Not smart.
- Many times I have gotten on the Internet at an airport computer and been let right into someone’s webmail account. Not smart.
- I know this isn’t company data, but what percent of the time do you delete your Netflix or Hulu or HBO Go information from your hotel television before you check out?
- I have on more than one occasion found USB sticks filled with company data left in my hotel room. Not smart.
If people do these sorts of things….
Many years ago, in Traveling Light in a Time of Digital Thievery, the New York Times detailed the steps Kenneth Lieberthal takes before going to China:
He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
There you have it.
What do you do to protect your data from China?
