- China implemented new regulations on Monday under its toughened counterespionage law, which enables authorities to inspect smartphones, personal computers and other electronic devices, raising fears among expatriates and foreign businesspeople about possible arbitrary enforcement.
- A Japanese travel agency official said the new regulations could further prevent tourists from coming to China. Some Japanese companies have told their employees not to bring smartphones from Japan when they make business trips to the neighboring country, according to officials from the companies.
The new rules, which came into effect one year after the revised anti-espionage law expanded the definition of espionage activities, empower Chinese national security authorities to inspect data, including emails, pictures, and videos stored on electronic devices.
Such inspections can be conducted without warrants in emergencies. If officers are unable to examine electronic devices on-site, they are authorized to have those items brought to designated places, according to the regulations.
It remains unclear what qualifies as emergencies under the new rules. Foreign individuals and businesses are now expected to face increased surveillance by Chinese authorities as a result of these regulations.
A 33-year-old British teacher told Kyodo News at a Beijing airport Monday that she refrains from using smartphones for communications. A Japanese man in his 40s who visited the Chinese capital for a business trip said he will “try to avoid attracting attention” from security authorities in the country.
In June, China’s State Security Ministry said the new regulations will target “individuals and organizations related to spy groups,” and ordinary passengers will not have their smartphones inspected at airports. However, a diplomatic source in Beijing noted that authorities’ explanations have not sufficiently clarified what qualifies as spying activities.
Last week, Taiwan’s Mainland Affairs Council upgraded its travel warning for mainland China, advising against unnecessary trips due to Beijing’s recent tightening of regulations aimed at safeguarding national security.
In May, China implemented a revised law on safeguarding state secrets, which includes measures to enhance the management of secrets at military facilities.
I’ve personally never done the trip to China for a lot of reasons (you know you are living your best life when a postdoc explains that you should never under any circumstances go to China because of what you have said) but do a lot of foreign travel for work:
No company should let any employee bring corporate electronics on international travel. Have burner phones and laptops that are set up to do incredibly minimal work locally (basically just have the slides… maybe) and to remote in. And work with your IT department to “randomly lock” them if a wrong password is detected in an airport or government facility.
It doesn’t matter if it is the UK asking if we want the left or right hand this time or the CCP: It is just an unnecessary risk that is easily avoided.
And then inform the traveler of whether they want to bring their personal devices or not.
This is the approach I use with laptops domestically, and I think that there’s something to be said for it. Like, the laptop itself doesn’t store important information. A remote server does. The laptop is just a thin client. If the laptop gets lost or stolen – which I’ve had happen – I revoke the credentials. No important information is lost, and no important information is exposed.
Whole-disk laptop encryption has improved things too from an exposure standpoint (albeit not a loss standpoint), though I don’t use it myself (don’t want to spend any battery life on it). I assume that smartphones have some form of reasonably-secure storage hardware, but I don’t know if it involves encryption.
What I found irritating – and this is years back now – was an employer who didn’t care if I took a laptop in or out or what information I stored on it (as long as it was a work system), but who refused to provide remote access to the network, so I couldn’t just keep the important information on the work network. I mean, I get if they want to have some sort of isolated DMZ and require an externally-accessible server to live there, not provide VPN access in to the general network, but not having the ability to have remote network access to work systems at all is just incredibly obnoxious.
I think that some of it is that Windows is not phenomenal to use remotely. Yeah, there are solutions, but they aren’t great if you’re on a high-latency, low-reliability, or low-bandwidth link. I try to use console Linux for as much of my stuff as possible. That whole ecosystem was designed around thin-client, remote use.
Oh yeah. I DEFINITELY have some horror stories over needing to access GUI apps remotely (my favorite involved a secure tunnel to one facility to then tunnel back to a machine that was literally three doors down from my office…)
But stuff like the web interfaces to ms/google office make the vast majority of this trivial. Since SSH always worked in Windows via (god awful) putty. And increasingly other applications are understanding they need to support server/client setups so you are just connecting over a tunnel rather than using a remote desktop protocol.
I mean, Windows can do the thin client side fine. I’d personally somewhat-prefer to use Linux for that, but that’s not really my sticking point. I’m normally keeping my software, data, stuff like that on the server, and just running two remotely-connected terminals and a web browser on my client. Virtually all the software can run on the server. My problem is Windows on the server side; like, it’s just not reasonable to use a Windows machine remotely via a command-line for anything other than some very basic administrative tasks, and using a GUI remotely once latency goes up or bandwidth down is just painful.
Unfortunately, there’s this baseline understanding of liberal western democracies providing security while eastern fascist dictatorships of the proletariat are looking for people to punish arbitrarily. The tolerance for British mass surveillance (some of the worst in the world) is sky high, simply because they’re doing it the white way.
The CCP are actively engaging in genocide (remember the Uyghurs? Probably shouldn’t if you don’t want to piss off the CCP) and have a long history of “reeducation” camps.
While I have very serious problems with how the majority of western nations handle immigration and human rights violations, that is more along the lines of “oh, please stop isreal. By the way, here are all those bombs you asked for. Don’t use them all on one mosque!” or actively turning people back to be executed in the horror they are running from (although, the US is doing a great job of having some stuff that looks a lot like concentration camps on the Southern border…).
But it is still night and day in terms of horror. The day is pretty shitty but the night… holy fuck.
But also? That doesn’t change anything. It is a nation’s responsibility to engage in basic espionage if only to protect its people’s interests. And governments all have the power to basically shit on a visitor’s human rights so long as they can keep the embassies from finding out. So why take any risks you don’t need to?
It always gets me to see how Americans treated Afghanistan for 23 years, only to find religion when they see China doing the same Radical Islamic Extremism crack downs the Ted Cruz masterbates to in the middle of the night.
Literally right on the other side of the border! Practically the same dudes. And we outright applauded China for helping us with the genocide under Bush, when we were applauding Russia for the same shit in Chechnya no less.
But now we’re out of there, and in between kicking off massive famines and looting their Treasury, we’ve decided to care about Uyghurs now.
More black and white.
It’s not called The China Man’s Burden, ffs. Who do they even think they are?
Anyway, back to explaining to Houthis why we don’t have health care by blowing up another elementary school in Yemen.
That’s just so impractical. The point of business travel is to get something done. For that you need your devices, and access to relevant data and systems.
Setting up a clean device for every trip where you cross a controlled border is such a hassle it wouldn’t really pass in any company. Well with the exception of defense companies, I could understand them being paranoid enough.
Plenty of companies are, rightfully, adopting security models where even domestic workers never have a copy of anything sensitive on a laptop (sometimes even desktop) and rely on corporate servers to do work. Yes, it really fucking sucks during an outage but it avoids the never ending problem of people leaving their laptop at a starbucks. There is absolutely zero reason to not do that on foreign travel.
Also: The point of business travel is to have meetings or collaborations that can’t be done remotely. For the former, you basically just need that set of slides and the ability to fetch a limited subset of other data. For the latter? You are by necessity taking corporate secrets and having a secure connection back home is a bare minimum.
And if your IT department have problems reprovisioning laptops to contain basically a VPN client and a web browser? Then you have even bigger problems. In a semi-competent world, you just reimage a laptop in a closet to the minimum machine that you give to a new hire and then you flag the user’s account for heightened security in whatever VPN setup you have. Because it is REALLY easy to detect if something is connecting from where it shouldn’t be (e.g. Fred is in Canada but suddenly is trying to connect from Australia) or is anywhere near a government facility or airport (… no comment).
As an aside, I’ll point out that I have worked with various government and government adjacent orgs over my years. Their security is complete dogshit next to a decent sized company. Because they are just protecting government secrets and focused on covering their asses. A company is protecting potentially billions of dollars and everyone’s livelihood. Which makes for an environment where you aren’t ten years behind the state of the art because nobody wants to risk jail time (which they would not get if they are acting in good faith…) over approving something as crazy as a VPN.
Hate to tell you, this is now the norm. Right now, today, thousands of corporate travelers!
Company creates a travel laptop, perhaps even just a completely empty kiosk laptop. Corporate traveler downloads critical data to the laptop in an enclave (like a presentation). They have a two-factor token with them. If they need to get back to the corporate network for whatever reason, they use remote desktop software and no data is stored on the local device. They’re given policies telling them that if the computer is out of their possession, or view at any time, that the device is not to be used whatsoever afterwards. Contact security and let them deal with it.
When the traveler comes back to the mothership, laptop is checked into IT, it’s completely wiped.
Does remote desktop software suck? Yeah. It’s better than the alternative though