- China implemented new regulations on Monday under its toughened counterespionage law, which enables authorities to inspect smartphones, personal computers and other electronic devices, raising fears among expatriates and foreign businesspeople about possible arbitrary enforcement.
- A Japanese travel agency official said the new regulations could further prevent tourists from coming to China. Some Japanese companies have told their employees not to bring smartphones from Japan when they make business trips to the neighboring country, according to officials from the companies.
The new rules, which came into effect one year after the revised anti-espionage law expanded the definition of espionage activities, empower Chinese national security authorities to inspect data, including emails, pictures, and videos stored on electronic devices.
Such inspections can be conducted without warrants in emergencies. If officers are unable to examine electronic devices on-site, they are authorized to have those items brought to designated places, according to the regulations.
It remains unclear what qualifies as emergencies under the new rules. Foreign individuals and businesses are now expected to face increased surveillance by Chinese authorities as a result of these regulations.
A 33-year-old British teacher told Kyodo News at a Beijing airport Monday that she refrains from using smartphones for communications. A Japanese man in his 40s who visited the Chinese capital for a business trip said he will “try to avoid attracting attention” from security authorities in the country.
In June, China’s State Security Ministry said the new regulations will target “individuals and organizations related to spy groups,” and ordinary passengers will not have their smartphones inspected at airports. However, a diplomatic source in Beijing noted that authorities’ explanations have not sufficiently clarified what qualifies as spying activities.
Last week, Taiwan’s Mainland Affairs Council upgraded its travel warning for mainland China, advising against unnecessary trips due to Beijing’s recent tightening of regulations aimed at safeguarding national security.
In May, China implemented a revised law on safeguarding state secrets, which includes measures to enhance the management of secrets at military facilities.
That’s just so impractical. The point of business travel is to get something done. For that you need your devices, and access to relevant data and systems.
Setting up a clean device for every trip where you cross a controlled border is such a hassle it wouldn’t really pass in any company. Well with the exception of defense companies, I could understand them being paranoid enough.
Plenty of companies are, rightfully, adopting security models where even domestic workers never have a copy of anything sensitive on a laptop (sometimes even desktop) and rely on corporate servers to do work. Yes, it really fucking sucks during an outage but it avoids the never ending problem of people leaving their laptop at a starbucks. There is absolutely zero reason to not do that on foreign travel.
Also: The point of business travel is to have meetings or collaborations that can’t be done remotely. For the former, you basically just need that set of slides and the ability to fetch a limited subset of other data. For the latter? You are by necessity taking corporate secrets and having a secure connection back home is a bare minimum.
And if your IT department have problems reprovisioning laptops to contain basically a VPN client and a web browser? Then you have even bigger problems. In a semi-competent world, you just reimage a laptop in a closet to the minimum machine that you give to a new hire and then you flag the user’s account for heightened security in whatever VPN setup you have. Because it is REALLY easy to detect if something is connecting from where it shouldn’t be (e.g. Fred is in Canada but suddenly is trying to connect from Australia) or is anywhere near a government facility or airport (… no comment).
As an aside, I’ll point out that I have worked with various government and government adjacent orgs over my years. Their security is complete dogshit next to a decent sized company. Because they are just protecting government secrets and focused on covering their asses. A company is protecting potentially billions of dollars and everyone’s livelihood. Which makes for an environment where you aren’t ten years behind the state of the art because nobody wants to risk jail time (which they would not get if they are acting in good faith…) over approving something as crazy as a VPN.
Hate to tell you, this is now the norm. Right now, today, thousands of corporate travelers!
Company creates a travel laptop, perhaps even just a completely empty kiosk laptop. Corporate traveler downloads critical data to the laptop in an enclave (like a presentation). They have a two-factor token with them. If they need to get back to the corporate network for whatever reason, they use remote desktop software and no data is stored on the local device. They’re given policies telling them that if the computer is out of their possession, or view at any time, that the device is not to be used whatsoever afterwards. Contact security and let them deal with it.
When the traveler comes back to the mothership, laptop is checked into IT, it’s completely wiped.
Does remote desktop software suck? Yeah. It’s better than the alternative though