Think about the information you carry and what would happen if it fell into the wrong hands
In North America and Western Europe we take for granted our governments aren’t actively tracking what we do and say online. The same can’t be said for Russia—who is building its own copy of the internet that the government strictly controls—or China with its Great Firewall inspecting and blocking what people within its borders do, say, and see online.
We’ve known about state-sponsored cyber threats for some time, nothing new or surprising there, but it’s come to light that before allowing tourists into the Xinjiang region—where the Muslim population is closely monitored by the government—Chinese officials seize devices at the border and install malware onto them to scan for 70,000 documents—like copies of the Quran—and copy call histories, texts, calendar entries, and other personal information that are all sent to government servers.
A chilling thought to say the least.
It’s situations like this why you need to think about how to minimize your data footprint while traveling internationally and having a secure communications device for keeping in touch with people back home.
In the case of China installing malware onto people’s phones, this goes beyond simple inspections at the border, and can have far reaching effects long after you return home. Before talking about solutions to reducing your data footprint while traveling, here is some background on the Chinese malware issue itself.
The Great Firewall of China gets personal
China’s policy of controlling, monitoring, and restricting information within its borders is well known. Many sites and services like Wikipedia, Facebook, Google, and many VPNs are blocked or filtered by China’s national firewall. This isn’t the first time Chinese authorities have forced malware installations in Xinjiang. Residents of Xinjiang were forced to install JingWang on their phones in 2017 to do the same thing as this visitor-targeted malware is doing now.
We know that when you’re in China everything you do online is closely monitored, and something as simple as checking Gmail is hit-and-miss (sometimes it works, sometimes not). Now from Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR we know that China has gone one (dangerous) step further—installing malware onto tourists’ phones.
The malware, called BXAQ or Fengcai, is an invasive app based on a few other apps like “CellHunter” and “MobileHunter” to do its job. Interestingly, Chinese officials aren’t trying to hide the app at all. It’s right there on the home screen, ostensibly so it can be deleted later—assuming it doesn’t leave traces behind. According to the journalists and others who contributed to the story once the app was loaded—visitors to Xinjiang had to hand their phones over to officials—it started doing its data gathering work:
Once installed on an Android phone, by “side-loading” its installation and requesting certain permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone’s calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps. From Motherboard.
According to the article, journalists observed iPhones connected to physical devices probably do the same thing as the Android malware. It’s a lot harder to side load an app or exfiltrate data from an iOS device, but it might be safe to assume it was at least moderately successful or officials wouldn’t be trying.
What are they doing with the data?
What isn’t known, of course, is what is really being done with the data, how long it’s kept, or how the data might be used against you in the future. If the goal is to see who the Chinese government thinks might be making trouble for them in the province, the data could be used and kept for a long time. Given China’s human rights record and general stance on privacy, there is nothing stopping them from also using that data as part of industrial espionage or arrest you on suspicion of breaking Chinese laws. A truly frightening prospect as foreign citizens have been used as pawns by China in international disputes.
Since the malware isn’t hidden in any way, you can more than likely delete it from your phone, and since BXAQ has been flagged as malware by most Western anti-virus companies/scanners, the damage done should be limited. However, Motherboard has learned Chinese anti-malware tools do not flag BXAQ as malware, creating a real possibility Chinese citizens could be used at “patient zeros” for spreading malware as they travel around the world. If the only allowed anti-malware and anti-virus apps in China make sure government spyware sticks around on devices, you can be sure this is already being leveraged by China on its citizens—and possibly visitors.
While authorities installing malware on tourists’ phones appears to be limited to this one region of China, it’s still a troubling development. Governments forcing people to install spyware is an Orwellian scenario no one wants to see spread to other places. Thankfully it doesn’t appear government-installed malware is becoming a trend, but let’s consider what is common practice crossing borders today: asking travelers to unlock their phones and laptops for inspection by border officials. Remember you have very few rights and protections when you cross international borders. It is perfectly legal as part of protecting national security to check, inspect, and search anyone or anything crossing into a country. The things you carry with you are considered “goods” and can be inspected at the border.
But since our devices hold so much personal, private information, there are very good reasons to take precautions when traveling internationally.
Minimizing your data footprint: The new reality of traveling with devices
There was a time when taking precautions like backing up your devices and powering them down for travel were more about damage and theft, today you have to think about if your device is inspected at a border what information is stored on it that could compromise your privacy—or the privacy of others. This is especially important when visiting places where privacy and free speech protections aren’t the same as you’re used to at home, but is a good practice when crossing any international border.
Minimizing your data footprint comes down to this question:
Should I leave my “real” devices at home and use “disposable” ones when I travel abroad or try to go “device-less”?
It’s not practical to travel without internet-connected devices, so the device-less option is off the table right away. From taking pictures and keeping electronic tickets handy, to maps and translation software, we rely on our devices for everything today. However, considering how much personal data is on your regular device, is it smart to have all that information on your device, especially when traveling internationally? In today’s era of dodgy public Wi-Fi, plus devices being regularly inspected at borders, limiting your data footprint when traveling seems like a smart precaution.
If you can’t leave devices at home, how can you minimize your data footprint? One common solution is using a secondary device that has little, if any, information stored on it that can be wiped before and after you cross a border. Secondary devices make sense, but does it make sense for everyone all the time? Journalists and activists have very good reasons to carry a phone with a limited amount of information on it to certain places:
It really depends on where you are going and your threat model. I mean an activist or journalist going into Israel, Russia or China, yes absolutely. It's often as much an issue about something being confiscated or lost as about targetted with "insert threat"
— Rory Byrne (@roryireland) July 18, 2019
Is this practical for the rest of us?
Actually, yes. Having a device you use just for internet access with a bare minimum of apps and information—and logged out of social media—paired with a trusted communications device for staying in touch with people gives you access to information while still letting you keep in touch—securely. As this post from the Guardian points out, with so much data stored on the cloud, you can easily delete apps like Outlook, Dropbox, and OneDrive before crossing borders and reinstall later—data gone in transit, back when you need it.
Here’s how a system using a temporary device for productivity paired with a secure communications device works.
Purpose-built secure communications devices plus temporary productivity tools
A basic smartphone or Chromebook for internet access and productivity is simple to set up. Keeping in mind you only partially set the devices up before traveling. You might have Facebook, Gmail, Dropbox, etc installed but you haven’t logged into the apps yet. The goal here is limiting the amount of data you’re carrying across borders rather than raising suspicions by having no data at all. Once you’ve reached your destination you can connect to the internet, fire up your VPN for travelling, and download all your data to the device. It’s important to use a VPN when traveling because hotel, airport, and other public Wi-Fi hotspots are notoriously insecure and dangerous to your privacy.
With essential productivity taken care of, the purpose-built second device for communications comes into play. This is device should:
- Allow for private communications.
- Be designed to keep only a minimum of data on the device, keeping your data footprint small by default.
A second secure communications device is important for people who can’t be out of touch, but still need to protect their privacy and limit their cross-border data footprint.
Given concerns raised by civil liberties and privacy groups around the world, anyone who works with sensitive data and keeps it on their devices, should consider what data carry they travel abroad. This list can include:
- People in finance
- Counselors and therapists
Using temporary devices with minimal amounts of data reduces the damage to your privacy—and the privacy of the people you communicate with—if your devices are inspected at the border, but a secondary secure communications device like SKY ECC gives anyone who works with sensitive content peace of mind that they can communicate freely without fear the messages could be intercepted and decrypted.
SKY ECC allows you to limit your data footprint with automatic message expiry and flash messaging. You can tailor your address book to protect the privacy of your contacts with custom names, without needing to remove and re-add contacts. You can stay in touch with colleagues, and still maintain everyone’s privacy and security. And with a modicum of data kept on the device at any time, there is little data to worry about. David Kennedy, a former marine and cyber warfare expert, explains in the video below how having as little an amount of data as possible is a viable strategy for crossing any international border. SKY ECC—with its ability to be wiped and your contacts restored later—is a perfect tool for this.
We designed SKY ECC purely as a secure communications device. There are no extras or apps that could compromise the security or privacy of your communications. The devices are locked down to prevent unauthorized software from being loaded onto the device. Preventing unauthorized apps and connections is built into the SKY ECC device security model, making it nearly impossible for SKY ECC devices to have the malware discussed above installed on them. We believe your privacy should be paramount and we’ve made the tools to help you achieve privacy, security, and as small a data footprint as possible.