Consider what would happen if your information was to fall into the wrong hands
Living in Europe and North America, there are certain freedoms take we have that are impossible elsewhere in the world. Amongst these is that our governments are not actively tracking our every move online, what we say and do. For people in countries such as Russia – where a government-controlled version of the internet is being built- and China -where the governments ‘Great Firewall’ can censor, block, watch and monitor whatever is done online within its borders- these freedoms are taken away from them.
Cyber threats from these states is something that has been known for a while, so none of this is exactly surprising. What should be alarming though is that the tourists visiting the Xinjiang region of China, home to a large Muslim population that is closely watched and monitored by the government, have had their devices seized when crossing into the country and having malware installed on them by Chinese officials. This malware scans for over 70,000 documents, looking for certain documents or books, like the Quran – the central religious text in the Muslim faith- as well as copies of texts, call histories and personal information, which is all sent onwards to the Chinese government servers.
Highly disturbing would be an understatement to this.
Making sure that your data footprint is kept to a minimum when travelling abroad, whilst having a device which can give you secure communications to talk to whoever you want back home is crucial when dangers like this exist.
When countries such as China take the step to taking peoples devices to install malware, it has far further than any simple border inspection and the effects can be far further ranging, happening way after you have returned home. We are going to discuss the best way to make sure your data footprint is reduced whilst travelling, but before, we are going to give background on the issue of Chinese malware itself.
China’s Great Firewall: Using malware to watch and monitor
The nations strict regulation, control and monitoring of information is well documented and known. Across China, sites and services such as Facebook, Google, Wikipedia and VPNs are all inaccessible, being actively filtered or blocked by the countries Great Firewall. For the citizens of Xinjiang, this is not the first time they have had to deal with Chinese authorities forcing malware onto their devices. In 2017, residents were forced to have JingWing installed onto their phones, which does the same function as the malware being forced on tourists now.
Even when you are doing something as basic as checking your email, Gmail for example, then the Chinese government is watching and monitoring everything you are doing. However, thanks to the work of the Guardian, Motherboard, the New York Times and Süddeutsche Zeitung and German broadcaster NDR, it is known that China has gone further, taking tourists’ phones and installing malware.
Known as BXAQ or Fengcai, the malware is an invasive app, similar to that of apps like “Mobile Hunter” or “CellHunter”. Interestingly, the app is in plain sight, right on the home screen. Chinese officials don’t make any sort of attempt to hide it or make sure it cannot be seen. From the accounts given by the journalists and other sources who helped contribute to the article, the app immediately started gathering data after it was uploaded by officials.
Once installed on an Android phone, by “side-loading” its installation and requesting certain permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone’s calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps. From Motherboard.
Journalists writing in the article noted that iPhones that were connected to physical devices, seemingly similar to what happens with Android malware. For iOS devices, it is a lot harder to take data or forcibly have apps loaded in. However, it would be assumed that the Chinese officials have found a way or they would not be trying.
What happens to all the data? And what do they want with it?
The worrying question is what the Chinese government is actually doing with the data, as well as how long they are holding it for and how that data may be used in the future. Considering China’s track record with human rights and the government’s view on privacy, it could seem likely that all of this data is being harvested so that they can track citizens and arrest anyone who they may not like. This already is a terrifying prospect, but I can be taken further as citizens of other nations may become pawns to China, should they seek to use them in international disputes.
With most anti-virus companies and scanners in the West flagging BXAQ as malware and the fact it is not hidden on your phone, the damage that can be done should be minimal. Despite this though, there is a real danger, as Motherboard has reported. In their investigations, they have found that BXAQ is not flagged as malware by Chinese anti-malware tools. This could lead to the situation that Chinese citizens will be unwittingly spreading the malware when they travel outside of China. If the Chinese government decides that the only anti-virus or anti-malware apps allowed are ones that allow the spyware to stay on the device, then it can be sure to say it is leveraging its own citizens, and potentially visitors too.
Whilst this practice of forcibly installing malware to tourists phones is currently limited to the Xinjing province, it is an extremely worrying development. Spyware being forced onto citizens by the government is a nightmarish scenario straight from a George Orwell novel. Whilst this, for the time being, does not seem to be becoming a global trend, it should be considered what is a common practice when crossing a nation’s border: unlocking your devices for inspection from border officials. For protecting their nation’s security, it is legal for border officials to inspect, check and search anything or anyone entering into their country.
But with so much private, personal information held within your devices, taking precautions internationally is a wise move.
Keeping your data footprint small
If we go back a few years, backing up devices for travelling was normally to keep them from theft or damage. But today’s picture is quite different. Now you must consider that if you device is inspected by border security, will your personal data and privacy be secure, as well as the people you talk to. This becomes vitally important when travelling to countries where free speech and privacy are not protected to the same levels as we would find in North America or Western Europe.
Keeping your data footprint to a minimum can be brought down to one question:
Should I leave my “real” devices at home and use “disposable” ones when I travel abroad or try to go “device-less”?
In the 21st century, even if travelling for leisure and not business, it is simple impractical to travel without any internet connected devices. This rules out a device less option instantly. However, with your regular, day to day device, think how much data you have stored. When visiting other countries, is it smart to have that much personal information stored on your device? Making sure your data footprint is limited when travelling would be sensible and smart precaution.
So, leaving devices completely is out of the question, so how can you keep your data footprint as small as possible? One move would be to have a secondary device for travelling. Containing as little information as possible, it can be wiped as you enter a country and just before. But having two devices, is that really the best move for all of us? It may seem logical but is it the best path to go down? For activists and journalists, having a phone containing a limited amount of information is something definitely needed.
It really depends on where you are going and your threat model. I mean an activist or journalist going into Israel, Russia or China, yes absolutely. It’s often as much an issue about something being confiscated or lost as about targetted with “insert threat”
— Rory Byrne (@roryireland) July 18, 2019
But is that practical for all of us?
Yes actually. Using a device only for internet access, without being logged into social media, with next to no apps or information, whilst also using a trusted communication device to stay in contact, so that you have an access to the information you need, whilst also allowing you to stay in touch, safely and securely. As pointed out in this article by the Guardian, with the amount of data that is kept in cloud storage, apps such as OneDrive, Dropbox or Outlook can all be deleted then reinstalled at a later time or date. Gone in transit to be returned when you need it.
Using a temporary device that is paired up with a secure communications device: Here’s how it works
Secure Communications plus temporary productivity tools: Keeping your data safe
Having a device set up for productivity and internet access is quite simple to set up. Remember, you are only partially setting up the device in question before you travel. You may have apps installed, such as Gmail or Facebook, but you have not logged into them. The aim is not to arise suspicion of having no data at all, but instead limiting how much data when you cross the border. Once across and you have safely arrived at your destination, connect up to the internet, have the VPN running, and you can download the data onto your device. Using a VPN is highly important as public Wi-Fi are extremely insecure and hazardous to your privacy, regardless of it is from a bar, hotel or airport.
With the productivity sorted, the second device is next to play: the purpose built communication device. This device needs to be able to hold the bare minimum of data and be able to provide private communications. For those who need to stay in touch, but do not want their privacy compromised and want to keep their data footprint to a minimum.
Anyone who carries sensitive data with them as they travel should consider their privacy, not only their own, but of others too, especially for professionals such as doctors, therapists, counsellors, lawyers and in the finance industry. With rising concerns from privacy and civil liberty groups across the world, keeping your data safe should be a priority.
Having a secondary device for when you travel is a good step to reducing the damage inflicted on to your privacy, as well as those you message. However, using a secure communications device, such as SKY ECC, as a second device can provide, not just you, but everyone you talk to the peace of mind in knowing your privacies are secure, able to communicate without fearing who may be trying to decrypt or intercept the communications.
With flash messaging and automatic message expiry, SKY ECC helps keeps the footprint your data leaves as small as possible. Allowing you to custom tailor your devices address book, you can give your contacts custom names without needing to remove contacts. These functions allow you to help everyone’s security and privacy remain whilst staying in contact with colleagues. In the video below, former marine and cyber war expert David Kennedy, explains how having your data at the smallest possible amount when crossing an international border is a solid and great strategy. With the ability to be wiped and able to restore contacts later, SKY ECC is perfect for the job.
With SKY ECC, we designed it to be a secure communications device. No apps or extras are added in, as to leave nothing that could leave your communications and privacy unsecure or compromised. SKY ECC device security model is built with preventing unauthorized connections and apps in mind, making it almost impossible for the malware we talked about earlier to be installed. Your privacy is number one to us and with the tools we have made, we aim to help you have security, privacy and the smallest data footprint possible.