Friday, August 01, 2008

Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure

I saw two articles this morning which I think invite comparison. First, Phil Dunkelberger, CEO of PGP Corporation, says people visiting China should take laptops with no data, or encrypt what data they have:

Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said.

He said that without data encryption, executives could have business plans or designs pilfered, while journalists' lists of contacts could be exposed, putting sources at risk.

Dunkelberger said that during unrest in Tibet in March, overseas Tibetan activists found their computer systems under heavy pressure from Chinese security agencies trying to trace digital communications.

"What the Chinese tried to do was infiltrate their security to see who in China the Tibet movement was talking to," he said.

...

Dunkelberger, whose firm serves many multinational corporations operating in China, said, "A lot of places in the world, including China, don't have the same view of personal space and privacy that we do in the United States."

"You've got to suspect that every place you're doing work is being monitored and being watched," he said.

Dunkelberger's advice is good as far as it goes. Of course, PGP Whole Disk Encryption won't help protect data in transit, and while PGP Email will protect the content of email messages, it won't conceal the source and destination. The threat described is one where traffic analysis enough can reveal a lot, and so you'd want to make use of a corporate VPN, some kind of proxy, or a system like TOR if you want to protect information about where your Internet traffic is ultimately going. PGP is a good company that makes great products; my employer uses PGP Whole Disk Encryption and Email products.

The second article, however, casts some doubt on the last part of what Dunkelberger says. It looks like the U.S., where the NSA engages in warrantless wiretapping with the assistance of the large incumbent telecoms (and a spineless Congress gives them immunity for violations of the law), the CIA spies on foreign visitors within the borders of the U.S. in conjunction with the FBI's counterintelligence division, isn't so different from other countries. It's now publicly admitted by DHS that Immigrations and Customs Enforcement officers have the right to seize laptops and other electronic devices from people entering the U.S. and hang on to them indefinitely in order to search them. Therefore Dunkelberger's advice should be taken by anyone coming into the U.S., as well--use blank laptops or laptops with encryption only. Some companies have begun to only allow employees to have a web browser and a VPN client on their laptops, and keep all data in the corporation, which can completely eliminate this particular governmental risk.

No comments: