Travel to China 2023: Information Security Must-knows from a Recent Visit
The good news of China’s border opening for travelers is worth celebrating. However, it is also worthwhile to look into what travelers should know to protect themselves, their devices and information.
On March 13, 2023 China announced it would reopen its borders, allowing the issuance of all categories of visas from March 15th. The Chinese government claimed the border opening was to “facilitate people-to-people exchange between China and other countries” (http://us.china-embassy.gov[.]cn/eng/zytz/202303/t20230315_11041658.htm). This is the first time in the three years since the COVID-19 pandemic erupted that foreign travelers can enter mainland China. Despite high price tags and a lack of direct flights, business travelers, tourists and overseas Chinese eagerly sought plane tickets to visit the country. According to a February 2023 survey conducted by the US-China Business Council, a US trade group in China, 50 percent of chief executives from 43 American companies planned to visit China before July this year.
The good news of China’s border opening for travelers is worth celebrating. However, it is also worthwhile for us to look into what travelers should know to protect themselves, devices, and information when they travel to China. In the past three years, China had locked the border and implemented measures and regulations to manage the pandemic. Since the last time visitors have been there, the Chinese government has more widely and deeply applied its technological means for managing and controlling the population – such as surveillance systems, data collection tools, and evolving censorship methods.
What should travelers expect when they travel to China? A friend of Natto Thoughts visited China in February this year and shared the experience with us. We would like to share some notable information security must-knows with our readers.
You Need to Have a Working Mobile Phone When Traveling to China
The general advice on traveling overseas with electronic devices suggests “if you can do without the device, don’t take it.” However, travelers to China must have a working mobile phone because almost all public services use an electronic format, such as customs forms and local transportation tickets. Without a mobile phone, travelers could find themselves stumbling at every step, as the Chinese saying goes (the term 寸步难行, pronounced cun bu nan xing, literally means it is hard to move an inch).
For example, upon entering China, one must fill out a health declaration form via the China Customs app, web portal, or Wechat mini-program. The health declaration form collects personal information including name, gender, nationality, occupation, date of birth and passport number; exit/entry information, which includes a mobile phone or landline number in addition to transportation information; the past 14 days of travel history; and health status, including any symptoms and a COVID-19 test result. After submitting the required information, the traveler must save a screenshot of the system-generated QR code that next appears. The QR code is valid for 24 hours. Customs officers scan the QR code when travelers enter or exit customs. When travelers do not have local network services, the customs service offers a free WiFi service for travelers to connect at the passport control points.
Exiting China, travelers have to repeat the process of filling out the health declaration form.
The health declaration form is collecting more than simply health information. In effect, it has superseded the previously used paper departure/arrival card (see below) and collects more information (as previously described) than the paper form.
Your Facial Information Is Collected and Recognized Everywhere
When first entering the Chinese border, travelers’ facial information is collected at the customs. The facial information connects with other personal data such as passport information during a traveler’s stay in China. When travelers take a train, entering the train station requires scanning a passport into a machine that matches it with biometric records. Since China has implemented real-name registration for all forms of transportation, including air, trains, and buses, travelers need to expect that personal information and travel information will likely be shared wherever they travel in China.
At entrances to residential or office buildings in China, facial recognition systems most likely have been installed, particularly in major cities. Travelers may have to register with the relevant management offices overseeing the building to be able to enter it. Going to visit someone in a Chinese residential building, Natto Thoughts’ friend found that the building door scanned their face. However, no registered data could be found, and the doorman asked the visitor to register. This likely means personal data of foreign travelers may be not consistently shared in advance with local level authorities, or that the building management offices may not have been authorized to access the data.
Your Real Cash Seems Odd in a Cashless China
China is close to a fully cashless economy after over a decade of widely applied mobile payment usage. By June 2022, over 86 percent of Chinese Internet users were using online payments. Mobile payment is so popular that even beggars ask for donations by displaying a QR code board that potential donors can scan for convenient payment, according to a Chinese media report.
Travelers cannot easily sign up for popular payment systems WeChat pay or AliPay without a Chinese bank account. Therefore, when paying a taxi fare or buying snacks from a street vendor, travelers are better off announcing they intend to pay in cash. Taxi drivers may shake their heads, thinking “another dumb foreigner.” They are not supposed to discriminate against those who want to pay in cash. China’s Central Bank issued a warning on this matter at the end of 2020. However, travelers paying in cash may seem odd or inconvenient in China.
Lastly, without a Mobile Phone and Network Connection, You Can’t Even Go to the Bathroom
As we emphasize the necessity of having a working mobile phone while traveling in China, Natto Thoughts’ friend shared a bathroom story making this point even more serious. At a popular mall in a second-tier city in China, our friend went to use the facilities and found a toilet paper dispenser that says “free toilet paper” but asks to scan a QR code before dispensing that free paper. The QR code requires bathroom goers to log into WeChat accounts that lead to a website playing a commercial video claiming to be about environmental protection. Indeed, the so-called “cloud toilet paper” machine read, “Scan QR code for toilet paper, new ways for environmental protection.” If this was all for environmental protection, we could understand and sacrifice the urgency of our bathroom needs. However, collecting bathroom goers’ social media account information and other information may be worth more than the free toilet paper to the authorities who installed the machine. Natto Thoughts would like to remind all travelers bound to China: “bring your own toilet paper.”
What Now - Recommendations
If you are still here and thinking to plan a China trip, Natto Thoughts suggests you take the following recommendations into your travel consideration:
“Burner” Devices: consider using devices other than their everyday ones (a.k.a. “burners”). The safest method of communicating while overseas is to obtain a new phone with no connection to your personal or professional life. This phone can then be discarded at the end of the business trip. Natto Thoughts suggests using a burner phone with a US-based Internet service provider (ISP). Purchasing a local Chinese SIM card is likely to require real-name registration. US-based ISPs such as AT&T often have data roaming services in China. Users of those services will not be blocked by China’s Great Firewall , according to the on-the-ground experience of Natto Thoughts’s friend. Popular sites, such as Google, Facebook, and Twitter can be accessed through roaming services.
Alternative Communication Methods: Consider using encrypted communication methods. Applications such as Signal or Wickr may provide safer communication avenues for important or sensitive communication.
Sanitize: If you take your regular devices, remove any documents or contacts lists containing sensitive or high-risk data before traveling.
Update: Update to the latest available version of software on all devices; this includes all apps on phones and operating systems on phones and laptops. Doing so will prevent attackers from using flaws in outdated systems.
Enable 2-factor Authentication: Use 2-factor authentication when logging in to accounts.
Encrypt: Encrypt all sensitive data. Ideally, use full device encryption on mobile phones and laptops to prevent attackers from stealing devices and accessing files.
Back up Data: Back up all important files in a separate location, such as your company’s cloud storage provider, to ensure travelers do not lose files even if your devices are compromised.
Sign out: Sign out of any online services that hackers could use to compromise your devices.
Use a VPN: Use a personal VPN at all times with all devices, especially if you must connect to public Wi-Fi networks. If possible, connect to a personal hotspot which is inherently more secure than Wi-Fi networks.
Enable Remote Lock and Wipe Functions: Enabling remote lock and remote wipe functions on mobile devices will allow you to hinder thieves from stealing data from stolen devices.
Disable Bluetooth: Disabling Bluetooth will prevent Bluetooth attacks such as Bluejacking and Bluesnarfing.
Avoid Public Charging Stations: Avoid using public charging stations, particularly those with a USB connection, whenever possible, as the security of such ports is unknown.
Store Carefully: Keep mobile devices on your person at all times or, if impossible, in a hotel safe.
Avoid Public Computers. Do not use public computers, such as those in hotels, airports or Internet cafes, for anything personal or relating to the company.
Travel Advice Reference
“Traveling Overseas with Mobile Phones, Laptops, PDAs, and Other Electronic Devices.” US National Counterintelligence and Security Center.
“Cybersecurity Tips for International Travelers.” US Federal Communications Commission.
“Travelling Overseas with Electronic Devices.” Australian Cyber Security Centre.
“International Data Security Guidance.” Harvard Global Support Services.
“China Travel Advisory.” US Department of State