Central to the recent story of US citizen Ge Xun’s detention in Beijing was his captor’s determination to harvest data from his laptop and other electronic devices, and to obtain login information such as his Twitter password. Other travellers to China face similar but less overt threats, with commercially as well as politically sensitive information at risk of covert interception. By Nicole Perlroth at The New York Times:
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film.
He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop ….”
McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,” said Simon Hunt, a vice president.
As extreme as Lieberthal’s measures may seem, many have questioned whether they go far enough, with Daring Fireball’s John Gruber, for example, pointing to the danger of clipboard loggers. “If your device has been compromised,” he concludes, “there’s no safe way to enter a password.”
Nevertheless, there are other workarounds. For email, for example, Gmail’s 2-step verification system combines a conventional password with six-digit numerical codes generated by smartphone apps, each valid only within a 30-second window: of limited help in the event of physical seizure as in Ge Xun’s case, but a useful additional layer of security in less dramatic circumstances. Other providers such as Fastmail.fm allow the creation of alternative login details such as one-time passwords.
