Ask HN: How to safely collaborate with team member (temp) in China?

by tsenkov on 4/25/2023, 12:06:47 PM with 7 comments
A person goes to China for a month, visiting family and they want to continue to collaborate with team while there.

VPN seems to be a no-brainer, but even in that scenario - VPN's allowed to operate in China, most likely collaborate with the Chinese government?

Is there a secure way to get access to company data and systems of a western company while traveling in China?

  • by hayst4ck on 4/25/2023, 6:50:25 PM

    You could set up your own VPN and if it works great, if it doesn't that's life.

    I think the question that's more important is how big of a target are you? If you/your company/your co-worker are all ultimately nobodies, then it probably doesn't matter.

    If you have highly desirable state secrets or advanced tech, then from a technical perspective you're probably out of luck.

    Your problem might not even be the connection, but the device connecting.

    Chinese (PRC) people will almost all have WeChat on their phone. It's not hard to imagine keeping a list of all Chinese citizens in the US who come back to china, catch messages that say "I have to work for several hours" and launch a targeted attack with Pegasus like software.

    A border agent could say "your data or else."

    If you buy an iPhone in China, that data, like complete backups, is probably open to the Chinese government probably unencrypted. I am not sure what happens when a person who bought an iPhone outside of china and brings it to china, or who sets their locality to PRC.

    A password vault could be compelled to be opened.

    So to answer your question, first we have to understand what you have of value and what your threat model is.

    From an ultra paranoid perspective, no physical device with privileges should enter China and even the employees personal devices shouldn't have anything company related like 2fac codes.

    From a completely practical perspective, connecting to a vpn on a laptop while tethering through a "state approved" vpn is probably fine.

    I think most valley companies would give completely new devices for e-mail and meetings and maybe local development, but completely restrict prod access, then destroy those devices when the employee comes back, but maybe I misremember.

  • by comprev on 4/26/2023, 12:12:16 PM

    Serious question - is the staff member _that vital_ to the company by which they cannot be unavailable for one month?

    The first thing I'd do is involve a lawyer familiar with working for a western company in "hostile" environments and involve InfoSec for a risk assessment.

    Coincidentally I know of a Chinese citizen, living & working in EU (western employer), who needs to be in China for 1-2 months for medical reasons. He casually (well, naively) believes it will be no different to working remote in EU, and therefore not a problem for his employers.

  • by hnthrowaway0328 on 4/25/2023, 1:58:56 PM

    From my understanding companies in China can apply for non-blocking Internet so people can visit Google/Youtube/etc. freely. However, if your concern is that the general Internet in China is not safe enough (monitored), I'm not sure what solutions can solve that. Maybe there is some end-to-end encryption software that you can use?

  • by tsenkov on 4/25/2023, 2:14:34 PM

    Does anyone know if Amazon Workspace hosted in Tokyo, could be accessed from China? Latency to AWS Japan would likely be one-of/or the lowest from China to an AWS datacenter?