During a lengthy flight, the passenger sitting next to me and I had a very interesting conversation. Centered around keeping privacy and safety at the forefront of business travel, the conversation touched on several issues that we both had dealt with in the past, namely: how to avoid broadcasting yourself to the bad guys, and, as it is related, how to mitigate the different levels of risk that different locations have when it comes to targeting you.
We both started on the same spot, agreeing that traveling with your personal mobile phone and laptops should be avoided, everywhere, even in those places deemed “safe”. The reasoning, we both concluded, was that if it’s not a government collecting, then it’s a series of other adversaries, such as opportunistic hackers looking to make a buck out of getting your credit card or other important information, social media and big corporations that thrive on selling information, and local thieves trying to steal good hardware and make money selling it. There are more bad guys, of course, but you get the idea.
We agreed that to best mitigate this, you need to have cheap and disposable travel devices that can either be disposed of at the end of the trip, or that could be wiped clean and made ready for the next trip. This will enable two things: 1) if these devices get stolen, well, bad luck but no harm since no personal information can be found there, and 2) since the device would be bare bones with what you need for your trip, if you get stopped and asked by a government official or "another" entity to hand over the device, then you could also hand it over without any worries.
From here we went down the rabbit hole.
We began chatting about collection capabilities, both over the air and on the internet, and the current state of the interconnected world. He ventured into the “people and their data are now the currency of big tech” argument, which has some truth to it, but as he stated it, it is an oversimplification that invites conspiracy theories. We had a healthy argument there. He approached this from a business perspective, since he is part of big tech, and I approached it from the privacy and security side of the equation, since what I do is related to that world. It turns out both sides of the equation feed each other; however, similar to the world of security offense vs. defense, the attackers always have the last word. In this case, data collection organizations always have the latest in collecting technology and methodology. We, on the defense side, always have to play catch-up.
So, going back to traveling with “burner” devices… This conversation really cemented my belief that the age of traveling with devices that contain all your life in them, e.g. your smartphone or personal laptop, is over. We should never allow all that information to exist in one single place to begin with, but it’s so easy to do it (I’m guilty as well) because of the convenience it provides and the readily accessible collection of tools we have in them to get “moar, faster”. It should be avoided at all costs. Traveling should be done with specific traveling devices, empty of anything that doesn't immediately support the trip, and even that information and software should be carefully selected.
The more we move around with our lives in our devices, the more we feed the ability of bad actors to target us. They might not be targeting you specifically because of who you are, but they are collecting, always.
Assess the situation and build a baseline of the things you are willing to give away about yourself, and those you are not. Make sure those things you want to keep from getting out are not on your devices, as you travel, but also generally speaking. Make it a point to not give away personal information unless strictly necessary. For example, mobile phone service providers don’t need your social security number to give you a line, so don’t give it away.
Let’s begin getting smart about how we travel, how we commute, and how we treat our devices.