Should we allow our software developer to work remotely from China?
December 23, 2018 1:23 PM

I run a small software startup. One of our devs will be going back home to China for a few weeks. Is it an unacceptable security risk for him to work remotely while he’s away?

There are two parts to my question: (1) is this even possible? (2) Is this a good idea?

Is this possible?
We use Google Suite, and many key pieces of our infrastructure (Jira, Bitbucket) use Google for SSO authentication and login. My understanding is that these services will be blocked by the Great Wall. Does anyone have any direct experience with this kind of situation?

Is this a good idea?
I understand the Chinese government has something of a reputation for snarfing down content from laptops brought into the country. Our dev’s laptop has source code, private keys, and (likely) personally identifiable information from our customers. I’m not worried about the Chinese government stealing our source code (we’re so early and our code changes so rapidly that, meh, whatever). Credentials (especially to access our AWS services) seem like a bigger deal.

Am I being too paranoid? Is there any official guidance or best practices about this? Has anyone been in a similar scenario who can share insights?
posted by awenner to Computers & Internet (7 answers total)
Nope. Not too paranoid: not paranoid enough.

Don't allow him to take his dev laptop to China.

It's our official company policy: we'll give you a laptop that you can carry to China if we think you really, really need one, and you don't have root on it, and it does just a few things.

Here's a guide

You might start clamping down on that PII on employee laptops right now.
posted by the Real Dan at 1:42 PM on December 23, 2018 [31 favorites]

On the PII alone I wouldn't risk that lawsuit. Their data may be compromised in China, but it would be your corporate responsibility to safeguard it, which likely means making sure that its traveling to China fits within the constraints of your privacy policy. If, on the off chance, your privacy policy is broad enough that a room of lawyers says 'fine', realize you will be on the hook if their data is compromised nonetheless. Likewise, you are exposing data structures and stores to a foreign agent, so, depending on what they have time to glean off an employee's laptop, the question then becomes: have you compromised key systems that aren't in China because they now have a roadmap for how your data is stored?

This isn't something that a VPN fixes in this case... you've got way too many issues to work through here...
posted by Nanukthedog at 1:48 PM on December 23, 2018 [7 favorites]

You are not being paranoid enough.

For the sake of simplicity, just assume any data they take to China will be compromised, and that any system they access from China will also be compromised. This is not strictly true, but unless you're prepared to suffer really exciting consequences it's just easier to assume the worst and act accordingly.
posted by aramaic at 6:05 PM on December 23, 2018 [4 favorites]

I think it's the OP article of this post from several months ago, about the concentration camps and other circumstances in Xinjiang, which mentions that the journalist faced compulsory installation of an app on his or her phone upon passing through military checkpoints.

Speaking as someone who has never been to China myself, that says to me that there are no limits to what your employee could be compelled to do... perhaps simply as an aspect of policy or a recent policy change in any given region he passes through, as in Xinjiang, rather than due to particular interest in your developer or your company on the part of the authorities.
posted by XMLicious at 11:58 PM on December 23, 2018

Some of the most important work of software development happens away from the computer.
posted by amtho at 6:42 AM on December 24, 2018 [2 favorites]

Here's a *working* link to a guide from the FBI.

The most pertinent part of it:

Sanitize your laptop, telephone, & PDA, prior to travel and ensure no sensitive contact, research, or personal data is on them. Back-up all information you take and leave that at home. If feasible, use a “clean” laptop, phone and a new email account while traveling. Or if you can do without the device, Do Not Take It!
posted by the Real Dan at 8:14 AM on December 24, 2018
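The FBI excerpt above (sanitize the laptop and make sure no sensitive contact, research or personal data is on it) and the earlier answer's advice to start clamping down on PII and credentials on employee laptops come down to the same pre-travel check: find out what is actually sitting in the developer's home directory before the machine goes anywhere. The script below is an added example, not from this thread or from the FBI guide. It walks a home directory and flags long-lived AWS IAM user keys (access key IDs starting AKIA) separately from temporary STS credentials (starting ASIA), detects private keys and whether they are passphrase-protected (including the openssh-key-v1 ciphername check), finds access key IDs pasted into project files such as .env, and treats a data file with many distinct email addresses as a likely customer export. The directory layout, the 20-address threshold and the fixture it builds are assumptions made here; the key values in the fixture are AWS's published documentation examples, not real secrets.

```python
"""Pre-travel residue audit for a developer laptop. Added example: paths, thresholds and the
demo fixture are assumptions; the key values below are AWS documentation examples, not real."""
from __future__ import annotations

import base64
import configparser
import re
import struct
import tempfile
from pathlib import Path

# AWS access key IDs: AKIA = long-lived IAM user key, ASIA = temporary STS credential.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PEM_PRIVATE = re.compile(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PII_EMAIL_THRESHOLD = 20   # assumed: this many distinct addresses in one data file = customer export
SKIP_DIRS = {".git", "node_modules", ".cache"}


def classify_aws_credentials(text: str) -> list[tuple[str, str]]:
    """Rate each profile in ~/.aws/credentials: long-lived keys HIGH, STS credentials INFO."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    out = []
    for p in cfg.sections():
        key_id = cfg[p].get("aws_access_key_id", "")
        if key_id.startswith("AKIA"):
            out.append(("HIGH", f"profile [{p}] holds long-lived IAM user key {key_id[:8]}..."))
        elif key_id.startswith("ASIA") or cfg[p].get("aws_session_token"):
            out.append(("INFO", f"profile [{p}] holds temporary STS credentials (self-expiring)"))
    return out


def private_key_is_encrypted(text: str) -> bool | None:
    """True/False for a PEM or OpenSSH private key; None when the text is not a private key."""
    m = PEM_PRIVATE.search(text)
    if not m:
        return None
    kind = m.group(1).strip()
    if kind == "ENCRYPTED" or "Proc-Type: 4,ENCRYPTED" in text:  # PKCS#8 / legacy PKCS#1 with passphrase
        return True
    if kind == "OPENSSH":  # openssh-key-v1: magic, then length-prefixed ciphername ("none" = unencrypted)
        raw = base64.b64decode("".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if raw.startswith(magic):
            (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
            return raw[len(magic) + 4:len(magic) + 4 + n] != b"none"
    return False


def audit_home(home: Path) -> list[tuple[str, str, str]]:
    """Walk a home directory; return sorted (severity, relative_path, message) findings."""
    findings = []
    for path in home.rglob("*"):
        rel = path.relative_to(home).as_posix()
        if not path.is_file() or path.stat().st_size > 2_000_000 or SKIP_DIRS & set(rel.split("/")):
            continue  # skip directories, huge files (disk images, archives) and vendored trees
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if rel == ".aws/credentials":
            findings += [(sev, rel, msg) for sev, msg in classify_aws_credentials(text)]
            continue
        enc = private_key_is_encrypted(text)
        if enc is not None:
            findings.append(("MEDIUM" if enc else "HIGH", rel,
                             "private key is passphrase-protected" if enc else "private key stored UNENCRYPTED"))
        for m in AWS_KEY_ID.finditer(text):
            findings.append(("HIGH" if m.group(1) == "AKIA" else "INFO", rel,
                             f"AWS access key ID {m.group(0)[:8]}... embedded in file"))
        if path.suffix.lower() in {".csv", ".json", ".sql", ".txt"}:
            n = len(set(EMAIL.findall(text)))
            if n >= PII_EMAIL_THRESHOLD:
                findings.append(("HIGH", rel, f"{n} distinct email addresses: looks like a customer export"))
    return sorted(findings)


def build_demo_home(root: Path) -> Path:
    """Write a constructed fake home directory; nothing in it is a real secret."""
    home = root / "dev"
    for d in (".aws", ".ssh", "projects/app", "Downloads"):
        (home / d).mkdir(parents=True)
    (home / ".aws/credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "[sso-temp]\naws_access_key_id = ASIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLETOKEN\n")
    blob = base64.b64encode(b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none").decode()  # header only
    (home / ".ssh/id_ed25519").write_text(
        f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----\n")
    (home / "projects/app/.env").write_text("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAPP_ENV=dev\n")
    rows = "".join(f"{i},customer{i}@example.com,555-01{i:02d}\n" for i in range(25))
    (home / "Downloads/customers.csv").write_text("id,email,phone\n" + rows)
    return home


def run_demo() -> dict[str, int]:
    """Audit the constructed fixture, print each finding, return finding counts per severity."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_home(build_demo_home(Path(tmp)))
    for sev, rel, msg in findings:
        print(f"{sev:6} {rel}: {msg}")
    return {sev: sum(1 for s, _, _ in findings if s == sev) for sev in sorted({s for s, _, _ in findings})}
```

Run it against a real machine with audit_home(Path.home()). A clean result is a necessary condition for the laptop to travel, not a sufficient one: browser sessions, password-manager vaults and cached SSO tokens are outside what this scan looks at, which is one more argument for the separate, minimal travel laptop described in the first answer.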

posted by oceanjesse at 2:26 PM on December 25, 2018
