Traveling to China: an honest threat model

A CEO arrives in Beijing with his regular iPhone. WhatsApp doesn’t work. Gmail doesn’t work. LinkedIn doesn’t work. The corporate VPN doesn’t connect either — the port is blocked. He calls me from the hotel room: “Why did nobody warn me?”

The common trap

“China is like any foreign country but with some services blocked. Get a VPN.”

This is a dangerous oversimplification, for two reasons. First, most commercial VPNs are themselves blocked in China — or throttled to the point of being unusable. Second, the threat isn’t just blocked services: it’s an active surveillance environment where communications data is collected, analyzed, and potentially transmitted to state services.

The traveler who arrives in China unprepared is simultaneously cut off from their usual tools and exposed to a level of surveillance they’ve never encountered elsewhere. Without preparation, that combination is operationally paralyzing and a genuine security risk.

What the Great Firewall blocks

The list is long, and regularly updated. Permanent blocks include:

Google (Search, Gmail, Maps, Drive, Calendar, Meet, YouTube, Play Store — the entire portfolio), WhatsApp, Telegram, Signal, Facebook, Instagram, Twitter/X, YouTube, LinkedIn, Dropbox, OneDrive, most commercial VPN services (ExpressVPN, NordVPN, Mullvad, ProtonVPN), Slack (intermittent), and most major international news sites.

For a business executive, this means: corporate email (if Google Workspace), collaboration tools (if Slack/Teams on foreign infrastructure), VPN access (depending on protocol), and essentially all their normal communication channels are non-functional.

What works

WeChat is the central app of daily life in China. For payments, local contacts, communication with Chinese partners — it’s indispensable. But using it carries major security implications: Citizen Lab has extensively documented MSS (Ministry of State Security) monitoring of message content. Conversations on WeChat are not private, even between two foreign users.

Alipay is necessary for payments. Western bank cards are accepted in major hotels and some restaurants, but rejected in most shops, local restaurants, and transit. Alipay is the local standard.

Baidu for local search if you need information in Mandarin.

Certain VPNs on certain protocols: obfuscated tunneling protocols (Shadowsocks, V2Ray, Trojan) resist the Great Firewall better than standard VPNs. They’re used by foreign companies with offices in China. Their legality for traveling foreign nationals is a grey area — unauthorized VPNs are technically illegal in China, but prosecutions of foreign business travelers are rare. In practice, many multinationals use obfuscated solutions to maintain connectivity for their teams on the ground.

The actual threat model

Here’s what Chinese surveillance means concretely for a business traveler:

Passive mass collection. All network traffic in China transits through state-controlled equipment. Metadata (who you call, when, from where, for how long) is systematically collected. For foreign nationals on business travel, this level of collection is a baseline reality, not a hypothetical risk.

WeChat content analysis. Citizen Lab’s research is clear: WeChat analyzes message content to detect politically sensitive topics, prohibited terms, and atypical communication patterns. This analysis is not limited to Chinese citizens — foreign accounts are included.

Local apps and excessive permissions. Chinese apps systematically request very broad permissions (contacts, precise location, microphone, camera, files). These permissions aren’t requested by accident — they reflect Chinese legal requirements for cooperation with security services.

Hotel and public Wi-Fi. It’s reasonable to assume that unencrypted traffic on hotel networks in China is monitored. Hotels are legally required to register with authorities and to cooperate with security requests.

For exposed profiles: a journalist, a lawyer on a case involving Chinese assets, an executive with significant economic interests in China, an activist or researcher on sensitive topics — the risk is no longer passive collection. It’s active targeting: device intrusion attempts, physical surveillance, approach attempts via third parties.

Technical preparation

VPN: test before departure, not after. Your standard corporate VPN has a good chance of being blocked. Options with better success rates: Shadowsocks (open source, obfuscated protocol), Outline (from Jigsaw/Google, consumer-facing Shadowsocks implementation), V2Ray. None are guaranteed — the Great Firewall adapts. Have a backup plan. Best approach: test from a Chinese proxy server before departure, or ask a colleague already on the ground to test the same access.

Dedicated device. For any L2 or L3 trip: a clean laptop and phone, provisioned for the trip, with no company data beyond what’s strictly necessary for the mission. (→ see Travel Laptop article)

Separate accounts for China:

• WeChat: create a separate account for China use, not your usual account linked to your full identity and permanent professional contacts.
• Alipay: separate travel account with funds for the duration of the stay.
• Don’t connect these accounts to your primary identities.

Local apps on dedicated device only. If you need to install Chinese apps (DiDi for transport, Meituan for food, etc.), install them only on the dedicated travel device. Never on your primary phone.

On the ground

Never discuss confidential business over WeChat. Even with trusted partners. Assume content is accessible to state services. For sensitive exchanges, use Signal via VPN if available, or encrypted voice calls.

Sensitive meetings happen outside. Not in hotel conference rooms, not in offices you don’t control. Outside, in open public spaces with ambient noise. This is the standard for diplomats and journalists who have worked in China for years.

Never leave your phone unattended during meetings. Even placed face-down on a conference table while you step out for a moment. Rapid physical access techniques (USB data extraction in a few minutes) are operational.

Be careful with local SIMs. If you buy a local SIM in China, your passport is scanned at purchase and the SIM is linked to your identity. Use an international eSIM pre-purchased before departure instead.

Who faces critical vs. manageable risk

Tourist travel with no sensitive professional data: risks are manageable with basic precautions (working VPN, dedicated WeChat account, clean device). The Chinese state has little interest in tourists with no strategic value.

Business travel with sensitive data: dedicated device required. Dedicated WeChat account. Tested VPN. Sensitive communications via secure channels only.

Journalist, lawyer on China-related case, executive with significant Chinese assets, researcher on sensitive topics: intensive preparation required. Brief with a security expert familiar with the Chinese context before departure. Clean provisioned dedicated device. Re-imaging protocol on return. No sensitive data stored locally during the stay.

On return

Systematic re-imaging of all devices used in China. Never reconnect directly to the corporate network. Devices returning from China or Russia should be treated as potentially compromised until proven otherwise.

(→ see Return from Mission article for the full protocol)

• N1 Understand what's blocked (Great Firewall) before departure
• N1 Test corporate VPN from a connection simulating China
• N1 Have a payment plan (Alipay or cards that work locally)
• N2 WeChat and Alipay on dedicated travel accounts, not primary accounts
• N2 Dedicated clean device without sensitive data
• N2 Local apps installed on dedicated device only
• N2 Never discuss confidential business over WeChat
• N2 Sensitive meetings outside, not in hotel rooms or conference rooms
• N2 International eSIM pre-purchased (not local SIM requiring passport scan)
• N3 Brief with a security expert familiar with the Chinese context
• N3 Systematic device re-imaging on return
• N3 Never reconnect to corporate network without prior isolation on return