Hotels, conferences, and public Wi-Fi

Part 15 of 18, third and last of the travel posts. The day-to-day mechanics — the hotel network, the conference Wi-Fi, the airport lounge, the coffee shop on the way to the meeting. The small kit and habits that compound over a year of travel.

_Part 15 of 18 in the Digital privacy for board directors series._

The first two travel posts covered the strategic layer — country risk, clean devices, selective sync. This post is the daily mechanics. The hotel room, the conference, the airport lounge, the coffee shop between meetings. The places a board director spends most of their travel time, where most of the exposure happens, and where the small habits compound over a year.

I am writing this with the practical expectation that you are travelling several times a quarter, most of the time to tier-one and tier-two destinations, and that the question is how do I be sensible without being absurd.

The hotel network

Three things to know about hotel Wi-Fi.

It is shared. Other guests are on the same network. Depending on the hotel's network design (which you cannot verify), other guests may be able to see traffic, attempt to reach your devices, or, in poorly-configured cases, see your traffic in plain text. The defence is a VPN.

The captive portal is fragile. The page where you enter your room number and email to agree to the hotel's Wi-Fi terms is one of the most-targeted parts of hotel infrastructure. Captive portals have been compromised at major chains in the past; the impact is that a guest's first connection on arrival is on a network that has already been adversarially configured. The defence is to expect the captive portal and then immediately turn on the VPN before doing anything else.

Some hotel networks deliberately inject content. A small number of hotels, particularly in some Asian and Middle Eastern jurisdictions, inject advertising or tracking content into HTTP traffic. The defence is HTTPS everywhere (most major sites are now HTTPS by default; the practical implication is to be wary of any not secure warning your browser gives you on a hotel network).

A sensible hotel-network posture:

Connect to the hotel Wi-Fi.
Open the VPN immediately. Confirm it is active.
Do not do anything sensitive until the VPN is active.
If the VPN does not work — some hotels block VPNs — switch to your phone's mobile data via personal hotspot. The roaming charge is usually less than the alternative.

A small note on VPNs: pick one that is paid-for and reputable. The free-VPN market is heavily compromised. Mullvad, IVPN, and ProtonVPN are the three I would routinely recommend. Cost: £5–10 per month. The corporate VPN provided by your firm is also fine if available.

The hotel room itself

A few smaller practical points that are easy to overlook.

The hotel-room safe is for theft deterrence, not for the state. It will keep an opportunistic housekeeper or thief out for the duration of your stay. It will not keep anyone with authority access out. For tier-three destinations, the device travels with you.

The hotel-room TV is a device. Some are connected to the same network as the hotel Wi-Fi. Some have microphones for voice search. Do not have sensitive conversations directly in front of one. Unplugging the TV at the wall is mildly excessive in tier-one destinations and a reasonable habit in tier-three.

The hotel telephone is monitored at minimum at the switchboard. It is not the channel for confidential calls. Your mobile phone, over the hotel Wi-Fi via VPN, is.

The mini-bar and complimentary water are not security concerns, but the room itself often has more cameras than the guest realises. Smart-TV cameras, sometimes hidden alarm-clock cameras (a documented issue at the low end of the hotel market). For high-risk destinations, a discrete sweep on arrival is not paranoid.

Conferences

Conferences are interesting because they combine high-density of potential targets with low security awareness in the same space. The compromise patterns I see at conferences:

The conference Wi-Fi. Often as bad as hotel Wi-Fi, often worse. Most conference networks have no segmentation between attendees. VPN, every time.

The conference USB. Free USB sticks handed out as schedule guides, sponsor materials, presentation downloads. Each is a potential vector. Take the USB if you must; do not plug it into anything you care about until it has been wiped on a sacrificial machine.

The conference charging station. Free charging desks at major venues are sometimes legitimate, sometimes not. The juice-jacking attack pattern is real. A wall socket and your own cable, or a USB data-blocker, removes the risk.

The badge scan. Your conference badge has a QR code or RFID chip that is scanned by every booth you visit and that has links to your contact information, employer, and seniority. The data flows to a marketing list. For most conferences, this is the deal. Be aware that the list is shared with the conference's commercial sponsors and may, depending on the conference's data handling, end up in places you did not expect. The defence is to know what is on the badge and to decide whether you are willing to have it scanned.

The conversation in the public space. Restaurants, hotel lobbies, conference cafes. The people who can hear you include other attendees, journalists, and (occasionally) people specifically there to listen. The thing I would not say in a press interview, I do not say in a hotel lobby is the right rule.

The airport lounge

A short paragraph. The lounge Wi-Fi is shared; use the VPN. The lounge is full of business travellers and is a target for opportunistic shoulder-surfing. A privacy filter for your laptop screen (a film that narrows the viewing angle so people next to you cannot read) is £25 and worth it for any director who travels regularly. The first time you spot another traveller staring at your screen, the filter pays for itself.

The coffee shop on the way to the meeting

The most ordinary case and one worth thinking about. You have a meeting at 11 and you arrive at a coffee shop at 10:30 to read the briefing on your laptop.

The coffee shop Wi-Fi is, in practice, fine for general use over a VPN. The screen is exposed to whoever is sitting at the next table. The conversation is exposed to whoever is sitting near. The trip is short and the exposure is bounded.

The discipline:

VPN before opening anything.
Privacy filter on the screen.
Briefing read on the laptop, not printed out and left on the table.
The phone screen-locked when you step away to order a refill.
Any sensitive call taken outside, not at the table.

The small kit

Five items that, together, cost about £200 and last several years. Worth carrying for any board director who travels.

1. A USB-A and USB-C data blocker (£10 each). 2. Two wall-socket plug adapters for the regions you most travel to (£10–20). 3. A laptop privacy filter (£25–40). 4. A small lockable cable lock for the laptop in the hotel room (£20). 5. A small Faraday pouch for the phone when you do not want it to communicate (£15). Particularly useful for the I am in a confidential meeting and want to be sure my phone is not listening moment.

What this month looks like

Two short pieces of work.

One: if you travel monthly, assemble the small kit above. The plug adapter, the privacy filter, the data blocker. Total cost £100 or so; durability several years.

Two: if you do not currently have a paid VPN, take out a subscription with one of the three reputable providers I named earlier. Configure it on your phone and laptop before the next trip, not at the destination.

In nine weeks: the fifth and last children-focused post in the series — the AI year, deepfakes, and what changes for children in the era of generative imagery.