I was surprised by Gurudutt Verma's reply. I too thought the remote_id was a constant value that never changed so that you could trace objects across different sites/databases.
The remote_id is based on a random value and the current timestamp. That in itself wouldn't be a problem if the id didn't change. But it's quite hard to trace objects across databases if their remote_ids don't match.
A remote id indeed should be permanent and never be changed ... BUT ... by default there is no mechanism for having unique remote ids unless you create it yourself. I guess that's why it depends on time and a random number each time it is called. But this should be at least configurable to turn this randomness off in case you have a central registry of these remote-ids ... so Hans, we'll have to eternally remove the malicious code with each update or better, write a small extension which populates a real unique persistent 'remote id' table from our central registry server .... and use our own object transfer methods (outside of the import/export features).