The Ultimate Aim Of China's 2016 Cybersecurity Law Is Now Clear: Nothing Digital Can Be Secret From The Authorities

from the looking-at-you,-too,-foreign-companies dept

It’s no secret that China is tightening its control of every aspect of the online world — Techdirt has been reporting on the saga for years. But what may not be so clear is how China is doing this. It is not, as many might think, the direct result of diktats from on high, but flows naturally from a massive program of carefully-crafted laws and new government initiatives created with the specific intent of making the online world subservient to the Chinese authorities. Central to this approach is a law passed three years ago, generally known in the West as “China’s cybersecurity law“.

A review of the law in 2017, by the New America think tank, brought some useful clarity to complicated political landscape. It names a number of powerful players involved, including the Cyberspace Administration of China, the Ministry of Public Security, the Ministry of Industry and Information Technology, the country’s military and intelligence establishment, and BAT — Baidu, Alibaba, Tencent — China’s Internet giants. The legal framework is also complex. The 2017 article picks out six “systems”: the Internet Information Content Management System; the Cybersecurity Multi-Level Protection System; the Critical Information Infrastructure (CII) Security Protection System; the Personal Information and Important Data Protection System; the Network Products and Services Management System; and the Cybersecurity Incident Management System.

Clearly, there’s a huge amount of activity in this area. But because of the many interlocking and interacting elements contributing to the overall complexity, it’s hard to discern what’s key, and what it will all mean in practice. A 2018 report on the law from the Center for Strategic & International Studies noted that one of the systems — the Multi-Level Protection System (MLPS) — has a far wider reach than its rather bland name implies:

MLPS ranks from 1-5 the ICT networks and systems that make up China’s CII based on national security, with Level 5 deemed the most sensitive. Level 3 or above triggered a suite of regulatory requirements for ICT products and services sold into that CII, including indigenous Chinese IP in products, product submission to government testing labs for certification, and compliance with encryption rules banning foreign encryption technology.

That in itself is not surprising. Governments generally want to know that a country’s digital infrastructure can be trusted. However, it turns out these rules will apply to any company doing business in China:

MLPS 2.0 will cover any industry with ICT infrastructure because it covers the vague category called “network operators,” which can include anyone who uses an ICT system. MLPS 2.0 also appears to have a focus on cloud computing, mobile internet, and big data.

That extremely broad reach has been confirmed following the recent appointment of a big data expert to oversee the implementation of MLPS. The China Law Blog has analyzed several Chinese-language articles giving details of this move, and what emerges will be deeply troubling for any foreign business operating in China:

This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government.

As the China Law Blog explains, this means that there will be important knock-on consequences:

Under the new Chinese system, trade secrets are not permitted. This means that U.S. and EU companies operating in China will now need to assume any “secret” they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all of their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication.

As previous Techdirt posts have reported, China has been steadily moving in this direction for years. Nonetheless, seeing the endgame of the authorities — unchecked access to everything flowing through Chinese networks — confirmed is still troubling. The intentions are now clear, but a key unanswered question is how rigorously the strategy will be enforced. The situation for social media censorship in China gives some grounds for hope. An article on the Asia Dialogue site explains:

Despite the broad and still expanding legal framework, the actual implementation of China?s information control is neither monolithic nor consistent. While the Chinese government is increasingly adept at managing and using new media and advanced technologies to its advantage, it also relies heavily on private companies to carry out government directives on a daily basis.

The same may be true for the implementation of MLPS 2.0 in particular, and China’s cybersecurity law in general. If it isn’t, Western companies are likely to find operating in the country even more difficult than it is now, when it is hardly plain sailing.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “The Ultimate Aim Of China's 2016 Cybersecurity Law Is Now Clear: Nothing Digital Can Be Secret From The Authorities”

Subscribe: RSS Leave a comment
TFG says:

Re: Re: Re: How is it different?

And exactly how is this different than what companies in the US, UK, France, and the rest of the world do?

Why are you phrasing this as a question? Phrasing this as a question creates a connotation, whether you intend it or not, that the lack of a difference means we should not point out the problem. If this is your intent, then kindly begone – you add nothing to the discourse.

If this is not the intent, then I recommend you instead add to the discourse by pointing out the instances of similar behavior by the entities you named, and calling for simultaneous and consistent decrying of these actions.

To actually answer your question: it is different only to the degree in which China has succeeded in their goal. They are much further along than the other entities who are attempting similar things. It is no different in terms of the deserved outcry and pushback against the actions taken. China’s actions should not be ignored, nor should the actions of the entities you called out.

That One Guy (profile) says:

Re: Other than almost entirely?

By all mean, point to the laws in place in those other countries that accomplish the same thing, because while there are a few dangerous idiots knocking around in the US and elsewhere who would certainly like to be able to snoop into any and all electronic data/communications they have yet to manage anything as blatantly intrusive as china has with this.

Anonymous Coward says:

How can a private company that deals, in finance ,stock,s ,investing ,
have servers in china ,
Also the government will have acess it user account,s ,data, passwords.
email,s , personal health data .
Info on stock and shares, buyers, sellers .
This could be used to manipulate the market or make profit,s that would be illegal in the west .
It,s different in the west the nsa or cia does, not expect to have acess to all user or customer data,
companys can encrypt data ,or send it to the cloud
facebook is going to encyrpt messenger data, only its users can read or send messages.
Since the sender and reader each have a private key on their phone.
its even worse than the west ,in that chinese citizens have to install certain app,s on their phone,s .
These apps can be used to record data and audio from the phone,
user location etc
this is the ultimate vision of 1984 ,
or maybe 2024,
total acess to user data on any phone, device and server .
america or the uk does not ask citizens to install apps on phones or pc,s so they cna be recorded and monitored .
its similar to russian law, in foreign company has to give the government acess to servers and user data if it wants to do business in russia .

That One Guy (profile) says:

'Welcome to china, hand over your passwords.'

This means that U.S. and EU companies operating in China will now need to assume any "secret" they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all of their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication.

Delightful, so basically if you want to do business in china you may as well ditch encryption and security entirely, because anything in their reach will be widely known soon enough, it’s only a matter of time.

Operate in the chinese market in exchange for having any and all secrets you might want to keep laid bare on a whim. It will be interesting to see how many companies are willing to take a ‘deal’ like that.

Anonymous Coward says:

Re: 'Welcome to china, hand over your passwords.'

It only applies to communications that pass through China. Smart companies already limit what is allowed to be carried or stored internationally, especially when working in China or India. This will make doing business slightly more difficult, true. Conveniently, the law also effectively legalizes the industrial espionage and rampant IP theft done by, and for, Chinese companies.

Sum Ting Wong says:

"China's cybersecurity law"

China may have better laws than we do protecting the government from any insidious privacy-seekers, but surely we will have a better acronym when we adopt this same sort of law. I’m thinking Protecting the American Nation’s Optimal Privacy Through Internet Communications Oversight Normalization, For Youth, Teens, and Women.

Anonymous Coward says:

I’m curious how this will affect electronics manufactured in China for companies in US and other nations. If those electronic devices rely on security for anything are the certificates, keys and passwords expected to be handed over to the Chinese government even if the devices are not to be sold or used in China? Does this effectively mean that we can’t trust any security-related device manufactured in China?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...