New Regulations Appear To Authorize Chinese Law Enforcement To Hack Into Computers Anywhere In The World
from the everyone's-doing-it dept
A recurrent theme here on Techdirt has been the way in which the West has ceded the moral high ground in so many areas involving the tech world. For example, in 2010, we noted that the US had really lost the right to point fingers over Internet censorship. The moral high ground on surveillance went in 2013 for people, and in 2014 for economic espionage. Meanwhile, the UK has been shown to be as bad as the most disreputable police states in its long-running blanket surveillance of all its citizens.
The UK's most recent move to cast off any pretense that it is morally superior to other "lesser" nations is the Investigatory Powers Act, which formalizes all the powers its intelligence services have been secretly using for years. One of the most intrusive of those is the power to carry out what is quaintly termed "equipment interference" -- hacking -- anywhere in the world. That means it certainly won't be able to criticize some new rules in China, spotted by the Lawfare blog:
The regulations seem to authorize the unilateral extraction of data concerning anyone (or any company) being investigated under Chinese criminal law from servers and hard drives located outside of China.
Article 9 of the 2016 regulations provides that the police or prosecutors may extract digital data from original storage media (e.g., servers, hard drives) that are located outside of mainland China (i.e., including servers in Hong Kong, Macau, and Taiwan) "through the Internet" and may perform "remote network inspections" of such computer information systems. Remote network inspections are helpfully defined, in Article 29, as "investigation, discovery, and collection of electronic data from remote computer information systems related to crime through the Internet." The only caveat to this grant of authority is a requirement that investigations be subject to "strict standards." No guidance is provided as to what "strict" means.
On its face, the regulation indicates that Chinese officials have authorization to remotely search or extract data anywhere in the world, subject only to the limitations of [China's] domestic law.
If the idea of Chinese government agents hacking into your computer doesn't appeal, well, tough luck: the West is doing it too, so there's really nothing governments there can say that isn't deeply hypocritical. That won't stop them, of course, and it may lead to some nasty international name-calling that could escalate dangerously.
The fact that pretty much all the main players are hacking everyone else like crazy is yet another argument for not weakening encryption anywhere. However much certain politicians might want magic crypto systems that only let in the good guys and always keep out the bad guys -- perhaps by invoking the necessary hashtags -- they simply don't exist. Morever, the supposedly clear-cut distinction between good guys and bad guys has been blurred so completely by decades of the West losing the moral high ground here that it's not a very useful way of framing things anyway.