Today China began enforcing its controversial new Cybersecurity Law, which broadly demands that multinational companies make data accessible to the Chinese government while strengthening the regime’s control over content found inappropriate. Such measures have been made under the auspices of bolstering Chinese national security, but could have profoundly negative impacts on the free flow of information and commerce. For a better understanding of what the law entails, and its potential impact on political speech and the economic competitiveness of foreign companies within China, revisit The Cipher Brief’s analysis from December.
China’s new Cybersecurity Law, which received parliamentary approval in November and will go into effect in June of 2017, is not necessarily novel. The law essentially requires tech companies operating in China to retain consumer data and provide the state access, while also filtering content deemed illegal. Much like in other countries, China says it wishes to use data to secure the state against terrorist threats and the cyber breaches that plague all modern institutions, both public and private.
The decentralized and global nature of the Internet is both an asset and a burden of our modern era. It provides resilience for our communication pathways and facilitates commerce and cultural exchange, yet also enables abuse like terrorist planning and recruitment, as well as criminal activity on a global scale. Less tangibly, but equally important, it poses serious challenges to traditional conceptions of sovereignty, rule of law, and privacy. Data continuously flows across national borders and is stored on servers beyond individual nations’ legal jurisdictions, creating technical loopholes for predatory actors; all while encryption lends anonymity to dissidents, criminals and terrorists alike.
Governments across the political spectrum—from Russia and China to Western liberal democracies—are seeking to reclaim their sovereignty in the digital sphere. The U.K. will soon implement the Investigatory Powers Act, cynically dubbed the “Snooper’s Charter,” and the U.S. has—among others actions—recently made changes to Rule 41 of the Federal Rules of Criminal Procedure to allow the FBI to hack any number of devices anywhere in the world related to the subject of a single warrant.
So why has the Chinese law drawn so much criticism? What does it actually mean for Chinese citizens as well as both Chinese and foreign tech companies?
In short, the law allows the Chinese regime to codify, and, in turn, further, its current practices of surveillance, censorship, and market protectionism into written policy—explicitly tied to the nation’s national security.
But if it is already common practice, why pass a law? And why pass the law now? Adam Segal, Senior Fellow for China Studies and Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, argues “the law sits at the convergence of two trends. First, the revelations of NSA contractor Edward Snowden and the overall growth of cybercrime,” and second, China “is clearly worried about threats to domestic security.”
This is a two-part conundrum nagging many countries. On the one hand, governments worry that data of citizens being stored abroad allows cyber criminals and foreign intelligence services to access it more easily, while simultaneously making it more difficult for the government itself to access the data.
But on the flip side, requiring data related to Chinese citizens or business operations to be stored on servers within the country’s borders gives the Chinese government unrestricted access to the Internet data of all Chinese citizens—including data held by foreign tech companies—particularly with provisions in the law requiring companies operating in China to lend technical support to security agencies, commonly in the form of weakening encryption through the creation of backdoors. This could not only enable the Chinese government to more closely monitor their own citizens, but could also facilitate surveillance of international consumers of Chinese technology.
Many fear the new law furthers the Chinese state’s censorship regime—commonly known as the Great Firewall of China—by restricting online discussion under the auspices of protecting national unity. Sophie Richardson, the China Director at Human Rights Watch, notes that “Beijing has expanded connectivity primarily for economic reasons, but also as a means to monitor and control individual views.” With this new law, Richardson argues “Beijing wishes to create a veneer of legal legitimacy when it imprisons on-line critics or shuts down companies, and to extend into the digital realm sufficient uncertainty about what might or might not be legal to fuel self-censorship.”
Importantly, China’s censorship regime has led to a ban on foreign Internet firms unwilling to comply with the country’s policies on content removal—most notably Google, Facebook, and Twitter. This has led to domestic firms essentially imitating foreign business models, such as Google’s Chinese counterpart, Baidu, or Renren, the Facebook of China or Weibo and Twitter, while adhering to government restrictions. Search “Tiananmen Square” in Baidu to witness the distinct difference in results from the same search on Google.
But while the fear of surveillance and censorship have distanced many foreign tech companies—allowing China’s compliant tech industry to fill the void—the new law also creates practical burdens on foreign Internet companies to protect China’s market. The data localization measures requiring companies to host Chinese-related data within the country puts a burden on companies who do not already have Chinese data centers. And by requiring companies to store all Internet logs for six months—an enormous financial burden on both foreign and domestic companies for expensive data storage space—this may even hinder the emergence of Chinese tech startups.
Perhaps the most important protectionist policy within the law is the requirement that companies provide their source code so that the government may ensure that it is “secure and controllable.” Alan McQuinn, a Research Analyst at the Information Technology and Innovation Foundation, argues the new law is intended “to restrict, if not outright exclude, foreign technology companies from China, especially given the risks that come from disclosing valuable source code and intellectual property to the government who may then pass it to a local competitor.”
Therefore, it seems that though the Chinese law mirrors, in many ways, attempts by governments worldwide to address emerging issues in cyberspace, the criticisms of the law come down to a fundamental mistrust of the Chinese government. As access to the internet spreads, the questions of national sovereignty in the digital sphere and the transnational flow of data are faced by all nations, and so the policies of Western countries may come under similar scrutiny, lest they tacitly legitimize the actions of the more invasive and controlling regimes of the world.
Levi Maxey is the cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.