# [[Encryption]] in [[China]]

## The Encryption Debate in China

https://carnegieendowment.org/2019/05/30/encryption-debate-in-china-pub-79216 (Selected excerpts)

On one hand, the Chinese government has set out a legal obligation for tech companies to provide access to data for public security and intelligence gathering purposes. This has meant that Chinese tech companies either eschew certain types of encryption or they deploy encryption on commercial products with a backdoor or key escrow. On the other hand, poor cyber hygiene and rampant cyber crime have sparked rising awareness of privacy and a demand for personal information security among Chinese citizens. Very little of China’s encryption debate occurs in public. Much of the existing public discourse involves the Chinese media covering encryption debates in other countries, primarily as a way to justify the policies that China is pursuing. For instance, the Chinese press has drawn comparisons between the decryption provision in China’s Cybersecurity Law and Australia’s 2018 encryption law and the United Kingdom’s 2016 surveillance law. Similarly, in March 2015, in response to U.S. criticism of draft provisions in China’s Counterterrorism Law that appeared to require the installation of backdoors and the reporting of encryption keys, Chinese Ministry of Foreign Affairs spokesperson Lu Kang responded, “If you do some research, you will find no difference between the provision and relevant legislation by western countries. I believe double standards have no place to play on this issue.” The majority of what might be considered the encryption debate in China appears to occur through governmental consultation with domestic actors and, occasionally, foreign actors.
The primary central government agency tasked with regulating encryption is the Office of State Commercial Cryptography Administration (OSCCA), or the Guojia Shangyong Mima Guanli Bangongshi, sometimes alternatively called the State Cryptography Administration (SCA), or the Guojia Mima Guanliju. This agency was established in 2005 and falls under both the Chinese Communist Party General Office and the State Council. It is the administrative office of the Central Leading Small Group on Encryption. The OSCCA plays a prominent role in a broader, more complex regulatory ecosystem. It consults and jointly releases regulations and guidance with other state organs, including the Ministry of Public Security (MPS), the State Secrecy Bureau, and the State Council Information Office. The Cyberspace Administration of China (CAC) plays a role in developing a cybersecurity review regime for network equipment as part of the Cybersecurity Law, though the law mentions encryption only once, calling for carriers to use a procurement framework called the Multi-Level Protection Scheme (MLPS) and to include encryption. Various other regulators and ministries have released drafts of industry-specific implementation guidelines; for example, the People’s Bank of China and the Ministry of Education have released guidelines for the finance and education sectors, respectively. Every province and provincial-level city also has its own cryptography administration, which publicizes, oversees, and enforces central decisions in its jurisdiction. Beyond its aforementioned functions, the OSCCA includes a cryptography research institute, an encryption analysis and testing center, and a dedicated chip laboratory (for secure cryptoprocessors).
It also organizes industry conferences and oversees efforts to create and promote encryption standards in cooperation with China’s Standardization Administration through the Encryption Industry Standardized Technology Committee (or the Mima Biaozhun Weiyuanhui). A large part of the committee’s work seems to be releasing indigenous encryption standards. The encryption practices used for military and party documents and communications are handled by separate systems and suppliers, on which there is very little public reporting. A few other state organs also bear mentioning. The Chinese Association for Cryptologic Research (CACR), or the Zhongguo Mima Xuehui, was established in 2007 to promote cryptographic research. The association currently has about 2,980 individual members and 158 organizational members; it publishes a bimonthly journal and hosts conferences on cryptography. The National Information Security Standardization Technical Committee, or the Quanguo Xinxi Anquan Biaozhunhua Jishu Weiyuanhui, plays an important role in setting technical standards. Over the past several years, the committee has put out nearly 300 national cybersecurity standards, including several related to encryption. Most of these standards are not mandatory, but their adoption may be required for certain sectors under the MLPS or the Cybersecurity Law. While international companies are represented on a number of subcommittees that set standards, the encryption working group (Working Group 3) does not accept foreign members and has a clear bias toward domestic cryptography and encryption.

[Excerpt resumes on the WAPI mandate, China’s indigenous wireless LAN security standard.] According to the mandate, foreign IT vendors would need to work with an approved Chinese vendor to install WAPI-enabled equipment, an arrangement that would expose foreign intellectual property to potential theft.
Intel pushed back against the new regulation, going so far as to announce that it would stop shipments of the Centrino WiFi chip, which at the time was used in half of all laptops in China, according to one estimate. China ultimately scrapped the regulation, but only after the U.S. government threatened to pursue a case at the World Trade Organization (WTO) and the International Organization for Standardization rejected the standard. The capitulation likely indicated a lack of internal consensus within the Chinese government on encryption technologies, at least with respect to the implicit goals of the directive. As Shazeda Ahmed and Steven Weber argue, the fact that the directive regulated the use of encryption in the commercial sector and not in government ministries suggests that economic concerns overrode security concerns as the regulation was being formulated. At the time, foreign IT vendors like Microsoft, IBM, Intel, and Cisco dominated the Chinese IT market, and the Chinese government had clear aims to expand the market share of domestic companies. Moreover, the directive marked the beginning of a series of pushes and pulls between Beijing and foreign companies over China’s attempts to use encryption technology as an exclusionary industrial policy over the next two decades. Even though mandating specific encryption standards has been largely unsuccessful at getting other parties to adopt Chinese encryption standards, Chinese authorities have had greater success at creating mandatory domestic intellectual property requirements in specific sectors. In 2007, the MPS released the MLPS procurement framework, which requires that critical infrastructure and high-risk sectors use domestic IT, including domestic encryption technology.
The MLPS laid out a grading system that ranks the security of network applications based on the risk they pose to national security, the public interest, and social stability: level one denotes little impact, whereas level five indicates an “especially grave” impact. Under the MLPS, operators of systems classified as level three or above are required to use indigenous technology for core systems and to undergo a certification process. For encryption, compliance at level three and above requires the use of Chinese encryption algorithms. The systems classified at level three and above encompass a broad swath of commercial sectors, including banking, finance, communications, commerce, healthcare, and education. The Information Technology Industry Council posited that roughly $35 to $40 billion of the nearly $60 billion China spent on commercial and public sector IT in 2010 fell under the terms of the MLPS. Nearly two decades after Directive No. 273 (the 1999 State Council regulation on the administration of commercial encryption) was formulated, China’s encryption regulatory regime remains a product of the government’s diverging goals. Early attempts at regulation like Directive No. 273 and the WAPI standard mandate appear to have been mainly motivated by economic development goals. Although foreign products may have offered better security, given the immaturity of the country’s domestic producers, economic goals often overrode the security concerns of users and specialized ministries in those early years. The MLPS and especially the 2013 Snowden revelations then shifted the pendulum toward greater Chinese concern about the vulnerabilities that come from dependence on foreign suppliers. Throughout this period, strong opposition from international tech companies and foreign governments led the Chinese state to roll back or slow-walk the implementation of regulations.
Even as China’s regulatory approach to encryption slowly takes shape, the ground under this ongoing debate is shifting, given that Chinese citizens’ views about how their data is used and protected are taking on added salience. The concerns of individual users are gradually taking center stage, and the Chinese government is placing the onus on tech companies to better secure user data. To date, personal data protection standards in China have not kept pace with the growing importance of digital technologies in everyday life. A September 2018 survey found that more than 80 percent of participants reported being victims of data leaks in one form or another. Much of this data ends up on a thriving black market. One 2017 exposé by two Chinese journalists captured the scope of the challenge, reporting that, for a modest fee, they were able to acquire a wide array of personal information on colleagues, including hotel check-in history, apartment rentals, bank deposit records, and even live location-tracking data. In May 2018, China’s first comprehensive standard for data protection, the Personal Information Security Specification, went into effect. It outlines best practices for the collection, use, transfer, and storage of personal data. For data transfer and storage, the specification explicitly requires that companies use security techniques like encryption. The Chinese government is employing a range of means to induce corporate compliance with what is ultimately a nonbinding standard, including by citing violations of the specification during audits and investigations. The specification will also likely provide the basis for the Personal Information Protection Law, which is on the 2019 legislative agenda of the National People’s Congress. Some Chinese companies have begun introducing products with more privacy features in response to these consumer concerns over data protection and privacy.
Huawei has advertised the file-based encryption function on its flagship smartphone, the Mate 9. In a digital ad campaign, the Chinese smartphone maker Gionee emphasized the security features of its M6S Plus model, including a secure cryptoprocessor. Some Chinese entrepreneurs like Yang Geng, the former chief security officer at Amazon China and Xiaomi, have launched start-ups related to privacy and encrypted services. But it is unclear how far the Chinese government will allow companies to go when it comes to encrypting commercial services. Since the 2015 Counterterrorism Law took effect, the Chinese government has gradually outlined a legal obligation for tech companies to provide technical and decryption assistance for public security and intelligence gathering purposes. The 2017 National Intelligence Law further solidifies that obligation, as does the Cybersecurity Law, which requires tech companies to store internet logs of users’ online activity for at least six months to aid law enforcement. Insofar as encryption makes accessing user data more difficult, these laws are likely to deter companies from fully embracing encryption. These legal provisions even seem to be affecting the operational decisions of foreign companies. In response to the Cybersecurity Law, Apple announced in January 2018 that it would migrate iCloud data for Chinese users to a domestic cloud service provider run by Guizhou-Cloud Big Data, a division of China Telecom. The decision seems to have been motivated in part by joint venture requirements and the data localization provision in the Cybersecurity Law, but it appears that the legal obligation to assist Chinese authorities also played a role: Apple later clarified that it would also transfer the encryption keys for Chinese iCloud accounts to China. 
This move is likely to streamline the process of providing user data to Chinese authorities upon request, though some have questioned whether Apple’s joint venture partner can act unilaterally if such requests are made. Notably, unlike major international communications apps like WhatsApp, Facebook Messenger, iMessage, or Telegram, no major domestic Chinese messaging platform has adopted end-to-end encryption, likely because such encryption would make a considerable amount of user data inaccessible to platform operators. Chinese authorities have made their disapproval of end-to-end encryption known, banning two encrypted South Korean messaging apps, Line and Kakao Talk, in 2014. In September 2017, Chinese censors finally blocked WhatsApp, the last Facebook product available in China and the last major end-to-end encrypted messaging service in China aside from iMessage. While multinational firms have traditionally had limited influence on China’s domestic encryption debate, there have been a few instances in which foreign pressure has shaped policy outcomes, such as the eventual decision to discard the WAPI mandate. An early draft of the Counterterrorism Law, for example, stipulated that “telecommunications service providers” and “internet service providers” must disclose their encryption practices to the Chinese government and provide the government with the technical means to continue accessing information on the network. The final provision, after foreign protests, contained a less specific requirement to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.” Foreign firms also had success in suspending banking regulations that would have required banks to allow Chinese regulators to examine their encryption algorithms.
Moving forward, the encryption debate in China will be shaped by a series of factors, including domestic bureaucratic politics; interactions between Beijing and foreign firms; and the interplay between Chinese users’ growing demands for personal security and the Chinese government’s national security demands. The outcomes of the first two are easier to predict. In bureaucratic terms, despite the high-level attention to cybersecurity and encryption policy, the Chinese policy process will continue to be incremental and incomplete. No single agency will have unquestioned authority as various actors, as well as the central government and local authorities, bargain over jurisdiction and influence. Meanwhile, foreign companies are likely to get results at the margins of Chinese encryption policy. Foreign analysts expect that the final form of the Encryption Law will reduce the regulatory burden for using encrypted products in China—a development that foreign companies will welcome. A September 2017 State Council decision to remove the approval requirements for the production, distribution, and use of certain encryption technology was cause for optimism. In addition, the OSCCA’s decision in May 2017 to authorize the Dutch semiconductor manufacturer NXP to develop and produce cryptography products in China—the first time that the OSCCA has granted a foreign company such a certification—also indicated that Chinese authorities might be inching toward liberalizing at least some facets of the country’s encryption regime. There is little reason to believe, however, that Beijing will abandon its concerns about national security or its desire for technological autonomy. In fact, Chinese policymakers are likely to see the trade war and the U.S. government’s efforts to prevent the flow of technologies into China as a justification for redoubling attempts to reduce the country’s dependence on foreign products. 
Indeed, even as China liberalizes certain aspects of the country’s encryption regulatory regime, it might make other aspects more stringent. The latest draft of the MLPS 2.0 procurement framework, for instance, relaxes the domestic intellectual property requirement for level three and above, although it appears to increase scrutiny in other areas and expand the number of sectors that are classified at level three. In short, foreign influence on China’s encryption debate has always been limited, and it will become even more so. It is harder to predict how the interactions between Chinese users and the Chinese government will play out, especially as Beijing envisions its economy and methods of governance as increasingly dependent on big data and artificial intelligence. Even in its more limited form, focused on financial credit history, the social credit system will involve pooling large amounts of data, which could exacerbate public concerns over personal data security. In a more extreme form, the social credit system could connect separate oceans of data to provide comprehensive scores of citizens’ social, political, and financial reliability on a scope that is hard to comprehend. The government’s big data surveillance already appears to have led to massive data leaks. If there are leaks or hacks of such data, and history suggests there will be, Chinese citizens will almost certainly demand greater protections, which could involve the wider use of encryption.

## China’s Privacy Conundrum

https://slate.com/technology/2019/02/china-consumer-data-protection-privacy-surveillance.html

[[Slate]] [[2019-02-07]]