Will China’s New Anti-Terrorism Law Mean the End of Privacy?

A newly drafted Chinese anti-terrorism law, if enacted in its current form, will empower Beijing to expand its already nearly unchecked policing of the Internet to reach web traffic and other online data flows emanating from both domestic and international companies with operations inside China.

Generally, national governments such as those of the United States or Germany may obtain private domestic data only after submitting a formal government request to the holding entity.

If enacted, the law would allow law enforcement personnel to examine such data so long as a terrorist threat were deemed to exist.
(U.S. and German government surveillance of international data flows, by contrast, is fairly unrestricted.) Under China’s draft anti-terrorism law [Chinese], governments could access and examine any private data transmitted through the domestic Internet, without prior notice or court order, so long as it were deemed necessary to facilitate an investigation into potential terrorist activities.

Under the draft law issued by the National People’s Congress (NPC), telecommunication service operators and Internet service providers (together “ISPs”—see Terminology Note for clarification) would be required to install government-accessible back doors and provide encryption keys to public security authorities for any data stored on their servers. The law also requires ISPs to locate their servers and store all P.R.C.-collected user data in China, thereby providing the government the capability to access a wealth of private data, including corporate documents stored on a P.R.C.-based cloud server, or an individual’s personal email or chat logs. If enacted, the law would allow law enforcement personnel to examine such data so long as a terrorist threat were deemed to exist.

(Shutterstock)

Worryingly, this terrorist threat would not need to be demonstrated under the law, nor would companies have an avenue for appeal to protect against government overreach. And because the law would not require the Chinese government to inform a company before or after using such backdoors to examine data, such access could be used surreptitiously to examine private or privileged information on the barest of pretexts. It is perhaps this concern that led President Obama to come out forcefully against the draft law, stating in a recent interview that, if passed, it would “essentially force all foreign companies, including U.S. companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services” and that the Chinese government would “have to change [the law] if they are to do business with the United States.”

Following an appeal by U.S. officials and trade groups, it appears that China has, for now, backed off from its plans to promulgate the law. However, China’s Foreign Ministry has said that “deliberation on this law is ongoing,” raising concerns in the Chinese legal community that a law with similar provisions may be passed sometime this year. Companies with operations in China would be wise to familiarize themselves with the present draft, as its content and context may be instructive for understanding the future direction of China’s Internet policy.

Technology Requirements of China’s Draft Anti-Terrorism Law

Although the draft anti-terrorism law is broad in scope, the specific provisions most relevant to ISPs are contained in the law’s Articles 15 and 16, which would require ISPs to comply with the following rules or face a penalty:

  • Backdoors must be made available to government authorities: Article 15 requires “network and information systems operators” to install “technical interfaces in the design, construction, and operation of telecommunication and Internet [services].” These technical “interfaces” would act as backdoors for government access. China’s law enforcement authorities could use these backdoors to “prevent” or “investigate” terrorist activities. Notably, the draft law does not require Chinese law enforcement to provide any form of notice when using these backdoors to access private data or to demonstrate any connection between the data sought and suspected terrorism.
  • Encryption Keys must be made available to government authorities: Article 15 requires ISPs to “report their encryption scheme” to the “departments responsible for encryption for examination.” No further details are given regarding the scope of this “examination,” but the authority likely to enforce this requirement is the Office of State Commercial Cryptography Administration. Article 16 requires ISPs that provide “encrypted transmission services” to file their encryption scheme with “network communication departments and public security organs,” and to assist such organs—likely the Ministry of Industry and Information Technology, for example—in any subsequent investigative work. Essentially, this provision would require ISPs to provide the encryption keys to relevant government departments for use during any later investigation.
  • All data must be stored locally on servers placed inside China: Article 15 states that any ISP “providing telecommunications or Internet service within the borders of the People’s Republic of China must locate its related servers and domestic user data within the borders of [China].” This data localization requirement follows on the heels of a similar measure in Russia and appears aimed at ensuring that the Chinese government has full access to all information transmitted within its borders. This requirement is in keeping with China’s recent embrace of the principle of “cyber-sovereignty,” which holds, in part, that states, rather than a multilateral coalition of stakeholders, should be free to regulate all content transmitted within their physical, geographical borders. By requiring international companies to place their servers in China, the draft law would ensure that international companies fall under Chinese jurisdiction.
  • Monitoring and reporting of all content on the Internet in China must be enhanced: The draft law also directs ISPs to increase their network security and content monitoring systems in accordance with relevant laws and regulations. If an ISP discovers “information with terrorist content,” then it shall immediately cease transmission of the offending information, record all details related to its transmission, and report the matter to the “public security organs” or “relevant responsible departments.” Chinese law currently requires ISPs to monitor and report a number of forms of prohibited content. Under this provision, “terrorist content” would be added to that list.
  • The Firewall must be strengthened: Article 16 states that “[r]esponsible departments may adopt technical measures to stop the dissemination of information with terrorist content available on the international Internet.” This oblique reference to China’s firewall, one of the few found in Chinese law and regulation, suggests a further strengthening of China’s main tool for censoring overseas content. In addition to the data localization requirement discussed above, this provision suggests that China is taking an increasingly narrow view of content delivered from overseas, which may suggest further openings to international technology companies provided they strictly adhere to Chinese law.

Political Factors Driving the Draft of the Anti-Terrorism Law

(AFP/Getty Images photo)

An anti-terrorism police S.W.A.T. unit performs exercises on the outskirts of Beijing. The Beijing police S.W.A.T. unit was established in 2005 to deal with terrorism and riot control particularly during the Beijing Olympics and unrest in Xinjiang.

The draft of the anti-terrorism law reflects the Party’s concern with two recent developments seen as threatening China’s domestic security.

First, terrorist groups centered in China’s far-west Xinjiang Uighur Autonomous Region have carried out a series of attacks against government and civilian interests over the last two years, including mass knifing attacks at train stations in Kunming and Urumqi and the crashing of a Jeep into a group of pedestrians in Tiananmen Square. Attacks by China’s minority Uighur population on government authorities and ethnic Han Chinese have increased, though specific details of these attacks are generally unattainable given restrictions on the media in Xinjiang.

China’s draft anti-terrorism law is a response to these recent violent events. From a Chinese point of view, the law is necessary to ensure the safety and security of its citizens, and to prevent any form of social instability that may pose a threat to continued economic development or Party rule.

Second, the draft law’s focus on technology reflects the Party’s increased attention to cyber-security following Edward Snowden’s allegations of global U.S. government surveillance. This concern—the idea that the U.S. government has similar data-monitoring practices in one form or another—is a difficult presumption to rebut. China has defended the draft law vociferously at recent press conferences, indicating that the law’s technology requirements are a reasonable response to the current international situation. At one press conference, a Chinese official made a veiled reference to an “other country’s” recent hack of private encryption keys, a not-so-subtle reference to recently published allegations that U.S. and British intelligence had hacked into a private company and obtained the encryption keys to millions of SIM cards used around the world. In a world of such threats, China believes it is justified in seeking clear legal mechanisms to protect and safeguard its national security.

The Draft Law’s Effect on Global Technology

Although it is unclear what shape the draft law will take in its final form, its current provisions are instructive for understanding the direction of China’s Internet policy. If passed, the law would have three major effects on global technology:

  • Cyber-Sovereignty may further wall-off the Chinese Internet. The government’s access rights, data localization requirements, and a strengthened firewall, all found in the draft law, point to a future Chinese Internet heavily monitored by the Party and further splintered from international norms. Along with recent actions by Russia and Iran, such actions portend an Internet balkanized along national lines.
  • International companies will see increased opportunity, but at a high cost. Although China boasts the greatest number of Internet users and mobile device subscribers of any nation on earth, international Internet companies long have faced difficulties providing their services within the P.R.C. As noted above, China’s new approach to Internet management suggests a scheme by which overseas content is increasingly censored while international technology companies are permitted (and likely encouraged) to locate their servers domestically, thereby falling under Chinese jurisdiction. This could mean increased opportunity for global technology companies to offer their products and services within China, provided they agree to follow Chinese law, tantamount, in some cases, to exercising strict self-censorship. Though the conditions under which this access is granted may prove too burdensome for many global technology companies, we should remember that international companies in other sectors have put up with other arguably onerous requirements in exchange for access to China’s large consumer market. These concessions are not the companies’ preference but are deemed a cost of doing business in China.
  • Diminished international markets for Chinese technology companies. Along with the international success of the Chinese Internet giants Tencent and Alibaba, China currently boasts a vibrant startup scene still largely overlooked in the West. As this industry matures, Chinese technology firms looking to grow their international market may find themselves stymied by international consumers or governments unwilling to adopt their products because of security concerns related to P.R.C. government access. This could prove to be a major blow to one of the true bright spots in China’s slowing economy, frustrating efforts by Chinese policymakers to pursue innovation-led development and a “go global” economic development strategy.

A Need for Greater Transparency

Feng Li—Getty Images

Chinese officials have defended the draft by stating that the law, if adopted, would only be used by the public security organs to investigate terrorist activities following a “strict approval process.” However, the draft law—which first emanated from a small group of legislators composed of representatives from the NPC Legislative Affairs Committee, the Ministry of State Security, the Ministry of Industry and Information Technology, the People’s Bank of China, the State Council Legislative Affairs office, and the China People’s Armed Police Force—does not contain any reference to this approval process and Chinese officials have yet to offer further specifics. Although other Chinese laws and regulations permit government requests for telecommunications data, they do not typically set forth the internal approvals process governing such requests.

It is this lack of transparency that undergirds most criticisms of the draft law. Chinese officials have repeatedly insisted that the anti-terrorism law is being drafted in line with international practice, but this is not quite accurate. While it’s true that most international stakeholders recognize that governments have a legitimate need to access privately stored telecommunications data under certain circumstances, this access usually is afforded only after the government has provided a specific legal request to a private company. By empowering government agencies to gain unfettered access to data flowing over the Internet inside their national, physical borders, China’s approach represents a radical departure from current international practice and strikes a heavy blow against individual rights. If promulgated in its present form, China’s draft anti-terrorism law risks causing irrevocable damage to the healthy development of the nation’s IT industry.

To remedy current gaps in legislation, Chinese lawmakers should consider drafting more transparent rules for permitting government access to personal data. As the United States grapples with similar questions in its own Cybersecurity Information Sharing Act of 2014, both countries may find it productive to convene at the international level, along with technology companies, trade groups, and other stakeholders, such as privacy and human rights advocacy groups, to work together to create a set of fair, transparent, and verifiable international guidelines governing government access to private data and providing necessary protections for the rights of private companies and individuals. Although current Sino-U.S. tensions make it unlikely that such an approach would yield an immediate solution, such consultation could, at the very least, help spur discussion and potentially strengthen channels of communication between U.S. and Chinese policymakers in this important area.