China's new cybersecurity rules ban foreign companies from using VPNs to phone home

For decades, it was a commonplace in western business that no one could afford to ignore China: whatever problems a CEO might have with China's human rights record could never outweigh the profits to be had by targeting the growing Chinese middle-class.

Businesses tied themselves in knots trying to reconcile this. Exactly 15 years ago, I challenged the Chairman of Google's Board at the Web 2.0 Conference over his company's decision to censor its search-results to help the Chinese state suppress political dissidence (his excuse: censoring search results delivered a "superior user experience" because including sites blocked by the Great Firewall in search results would just frustrate Chinese users who tried to click on them). The real reason? Yahoo was in China, and in 2004, if you wanted to get Google to do something stupid, all you needed to do was get Yahoo to do it first.

Two years later, we learned that Yahoo had secured their commercial future in China by helping the Chinese state target dissidents' Yahoo Mail inboxes, so that Yahoo's users could be kidnapped and tortured for their political activities.

Five years after that, Google disclosed that Chinese spies had hacked Gmail in order to continue their surveillance of pro-democracy activists, and revealed that this was the reason the company had pulled out of China altogether. Google co-founder Sergey Brin, a Soviet refugee, could not stomach being a party to repressive state surveillance.

But since then, Google has embarked upon a secret project to re-introduce a censored/surveilling search tool to the Chinese market.

Google's not alone. Apple is totally dependent on China, both for customers and for manufacturing, which is why it agreed to remove all functional VPNs from its App Store, leaving only those that had backdoors for Chinese spies.

Now, with the Hong Kong uprising in full swing, Apple has caved in and blocked an app that let Hong Kongers avoid the city-state's murderous police thugs.

Not just Apple, either: basketball fans have been disgusted to watch the NBA (also totally dependent on China for broadcasting fees and merch sales) censor its fans and owners who voiced support for Hong Kong's pro-democracy movement.

All along, businesses have insisted that if only we were patient and allowed them to make billions from China, China would "westernize" and embrace an open and free political model that would justify all those petty and gross human rights abuses that western companies profited from.

The tacit quid-pro-quo for that support was that China would leave its western collaborators alone, at least outside of China. That's what made the Gmail hacks so shocking, after all — breaking into Google's servers was a violation of the unspoken deal between China and Google. Likewise the outrage over the NBA censoring American fans and owners — it's one thing to sanitize your in-China offerings to appease the murdering autocrats of China, but another thing entirely to allow those war-criminals to reach into America and decide who may speak and what they may say.

But China was always going to embrace-and-extend its reach over western companies, and this is just the beginning.

The latest move is the long-threatened extension of Chinese spying powers over foreign companies, whose employees are to be prohibited from using working VPNs to communicate with their non-Chinese offices. These employees will now be left to use the same censored internet as Chinese citizens, and every trade secret and confidential communique they transmit to their home offices will be open to capture, inspection and use by Chinese authorities and the state industries they have long supported by funneling proprietary foreign corporate data to domestic competitors.

The Chinese "Cybersecurity Law" enables Chinese authorities to access any data on any server or personal computer, even those used by foreign firms. Moreover, a new Foreign Investment Law that takes effect in 2020 will eliminate any special dispensations currently enjoyed by foreign firms (for example, foreign firms are presently exempt from rules that allow the Chinese state to insert political appointees within the executive ranks of companies to monitor their operations — this will no longer be the case as of Jan 1).

As Steve Dickinson points out on the China Law Blog, the ability of Chinese firms to spy on all communications between Chinese and offshore offices of US firms compromises US companies' ability to comply with US laws restricting the export of "sensitive technologies" — the fact that the Chinese state can simply plunder these technologies from US companies' servers means that whether or not the US companies turn their trade secrets over, they can still be presumed to be in the hands of the Chinese state and military and the Chinese companies that are closely aligned with them.

Under the new Chinese system, trade secrets are not permitted. This means that U.S. and EU companies operating in China will now need to assume any "secret" they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all of their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication. Since no company can reasonably assume its trade secrets will remain secret once transmitted into China over a Chinese controlled network, they are at great risk of having their trade secret protections outside China evaporating as well.

The U.S. or EU company may have an enforceable agreement with the Chinese recipient of its confidential information. So trade secrecy is protected with respect to that authorized recipient. But if the secret is easily available to the Chinese government, there is no real trade secret protection.

By giving the Chinese government and its cronies full access to its data, the U.S. or EU company may very well be deemed to have illegally exported technology to China and it could face millions of dollars in fines and even prison sentences for some of its officers and directors. There is an inherent conflict between foreign laws mandating a company not transfer its technology and China's laws which effectively mandate that transfer.

China's New Cybersecurity Program: NO Place to Hide [Steve Dickinson/China Law Blog]

(via Four Short Links)