Tea Leaf Nation
The ‘Chilling Effect’ of China’s New Cybersecurity Regime
A new draft law may stymie domestic innovation and trample on citizens’ rights, experts say.
This article has been updated to reflect additional responses.
On July 6, China unveiled a sweeping new cybersecurity draft law, which, due to the structure of China’s law-making process, will likely be made into law with few changes. The bill comes amid increasing global concerns over cybersecurity, as well as rising tension in the U.S.-China relationship, as some in the United States have blamed Beijing for a massive cyber hack of the U.S. federal government which compromised the personal information of millions of government employees. The draft law also follows on the heels of a new national security law China adopted on July 1, which state media claimed would “protect people’s fundamental interests.” But both laws have raised fears may place even tighter control on civil society there, as well as make unreasonable demands on foreign companies doing business with China.
To probe the implications of China’s cybersecurity bill for both Chinese citizens and the world, Foreign Policy solicited opinions from several experts. Sophie Richardson is China director at Human Rights Watch; Sharon Hom is executive director at the New York-based organization Human Rights in China; Jennifer Zhang is a researcher at the Transparency Project at the University of Hong Kong’s Journalism and Media Studies Center.
FP: How will this law affect the lives of ordinary Chinese citizens? How will it affect freedom of expression?
Sophie Richardson: There are several aspects of the draft Cybersecurity Law that pose serious threats to fundamental human rights. Article 1 emphasizes the protection of “internet sovereignty,” a term that has been used to justify increasing state control over online speech. Other provisions increase surveillance of the Internet for overly broadly defined security reasons without establishing effective privacy protections, increase requirements for companies to censor online speech, heighten a demand for companies to require real-name registration by users, and stipulate that user data must be stored in China.
If adopted as drafted, the law will likely further stifle on-line speech, particularly as it increasingly denies users the anonymity critical to avoid harassment by the authorities. While some of the draft law’s restrictions are already being imposed, in practice, enforcement of these rules has been uneven. The new draft law appears to be aimed at legitimating many ad hoc practices. Chinese netizens have made remarkable use of the available limited space to hold officials to account, publicize injustices, share information, and mobilize public opinion. In effect, one of the only means available to people in China to seek accountability or transparency from the state, or to peacefully communicate without threat of reprisal, is at grave risk.
Jennifer Zhang: On one hand, the draft law sets up a fairly comprehensive personal data protection regime and requires Internet companies to ensure user information security during the data collection and retention process. But on the other, the law reinforces real name registration, requiring users to provide real identity information when signing service agreements to ensure the traceability of Internet content. Real name registration may increase the risk of identity thefts and personal data leakage — South Korea suffered [one of] the worst online data security breaches in history in 2011 after the real-name system was introduced in 2007. It also magnifies the existing chilling effect on social media activists who may need to think twice before posting online due to their personal safety concerns.
Sharon Hom: The draft law contains a familiar list of broad prohibitions on any person and organization using the networks to engage in activities harming national security, propagating terrorism and extremism, inciting ethnic hatred and discrimination, dissemination of obscene and sexual information, slandering or defaming others, and upsetting the social order. Inside the draft law’s ‘Trojan Horse’ purpose to ensure “network security, preserve cyberspace sovereignty, national security and public interest and the lawful rights and interests of citizens” and to “promote the healthy development of economic and social informatization,” its broad and vague provisions give yet another green light to the authorities to trample on fundamental rights of citizens such as freedom of expression, access to information, and right to privacy. Specific provisions that the state protect the rights of citizens, right to privacy, protection of user-identifiable information, and the establishment of a public complaint system ring hollow within a legal and political system that lacks transparency, accountability, and independent institutions.
The record speaks for itself. The prominent Chinese lawyer Pu Zhiqiang — charged with the crime of inciting ethnic hatred and ethnic discrimination for his blog posts about the Xinjiang riots — and the numerous cases of citizens detained for disrupting public order (e.g. for peaceful acts or citizen actions addressing social problems acknowledged by the authorities) reveals the underlying censorship and social control purpose of these regulatory initiatives.
FP: What does the law mean for Chinese tech companies, an increasingly dynamic part of Chinese economy and society?
Richardson: Many provisions in the draft law set out clear requirements for companies to censor and facilitate surveillance of users in China. They will be required to provide unspecified “necessary assistance” to police, when investigating crimes and for “national security reasons,”, to censor “prohibited” messages, and report the incidents to the authorities, along with other undefined “network security incidents.” These terms are poorly defined, but failure to comply with them puts companies at risk of being closed or fined. Some companies may also be required to submit equipment and services to “security inspections” and meet security standards determined by the government. The draft law also echoes other existing requirements that companies install “back doors” so that security agencies can access encrypted communications; doing so undermines rather than enhances cybersecurity.
Read in conjunction with the national security law and draft counter-terrorism law, these provisions raise concerns that the government is imposing additional requirements to make companies complicit in state censorship and prosecution of peaceful speech.
Hom: The draft law envisions implementing its framework through a complex system of coordination, management, reporting, oversight, technical capacity and awareness building; and remedial measures, fines, and administrative and criminal punishment for infractions. This kind of heavy bureaucratic system is likely to present obstacles to generating a climate conducive to innovation necessary for China’s domestic private technology development to be competitive. Can such a cumbersome bureaucracy be effective in the fast-paced technology environment that generates today’s often cross-border cybersecurity threats? Encasing China’s territory within an Internet sovereignty rhetorical shield does not seem very effective against cross-border cybersecurity threats.
Zhang: In general, the draft law imposes more explicit obligations on tech companies to not only protect users’ personal information but also conduct more efficient control of information flow on the Internet, with clear and relatively heavy penalties for non-compliance. This may put local Internet services at a disadvantage if users switch to overseas sites that have liberal user registration and administration guidelines. Additionally, tech companies are expected to receive more regulation and supervision from the Cyberspace Administration [under the direction of China’s Internet czar Lu Wei]. For instance, the storage and transfer of Chinese citizens’ personal information will be subject to the evaluation and authorization of the Cyberspace Administration, which will be legally authorized to order tech companies to stop the transmission of “illegal content” or block its transmission from overseas.
FP: Most of the measures in the law are not new. Among other provisions, for example, the new law grants authorities the legal power to cut area-wide access to Internet to maintain order in the case of social instability. Why is there a need for a law to allow measures that the government already has a history of taking?
Hom: Consistent with the regime’s “rule by law” approach, the cybersecurity draft law, open for public comment until August 5, 2015, sets out a comprehensive framework that essentially legalizes and expands upon current practices, policies, and laws that regulate and control all information flow online and offline. Similar to other current draft legislative initiatives such as those regarding national security, counter-terrorism, and foreign NGOs, the draft cybersecurity law is driven by overarching “national security with Chinese characteristics” concerns.
The draft law also echoes past international efforts by China to promote control over information under the label of “information security.” It greatly expands beyond content to encompass a comprehensive range of restrictions over activities by virtually all persons and entities using networks and systems.
Zhang: China has been eager to claim “Internet sovereignty” since the 18th party congress [in November 2012], with Internet control naturally topping the central leadership’s agenda. The cybersecurity law aims to codify the previously scattered Internet regulation policies and solidify Cyberspace Administration’s status as the leading Internet governing body. The law demonstrates the country’s determination to take a more effective and concentrated approach to make cyberspace a “safe and harmonious” territory.
Richardson: There is no need for these provisions. In the abstract, it’s fine for governments to conform their actions to the law—so long as that law does not legitimate human rights abuses. This draft does little more than pull together measures the government already has a history of abusing.
This draft law reflects a broader pathology of the Xi Jinping government: the desire to create a veneer of legality and legitimacy for profoundly rights-violating behavior. President Xi has described the judicial system as a “knife” which should be “held firmly in the hands of the party.” He considers laws a tool to bolster the ruling Communist Party’s grip on power, rather than to protect people against arbitrary state power, and the slew of national-security-oriented legislation reflects this belief.
FP: What factors seem to be driving the raft of tough new security laws, from a national security law to restrictions on foreign NGOs, emerging over the past few months?
Zhang: The draft law may be seen as China’s official response to both domestic and foreign criticism of its chaotic Internet control measures. By codifying Internet regulations and concentrating the power to the Cyberspace Administration, China is likely to exert a more aggressive posture with more efficiency in governing domestic cyberspace.
Richardson: China’s draft Cybersecurity Law is the latest in a series of pieces of legislation ostensibly designed to strengthen national security. While the Chinese government has genuine security needs, these new laws conflate the security of the state with that of the party, and generally treat peaceful critical speech and activism as national security concerns.
Since President Xi Jinping assumed power in 2013, the authorities’ already-low tolerance for dissent has further diminished, even though Article 35 of the Chinese Constitution guarantees the right to free expression. Since that time, the government and the party have issued directives insisting on “correct” ideology and party supremacy among party members, university lecturers, students, researchers, and journalists. They have also significantly narrowed space for the media and online expression and arrested possibly hundreds of activists, further limiting opportunities for citizens to press for much-needed reforms. Chinese law does not clearly guarantee a right to privacy with respect to government surveillance, and there are no effective means of redress for privacy violations, especially for personal information obtained by the security apparatus.
These recent laws, alongside public rhetoric about threats to national security, reflect a remarkable paranoia within the top leadership. While it is true that China faces a growing number of protests, and has grappled with some violent attacks, it is also true that the government faces no organized, armed threat that would necessitate such emergency powers as outlined in these laws.
Despite this, President Xi has warned fellow cadres that the party’s monopoly on power may not last forever, and later the top leadership issued an internal Document Number 9 warning against the “seven perils,” namely “universal values” such as press freedom and civil society. The top leadership’s sense of crisis has translated into an expanding crackdown on independent voices, even affecting those who have manifestly no interests in challenging the authorities. Feminists planning to put stickers about sexual harassment on buses, an economics professor sparking classroom debate about inter-ethnic relations, or peaceful activists calling for officials to publicly disclose their assets are now seen as threats to national security, and are harshly prosecuted. Ultimately, the Xi government is doing itself a great disservice by eliminating partners in society who would otherwise help tackle its growing list of social problems, from severe pollution to domestic violence.
FP: Will this bill create obstacles for foreign companies trying to do business in China?
Zhang: With the draft law’s obscure obligations, such as the requirement to actively monitor and delete “illegal” content, foreign Internet companies who do business in China will probably face more business and human rights- related questions from concerned shareholders and the public.