Implications of a Chinese cryptography-law

Yesterday, June 26, a new law on cryptography was submitted to the Standing Committee of the National People’s Congress for comment and debate. I have just translated the news article about it, and comment on it here. In 2017 a first draft was published with a request for public feedback (including an address for letters and e-mails). I have not been able to find the revised proposal of 2019 yet, and am not sure if it is publicly available. If any expert on the Chinese legislative process can help, I would greatly appreciate it. So it seems a proposal is first drafted, then receives public attention, and interested groups may comment on it. In the next step it is submitted to the National Congress, where representatives again comment on it from the perspective of their constituents. I would assume that the Deliberative Conference also gets to comment, and that related industry associations as well as professors in the respective fields get to comment as well.

Here is the relevant description in the press release, followed by my considerations:

The proposed law classifies cryptography into three types: core, standard, and commercial. “Core” and “standard” cryptography are used to protect national sensitive data, belong to state secrets, and are strictly managed by the department for cryptography. “Commercial” cryptography is used to protect non-state secrets and the data security of citizens, legal persons and other organizations.

In order to simplify market entry, improve impartial supervision, and improve government service (part of the overall reform and opening), and to support the development of the cryptography industry, the overall political mechanisms are defined in the law. They include among others the support for cryptographic research and development, a market regulation for commercial cryptography, financial support, standardization, testing mechanism, voluntary industry testing, etc.

The state will support cryptographic research and knowledge exchange, legal protection of IP rights, support technological advance and innovation, a series of prizes and awards for best practice, and improve education about cryptography. It is also regulated that no organization or individual is allowed to steal passwords or illegally intrude into protected information or systems. It is not allowed to use cryptography for illegal activities. Legal responsibilities are also defined in the proposal.

My take on what we get

1. It shows how much the Chinese state is concerned about regulating itself during the current period: two out of three categories concern protection of state secrets, and only one category is used for all types of cryptography, i.e. data protection, in the private sector. This third category goes from self-driving connected cars, to the ubiquitous WeChat (not just data privacy, but also protection from hackers who might steal all the money people store in WeChat or even from the bank accounts linked to WeChat), to any business’ sensitive data protection. The one thing I am not sure about is whether banks are covered by the second category, as they are all state owned. Online banking, especially cell-phone banking, is extremely common in China, so protection from hackers must be of great concern for the Chinese government.

2. Once again China is pushing the development of a future technology. Although cryptography has been around for a long time, in times of AI and crypto-currencies the need for data security grows at a dramatic rate. Unlike before, when economic policy was mostly done through Communist Party initiatives, China is now pushing for more “rule by law”. Therefore it makes sense that this law contains the section which outlines governmental support for the development of this industry. It also means that it is a good time to be in this industry (or to invest in this industry). The Chinese economy is “government-driven” (as opposed to investment-driven or consumption-driven, etc.); that is what all Chinese investors and managers tell me, and they mean it not in a negative way, but simply in an objective way. The smartest choice for investors is to ask which industries governments (national, provincial, regional) want to develop, then invest in them, thereby helping the governments fulfill their targets and getting good returns for it.

3. In the term “knowledge exchange and IP protection” lies the opportunity for foreign companies. There already are some regions, and more will come, which give huge incentives to foreign high-tech companies in order to build up technology clusters. There is the IT cluster in Beijing’s Zhongguancun (built around Baidu), there is an AI technology park in Hangzhou (Alibaba), and there is the Shenzhen IT cluster (Huawei), to name just some examples. I wouldn’t be surprised if some place in China will market itself as the new cryptography valley, trying to attract global talents and companies with massive tax and even direct financial incentives.

4. The very critical part is hidden in just one harmless sentence that seems obvious at first sight: It is not allowed to use cryptography for illegal activities (不得利用密码从事违法犯罪活动). No, I don’t want to be as speculative as some Western media, but if I were a government introducing such a law, I would also want to make sure it is enforced. And here is the legal basis to demand and order access for government agencies to all content protected by “commercial cryptography” (the first two types are only for government data, so the government has access anyway). In consequence, if a social media platform like the Russian Telegram chooses to encrypt all its messages, then it either doesn’t accord with Chinese regulation based on this law and must be blocked, or it opens its encryption to the security agencies of the state. Now, is this a scandal? What I read in Western media is that most people have no doubt the Chinese government already can read all content on social media, including private communication. If that is the case, then the law would merely legalize what is already common practice. So either this new law is no scandal, or the current accusations against the Chinese government were baseless. I personally tend toward the former of the two options, although most of the censorship is not done by the government, but rather by the platforms themselves, because they are also responsible for the content private users post. The encryption law will be implemented the same way: platforms are responsible for the content the users send (AI will help a lot to check), and the government will only do random sample tests.

So overall, how relevant is this new law? I think it is very relevant for people in related industries, because of the stipulated incentive mechanisms and the standardization. The last point may even have global implications, as China is more and more actively pursuing a strategy of defining global standards, so as to avoid dependency on other actors to define standards which the Chinese corporations then just have to follow. For now, cryptography remains rather independent, as applications from social media to SWIFT banking, to other IT fields are quite separated between China and the West. But, for example, network encryption from Huawei’s 5G infrastructure will definitely follow Chinese standards (which probably will be written to no small extent by Huawei). In Africa and BRI countries more and more Chinese encryption technology will become relevant, and looking at the AI cooperation with Israel, the Middle East may also become an area where Western and Chinese cryptography mix. I do not know about the status of cryptography legislation and standardization in the West, to be honest. But it would make sense to engage in constructive dialogue with China, rather than picking fights over small parts of the legislation. Looking at self-driving cars, encryption and data protection will be a matter of life and death. It does make sense to have global standards for such important matters.

Harald Buchmann

Bridge China-European cultural differences within business environments

5 years ago

Here is some English reference on the original draft from 2017: https://content.linklaters.com/pdfs/mkt/shanghai/170502_Cryptography.pdf
