As the United States debates whether police should have guaranteed access to encrypted products like your iPhone or Android device, Beijing’s new technology policies—part of a broader law that passed on Sunday to combat terrorism in the country—are sure to spark renewed hand-wringing in Silicon Valley over whether and how U.S. firms should even operate in China.
Adam Segal, director of the Council on Foreign Relations’s Digital and Cyberspace Policy Program and Maurice R. Greenberg Senior Fellow in China Studies, believes that U.S. companies are right to be worried.
In an interview with the Daily Dot on Tuesday, Segal—the author of the forthcoming book The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age—explained what the new law contains, what aspects of it remain uncertain, and how China’s interest in encrypted technology fits into its longtime strategy of regulating speech within its borders.
Where did this law come from? What is its political context?
Adam Segal: It comes from both an objective sense that the security risks to China are growing—from an external security risk, and seeing what’s happened in France and in the U.S. and the threat from ISIS and other terrorist activities—but also from a consolidation of power under [President] Xi Jinping and a real crackdown on dissidents and other organizations.
Does this law have any buy-in outside of President Xi’s regime? Do domestic businesses like it?
The Chinese public is probably pretty convinced of the threats. There have been a number of attacks that were perpetrated by Uyghurs in China. The U.S. and others have criticized China for its policies in Xinjiang and don’t believe that these are necessarily motivated or influenced by outside groups, but the Chinese public is going to think that Xi Jinping and the regime are doing the right things to secure the country.
Have you seen the text of the law? How forthcoming are Chinese authorities being about its exact contents?
There is a Chinese version of it [that has been] posted. I can send you a link to people who have started translating it. … I skimmed the tech parts of it. I haven’t read the entire thing.
China says U.S. companies don’t have to worry about backdoor mandates. Is that in the law?
It does not say “backdoors.” But there’s certainly enough in there that will worry the foreign companies. The language [in Chapter III Article 18] is, “Telecom operators and Internet service providers must provide technical interface, decryption, and other technical support to the public security bureaus and the state security organs.” Those are broad enough and vague enough that, even if they don’t ask for a backdoor, they may ask for decryption keys. Foreign tech companies are still going to have plenty to worry about, and there will be plenty of pressure on Apple and others to provide some type of access to the security agencies in China.
Of course, Apple has end-to-end encryption, so they can’t provide any keys. Do you think Beijing can use its new law to demand that Apple build a special, China-only encryption scheme that can be backdoored?
We seem to be on a road of eventual confrontation between the Chinese government and Apple. Apple may have to make a decision about what it’s going to do to remain in the China market like lots of other companies. So far, it hasn’t been explicitly laid out that way. The Chinese government hasn’t said, “We’re not going to allow end-to-end [encryption],” but that clearly seems to be the trend. I’m sure that U.S. tech companies that are providing [end-to-end encryption] are beginning to think that they may be facing a “high noon at the O.K. Corral” kind of moment.
A Chinese government spokesman compared this new law to the Communications Assistance for Law Enforcement Act. Is that a valid comparison?
In the sense that … the Chinese are clearly following the U.S. debate, and they are clearly aware that U.S. and other foreign government law allows for access to communications for national-security and law-enforcement reasons. To the extent that [China knows about] CALEA and all the other provisions that the U.S. government has for that [purpose], the Chinese are going to say, “Look, there are legitimate security concerns.”
They are clearly following the debate on encryption as well, and [they] have—in the counterterrorism law, in the cybersecurity law, in the national-security law—often said, “We are not going to allow for double standards and [for] the U.S. to criticize us for doing things that are also being debated in the U.S.”
How hard is it going to be for U.S. businesses to comply with this law, given what you’ve said about the government’s opaqueness? What is the implementation of this law going to look like, and how will that affect foreign businesses?
We don’t know yet. Part of the confusion and problem for U.S. companies is always that Chinese law tends to be written fairly vaguely and broadly, and then implementation comes down to how individual agencies and, in some cases, provincial governments and local governments interpret it. The companies are not going to know yet. Even if they have a sense of what the intention of the policy is, they’re really not going to have a very clear idea of how it’s going to be implemented.
In some cases, you’ll see that agencies or specific ministries will basically choose to ignore implementation. It’s both a question of interpretation and implementation.
Might we see companies start to do things and wait until the government tells them to stop? Or will they wait for ministries to lay out a timeline for implementation?
The ministries will issue guidelines or draft policies and say, “This is how we’re going to do it.” In best-case scenarios, they ask for feedback; the companies will often have an opportunity to provide feedback on implementation. Worst-case scenario, they just put it up on the website and say, “This is what we’re doing.”
At the end of the day, is this law going to expand Chinese government surveillance? Will they make use of it to expand how they can enforce their censorship and repression?
Not particularly. There’s not a lot of technical detail. What they already have in place on the surveillance and censorship side doesn’t seem to change. There [are] more explicit provisions about when they can cut off regions from the Internet completely. They’ve done that in Xinjiang in the past. So it gives [Beijing] more legal standing for that. But there’s nothing particularly new, except on the foreign side, about what the Chinese have already been doing. Much of it is kind of making legal what was already happening.
How would you situate this new law in the context of the Western debate about law-enforcement access to encrypted communications? Is this likely to make a difference in that debate?
I think it has some effect, at least on atmospherics. Certainly, no U.S. government officials want to be compared to a member of the Chinese Communist Party. I think it also allows the supporters of encryption—one of [their] stronger arguments is to say, “Look, what we do domestically has ripple effects internationally. We don’t want to provide justification to more repressive regimes.”
I think the most direct effect on how this all games out is going to be on the companies. They’re going to have to explicitly make some decision about “What are we going to do in the China market?” Because I can’t imagine that it’s going to be very easy for a U.S. company to justify giving the Chinese some kind of technical access, or some help in decrypting, and then turn around and say, “Well, we’re not going to do it for the U.S. government.”
That, I think, is going to be a very difficult position for any U.S. company to be in. That is probably the scenario that the companies are very worried about.
Is this law going to change the calculus for companies debating whether to operate in China? It’s a gargantuan market, and every company wants access to it. Does something have to give at some point? Does Beijing yield to outside pressure in order to give its citizens better tools and quality of online life, or do companies yield in order to make more money?
The history, over the last 20 to 30 years, has been [that] companies have been willing to compromise, that the market has always [been] seen [as] too big an opportunity to give up. Besides, it must be very hard for a company’s CEO or board to say, “Oh, we have no China strategy.” So they have had to make compromises to operate in the China market.
The issue has been so far that companies have tried to basically operate in the China market under the same terms as they operate everywhere else, for cost reasons and for precedence. It could be [that] we’re reaching a point where companies are going to have to make a decision [about] if they’re going to fork their product lines and have one set of products for China and one set for the rest of the world.
LinkedIn operates in China, but LinkedIn in China operates under different conditions than it does in the rest of the world. If Facebook were to ever go into China, it would clearly have to make a similar decision. Companies may have to make that kind of decision as they go forward.
Does China want the kind of access to encrypted products that the U.S. and other governments want? Has it waged a similar campaign to get that access? How would you compare the U.S. “crypto wars” to what’s going on in China?
There is no encryption debate in China, publicly, as far as I can tell. We do know that the Chinese have conducted man-in-the-middle attacks on Apple and others, and there is a state encryption bureau that works on it … domestically. The Chinese, for a long time, even before [Edward] Snowden, have assumed that there were backdoors in U.S. products. That was just kind of the working assumption. And Snowden just reinforced that for them. What kind of capabilities they have in breaking encryption, what kind of agreements they might have with their own companies, none of that [information] is publicly available.
Illustration via Max Fleishman