As US officials voice opposition to China's draft anti-terrorism legislation, technology companies are caught in the crossfire, increasingly tasked with providing sensitive information about their users to an array of competing governments.
The Chinese legislation would require technology companies to install “back doors” or hand over encryption keys and user information to government agencies. Financial institutions and even manufacturing companies would similarly be required to turn over user data to China.
It is the latest escalation in a race between China and Western governments to enact aggressive surveillance policy. During a press conference last week, China's Foreign Ministry spokesperson Hong Lei said China looked at legislation enacted by other countries, including the US, in drafting the law.
He compared the legislation to the U.S. Communications Assistance for Law Enforcement Act, a wiretapping law that provides hardware and software specifications for telecommunications companies, to make it easier for law enforcement agencies to perform surveillance on telephone and Internet traffic. Lei said, “It is hoped that the US side would respect China's normal legislation, rather than exercise double standards.”
The remarks came less than a week after President Obama signed the Cybersecurity Act of 2015. The legislation, buried within the Omnibus Spending Bill, was criticized by civil liberties groups as an assault on privacy that would do little to increase national security.
Sen. Ron Wyden (D-Ore.) called the legislation “the worst” version of CISA, in a statement. The US does not need “knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review,” he wrote. “Reducing the amount of independent oversight and constricting the scope of the PCLOB's (Privacy and Civil Liberties Oversight Board) authority sends the wrong message and will make our intelligence agencies less accountable.”
China's controversial legislation was tabled in March, under pressure from US officials and business groups. A week after the US enacted its own controversial legislation, China's anti-terror law was back in play.
Notably, the anti-terror law expands the definition of terrorism. The draft defines terrorism as any “proposition or activity — that, by means of violence, sabotage or threat, generates social panic, undermines public security, infringes personal and property rights, and menaces government organs and international organizations — with the aim to realize certain political and ideological purpose.” It is not difficult to envision China using this expansive definition to restrict journalists and other enemies of the state.
“It's a race to the bottom,” said Nathan Leamer, a policy analyst and the outreach manager for the R Street Institute, in speaking with SCMagazine.com. “We've opened the door to other countries racing to pass bad cybersecurity policy.”
US officials' stance against China is further complicated by revelations that the NSA may have been involved in creating a backdoor in Juniper's VPN connection. Juniper issued a security warning and created a patch two years after reports emerged stating that the NSA was involved in creating backdoors in Juniper products.
Morey Haber, VP of Tech at BeyondTrust, believes the backdoor was created to comply with now-expired legislation. In speaking with SCMagazine.com, he said, “Companies the size of Juniper do not put back doors in and not know about that.”
Security researcher Samy Kamkar wrote in an email to SCMagazine.com that legislation allowing government surveillance will pressure individuals to increase encryption, since it makes public the fact of mass surveillance “from various nation states, hacking groups, criminal organizations and others.”
This month, Google's legal director of law enforcement and information security Richard Salgado and senior privacy policy counsel David Lieber announced on the Public Policy blog that the search company has seen a 20% increase in requests in criminal investigations and a 49% increase in the number of individual accounts specified since the last reporting period.
French legislators have been working on legislation that would allow broad surveillance capabilities beyond those approved in France after the Paris terror attacks last month. New measures may include prohibiting free and shared Wi-Fi and prohibiting or attempting to block the anonymous browser Tor within the country – a technically challenging feat that so far only China has been able to achieve. Earlier this year, Russia tried, and failed, to block Tor.
Meanwhile, the UK is considering surveillance legislation that would govern law enforcement hacking.
“If the US is going to enact bad cyber-surveillance legislation,” asked Leamer at R Street Institute, “what is to stop other countries from following suit?”
UPDATE: China's legislature approved the anti-terrorism law.