Chinese About To Enact New Cybersecurity Law
The Chinese parliament is about to enact a new cybersecurity law which will force U.S. companies doing business in China to make some ugly choices which could, potentially, affect you.
If Parliament passes the law on Monday November 7th, it will become law.
Foreign business interests (like U.S. tech companies) are sorta unhappy because losing the Chinese market could be huge.
Among the requirements are:
Companies must store data locally, which I assume means in China. A number of (typically repressive) governments such as Russia have recently passed similar laws. The impact of this may include a requirement to change how systems work to create the ability to store data locally based on the locale of the user. A Chinese person in the United States, for example, could have his or her data stored here, but under the proposed law, an American national visiting or living in China would have to have his or her data stored in China. How exactly this works is unclear. For example, if you have a Chinese national who lives in the United States but goes home to visit his or her family in China, do you have to move his or her data? Do you split it up and store part of it here and part there? What happens when that person comes back to the U.S. Many systems may not handle this possibility at all.
Another requirement is to provide encryption keys to the Chinese government so that they can spy on people and eavesdrop on their communications. For companies that use a single encryption key (which of course is a horrible practice but is done a lot), giving the Chinese that key exposes all their customers. What about a company like Whatsapp that has different keys for each message and generate 25 billion messages a day. How would that work? Personally, I would like to see what happens when they give the government 200 billion keys a week. That would be interesting.
U.S. companies are concerned that their market could be impacted since the encryption key requirement seems to apply to foreign companies not Chinese companies. Just like the U.S. complaints that the NSA spying and hacking of U.S. products reduces the foreign market for U.S. products, if U.S. companies have to turn over encryption keys but Chinese companies do not have to, that could have the effect of giving Chinese companies an advantage.
We still do not know what the final version of this bill will look like, but it is certainly a concern for U.S. tech companies.
Information for this post came from Reuters and Techwire Asia.