China’s new cybersecurity law: Don’t claim sovereignty over cyberspace in the name of cybersecurity


By Asheeta Regidi

Edward Snowden’s revelations of NSA surveillance resulted in a spurt of cybersecurity regulations around the world. India responded with the National Cybersecurity Policy in 2013, but this is yet to be implemented. In fact, India is yet to see any effective cybersecurity regulations.

China, on the other hand, went the opposite way, asserting almost a virtual sovereignty over ‘Chinese’ cyberspace. The latest move in this direction is the passing of a highly controversial regulation on cybersecurity in China, a move which has triggered concerns from not just businesses worldwide, but also human rights groups.

Free Access of the internet in China near impossible
Since Snowden’s revelations, China has been taking increasingly stringent measures to protect its cyberspace. It is already known that access to several popular websites like Facebook, Twitter and YouTube is blocked in China. Instant messaging services like KakaoTalk were suspended on grounds of suspicions of terrorist activities. While WhatsApp so far has remained accessible in China, the new regulations are likely to oust that as well. China has also imposed restrictions on online games, app developers and app stores in the name of security. It also prohibits spreading ‘rumors on disasters’, and has gone so far as to detain persons who questioned the official casualty figures of a disaster.

The result is that people are forced to stick to local Chinese services like WeChat. Many people have resorted to virtual private networks to escape the censorship and have free access to information and services, but in 2015, access to VPNs was restricted as well.

China mandates revealing real identity, data localisation and cut-off of internet
The new Chinese regulations only increase the inaccessibility of free internet. The regulations reveal that in the name of cybersecurity, highly restrictive and potentially abusive laws can be enacted. The new Chinese cybersecurity regulations contain several controversial clauses which affect network service providers, technology companies and individual users equally. The fines for not following these rules range from 10,000 to 5,00,000 RMB:

  • Under the new regulations, individuals are prohibited from using the internet in a list of ways, including to ‘overthrow the socialist system’, ‘spread false information which can disturb social order’ and any activity which can affect another’s ‘privacy’, or ‘any other legal rights’. These vaguely worded restrictions leave huge scope for misuse and censorship by the state. Companies are also required to censor any content which is prohibited.
  • Another rule that affects individuals is that collecting real identity information of users, i.e., their names, addresses and so on, has been made mandatory. This applies to any services provided relating to telephone services, network access, publishing and even instant messaging. Companies which refuse to do so cannot operate in China.
  • The new regulations mandate that network equipment and network security products used by network operators must meet national standards. Key network equipment and network security specific catalogs are to be issued. The fear of technology companies is that they will be forced to use only the equipment listed in the catalogs. This can greatly compromise the security of their systems.
  • To be legal, the equipment used by companies must also be subjected to testing and certification requirements. Companies fear that this provision can be used to force them to provide access to their software source code and other sensitive data. ‘Critical infrastructure operators’, a crucial but undefined term, also need to undergo security evaluations at least once a year.
  • Another worrying provision is mandatory data localisation. Any critical infrastructure operators who collect personal data or important business data need to store the data locally. This puts an end to any overseas data storage, a move used by many companies to cut costs and save space. This will also affect the availability of cloud based services in China. An operator needing to transfer data for business purposes can do so only with governmental permission.
  • The critical infrastructure operators and network operators are mandated to provide ‘technical support and assistance’, again with no clarification as to what such assistance encompasses. It could very well include encryption backdoors or surveillance assistance. Higher encryption standards like those used by WhatsApp will probably be illegal. Network operators also need to maintain data logs for at least 6 months.
  • Lastly, the regulation also gives the Chinese government the authority to ‘limit’ network traffic, or in other words, limit or cut off internet access in case of a public emergency. What circumstances justify such a drastic move is also not specified.

India’s laidback approach to cybersecurity

In the cyber age we live in today, mandatory cybersecurity measures are clearly the need of the hour. This can be seen in India’s Draft Policy on the Internet of Things, issued in 2015. This policy talks of using technology to automate critical services like water management, environment management, ambulance services, health monitoring, industrial systems and so on. Integrating all these critical services with technology, however, also opens them to cyberattacks. The policy, however, merely mentions cybersecurity and data privacy.

Even India’s National Cyber Security Policy only talks of cybersecurity as something to be encouraged, not mandated. Unfortunately, even the most technologically advanced companies in India consider cybersecurity only as something good to have, as opposed to a top priority.

The effect of this laidback approach was clearly seen with the recent ATM hacking which compromised the data of almost 30 lakh bank debit cards. This is even though the banking sector is among the few sectors that actually have cybersecurity regulations in place. These regulations obviously did not help either to prevent the breach or to equip the banks to tackle it. The ATM breach, hopefully, has served as a major wake-up call, pressing for stringent cybersecurity measures.

Preserve individual freedom
China’s approach to cybersecurity has practically prohibited any free access of the internet, and has effectively banned free speech as well. China is only more likely to increase its stranglehold over Chinese cyberspace. While cybersecurity is a must today, it should not be at the price of individual freedom. It is hoped that India will come out with effective cybersecurity regulations soon, but ones which will preserve individual freedom, not only of expression but of choice as well.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.
