Future Tense

China Wants U.S. Tech Companies to Commit to a List of Rules

Lu Wei, China’s Minister of Cyberspace Affairs Administration, at the World Internet Conference in eastern China’s Zhejiang province on Nov. 19, 2014.

Photo by Johannes Eisele/AFP/Getty Images

“Accept the supervision of all parts of society” may sound like a commandment from a dystopian fantasy, but it’s actually one of six rules that China wants tech companies to agree to as part of doing business in the country’s large market. The New York Times obtained a letter sent to various U.S. tech companies, which essentially outlines a pledge the Chinese government wants them to take, but it’s unclear when companies are expected to respond and what will happen if they don’t.

The document has mostly standard demands: that companies be transparent about data collection from users, store the data securely, let users decide how much personal data they want to share, generally “respect the user’s right to choice,” and patch vulnerabilities as they come to light. But it wouldn’t be a letter from the China Information Technology Security Evaluation Center (presumably under pressure from the government) without some sketchy stuff, right? Right!

The document is explicitly about tech firms “not harming national security.” It asks companies to agree that all data pertaining to Chinese users be stored on servers that are physically in China. And there’s a definite sense that the Chinese government wants backdoors into encrypted data, and possibly even source code for every service.

In the document, companies are asked, “To promise to accept supervision from all parts of society, to cooperate with third-party institutions for assessment and verification that products are secure and controllable and that user information is protected etc. to prove actual compliance with these commitments.”

Gotta prove actual compliance, guys; you can’t just phone it in.

As Ars Technica points out, the document is similar in many ways to agreements Chinese companies have had to make to do business in other countries, like the United Kingdom. The United States also has an opt-in security evaluation program called the National Information Assurance Partnership for Common Criteria.

China’s President Xi Jinping is visiting the White House next week, and minister of Cyberspace Affairs Administration Lu Wei will meet with tech companies in Seattle, where they may be expected to respond to the letter.

In the meantime, the Times reports (hilariously) that, “The Cyberspace Administration of China did not respond to a faxed request for comment on the pledge.”