China's New Cybersecurity Program: No Place to Hide

661 points| lelf | 6 years ago |chinalawblog.com

313 comments

[+] TheRealDunkirk|6 years ago|reply
It's going to be entertaining to watch my Fortune 250 figure out how to work with this.

We make big, expensive, technical things that have a lot of very-closely-held software on them. One current, big, internal effort is to encrypt the code on the controller, so that people can't dump it, or at least not modify it. What's going to happen when the Chinese government demands to escrow the signing keys for any product sold in their country? I fully expect that they will be handed over. That's pretty much a given. But what if they go further and demand to escrow the source code? That would get really interesting, really fast, for many reasons.

Also, how will they continue to block Skype chat history in the US, based on dodgy interpretations of SOX and related laws, yet allow the Chinese government full access to all the logs? What happens when the CEO chats in China, or someone chats at him from China? I suppose it will be Microsoft to the rescue here, with a giant tick-box in the Skype FOR BUSINESS admin panel for "segregate retention policy based on CHINA," which is precisely the sort of thing that continues to make them the big bucks. All of these hosted infrastructure pieces, like Office365 and GSuite, are going to need huge exceptions built into them. (Maybe they already do, and I'm just ignorant.)

[+] Zak|6 years ago|reply
> One current, big, internal effort is to encrypt the code on the controller, so that people can't dump it, or at least not modify it.

Do you work for John Deere?

Wouldn't it be funny if abusive behavior by the Chinese government ends up undermining abusive behavior by large corporations?

[+] pray4URenemies|6 years ago|reply
In some way it is genius: the US bans 28 Chinese companies because of surveillance, and now everybody has to support surveillance by law. Apply the rule now ..
[+] baybal2|6 years ago|reply
> One current, big, internal effort is to encrypt the code on the controller, so that people can't dump it, or at least not modify it.

Do you think you can do it? This is what the industry abandoned more than a decade ago. DRM keys from efuses leak, credit-card-protected flash gets copied, and "physically uncopyable" security elements have had few POCs shown against them.

[+] thescriptkiddie|6 years ago|reply
I actually think it would be a good thing if governments required access to the source code for all software that they use.
[+] microcolonel|6 years ago|reply
Write the software onto the controllers in Taiwan at least.
[+] choonway|6 years ago|reply
That's why there's a Hong Kong, you know.
[+] kstenerud|6 years ago|reply
I don't see how any sizable foreign company could operate in China under rules like this. All sufficiently large companies are privy to certain trade secrets of partners, vendors, clients through agreements, technology, information sharing, etc, and will have legal arrangements in place for it. If the government gets carte blanche access to their data, no company could operate without violating those agreements.
[+] toxicFork|6 years ago|reply
I have been involved in companies that operate internationally and within China. What you can do is to have isolation modes. Separate email servers or providers for people who are going to be accessing emails from China. Mirror only the documents etcetera that will need to be accessed from China.

It's almost as if you have a spin off company that can request very limited access of information from the main one.

It's a bit more expensive but definitely worth it.

[+] starfallg|6 years ago|reply
They can't. That's the reason why they have been leaving in droves, but it's very hush hush so far. A lot of microelectronics assembly has already moved out of the country. Samsung and Sony, for example, are closing all of their smartphone manufacturing operations in China.
[+] bayesian_horse|6 years ago|reply
Many of them can't just extricate themselves from the Chinese market before these changes hit. They will take huge losses if they disrupt communications or restrict access to trade secrets.

My guess is that many will try to ignore that law and just assume that the government isn't looking or that it is bound by local law not to give trade secrets to competitors and so on. Of course that's not worth a lot, but ...

[+] mirimir|6 years ago|reply
So could US companies that bail claim extraordinary business losses?
[+] vezycash|6 years ago|reply
There is one simple, proven tactic China could use to both have their law and still keep giant foreign companies. App stores have been known to give special API access to, and collect smaller fees from, big apps. A VIP status or exemption list will make such companies stay until China kicks 'em out.
[+] cycloptic|6 years ago|reply
The solution is to stop operating in a culture of secrecy, lying and back-stabbing as so many US companies seem to be obsessed with. Open source your code and designs and start selling services. It's sad that it takes a threat like this to prove that the system we have in place doesn't work and is prone to corruption.
[+] Peckingjay|6 years ago|reply
If such policies are truly enforced, there seems to be little to stop China from stealing absolutely all the technical know-how of a foreign company installed there and supplant it with one of their own later on. It really feels like they're pushing how much companies are willing to bear to get access to China's market and manufacturing capabilities to the limit.
[+] StreamBright|6 years ago|reply
And why would they not? The West has for a very long time favoured CEOs and shareholders over the general population when it comes to globalisation. China exploits that as much as it can.

https://www.forbes.com/sites/mikecollins/2015/05/06/the-pros...

It is quite amazing that you cannot voice anything on HN anymore without being downvoted, regardless of whether you are literally quoting Wikipedia or basic economics.

[+] matz1|6 years ago|reply
I think it goes both ways: there will be little to stop a foreign company from stealing absolutely all the technical know-how of a Chinese company.
[+] SteveNuts|6 years ago|reply
The irony here is that by advertising the fact that they have a massive amount of raw, unencrypted data, they're making themselves the biggest hacker target in the world.

I really hope this backfires on them so the rest of the world will be hesitant to follow their example.

[+] stephc_int13|6 years ago|reply
China is clearly hostile and I think this is a wrong strategy to do business with them. If anything was ever close to the Big Brother society described in 1984, this is it.
[+] crispyambulance|6 years ago|reply
> I think this a wrong strategy to do business with them.

Of course it's wrong; unfortunately, however, your corporate overlords don't mind "Big Brother" as long as there's a short-term "trade-off" for them.
[+] nickthemagicman|6 years ago|reply
This, the surveillance cameras, the 'social credit score' system. These are all truly frightening developments.
[+] pell|6 years ago|reply
What they're currently doing to Uyghurs is despicable.
[+] oefrha|6 years ago|reply
I read the follow-up blog post with details[1] as well as the actual Chinese regulation text[2]. The blog post seems to omit a lot of details and some claims are dubious.

I don’t have time to translate everything, but here’s an example quote from the blog post:

> The inspectors can fully access the system and they are permitted to copy any data they find. See Article 15.

Whereas Article 15 reads (even if you can’t read Chinese, Google Translate will probably do a reasonable job)

> ... look up and/or copy information on matters related to the audit and inspection of Internet security. ...

So this is quite vague (not really surprising for any regulation), but at face value the law doesn’t seem to say “fully access” or “any data”. Does this cover any data that has nothing to do with security? Ostensibly not. Realistically I’m not sure. Either way, citing the law with an exaggerated translation doesn’t promote confidence in the blog post.

[1] https://www.chinalawblog.com/2019/10/chinas-new-cybersecurit...

[2] http://www.gov.cn/gongbao/content/2018/content_5343745.htm

Edit: to be absolutely clear, I was only commenting on the part of the blog post with explicit citations. Most of the blog post speculates on intent and actual scope, but since those are speculative and don’t deal with the text of the law directly, the author is of course entitled to his own interpretations.

[+] nomercy400|6 years ago|reply
No more trade secrets, so companies like ASML that have a physical presence with their know-how in China are now also legally screwed? Any of their chip-making devices can now be legally reverse-engineered, starting January 1st? Any produced wafer, chip design, IC, whatever is currently in China, can now legally be taken from your company and used by your competitors? Sounds like a good time to move out of China, as otherwise you will have government-backed competitors with your tech in 1-2 years.
[+] tjpnz|6 years ago|reply
>Sounds like a good time to move out of China, as otherwise you will have government-backed competitors with your tech in 1-2 years.

It's already happening.

[+] zelon88|6 years ago|reply
This is the scariest thing ever.

But let's do a thought experiment with it! Like an episode of Black Mirror. Imagine being an upper-class engineer in China in 10 years. You're sipping your morning coffee and checking your emails. Every day you get an email with all the trade secrets collected across China the night before, curated and tailored just for you. Kinda like Recorded Future, but instead of passively analyzing the internet, these secrets were beamed straight from the source.

Their technology could advance rapidly as a result of this.

[+] basch|6 years ago|reply
Question. Part of Western awareness of, paranoia about, fear of, and wherewithal to stand against certain government behaviors and the totalitarian state is obviously awoken from and influenced by fiction, including 1984, Brave New World, Fahrenheit 451, It Can't Happen Here, The Handmaid's Tale, A Clockwork Orange, Philip K. Dick, even We. This shared and collective "memory" of fables, many of which people haven't even read but still discuss as if they had, gives everyone a certain framework, grammar, and shared understanding for talking about the future, and thusly what consequences may come from allowing said future to unfold unabated.

Does Eastern fiction not have this foundation of fictional dystopia from 50-100 years ago woven into society's consciousness? Are people more accepting of certain encroachments towards that type of future, because their legend and myth don't as often scream about potential slippery slopes and repercussions? Is it a fictional fear instilled in our cultural fabric that makes us so averse to what maybe isn't and won't ever be as bad as our stories tell us it will be?

[+] darronz|6 years ago|reply
Perhaps there is an upshot. If the Chinese government has complete access to all traffic in China, it will be unable to deny knowledge of hacking originating from its own IP blocks. By the same token, you would expect all unlawful traffic originating in China to cease.
[+] trentnix|6 years ago|reply
As explained by Guo Qiquan, the chief cheerleader for the plan, the main goal of the new system is to provide “full coverage”. As explained by Guo, “It will cover every district, every ministry, every business and other institution, basically covering the whole society.”

Sauron is envious.

[+] sorokod|6 years ago|reply
almost like a Palantir
[+] gii2|6 years ago|reply
> "No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data."

I would guess the companies with subcontractors/branches in China have been assuming that everything they submit there is no longer a trade secret, or a secret at all.

[+] unstatusthequo|6 years ago|reply
Have been for a while. Just like operating in a presumed-breach state.
[+] xuesj|6 years ago|reply
It reminds me of the ancient Chinese saying "普天之下,莫非王土,率土之滨,莫非王臣", which means "all land in the kingdom belongs to the king, and all men in the kingdom are servants of the king".
[+] AlchemistCamp|6 years ago|reply
It also reminds me of 天高皇帝遠 (the sky is tall and the emperor is far), which has a somewhat contrary meaning: as you get further from the capital, rules are looser.
[+] edejong|6 years ago|reply
Time to unpack those radios that operate slightly under the noise floor, using shared correlation codes and synchronized clocks. P2P for the win.

[edit: grammar]

[+] botwriter|6 years ago|reply
I can see the fall of China happening in the next 5 - 10 years.

Plunging the world into a global recession.

With this + the US trade war, why on earth would a multinational still invest in China?

[+] mark_l_watson|6 years ago|reply
As an opinionated non-expert, I have to ask: isn’t “This means intra-company VPN systems will no longer be authorized in China by anyone, including foreign companies. This in turn means all company email and data transfer will be required to use Chinese operated communication systems that are fully open to the China’s Cybersecurity Bureau. All data servers that make any use of Chinese based communications networks will also be required to be open to the Cybersecurity Bureau’s surveillance and monitoring system.” really the Chinese government shooting itself in the foot?

This reminds me of when, a decade or two ago, Senators Hillary Clinton and Fritz Hollings tried to pass Disney-written SSCA legislation that would require every Internet device, like smart TVs, computers, etc., to have backdoors so companies like Disney and the government could check for copyrighted material.

In either the Clinton bill or what the Chinese are doing, there is a huge risk of third parties getting access to encryption keys and other forms of access. Large-scale organized crime would love this, as would badly behaving state actors.

[+] johannkokos|6 years ago|reply
> This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets.

Can the author provide a source for this? I couldn't find any reference to it from the articles linked by this blog.

[+] beatle_sauce|6 years ago|reply
The law is called MPLS 2.0, also see the follow-up blog post.
[+] steelaz|6 years ago|reply
If true, what does that mean to AWS regions in China?
[+] bayesian_horse|6 years ago|reply
I'm not quite clear what "this change" is or means.

As far as I know, VPNs had been illegal in China before, so maybe this could be mainly a toughening of the laws, and it still depends on the government's discretion to actually use the data, or to crack down on VPNs?

In such regimes it can be a huge problem to find out what laws to take seriously and which ones not. And it often isn't as easy as taking all the laws seriously, because then nothing works either...

[+] mytailorisrich|6 years ago|reply
VPNs are not illegal. VPN apps that are not authorised by the government are illegal, and using a VPN to bypass the Great Firewall is also illegal.

I don't think any of this will change. Companies will still be able to use VPNs, but they will likely have to be by authorised VPN software vendors.

Obviously the worry is that this may mean that the Chinese government could have backdoors or some other sort of access to data.