
China's New Cybersecurity Program: No Place to Hide - lelf
https://www.chinalawblog.com/2019/09/chinas-new-cybersecurity-program-no-place-to-hide.html
======
TheRealDunkirk
It's going to be entertaining to watch my Fortune 250 figure out how to work
with this.

We make big, expensive, technical things that have a lot of very-closely-held
software on them. One current, big, internal effort is to encrypt the code on
the controller, so that people can't dump it, or at least not modify it.
What's going to happen when the Chinese government demands to escrow the
signing keys for any product sold in their country? I fully expect that they
will be handed over. That's pretty much a given. But what if they go further
and demand to escrow the source code? That would get really interesting,
really fast, for many reasons.

Also, how will they continue to block Skype chat history in the US, based on
dodgy interpretations of SOX and related laws, yet allow the Chinese
government full access to all the logs? What happens when the CEO chats in
China, or someone chats at him from China? I suppose it will be Microsoft to
the rescue here, with a giant tick-box in the Skype FOR BUSINESS admin panel
for "segregate retention policy based on CHINA," which is precisely the sort
of thing that continues to make them the big bucks. All of these hosted
infrastructure pieces, like Office365 and GSuite, are going to need huge
exceptions built into them. (Maybe they already do, and I'm just ignorant.)

~~~
thescriptkiddie
I actually think it would be a good thing if governments required access to
the source code for all software that they use.

~~~
kibwen
I'd go further and extend that to "every citizen has access to the source code
of all software their governments use".

~~~
dmix
The government already has enough crippling inefficiency, but yeah let’s throw
a grenade onto all the software they ever wanted to use.

~~~
vangelis
We should simply persecute anyone who finds issues with this software to the full
extent of the law. A culture of fear around security research is the most
effective culture.

------
kstenerud
I don't see how any sizable foreign company could operate in China under rules
like this. All sufficiently large companies are privy to certain trade secrets
of partners, vendors, clients through agreements, technology, information
sharing, etc, and will have legal arrangements in place for it. If the
government gets carte blanche access to their data, no company could operate
without violating those agreements.

~~~
cycloptic
The solution is to stop operating in a culture of secrecy, lying and
back-stabbing as so many US companies seem to be obsessed with. Open source your
code and designs and start selling services. It's sad that it takes a threat
like this to prove that the system we have in place doesn't work and is prone
to corruption.

~~~
computerex
The fundamental issue is that people have a right to privacy and information.
Open sourcing the code and designs is cool, but what about personal customer
information? Why should the Chinese government have that? The contents of the
services, if you will. That's the scariest part.

~~~
cycloptic
The parent comment I was replying to was talking about trade secrets, not
customer information. But on that topic, the US has its own data-gathering
operation which presumably is already collecting the same information. There
is an opportunity here for someone to step up and speak against this practice.

~~~
computerex
Do you have evidence of ongoing mass surveillance practices in the U.S that is

> presumably is already collecting the same information

Do you have any evidence at all?

------
Peckingjay
If such policies are truly enforced, there seems to be little to stop China
from stealing absolutely all the technical know-how of a foreign company
installed there and supplant it with one of their own later on. It really
feels like they're pushing how much companies are willing to bear to get
access to China's market and manufacturing capabilities to the limit.

~~~
StreamBright
And why would they not? The west for a very long time favoured the CEOs and
share holders over general population when it comes to globalisation. China
exploits that as much as they can.

[https://www.forbes.com/sites/mikecollins/2015/05/06/the-pros...](https://www.forbes.com/sites/mikecollins/2015/05/06/the-pros-and-cons-of-globalization/)

It is quite amazing that you cannot voice anything on HN anymore without being
downvoted, regardless of whether you're literally quoting Wikipedia or basic economics.

~~~
Peckingjay
I am aware that China has had no qualms to rig the game in its favor so far.
Those measures would take it up on a whole new level though. I'm just not sure
how many companies will be willing to abide by having almost all the data from
their operations in China available to the government, unless they don't have
other viable options, even though these might be a lot more expensive.

------
SteveNuts
The irony here is that by advertising the fact that they have a massive amount
of raw, unencrypted data, they're making themselves the biggest hacker target
in the world.

I really hope this backfires on them so the rest of the world will be hesitant
to follow their example.

~~~
lallysingh
This much is certain. It's going to be the biggest intelligence grab for
non-Chinese nations in decades.

I wonder if they're serving birthday cake at the NSA cafeteria today.

------
stephc_int13
China is clearly hostile and I think this is a wrong strategy to do business with
them. If anything was ever close to the Big Brother society described in 1984
this is it.

~~~
crispyambulance

        > I think this a wrong strategy to do business with them.
    

Of course it's wrong, unfortunately however, your corporate overlords don't
mind "Big Brother" as long as there's a short-term "trade-off" for them.

~~~
eatbitseveryday
Let's not use code block formatting for quotes.

Just use the sideways carrot '>' or italics.

~~~
crispyambulance
I don't care.

~~~
eatbitseveryday
I see in your latest comments on HN you had a change of heart :)

------
Thrwtz
Follow up post contains much more detail

[https://www.chinalawblog.com/2019/10/chinas-new-cybersecurit...](https://www.chinalawblog.com/2019/10/chinas-new-cybersecurity-system-there-is-no-place-to-hide.html)

------
oefrha
I read the follow-up blog post with details[1] as well as the actual Chinese
regulation text[2]. The blog post seems to omit a lot of details and some
claims are dubious.

I don’t have time to translate everything, but here’s an example quote from
the blog post:

> The inspectors can fully access the system and they are permitted to copy
> any data they find. See Article 15.

Whereas Article 15 reads (even if you can’t read Chinese, Google Translate
will probably do a reasonable job)

> ... look up and/or copy information on matters related to the audit and
> inspection of Internet security. ...

So this is quite vague (not really surprising for any regulation), but at face
value the law doesn’t seem to say “fully access” or “any data”. Does this
cover any data that has nothing to do with security? Ostensibly not.
Realistically I’m not sure. Either way, citing the law with an exaggerated
translation doesn’t promote confidence in the blog post.

[1] [https://www.chinalawblog.com/2019/10/chinas-new-cybersecurit...](https://www.chinalawblog.com/2019/10/chinas-new-cybersecurity-system-there-is-no-place-to-hide.html)

[2] [http://www.gov.cn/gongbao/content/2018/content_5343745.htm](http://www.gov.cn/gongbao/content/2018/content_5343745.htm)

Edit: to be absolutely clear, I was only commenting on the part of the blog
post with explicit citations. Most of the blog post speculates on intent and
actual scope, but since those are speculative and don’t deal with the text of
the law directly, the author is of course entitled to his own interpretations.

~~~
dangerface
Article 15 seems specific to pen testing, at least that's what I think they mean
by "public security organs"

> Article 13 Public security organs conducting Internet security supervision
> and inspection may conduct on-site supervision and inspection or remote
> inspection.

~~~
TrueDuality
That sounds to me like it's authorizing them to remotely "access" the
computers and networks, and failing that they can perform an on-site
inspection. So yeah pentests, not necessarily with the corporation's
knowledge...

~~~
oefrha
Article 16 says subjects must be notified of remote inspections, including the
time and scope; or said inspections must be published ahead of time. Remote
inspections must not disrupt normal functioning of the subject’s systems.

Again, I’m only talking about the written text of the law.

------
nomercy400
No more trade secrets, so companies like ASML that have a physical presence
with their know-how in China are now also legally screwed? Any of their chip
making device can now be legally reverse-engineered, starting January 1st? Any
produced wafer, chip design, IC, whatever is currently in China, can now
legally be taken from your company and used by your competitors? Sounds like a
good time to move out of China, as otherwise you will have government-backed
competitors with your tech in 1-2 years.

~~~
tjpnz
> Sounds like a good time to move out of China, as otherwise you will have
> government-backed competitors with your tech in 1-2 years.

It's already happening.

------
zelon88
This is the scariest thing ever.

But let's do a thought experiment with it! Like an episode of Black Mirror.
Imagine being an upper-class engineer in China in 10 years. You're sipping
your morning coffee and checking your emails. Every day you get an email with
all the trade-secrets collected across China the night before; curated and
tailored just for you. Kinda like Recorded Future but instead of passively
analyzing the internet these secrets were beamed straight from the source.

Their technology could advance rapidly as a result of this.

~~~
basch
Question. Part of western awareness towards, paranoia, fear, and wherewithal
to stand against certain government behaviors and the totalitarian state is
obviously awoken from and influenced by fiction, including 1984, Brave New
World, Fahrenheit 451, It Can't Happen Here, The Handmaid's Tale, A Clockwork
Orange, Philip K. Dick, even We. This shared and collective "memory" of
fables, many of which people haven't even read but still discuss as if they
had, give all a certain framework, grammar, and shared understanding for
talking about the future, and thusly what consequences may come from allowing
said future to unfold unabated.

Does eastern fiction not have this foundation of fictional dystopia from
50-100 years ago woven into society's consciousness? Are people more accepting
of certain encroachments towards that type of future, because their legend and
myth don't as often scream about potential slippery slopes and repercussions?
Is it a fictional fear instilled in our cultural fabric that makes us so
averse to what _maybe_ isn't and won't ever be as bad as our stories tell us it
will be?

~~~
xfs
It's rare to see introspective questions around here. The fear is not all
fictional, but the fictional part, the fear of the totalitarian Other, is
definitely helpful in justifying the establishment status quo and maintaining
consensus. The excesses in the status quo are instead projected onto the
Other, disavowed.

The other part of the fear is just what is called ideology, the lens through
which the world is understood. In this case the western ideology is
universalism, the philosophy that certain ideas are to be applied universally
and infinitely. The works you list here are really examples of how
universalism (utopianism, technologism, capitalism, totalitarianism) as a
historical process necessarily develops into its own failure, in a Hegelian
sense. I don't see universalism as predominant as particularism in eastern
fiction or even philosophy. The "eastern" particularism means that no idea is
to be blindly applied to the end, no law is absolute, and no principle is
sacred if it doesn't "work" in practice. The Hegelian process shall be halted
if it is going to evolve into dystopia. This is why there is no such fear in
eastern fiction.

~~~
basch
Thank you. I have no idea how accurate or complete this answer is but I like
it and the idea of a duty towards particularism acting as a protective layer
against encroachment of authority, instead of fear tactics concerning
universalism. Sort of "rule of thumb vs a moral" way of looking at shaping the
world.

------
darronz
Perhaps there is an upshot. If the Chinese government have complete access to
all traffic in China, they will be unable to deny knowledge of hacking
originating from their own IP blocks. By the same token you would expect
all unlawful traffic originating in China to cease.

~~~
thoughtstheseus
Why would that be the expected?

~~~
Ill_ban_myself
Because if it did not stop it would imply the Chinese government accepts and
approves of the criminal acts

~~~
ppf
And then?

~~~
kristofferR
Hehe, it's completely off-topic, but the combination of China and "And then?"
reminded me of this hilarious movie scene:

[https://www.youtube.com/watch?v=oqwzuiSy9y0](https://www.youtube.com/watch?v=oqwzuiSy9y0)

~~~
ppf
It's not an accident ;-)

------
trentnix
_As explained by Guo Qiquan, the chief cheerleader for the plan, the main goal
of the new system is to provide “full coverage”. As explained by Guo, “It will
cover every district, every ministry, every business and other institution,
basically covering the whole society._

Sauron is envious.

~~~
sorokod
almost like a Palantir

~~~
i_am_nomad
I don’t think all of my emails and files get automatically decrypted and
processed through Palantir, but of course I’d like to know if I’m mistaken
about that.

~~~
sangnoir
Parent was referring to Tolkien's Palantir - not Thiel's

~~~
sorokod
Yes

------
anvandare
Good to see the mask (and gloves) are finally coming off. No one can pretend
anymore that the emperor has clothes.

~~~
psychoslave
Well, if you follow the fable, it's actually now that you should see everybody
claiming that these clothes are wonderful.

[https://en.wikipedia.org/wiki/The_Emperor%27s_New_Clothes](https://en.wikipedia.org/wiki/The_Emperor%27s_New_Clothes)

~~~
erichocean
Apple, for one, is doing just that.

------
gii2
> "No communication from or to China will be exempted. There will be no
> secrets. No VPNs. No private or encrypted messages. No anonymous online
> accounts. No trade secrets. No confidential data."

I would guess the companies with subcontractors/branches in China have been
assuming everything they submit there is no longer a trade secret or secret at
all.

~~~
unstatusthequo
Have been for a while. Just like operating in presumed breach state.

------
xuesj
It reminds me of the ancient Chinese saying "普天之下，莫非王土，率土之滨，莫非王臣", which means "all
land belongs to the king in the kingdom, all men are servants of the king in
the kingdom"

~~~
AlchemistCamp
It also reminds me of 天高皇帝遠 (the sky is tall and the emperor is far), which
has a somewhat contrary meaning: as you get further from the capital, rules
are looser.

~~~
dbuder
I like that, but I think the sky is full of cameras and drones and the
Emperor's minions see all.

------
edejong
Time to unpack those radios that operate slightly under the noise floor, using
shared correlation codes and synchronized clocks. P2P for the win.

[edit: grammar]

~~~
bayesian_horse
And if you are caught you get sent to jail.

~~~
bogwog
If you're lucky.

------
botwriter
I can see the fall of China happening in the next 5 - 10 years.

Plunging the world into a global recession.

With this + the US trade war, why on earth would a multinational still invest
in China.

~~~
Quarrelsome
> in the next 5 - 10 years.

this estimate is far too short even assuming a sequence of unprecedented
negative events. A more tangible catalyst would be a power vacuum after the
current leader dies filled by a very poor candidate. Even then it took lousy
Roman Emperors hundreds of years to squander the legacy of Rome.

~~~
SteveNuts
Ancient Romans didn't have instantaneous access to information and global
markets. The whole world economy could collapse basically overnight in the
modern era.

~~~
Quarrelsome
barbarians are at the gates.

~~~
Ill_ban_myself
I hope you speak barbar

------
mark_l_watson
As an opinionated non-expert, I have to ask: isn’t “This means intra-company
VPN systems will no longer be authorized in China by anyone, including foreign
companies. This in turn means all company email and data transfer will be
required to use Chinese operated communication systems that are fully open to
the China’s Cybersecurity Bureau. All data servers that make any use of
Chinese based communications networks will also be required to be open to the
Cybersecurity Bureau’s surveillance and monitoring system.” really the
Chinese government shooting itself in the foot?

This reminds me of when a decade or two ago Senators Hillary Clinton and Fritz
Hollings tried to pass Disney-written SSCA legislation that would require
every Internet device like smart TVs, computers, etc. to have backdoors so
companies like Disney and the government could check for copyright material.

In either the Clinton bill or what the Chinese are doing there is a huge risk
of a third party getting access to encryption keys and other forms of access.
Large scale organized crime would love this, as would badly behaving state
actors.

------
johannkokos
> This system will apply to foreign owned companies in China on the same basis
> as to all Chinese persons, entities or individuals. No information contained
> on any server located within China will be exempted from this full coverage
> program. No communication from or to China will be exempted. There will be
> no secrets.

Can the author provide a source for this? I couldn't find any reference to it
from the articles linked by this blog.

~~~
steelaz
If true, what does that mean to AWS regions in China?

~~~
desdiv
The China AWS region is operated by a Chinese company, with all servers
physically located in China, thus accessible to the Chinese government.[0]

The above also applies to Microsoft Azure China[1], and any other major cloud
provider with a presence in China.

[0] [https://www.amazonaws.cn/en/about-aws/china/](https://www.amazonaws.cn/en/about-aws/china/)

[1] [https://docs.microsoft.com/en-us/azure/china/overview-operat...](https://docs.microsoft.com/en-us/azure/china/overview-operations)

------
bayesian_horse
I'm not quite clear what "this change" is or means.

As far as I know, VPNs had been illegal in China before, so maybe this could
be mainly a toughening of the laws, and it still depends on the government's
discretion to actually use the data, or to crack down on VPNs?

In such regimes it can be a huge problem to find out what laws to take
seriously and which ones not. And it often isn't as easy as taking all the
laws seriously, because then nothing works either...

~~~
mytailorisrich
VPNs are not illegal. VPN apps that are not authorised by the government are
illegal, and using a VPN to bypass the Great Firewall is also illegal.

I don't think any of this will change. Companies will still be able to use
VPNs, but they will likely have to be by authorised VPN software vendors.

Obviously the worry is that this may mean that the Chinese government could
have backdoors or some other sort of access to data.

------
frequentnapper
Will YC China still continue to exist?

------
bamboozled
This will damage the government as much as it damages the citizens.

It's now going to be easier than ever to intercept traffic in China. It plays
into the hands of foreign intelligence agencies.

~~~
andromeduck
Not really, it'll still be hard for foreign agents to exfil mass amounts of
data without being noticed and data can still be encrypted in flight/at rest
w/ root keys shared with Chinese intelligence via some escrow system like how
enterprise certs work right now.

------
justinclift
The KPMG take on this seems relevant:

[https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2019/05/mlps-...](https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2019/05/mlps-insights-strategies.pdf)

Also, does anyone know how to access the Chinese text version of the
standards? (I have friends who grok Chinese well, can pass to them for reading
over)

The link from the article goes to a translation service which just wants to
charge money for translation to English, with no way to access the original
documents. Searching online so far just turns up similar translation services,
without the original docs.

~~~
yorwba
I didn't even see a link to a translation in the article, but I believe it's
about the following three standards:

GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求 Information security technology — Baseline
for classified protection of cybersecurity
[http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=BAFB47E887...](http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=BAFB47E8874764186BDB7865E8344DAF)

GB/T 25070-2019 信息安全技术 网络安全等级保护安全设计技术要求 Information security technology —
Technical requirements of security design for classified protection of
cybersecurity
[http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=9FB6EE8597...](http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=9FB6EE8597B21436D0E99BF44FD42C4D)

GB/T 28448-2019 信息安全技术 网络安全等级保护测评要求 Information security technology
— Evaluation requirement for classified protection of cybersecurity
[http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=7E736CDF45...](http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=7E736CDF4502B6FF1258DD250AA3EC8C)

The link to read online requires Flash...

~~~
justinclift
Thanks, that looks very helpful. :)

> The link to read online requires Flash...

Ugh. Security holes galore. Not going to install it on any network connected
gear I use. :(

------
AlchemistCamp
I wonder if HN is hosted in China at all.

Edit: To clarify, I _doubt_ any of it is. Still, having seen some seemingly
unlikely events coming to pass over the past few years, it's natural to be
curious and think through the scenario.

~~~
tasuki
I don't think HN is hosted in China. Why should it be?

~~~
komali2
Like, random AWS server or something?

~~~
hn_throwaway_99
HN isn't hosted on AWS, and AWS doesn't have any data centers in China.

~~~
deadbunny
They do, they are just run as (what I assume is) a separate company entirely.

[https://www.amazonaws.cn/en/](https://www.amazonaws.cn/en/)

------
LeoNatan25
"By giving the Chinese government and its cronies full access to its data, the
U.S. or EU company may very well be deemed to have illegally exported
technology to China and it could face millions of dollars in fines and even
prison sentences for some of its officers and directors. There is an inherent
conflict between foreign laws mandating a company not transfer its technology
and China’s laws which effectively mandate that transfer.

Under China’s new cybersecurity system, there will be no place to hide."

Very good. Put the Cooks and Pichais in jail. Only this will make them rethink
doing business in China.

------
diggidydogg
I think all countries should enforce these same rules for Chinese companies
operating on foreign soil.

~~~
SkyBelow
Would be much better to reverse it. Anything given to China is also put in the
public domain. Keeps things a bit more fair and makes people think twice about
giving something up.

~~~
andromeduck
why not both

------
pray4URenemies
It really aligns well with the face scan initiative (and credit core system)
[https://www.businessinsider.com/china-to-require-facial-id-f...](https://www.businessinsider.com/china-to-require-facial-id-for-internet-and-mobile-services-2019-10)

what you browse, what information you read will define you.

Basically it can make an automated prison, where you have to read Xi's
commandment every morning to get +10 points... etc..

------
lom888
There is an article in this week's London Review of Books by John Lanchester
which covers a similar theme:
[https://www.lrb.co.uk/v41/n19/john-lanchester/document-numbe...](https://www.lrb.co.uk/v41/n19/john-lanchester/document-number-nine)

------
Chirael
I wonder if there’s any relation between this and “Made in China 2025” [1].
Seems like it would be a lot easier if there are no more trade secrets from
the government, and the government has representatives in various Chinese
companies [2].

[1] [https://en.wikipedia.org/wiki/Made_in_China_2025](https://en.wikipedia.org/wiki/Made_in_China_2025)

[2] [https://www.cnbc.com/2019/09/23/china-to-place-government-of...](https://www.cnbc.com/2019/09/23/china-to-place-government-officials-in-100-companies-including-alibaba.html)

------
Invictus0
The Stasi is back, now mechanized & equipped with machine learning.

------
reaperducer
"But Chinese law now requires complete government access to those secrets if
those secrets cross the Chinese border for any reason."

So if a routing burp just _happens_ to send some data to China that was
supposed to go from New York to London, then "Oops! So sorry. We read all of
your company's plans. But that's OK, we kept a copy on that file share that
your Chinese competitor has access to."

~~~
oefrha
If you send all of your company’s plans unencrypted from New York to London,
you have a much larger problem. Any intelligence agency worth their salt
should be gobbling up as much traffic as possible.

------
justinclift
With access to _all_ your files they'll also have your (software, GPG, etc)
signing keys.

So, it's not just a matter of being able to read from any system in your
network. They'll be able to impersonate people (including with valid
signatures), sign new software releases, and more.

Sounds especially useful when disappearing people first, so there's no "Hey, I
didn't send that!".

------
jiveturkey
The blog itself is a law blog, not a political blog, so I understand that it
is just putting out a very focused bit of information. (Which I will believe
when I see reputable news source coverage.)

But I'm amazed no one here has remarked or supposed that this is a reaction to
tariffs. This is China playing hardball in a way that we can't react with
tit-for-tat.

------
chaz6
This could potentially mean they start making space a battleground when
entities switch to foreign-operated satellite data services.

------
naringas
what about China's own "national security concerns"? will those be out in the
open? somehow I don't think so but that's only my supposition.

I would bet they will keep their own one government party secrets private and
encrypted.

"privacy for us (the party) but not for you"

------
Lio
It would be interesting to know how this affects Taiwan.

If the CCP regards Taiwan as part of greater China then does that mean they
believe they have a right to all information held in Taiwan including that
owned by foreign companies?

Or does Taiwan get an exception for now at least?

------
mensetmanusman
Wow.

This means it will be extremely risky to have any business in China, as it
allows any intra-company email server to be accessed.

Since it is unofficial state policy to provide foreign company know-how to
home grown competitors, this will be an amazing fireworks show.

------
idoescompooters
I hope people realize this is what Snowden told us is happening HERE in the
U.S.

~~~
mensetmanusman
But the NSA wasn’t handing the information out to western companies. That is
the China modus op. at the moment...

------
pmarreck
Just curious: Did no one in China watch
[https://www.rottentomatoes.com/m/the_lives_of_others](https://www.rottentomatoes.com/m/the_lives_of_others)
?

------
diggidydogg
Can we apply the same rules to Chinese companies operating on foreign soil?

------
phkahler
Is it possible this causes a lot of competition in the US as some companies
bring work and manufacturing back home? Or will they just move to another
country?

------
tempguy9999
"the Cybersecurity Law and related laws and regulations are very clear that
they apply to all individuals and entities in China without regard to
ownership or nationality. There are no exceptions. More important, the new
Foreign Investment Law that goes into effect on January 1, 2020 eliminates any
special status associated with being a WFOE or other foreign invested
enterprise. Foreign owned companies will be treated in exactly the same way as
Chinese owned companies"

If true? Talk about screwing your own pooch. With the milspec PoochBuster
9000.

------
logicchains
I wonder if this will create a market for software that's inscrutable to
anyone other than the creator, so it can't easily be adapted or modified. "Of
course, here is my unencrypted source code. It's written in a homotopy type
theory DSL I implemented in the C preprocessor, and completely verified with
dependent types so any change will cause a type error. I haven't got around to
implementing compile-time type checking, however, or error messages, so type
errors will cause it to coredump at runtime."

~~~
ETHisso2017
Even if you offered me something like that for free, I wouldn't run it or use
it...

~~~
logicchains
If you were an executive and the only other choices were either giving away
all your IP or leaving China and billions of dollars of revenue behind, you
might think differently.

~~~
ETHisso2017
I was speaking from the customer perspective.

------
jquery
So if I’m traveling to China is it now unsafe to use pre-installed VPNs? Am I
at risk of jail if I do so or set up my own VPN?

------
vezycash
"But I've already invested and sacrificed so much money, time & effort on this
deal, relationship, person, place..."

This thought causes victims of scams to mortgage their houses and send the
money to scammers - even in the face of overwhelming evidence. Causes victims
of abusive relationships to remain even when their lives are in danger. It's
also what will keep western companies in China - even as China slowly
strangles them to death.

Sunk Cost Fallacy

~~~
milofeynman
China can also assume company boards will be making short term gains
decisions, while China is making long term moves.

~~~
dleslie
Not just private entities; democratic states tend not to produce meaningful
policy that reaches beyond their electoral terms.

~~~
mistermann
I would be very surprised if Chinese leadership isn't _extremely_ cognizant of
the necessarily short term thinking forced upon corporations (quarterly/annual
earnings progression) and politicians (re-election) in Western democracies,
and putting a massive amount of strategic thinking into how to best exploit
this without attracting too much attention. Neither the corporations nor
politicians are going to be particularly motivated to draw attention to it,
and public concerns on individual issues like this are typically ineffectual,
I think they will be able to get an absolutely massive amount of mileage out of
this weakness.

Honestly, I think the West's best defense is young otherwise powerless people
on the internet making memes mocking the irresponsible behavior of people in
power.

~~~
Loughla
> Honestly, I think the West's best defense is young otherwise powerless people
> on the internet making memes mocking the irresponsible behavior of people in
> power.

I honestly am going to need you to explain why this is your thought.

~~~
mistermann
I see no other defense that would plausibly be undertaken in the current
culture of the West. There are _many_ options of course, I just don't see any
that maintain current levels of corporate profitability and re-election
likelihood. What little commentary on the matter I see from those who hold
power seems motivated by the chance for political gain, or corporate
perception management.

------
SubiculumCode
Outlawing encryption is as futile as outlawing 'abstract' poetry. Hidden
meanings can always be encoded.

------
yalogin
China is the biggest failure of the western nations in a post USSR world. The
fact that the whole world let China become so huge and powerful while being so
authoritarian is a travesty. They have now completed integrating the internet
and big data into their despotic regime. This is the worst place imaginable
for a free thinking brain. Even now the western world is just following
along to their dollar tunes.

------
exabrial
This sounds like a hacker's dream: mandatory documented centralized backdoors
literally everywhere.

------
aykutcan
China strikes back huh.

This is a big issue no matter how you look at it.

Maybe "no trade secrets" is a bit of an exaggeration.

------
stephc_int13
What about big companies like Supercell, owned by Tencent at about 80%?

------
bumbacloth
Maybe the Chinese internet will have a single point of failure, the
government? I think they will have a massive problem with ransomware if all
servers are accessible with the same backdoor.

------
make3
I'm starting to think we should all just systematically boycott Chinese
products and pressure companies not to work with them. China is more and more
a real threat to world stability, to democracy and to the humaneness of our
world

------
xorand
Are there any legal consequences if Sci-Hub is hosted in China?

------
ausjke
Which is why I withdrew the idea to set up a branch there, the internet access
and censorship combined are enough to kill any idea to run business in China.

------
SolarNet
Oh hey look another example of _Rainbows End_ being spot on in predictions. At
some point the U.S. will try something similar (hell under Trump there was
already noise about it), and I think _Rainbows End_ is necessary reading for
what we will be up against.

~~~
SubiculumCode
That was such an interesting novel. Of course in that novel the justification
for total surveillance and lockdown of components was the extreme
vulnerability to terror enhanced by technology, AI, and automation...which was
hard to argue against in Rainbows End.

~~~
SolarNet
That was what it was for the US and EU polities. I think there is a throwaway
line about China just doing it because China. When this happens in US and EU
it will be because of terrorism, linked with technologies like Amazon's
drones, or Uber's cars, or some other thing.

------
danmaz74
TLDR: "This means intra-company VPN systems will no longer be authorized in
China by anyone, including foreign companies. This in turn means all company
email and data transfer will be required to use Chinese operated communication
systems that are fully open to the China’s Cybersecurity Bureau. All data
servers that make any use of Chinese based communications networks will also
be required to be open to the Cybersecurity Bureau’s surveillance and
monitoring system."

If VPNs will really be forbidden, I guess that lots of companies will really
be forced to pull out of China.

------
onemantaker1
The rules make no sense. The rules are very strict.

------
alfiedotwtf
tl;dr: Nothing is beyond our reach.

... sounds familiar

------
mtgx
What's even sadder is that a good portion of the world's governments see this as
an _ideal_ they need to follow. China's online surveillance, censorship,
"perfect citizen" scoring, and public facial recognition systems are seen as
something they need to replicate, and the sooner the better, preferably.

The US government came up with the idea for "Total Information Awareness"
almost 2 decades ago, and it's been trying to achieve that goal since then,
even though it's been denying that the program exists, in public. The UK has
also been trying to achieve the same with Snooper's Charter and the Great
British Firewall.

[https://en.wikipedia.org/wiki/Total_Information_Awareness](https://en.wikipedia.org/wiki/Total_Information_Awareness)

[https://www.theguardian.com/uk-news/2016/sep/14/gchqs-great-...](https://www.theguardian.com/uk-news/2016/sep/14/gchqs-great-british-firewall-raises-serious-concern-privacy-groups)

If you've been paying attention over the past 6-8 years, you should've noticed
that so-called democratic countries like the US, UK, Australia, and others,
have also stopped trying to hold China accountable for "human rights abuses"
in public. That's been a huge red flag for me that these governments aren't
heading in a good, positive direction for humanity.

Only very recently the US has started mentioning China's abuses superficially,
but only in the context of trade war, and as another reason to get everyone to
"hate China" - but I don't feel they mean it and are doing it because they
actually think those abuses are bad. It's just another tactic to manipulate
the masses to accomplish a larger objective.

------
anovikov
This is very worrisome: this simply accelerates the already ongoing exodus
of foreign owned businesses from China. Yes, human rights activists, opposition
members and such, will simply continue using obfuscation as they do now, they
are out of the legal space anyway and changes of laws don't change anything for
them. But businesses need to stay compliant. So they will be leaving and with
their money, share of government ownership, and thus government control of
things, in China will keep creeping up. They are basically returning to
Communism.

Good thing about it is that we know how it ends, Communism is not viable. Bad
thing is that it leaves little hope for the current generation of Chinese...

------
nickthemagicman
People aren't stupid. They will realize that the internet is being monitored
by the government and will simply use it for trivial things.

The internet will be more or less useless.

~~~
marapuru
A large amount of the population does not use the internet the way you do. I
don't have the exact numbers, but by figure of speech I would dare to say that
80% of the population do not care about data collection or being spied upon as
long as they get what they want.

~~~
ilkan
I disagree with that characterization of "the population". Internet use is
mandatory, as government, banking and corporate services use more and more
online-only application or submission processes. Lowers costs by eliminating
paper, increasing speed and reducing the call center and paper processing
jobs. For many things the only choice is online forms, email and online
display (anyone used bankbooks recently?)

------
roenxi
It is interesting to play compare-and-contrast. The US government has a policy
that is substantially similar in many respects - if I want to have a digital
conversation without the US government getting a copy I'm not sure how I would
go about it in practice. Certainly in a work setting, everything may as well
get CC'd to the local government and US government offices.

The Chinese are upping the ante and this policy is going to be a social
disaster for anyone involved in politics. But it is a good moment to reflect
that the problem isn't the Communist Party of China specifically, it is a lack
of private digital spaces. Spy agencies don't make us safe.

~~~
roca
> The US government has a policy that is substantially similar in many respects

Not at all. The US legal tools that let the government demand data
substantially limit what can be demanded. There is currently nothing in US law
that prevents you from protecting your own systems. You might get a NSL, but
you can fight it.

No doubt the US government collects a lot of data covertly, but you can fight
that too. I'm not a big fan of giant US tech companies, but (based on well-
placed friends I trust) I believe Google and others sincerely fight covert
collection, and they're pretty competent.

I think a good choice for a private conversation would be a browser peer-to-
peer WebRTC conversation on one of many hosts such as
[https://talky.io/](https://talky.io/) (for example). Good end-to-end
encryption, perfect forward secrecy, open-source clients running on your
platform of choice, many possible Web hosts which are unlikely to have been
all backdoored by the government (and you can set up your own easily if you
want). Obviously if you have been specifically targeted by a state-level
agency, your client is probably already hacked and none of that matters, but
those attacks are expensive and it seems unlikely that covers more than a
small fraction of people.

It is counterproductive to take the position that all countries are similarly
bad and there's nothing we can do about it.

~~~
acollins1331
Wait... You trust Google to keep our information secret? Don't they literally
allow access to all our information for money through targeted ads? Didn't
Google just admit to reading all of our emails for like a decade now?

~~~
phkahler
Google AFAICT does not share your data. They use it to target ads on behalf of
others, which leaks some of it. But they hold it pretty close.

------
xorand
On another thread [0] [1] "My Google account got suspended because of
NewPipe". No place to hide.

[0]
[https://news.ycombinator.com/item?id=21247759](https://news.ycombinator.com/item?id=21247759)

[1]
[https://github.com/TeamNewPipe/NewPipe/issues/2723](https://github.com/TeamNewPipe/NewPipe/issues/2723)

------
shp0ngle
I do not believe the actual implementation will be so severe.

Every major IT company in China, that interacts with the outside world, has a
VPN to circumvent blocking and uses the VPN heavily.

~~~
novok
And the article says, that won't be legal anymore. And it would be enforced.
No more real encryption in China anymore.

~~~
shp0ngle
I do not believe it, as it will decimate all their IT industry.

The communist party is embedded and makes money from the industry. They do not
want to see it blow up.

Alibaba, Tencent, Baidu, JD, all would just die.

~~~
mytailorisrich
There does not seem to be any ban on companies' VPNs. They don't need to and
that would weaken protection against external attacks.

I think the aim, if I understand it as it is not very clear overall, is rather
that government agencies may access the company's infrastructure (VPNs are
irrelevant).

~~~
shusson
> rather that government agencies may access the company's infrastructure

I think the law is closer to "government agencies may access any of the
company's information".

~~~
mytailorisrich
My understanding is that the law is that government agencies may access
companies' infrastructure to conduct security and compliance audits.

The _worry_ is that this may be used to access companies' data.

------
contingencies
This article reads as alarmism from an actor with interest in projecting FUD.
China broadly has the same effective policy as most governments: requiring
access to be given when legally demanded. This is already the case and has
been the case for a long time. The theoretical legal requirement and the
practical reality of enforcement differ, such that everyone is forced to
operate in a grey area. Such a situation is _normal and expected_ in China.
Should the authorities want something, they come and tell you. Exactly the
same as the west.

~~~
joosters
Yes, the article is not very well written, in that it blends factual
statements about the new laws together with their own opinions,

e.g. _' For that reason, the Chinese Cybersecurity Bureau does not plan to
politely make a formal request for the information. The fundamental premise of
the new cybersecurity systems is that the government will use its control of
communications to simply take the information without discussing the matter
with the user.'_

Does the author have some magical view into the Chinese Cybersecurity Bureau?
Is he making this broad statement based upon something that the CSB has said?
Or is it just his viewpoint?

Much more likely is, as you state, when the government wants something, they
are going to come along and demand it. And if you want to keep doing business
in China, you will have to provide that data.

This, while still a worrying state of affairs, is a far different scenario
from 'all crypto is banned!' espoused by the writer.

~~~
Thrwtz
Refer to the follow up blog post where he goes into detail, including the
actual law if you can read Chinese.

~~~
joosters
Perhaps you could quote the relevant part that shows that this is more than
just an opinion of the writer?

Given that it is a fundamental theme of the original article (encryption
effectively banned), why doesn't the author provide this information in the
very same article?

