
China Tries to Extract Pledge of Compliance from U.S. Tech Firms - hackuser
http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html
======
sandworm101
Give the Chinese some credit for this one. At least they are being open about
the demand. This pledge seems a bilateral acknowledgement of the situation.
China can demand backdoors and so can the US (CALEA). Such things are legal in
their respective countries. Companies, especially those that are publicly-traded,
must appease local governments if they want to keep shareholders
happy.

Our anger should instead be focused on solutions to surveillance that do not
rely on trusting corporations. F/OSS tools and client-side encryption are the
path forwards, not extracting unenforceable promises from trillion-dollar tech
giants.

~~~
fauigerzigerk
I disagree completely. If corporations do not make a stand on surveillance and
censorship then official demands are only going to get more brazen and receive
less public attention and scrutiny.

FOSS and client-side encryption alone are not going to solve this problem. If
governments can openly demand and enforce whatever they like, then users of
these technologies can be threatened with draconian punishment and be
prosecuted as terrorists and pedophiles.

There needs to be counter pressure from consumers, consumer groups, experts
and corporations in order for client-side technologies to remain a viable
option for people outside the Ecuadorian embassies of the world.

Corporations are not in the business of appeasing local governments.
Corporations are in the business of pleasing consumers so that they make a
profit. They appease local governments only to reach consumers and they can't
do it in a way that causes consumers to distrust them as that would be self
defeating.

Also, what is in the economic interest of a corporation is not self evident.
It's the people at the top of these companies who make these judgements. I'm
sure many of them value their privacy more than the average person and their
judgement is going to be influenced by that. The same goes for shareholders.

It's always going to be a balancing act for global internet companies so let's
make our weight felt!

~~~
a3n
> I disagree completely. If corporations do not make a stand on surveillance
> and censorship then official demands are only going to get more brazen and
> receive less public attention and scrutiny.

You're describing a world where corporations represent you, the consumer. But
you're not a constituent of the corporation, you're a resource. Corporations
want to keep you happy in the same way that dairy farmers want to keep cows
happy, so they'll keep on producing money or milk. The constituents are
shareholders.

The ones representing your interests are the elected parts of the government.
Which, I know, is laughable in the US. But still, corporations are not it.

Your comments on open source and consumer counter pressure describe something
hopeful.

~~~
oneweekwonder
> The ones representing your interests are the elected parts of the
> government. Which, I know, is laughable in the US. But still, corporations
> are not it.

A bit off-topic, but is there a country that is not laughable and the general
public actually trust and believe the government have their needs in mind?

~~~
anon4
(Parts of) America, before it was run over by illegal immigrants from Europe
and Britain.

------
Animats
Now this is the sort of thing that should have been in the Transpacific Trade
Agreement - prohibiting countries from requiring backdoors.

In some areas, the US prohibits cooperation with the laws of other countries.
The Arab League requires vendors to agree not to do business with Israel, and
the US has a law forbidding US companies from complying with that. So there's
a precedent for this. That's been enough to more or less break the Arab
League's boycott.

~~~
sandworm101
1) The Arab League is not a country. It is a group of representatives from
several countries, few of which really get along with each other. Statements
and edicts from the league are not law to be obeyed by people but by countries
(they need to ratify by passing local laws). The league cannot directly
require anything of any vendor.

2) Lots of laws in the Arab world are not enforced. Outsiders often find these
and assume they mean something. They do not. In totalitarian states what
matters is what the ruling group wants to do. The existence or non-existence
of a written law is very much beside the point.

~~~
qubex
The existence of laws that are not usually enforced is the basis for arbitrary
enforcement if and when there is a 'need' to persecute somebody. Facile
attitudes towards evidence are further enablers. The Rule Of Law is as much
about parsimony of laws as it is of uniform enforcement.

------
Amorymeltzer
>store Chinese user data within the country

The rest is expected but this to me is the most interesting one of the lot.
We've seen these requests come up now and again, but I think we will be seeing
the importance of "where" data is stored more and more in the upcoming years.

As a US citizen, I know that Google/Apple/Facebook/etc. have tons of data on
me and acknowledge that the US gov't can generally get some of this data, but
I'll be damned if those companies let Chinese/Russian/etc. governments access
that data. More to the point, I don't think the US government wants
information on its citizens stored elsewhere, and readily accessible to
government inspection.

So let's not be naive and ask how dare China ask for the same thing. Of course
they would ask that.

~~~
the8472
Over here in Europe we're asking for pretty much the same thing from US
companies.

And the Microsoft case regarding data stored in Ireland[1] just adds more fuel
to the fire.

[1] [http://www.irishtimes.com/business/technology/1.2186247](http://www.irishtimes.com/business/technology/1.2186247)

~~~
bsder
> Over here in Europe we're asking for pretty much the same thing from US
> companies.

However, the reasoning is _quite_ different.

The EU wants data stored in the EU so that it is nominally _protected_ from
hostile country intercept and is subject to EU protection laws.

Whereas, China actively intends to use the locally stored data _for_
intercept.

Now, one can argue that the local EU governments _also_ want to intercept the
data. Nevertheless, until we see The Great Internet Wall of Europe I'm willing
to give those countries a little more slack that they might actually be trying
to do the right thing.

~~~
throwaway7767
I'm sure the Chinese government is genuinely concerned about foreign powers
spying on their citizens, just as the US is concerned about the same thing. I
don't think the fact that they both spy on their _own_ citizens, as well as
foreign citizens, makes that less relevant.

As for GFW, yeah it's evil, but I don't see how that means that the Chinese
government is not concerned with others spying on them.

EDIT: Just to clarify, I hate all this spying with a passion. Just saying that
the motives are the same for everyone here.

------
marme
The big thing is that these things are law in China. The Chinese government is
basically making the tech companies sign a document saying they will comply
with the law. The laws in China are insane and if tech companies want to do
business there they must accept them or pack up and leave like Google did.

Hosting data for Chinese users within China has been part of law for a while
now, all servers hosting content that is licensed to be displayed in China
must also be hosted in China. There are tons of rules that allow the
government to control tech companies. If the law is not there and some tech
company does something the government wants to control they can pass a law the
next day if they wanted to. Laws are pretty arbitrary in China because there
is only one party and they vote practically unanimously on anything the
leaders propose.

------
studentrob
China has always reserved the right to shut you down, copy your service and
acquire your userbase. Not much has changed.

~~~
forgotmysn
Agreed. Unless this agreement goes both ways and ensures IP protection, I
can't imagine this is going to get much traction with these companies.

~~~
studentrob
If your company is not abiding by the set rules and is kicked out, will your
patent still be valid? Would you be allowed to defend it in court?

Would a Chinese judge stand up for your business to the letter of the law? Or
follow orders coming from Beijing?

------
RexRollman
It will be interesting to see if the US Government, who wants backdoors, will
condemn China for wanting backdoors.

~~~
throwaway7767
> It will be interesting to see if the US Government, who wants backdoors,
> will condemn China for wanting backdoors.

Where have you been for the last 10 years? The US regularly condemns China for
backdoors in their equipment, they even do it with a straight face after the
Snowden revelations.

------
aashiks
When the US and other countries try to do it, it is somehow portrayed as
"those pesky government people" but when China wants to do it, it's all ":O"

~~~
lazaroclapp
Pretty sure most people who oppose one, oppose the other as well. Personally,
I think the only "principles" technologists should be signing with regards to
this sort of thing are these: [https://projects.eff.org/~barlow/Declaration-Final.html](https://projects.eff.org/~barlow/Declaration-Final.html) (yes, I
am being hyperbolic, but only up to a point)

~~~
nickpsecurity
Not at all. I endorse both restricting location of data to safer places and
security review of products. The specifics vary considerably from country to
country. The consensus is that a Swiss ownership/company offering services in
their country evaluated by INFOSEC professionals would be ideal. If any L.I.
exists, it would have low likelihood of abuse. Iceland may not have L.I. or
crypto regs but it's unknown how they will handle future U.S. pressure. Swiss
handled it pretty well and aren't NSA SIGINT partners unlike most of Europe.

Then, there's Europe with its data protections of unknown effectiveness for me
as an American. Then, there's America where the sue happy, LEO's, and courts
can get away with a lot. Your actual trade secrets, source code, etc are more
protected here plus stronger patents. Then we have China and Russia where some
employees and external parties on the network will be hacking the crap out of
you while the government protects them when caught.

So, quite different situations in different countries even for same topic.

------
bsder
Any company who moves essential business data to China in order to do business
there is a fool.

Unfortunately, the CEO who authorizes this kind of stupid action is rarely the
CEO who gets bitten when China steals the business data, trade secrets, and
then cuts the company out of the loop for a domestic company.

~~~
nickpsecurity
Exactly. I've been telling them that for years. The country's M.O. is:

(a) sucker businesses over there with lure of cheap labor

(b) steal their intellectual property

(c) combine that I.P. with domestic activities to steal market share

(d) try to dominate the market with combo of cheap labor, domestic R&D, and
freshly stolen I.P.

It's a dumb game for American companies to get into in the long-term. In
short- to mid-term, there's plenty of money to be made while you have the I.P.
and market. And, like you said, someone else takes the hit in the future. An
externality.

~~~
bsder
This is part of the reason for the server demands as well as spying.

When a business has things on a server somewhere and a relatively dumb client,
it's _REALLY_ hard to pirate, steal, copy, modify, etc. You can bake your
"crown jewels" into the server and it never gets into the hands of the client.

One of the phone chipset manufacturers used to run a service where they would
compile your code for you. But they would _NOT_ give you the compiler.

I was really annoyed as a developer, but I also understood the reasoning as it
effectively kept the Chinese from cloning their kit.

~~~
nickpsecurity
That is a strategy people try but it's usually weak. The Chinese have stolen
TB from clients and servers across industries. One still has to protect the
server from attacks from the client, other servers, or networks. Whole problem
remains.

The main benefit of that architecture is to protect against non-technical
insiders and others who have less opportunity for physical attack. The compute
nodes are stored in a hopefully-secure location with files similarly
centralized. Additionally, if the mechanisms are technology agnostic, there's
potential for further hardening, monitoring, obfuscation, recovery, etc.

Doesn't eliminate a Chinese-style threat, though, if it's connected to a
network in any way and doesn't use high assurance components.

------
vinceguidry
The more of these articles I read about US tech firms being asked to kowtow to
the political whims of the countries they operate in, the more I'm reminded of
the fight in the Middle Ages between church and state. Each is dependent on
the other so they can't fight an all-out war, but the politics can get pretty
nasty.

~~~
hyperion2010
Right up until 1789.

~~~
venomsnake
Hmmm ... there was no church in the French revolution. The state/church war
was mostly during the Holy Roman Empire and the 30 year war. But by the time
Richelieu has finished with it - the papacy was no longer a determining factor
in the continental politics.

~~~
antimagic
That is just not true. The Church was front and centre in the French
Revolution. The whole problem was that the first two estates (Church and
Nobility) didn't want to cede power to the third estate (the Commons).
Removing the King was the only path the Commons found to get their share of
the power (the King was actually well-loved by his subjects, at least at the
start of the Revolution, in 1789). Many churches were severely vandalised
during the Revolution, and Church-imposed taxes were banned.

So yeah, without getting into the weeds, the Church was very much one of the
major causes of the Revolution, and it lost plenty of its authority as a
result of the Revolution.

------
wahsd
Well, we are doing the same thing so we can't even stand up against it. What
are we going to say? Don't do what we do? Tell our companies that they will
have to risk having their Chinese markets shut down overnight for
non-compliance?

------
tiatia
It is the same or at least similar in Germany.

~~~
hackuser
Do you mean that Germany requires tech companies to sign a similar agreement?

------
ksec
Not sure about others, but this isn't news to me.

And now pretty much standard (or going to be standard) in every country.

------
charonn0
> The Chinese government, which has long used its country’s vast market as
> leverage over American technology companies, is now asking some of those
> firms to directly pledge their commitment to contentious policies that could
> require them to turn user data and intellectual property over to the
> government.

This first paragraph seems to be an egregious and willful misrepresentation of
the document[1] by the New York Times. Most of these promises appear to be
good and reasonable ideas without an ulterior motive. The only part that I
don't quite understand is #6 where they talk about the "supervision of
society".

Farther down the article:

> The letter also asks the American companies to ensure their products are
> “secure and controllable,” a catchphrase that industry groups said could be
> used to force companies to build so-called back doors — which allow third-
> party access to systems — provide encryption keys or even hand over source
> code.

I don't see that phrase anywhere in this document, though the individual words
do appear several times. Moreover, I don't see how anyone can reasonably argue
that anything in the document implies third-party access to secure or
proprietary information.

[1]:
[http://www.nytimes.com/interactive/2015/09/16/technology/doc...](http://www.nytimes.com/interactive/2015/09/16/technology/document-the-pledge-china-wants-tech-companies-to-sign.html)

~~~
nl
_This first paragraph seems to be an egregious and willful misrepresentation
of the document by the New York Times._

No, if anything it is an understatement of how problematic this pledge is.

_The only part that I don't quite understand is #6 where they talk about the
"supervision of society"._

"Supervision of society" is what the modern government of China has moved to
as a quasi-alternative to traditional communist "Command and Control"
planning[1].

It encompasses both the type of business regulation that is more familiar in
the West (business licenses, safety regulations) along with comprehensive
state surveillance of both financial/economic indicators as well as what many
societies would consider "private speech".

[1]
[https://books.google.com.au/books?id=TfHGAAAAQBAJ&pg=PA74&lp...](https://books.google.com.au/books?id=TfHGAAAAQBAJ&pg=PA74&lpg=PA74&dq=%22supervision+of+society%22&source=bl&ots=lKoOJqAJkd&sig=c4I870VZSgZlBCr_bOsg28R9MUg&hl=en&sa=X&redir_esc=y#v=onepage&q=%22supervision%20of%20society%22&f=false)

