
China passes law requiring tech firms to hand over encryption keys - DiabloD3
http://betanews.com/2015/12/27/china-passes-law-requiring-tech-firms-to-hand-over-encryption-keys/
======
Animats
_" This rule accords with the actual work need of fighting terrorism and is
basically the same as what other major countries in the world do."_

 _" When changes in technology hinder law enforcement’s ability to exercise
investigative tools and follow critical leads, we may not be able to identify
and stop terrorists who are using social media to recruit, plan, and execute
an attack in our country."_

One of the above is from Li Shouwei, the deputy head of the Chinese
parliament's criminal law division. The other is from the US FBI director.

~~~
singiht34-02
This is purely anecdotal, but countries that haven't actually been touched by
terrorism seem to be a lot more terrified of terrorists than countries that
have been. It's a lot more of a boogeyman when it's those-people-over-there-
doing-crazy-things

I remember in Poland and Croatia people were so scared that a common sentiment
was basically wanting to ban all muslims.. you know.. just-to-be-on-the-safe-
side

So while yes, this is a scapegoat, people in China are actually scared of the
terrorists.. it's bizarre

~~~
__P
I think you don't follow Chinese news very much. They are heavily effected by
terrorist attacks, low and high tech.

Also, I don't think China's position has anything to do with the peoples
"fear" this is related to the governments position of trying to maintain it's
power by staying on the right side of the information asymmetry the internet
affords.

~~~
gscott
China has it's own definition of terrorism.

------
shaobo
The Verge (referencing WSJ) says firms are not required to handover encryption
keys.

[http://www.theverge.com/2015/12/27/10670346/china-passes-
law...](http://www.theverge.com/2015/12/27/10670346/china-passes-law-to-
access-encrypted-communications)

~~~
cmurf
It requires the OS/product vendor to enable key escrow though. Apple used to
have a mechanism for this. Microsoft has a mechanism for this. And presumably
all of them will escrow encryption keys for any products they sell in China.

GCHQ wants this too. So if tech companies comply with China's law, why
wouldn't they comply with the U.K.'s? And if they comply with the U.K. law,
why couldn't there be one in the U.S.?

~~~
blazespin
Do you have a cite for that? If Apple has to turn on / enable key escrow
that's a very huge freaking deal.

~~~
khalilravanna
I think the point is that Apple no longer has "backdoor" keys for encryption
any longer so that they have no keys to give the government when they come
knocking. I'm basing this conclusion off a quote from the article: "While the
government insists that there will be no requirement for companies to install
backdoor", as well as an interview with Tim Cook off 60 Minutes where he
stated they won't be going the backdoor route anymore. I believe there are
more quotes available from him if you google "apple encryption backdoor".

~~~
throwaway7767
Apple can certainly read iMessage conversations and provide that data to
goverments. They don't have the private keys, but they run the directory
server that distributes the public keys used to encrypt to. So they can very
easily provide you with the wrong public key for your recipient, decrypt that
data and store/forward, and then re-encrypt on their end with the correct key
and forward to the actual recipient.

"Secure" communications systems that rely on a trusted central third party to
vouch for keys are no more secure than allowing that same third-party to
implement key escrow.

------
slowmovintarget
My wife, a current citizen of China, has a uniform response to these kinds of
stories. "Well what do they expect!? If you do business in China, of course
that's what you get. If they don't like it they can get out."

Her point being that no one should be surprised when an authoritarian
government exerts its authority. Also, water is wet.

~~~
jmckib
No offense, but it sounds like she's trying to justify authoritarianism by
shifting the blame to its victims for not "getting out".

~~~
crdb
I read it somewhat differently. From my limited interaction with Chinese
citizen as a resident of Singapore, many think more pragmatically.

"We do what it takes to get a billion people to first world middle class
standard of living. Yes, there's a bit of collateral damage but you guys'
industrial revolution was not all roses, read some Dickens. We can have the
luxury of rights when we're there. You're telling me to eat cake since we ran
out of bread."

In other words the _majority_ of Chinese citizen (that I know - YMMV,
selection bias, etc.) think that the government is doing an alright job
considering its constraints, and don't feel particularly oppressed - the
authoritarianism is population-sanctioned. Just like the new French anti-
terrorism measures.

~~~
jmckib
> We can have the luxury of rights when we're there. You're telling me to eat
> cake since we ran out of bread

The majority of economists would disagree. More economic and political freedom
would accelerate economic progress, not hold it back. Check out Why Nations
Fail by Daron Acemoglu for an in depth discussion of this in relation to
China.

~~~
paul_milovanov
The chicken-egg problem has been solved and nobody told me? my, my.

~~~
jmckib
All I'm saying is that more freedom causes economic growth, which is not a
controversial statement. I think you're saying that economic growth will lead
to more freedom. I'm sure that's true to some degree, but there are
counterexamples. The Soviet Union experienced dramatic economic growth, but
freedom never improved, and eventually the economy stagnated, as will China's
(I predict).

In any case, surely more freedom in China would not be a bad thing.

~~~
rumcajz
> All I'm saying is that more freedom causes economic growth

What about Russia in '90s?

------
timguoqk
A friend of mine has a startup in China. He told me a year ago that the law
already required his company to talk with government officials every month.
They also needed to create a backdoor API according to a well-written
specification for the government to access all the information in the
database.

~~~
TheSpiceIsLife
_well-written specification_

That may very well be the defining difference between the Chinese and Western-
governments.

~~~
astrostl
"The United States is a nation of laws: badly written and randomly enforced."
\- Frank Zappa

~~~
enraged_camel
I think "selectively enforced" is a better way to put it.

~~~
slowmovintarget
No, Frank Zappa had it best. Your words may be more accurate but his words are
better.

~~~
ekianjo
The point he was making was right. It's not randomly enforced at all, it's
enforced only when it pleases the government.

~~~
dasil003
But the government is not a single actor with agency, from the outside it
might as well be random. +1 Zappa.

------
danwakefield
Well, HOPEFULLY, the western governments pushing for exactly the same thing
might think twice now. Any breach in the Chinese system would also be
beneficial in highlighting even more flaws in the concept.

~~~
fucking_tragedy
If anything, the fact that China is doing it is evidence that we need to do it
as well to maintain national security.

~~~
jonesb6
Sure most of us disagree with what "fucking_tragedy" is saying, he doesn't
offer evidence, and it stems from a weak line of reasoning. But we shouldn't
bury it just because we disagree with it.

Even though I side with encryption, I think it's worth at least exploring the
other side's argument.

Does access to encryption give increased capability to China in such a way
that it "profits" in matters of national security / finance / etc. Or will
such a move ultimately "cost" China due to the side effects of weaker
technological infrastructure, privacy, etc?

Will it be a detriment to the United States (assuming current government
snooping laws remain the same)?

I think the answers to these, while they can be theorized and predicted, will
best be fleshed out in due time, hopefully influencing US politicians to make
the right decision.

~~~
fucking_tragedy
I'm glad that you're arguing with that particular interpretation of my comment
in good faith. It is refreshing to see.

However, what I meant to convey is this: despite the obvious problems with
such a program, the government sees value in control and centralization of the
country's secure communications. If we ignore the obvious problems with "We
have all the keys" & "Secure communication" and look to recent initiatives and
programs with similar contradictory goals, we've been told by politicians that
they were implemented because everyone else is doing it and it's necessary for
national security.

I see how nonsensical this is, but if a similar program is pushed, this is how
it would be pitched to the public.

------
lasermike026
No one outside of IT should have access to crypto keys for any reason.
Dinosaur government institutions need to get with it or go away.

Now that I'm done with that this is a critical issue. Mass surveillance is one
of the many issues of our time. Time to get to work and time to throw some
money at this.

~~~
VLM
Crypto is too easy. Yes, too easy. Its too easy to make a single master key
for a government to demand or someone to steal that unlocks everything.

In 1915 when a discovery subpoena goes out for all records relating to dumping
dioxanes in a river, the company legitimately unlocks the filing cabinet and
hands the files over. They don't get a key to the executive washroom or the
telegram private code directory (unless that was in the subpoena) or the
complete customer list or really pretty much anything but the paper files
relating to dumping dioxanes in the river.

In 2015 when a discovery subpoena goes out for all records relating to dumping
dioxanes in a river, the company freaks out because if they hand out "the"
public key then both the .gov and any .com they're affiliated with and
probably individual theives will pown every VPN they ever had and ever will,
and all their records of every sort so "oh no we can't hand over keys never to
no one".

When you look at it from that point of view, the abject failure of IT and IT
companies to properly handle encryption is by no means any reason for the
judicial legal system to be inconvenienced. In 1915 no judge would have
tolerated a response like "Well we can't give you the dioxane pollution paper
files and telegrams because then criminals would pown our company because
we're incompetent at IT"

The other part is sociological. You may hold that phone in your hand, but its
not yours, and using it is as dangerous as talking to a police officer or
government official or hacker. Its not your phone, never has been, and any
illusion to the contrary will result in tears. Ditto a site on the internet.
Government protection of privacy assumes the privacy ever existed in the first
place, which it doesn't.

~~~
jeff_marshall
The existance of "the" key is not an inherent problem in situations like this.
Instead, it speaks to poor key management practices by the people responsible
for implementing cryptography for an organization.

Consider, as an analogy, the (poor) practice of using shared passwords. What
do you do when you fire someone who had legitimate access to this password?
You have to change everything or risk a compromise of all the systems sharing
this password. Hence, the need for tools like sudo that separate
authentication (what password / auth key) and access control (what rights).

With encryption, it's similarly possible to break one big risk domain into
lots of smaller ones using things like separate trust anchors (for
authentication) or encryption keys (for access control). For example, If your
org gets served a subpeona for your financial records you can give them your
tape backups for the relevant time periods plus the necessary decryption key,
but withold the decryption key for the backups of your R&D data and the
signing key for your VPN.

------
laotzu
So basically any device manufactured in China and sold abroad should be
assumed to be rooted by the Chinese government?

~~~
VLM
And any company related to the Chinese government, which is basically all of
them. So if you make tractors and use Chinese computers to make tractors, your
Chinese competitor who makes tractors can be assumed to have full access to
your computer systems, for all practical purposes.

~~~
coldtea
[citation needed]

~~~
mahranch
Not OP, but "capitalism" in China isn't like it is in the west. The government
literally runs everything, and can demand literally anything they want from
companies. If China's government wanted Lenavo to start making blow up dolls,
that's exactly what they would do. China's government has absolute authority
and total control. People like to compare the U.S government to China's, but
these people are fedora wearing neckbeards who almost never leave their
parents basement. As someone who _has_ lived in China for a brief stint,
expecting any device built, designed and manufactured in China not to have
some sort of back door is like expecting the U.S not to spy. At this stage in
the game, it's understood and expected.

If they're requiring backdoors on technology _imported_ into the country
(source:
[http://www.theregister.co.uk/2015/03/05/obama_criticises_chi...](http://www.theregister.co.uk/2015/03/05/obama_criticises_china_tech_rules_backdoor_terrorism/)
), why wouldn't they require them on their own technology that they build
themselves? It doesn't make sense from a purely logical standpoint. Of course
they're not going to come out and admit it, but we're also starting to see
evidence of it:

Example 1: [http://www.zdnet.com/article/former-pentagon-analyst-
china-h...](http://www.zdnet.com/article/former-pentagon-analyst-china-has-
backdoors-to-80-of-telecoms/)

Example 2: [http://www.geek.com/chips/spy-agencies-shun-lenovo-
finding-b...](http://www.geek.com/chips/spy-agencies-shun-lenovo-finding-
backdoors-built-into-the-hardware-1563801/)

Example 3: [http://www.computerworld.com/article/2860742/chinese-
android...](http://www.computerworld.com/article/2860742/chinese-android-
phone-maker-hides-secret-backdoor-on-its-devices.html)

Is it really so hard to believe? Especially when the indirect evidence and
logic is so overwhelming? I'm no tin-foil hat wearing conspiracy nut, but come
on here... It's China.

~~~
coldtea
> _Not OP, but "capitalism" in China isn't like it is in the west. The
> government literally runs everything, and can demand literally anything they
> want from companies._

Well, in China the government controls the companies, in the west the
companies control the government. Sort of the same end result, with the two
being in bed with each other.

> _Is it really so hard to believe? Especially when the indirect evidence and
> logic is so overwhelming?_

Well, haven't seen anything "overwhelming" in the list. E.g. the Chinese
government had Huawei and ZTE add backdoors to their stuff. But we know that
Cisco has done the same in the west -- and the government asked other
companies to do the same thing, pressuring Apple etc. So isn't "overwhelming"
a kind of a double standard?

~~~
mahranch
> Sort of the same end result, with the two being in bed with each other.

No, not really the same at all. When the companies have all the political
power, they do what's best for their shareholders - their bottom line.
Whatever helps them acquire more profit and revenue. Here, it's all about the
money.

When the government controls the companies (As it is in China), the government
does what's best for the people in power (the government). And that usually
means doing whatever helps them hold onto or increase their power by way of
strict authoritarian rules & laws, censorship and all the indirectly related
things that go along with it.

Their goal is to keep the population under control because that means they get
to stay in power. China's biggest fear is a revolution or an uprising which is
why they're so strict when it comes to public demonstrations, censoring things
like Tienanmen square, and cracking brutally hard on rights activists and the
leaders of these "change-bringers" (Source:
[http://world.time.com/2011/02/26/chinas-fear-of-a-jasmine-
re...](http://world.time.com/2011/02/26/chinas-fear-of-a-jasmine-
revolution/)). The last and absolute worst thing that could happen to China is
a revolution. They will commit atrocities like you can't even begin to imagine
to keep that from happening.

In the west, you don't have to worry about that. Why? Because it's bad for
business. Not good for profits and not good for revenue. The best environment
for capitalism and for businesses to make the most amount of money is one of
peace (Source:
[http://www.theguardian.com/politics/2003/jan/22/iraq.economy](http://www.theguardian.com/politics/2003/jan/22/iraq.economy))

~~~
coldtea
> _No, not really the same at all. When the companies have all the political
> power, they do what 's best for their shareholders - their bottom line.
> Whatever helps them acquire more profit and revenue. Here, it's all about
> the money. When the government controls the companies (As it is in China),
> the government does what's best for the people in power (the government)._

And hopefully, in the latter case, the people. Because governments, even if
not democratic (and I'd wouldn't call that 2-party/donations/gerrymandering
system democratic either) have an interested in pleasing the population (e.g.
out of fear of revolt etc). Whereas companies mostly in maximizing profit.

> _The last and absolute worst thing that could happen to China is a
> revolution. They will commit atrocities like you can 't even begin to
> imagine to keep that from happening._

Well, the absolute worst thing that could happen to China could actually BE a
revolution. It's a huge ancient country, and it has always had its ways of
government and its tradition of mandarins/confucianism etc.

Besides, places like Libya and Iraq, where "democracy was restored" are hardly
success stories for toppling a stable system of power. China could well become
a hell-hole, and have massacres that rival the ones in the "cultural
revolution", EVEN if they manage to get rid of the ruling party easily -- the
fight for the succeeding situation could make the US Civil War look like a
Disney movie.

------
cjbprime
The bottom of this article suggests that the requirement to "hand over
encryption keys" isn't present in the bill:

[http://www.theverge.com/2015/12/27/10670346/china-passes-
law...](http://www.theverge.com/2015/12/27/10670346/china-passes-law-to-
access-encrypted-communications)

------
rinze
Write laws against the dissidence, but call it terrorism. Then you can argue
that you are just trying to get the same level of access everybody else is
asking for.

------
andrewclunn
So US companies to be forced to put back doors into products that they sell in
China. And the Chinese government DOESN'T think that the US government will
also have those keys? It's like they're asking for the US to have full access
to their sensitive data.

~~~
cmurf
U.S. has asserted that subpoenas for data controlled by a U.S. company are
valid, even if the data is stored exclusively out of the country.
[https://en.wikipedia.org/wiki/Microsoft_Corporation_v._Unite...](https://en.wikipedia.org/wiki/Microsoft_Corporation_v._United_States_of_America)

So I seriously doubt the Chinese government thinks the U.S. won't have the
ability to get those keys. But these are device encryption keys used to
encrypt data at rest on the device. This isn't a demand to escrow the private
keys used for data in transit for email and messaging; I don't know how that
works in China, i.e. the Great Firewall, if that just depends on
blacklist/whitelist sites, or if all devices are required to use a Chinese
government certificate for such communications.

------
jumpbackwards
Many countries require this

[https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...](https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom)

UK is a great example and a good place to not store any valuable data.

------
xjia
According to the original text, tech firms are only required to provide
necessary technical support in decryption, not simply handing over the keys.

[http://news.xinhuanet.com/politics/2015-12/27/c_128571798.ht...](http://news.xinhuanet.com/politics/2015-12/27/c_128571798.htm)

------
mc32
It'll be interesting to see what Apple do in this case, their having said that
they would not build backdoors for their products --but it's difficult to see
them turn away from one of their largest markets.

I'm guessing they will make concessions for the sake of market, whreas Google,
so far, has resisted that temptation.

~~~
adevine
Well, the thing about Apple's approach is that they can't hand over encryption
keys if they don't have them.

~~~
mc32
Given that impasse, they might be motivated to re-architect their services for
the Chinese market.

------
krick
I think in the most "civilized" countries for the long time already it's that
we (as whole communities) agree to the law (and the authority) either because
we don't know about it or we believe that we personally (as individuals) will
never have to actually follow it.

I wonder if we're far beyond the point when we could actually stop following
the law if it becomes bad enough and it's already virtually 1984 but we just
didn't really notice. Or if there's still some hope out there, somewhere.

~~~
DKnol
I'm terribly interested in what kind of environment "if it becomes bad enough"
specifically refers to, in your comment.

------
azevedomarti
China: We passed the law. Everyone on earth knows we are controlling the
internet. U.S.: We support freedom but due to national security, we can
control the internet without passing the law. By the way, please help us to
hunt Edward Joseph Snowden. He violates our definition of freedom and
transparency. Thank you!

------
godzillabrennus
First, I can't see this actually working out they way they want especially
with open source software designed to thrwart detection from governments using
amongst other things a form of encryption.

Second, I'm betting the US Government has enough sway to get special treatment
for American companies.

~~~
pjc50
_US Government has enough sway to get special treatment for American
companies_

I don't think they do in this case; this is why Google pulled out and Cisco
collaborate with the surveillance.

~~~
jfoutz
Although, they do probably have enough sway to get _all_ of China's keys.
Perhaps not sway, perhaps just cracking.

Nice of China to create a central repo with everything one could want.

------
netcan
I wonder if at some point in the future this will seem like a reasonable
request for IS to make?

------
robryk
So how does it apply to e.g. keys to backups of Apple devices if the device
was bought out of China and then used in China?

------
blazespin
Will Apple have to start escrowing the root key for devices they sell in
China?

~~~
ams6110
It will be interesting to see whether they value their principles more than
sales in the Chinese marketplace.

------
jijji
hahah good luck with that

------
crististm
It's time to reconsider our irrational (actually inherited) opposition to
"security through obscurity" [ * ].

In times when big brother knows you're using AES and forcibly asks you for the
keys, it makes sense to not advertise your encryption scheme at all.
Steganography.

[ * ] It actually makes more sense to enlarge the search space of an attacker
by not providing him the fixed form of a known encryption algorithm/scheme.

~~~
mindslight
The formal name for the concept is Kerckhoffs's principle. And no, it is not
time to reconsider it.

It has more to do with defining what the "key" _is_ , and is quite compatible
with steganography.

If your method is simply "cipher data", it can never have steganographic
properties.. If instead it's "two redundant-looking blobs, one random and one
AES", then you've got a leg to stand on.

~~~
crististm
You are free to stand by your principles.

I'm arguing that "security through obscurity" is not equivalent with the
"Kerckhoffs's principle" but with adding more obfuscation layers (on which
steganography may be one of them) on top of default schemes.

People who know better don't advertise their internal network topology. Nor do
they show off with their encryption schemes (they might use known schemes but
they won't tell you they do it).

~~~
mindslight
How those additional layers are defined is quite important as to their
effectiveness - do they hold up to scrutiny, or are they merely good enough to
trick their designer? Lumping effective crypto along with feel-good ad-hoc
schemes into one big category of "obfuscation" is a disservice to analysis.

I'll repeat - Kerckhoffs's principle is more about analysis than design. If
you insist on eschewing it, what you're actually doing is making it so the
"key" of your system includes the design of the system itself. And while it
intuitively seems "more key" should make the system more secure, the net
effect is the opposite as that poorly-specified "key" merely functions as a
difficult-to-analyze crutch.

Gödel basically guarantees that anybody can make a cryptosystem so secure they
themselves cannot break it. Don't be that guy.

------
ck2
I've decided I am going to say "tank man" in every China thread so their
censors will kill the page.

As horrible as many of things the US has done in the name of its citizens (and
on its citizens) one thing you'll never see happen here is internet censorship

(instead one-day some US agency will just record every page you've read, or
maybe they will have the UK do it for them, so they are technically not spying
on their own citizens)

~~~
dragonwriter
> As horrible as many of things the US has done in the name of its citizens
> (and on its citizens) one thing you'll never see happen here is internet
> censorship

Internet censorship happens in the US, though its _mostly_ in the form of
government pressure on major internet companies to remove access to disfavored
content rather than _direct_ government censorship.

~~~
ck2
Hmm, it is disfavored or illegal content originating in the US?

Because I've seen US law enforcement takedown US websites that were breaking
US laws but I've never heard of law enforcement forcing US isps block foreign
content, even if it is breaking US law. I could be wrong though and I'd like
to see an example in that case.

Maybe the government making youtube or facebook take down terrorist content,
that would be censorship I guess if the content is not technically illegal but
that's a pretty extreme example.

~~~
Dylan16807
They've taken domain names, does that count as blocking?

~~~
dragonwriter
When it is done because of content, and particularly to suppress content (as
opposed to the domain owners rights to particular content), there is a pretty
good argument that it is a form of censorship.

