21 May 2016

Chinese Security Gathering Data on Encryption Used by American High Tech Companies

PAUL MOZUR and JANE PERLEZ
May 17, 2016

China Quietly Targets U.S. Tech Companies in Security Reviews

HONG KONG — Chinese authorities are quietly scrutinizing technology products sold in China by Apple and other big foreign companies, focusing on whether they pose potential security threats to the country and its consumers and opening up a new front in an already tense relationship with Washington over digital security.

Apple and other companies in recent months have been subjected to reviews that target encryption and the data storage of tech products, said people briefed on the reviews who spoke on the condition of anonymity. In the reviews, Chinese officials require executives or employees of the foreign tech companies to answer questions about the products in person, according to these people.

The reviews are run by a committee associated with the Cyberspace Administration of China, the country’s Internet control bureau, they said. The bureau includes experts and engineers with ties to the country’s military and security agencies.

While other countries, including the United States and Britain, conduct reviews of some tech products, they usually focus on products that will be used by the military or other parts of the government that are concerned with security, and not on products sold to the general public.

The Chinese reviews stand out because they are being applied more broadly, including to American consumer software and gadgets popular in China, the people briefed on the reviews said. And because Chinese officials have not disclosed the nature of the checks, both the United States government and American tech companies fear that the reviews could be used to extract tech knowledge as well as ensure that the United States was not using the products to spy.


Ultimately, the reviews could be used to block products without explanation or to extract trade secrets in exchange for market access. Those secrets could be leaked to Chinese competitors or expose vulnerabilities, which, in turn, Chinese hackers could exploit.

Further, tech companies are concerned that the reviews could set a precedent and that other countries will follow suit, each demanding different checks that would not only be costly but also put the companies at risk of having to hand over further secrets in exchange for market access.

China and the United States have been embroiled in a quarrel about tech and security that has strained their relationship. The reviews could be a fresh sticking point, raising questions about the security of American technology and the degree to which American companies will acquiesce to Beijing’s demands for fear of being punished in a huge market still partly controlled by the state.

Chinese officials have not formally disclosed that they are conducting the reviews, and their existence has not been previously confirmed outside of rare, brief mentions in local news media.

It is not clear specifically what Chinese authorities are demanding as part of the process. There is no indication that foreign companies have provided access to highly guarded material such as source code — the digital underpinnings of software — or other commercial secrets.

One Chinese media report implied that the tech security reviews began early last year. Over the last nine months, a number of companies have been called in, the people who spoke on the condition of anonymity said.

The lack of disclosure by China’s government has made it hard for the United States government to voice its objections, and has fed concerns that China is quietly carrying out further policies to target American technology companies.

China’s Internet regulators suggested the possibility of reviews three years ago, after revelations by Edward J. Snowden, the former National Security Agency contractor, concerning surveillance escalated tensions between China and the United States over computer security.

Since then, China has quietly begun carrying out the reviews. That represents a shift in the way China manages foreign technology. Its previous efforts came through proposed new rules and other public measures that let foreign companies and governments resist.

The Cyberspace Administration of China said in a faxed response to questions that many countries carried out security reviews and that the inspections did not target any particular country or product.

China relies on American technology products, even as it has made clear that it is concerned about the security of those products. A majority of Chinese government offices, state-owned enterprises and other institutions that handle potentially secret information, like universities and research institutes, use Microsoft Windows. Most smartphones in China run software made by either Apple or Google. And the high-end computing that supports China’s banks, energy companies and military uses, in part, American-designed chips and servers.

In a congressional hearing last month, Apple’s general counsel, Bruce Sewell, said the Chinese government had asked the company to share source code in the last two years but that Apple had refused.

Apple has seen new pressure in China as regulators have shut down its iBooks and iTunes Movies stores there. Last week, Apple disclosed that it was investing $1 billion in the Chinese ride-hailing app Didi Chuxing, a move that some technology experts said appeared aimed at currying favor with Beijing.

Chinese restrictions against American companies have been a highly charged diplomatic issue. Last year, the Obama administration raised concerns about Chinese rules that trade groups said were written to wean the country’s banking industry off foreign technology. The United States also objected to an antiterrorism law that called for foreign companies to hand over encryption keys in China. In both cases China relented, temporarily scrapping the banking laws and tempering the language in the antiterrorism law.

China’s tougher tone is part of a broader challenge that governments around the world are posing to the technology industry over issues like privacy and encryption. In the United States, federal law enforcement officials have pressed Apple to help them gain access to encrypted iPhones even as the Obama administration has resisted Chinese policies that would require similar access.

Under President Xi Jinping, China has taken steps to keep tabs on technology from American companies and reduce the nation’s dependence on it.

In a speech last month, Mr. Xi outlined what he described as the two prevalent viewpoints on tech policy in China. Under one, the country would continue with an industrial policy intended to absorb technology from foreign companies and ensure products are “secure and controllable.” That phrase, companies and industry groups said, could include such measures as giving the Chinese government access to systems, providing encryption keys or handing over source code.

For foreign companies, the other option could be worse.

“One viewpoint holds that we must close ourselves off, make a fresh start, thoroughly shake off our reliance on foreign technology and rely on indigenous innovation to pursue development,” Mr. Xi said, according to a transcript of the speech. “Otherwise, we would always follow in the footsteps of others, and would never be able to catch up.”

Mr. Xi ultimately said China must find a middle ground and determine “which things can be imported but have to be secure and controllable; which things may be imported, digested and absorbed for re-innovation; which things can be developed in collaboration with others; and for which things we must rely on our own strength and indigenous innovation.”

While details on the tech reviews are scant, commentary from the state-run China Daily in 2014 suggested that companies affected could include Cisco Systems and Microsoft. Other state news media has said the reviews will prevent product suppliers from “illegally controlling, interfering in or interrupting user systems, or illegally collecting, storing, handling or exploiting information about users.”

Cisco and Microsoft declined to comment on the Chinese media statements. Apple also declined to comment.

A slide show from the China Electronics Standardization Institute, a group that carries out research on behalf of the government, makes the motivation for reviews clear. It links the reviews to concerns about China’s digital security vulnerabilities and what it characterizes as a technology gap between China and countries like the United States, Russia, Israel, Britain and Germany.

“As the world connects to the Internet, various forms of attacks and new defensive technologies are ever multiplying, bringing challenges to China’s development of a new digital industry,” the group said.

No comments: