A closer look at China’s Cybersecurity Law — cybersecurity, or something else?

China’s Cybersecurity Law (“CSL”) has been sharply criticized for its vague and sweeping language, as well as for its discriminatory impact on companies outside China. In our first post on the CSL, we provided a brief introduction to the law, including discussing how it compares with Europe’s General Data Protection Regulation. As we wrote, it’s very different from the GDPR — not only in terms of the issues it addresses but also its underlying values. It is structured to put the human rights of the people it’s supposed to protect at risk, and is flawed by design.

Below we take a closer look at the law, examining two key provisions to explore its impact on human rights: the requirement that network operators ask internet users for their real names, and the requirement that companies store users’ data locally. These provisions demonstrate the expansive scope of the law and how it can facilitate human rights abuse and increase government control of the internet.

How the law negatively impacts human rights and risks cybersecurity

Many provisions in the CSL have a direct negative impact on the exercise of human rights in China. For example, Article 50 gives the government the authority to cut off access to media platforms overseas that disseminate information that is broadly banned under Chinese laws and regulations. Article 58 empowers the government to limit internet connections when authorities see the need to “safeguard national security and social public order.” However, among the provisions, two in particular — Article 24 on real-name registration and Article 37 on data localization — stand out not only because they threaten human rights, but also because they have highly questionable value for cybersecurity. In fact, these provisions might be worse than useless for cybersecurity. They may undermine it.

Article 24 of the CSL mandates that network operators, specifically those classified as providers of publication/messaging systems, register users under their legal name; and if an individual fails to provide a real name, the individual cannot get access to services. This type of policy is typically used to “encourage” people to self-censor before they speak out online. That is China’s intention here. According to an official government press outlet, Xinhua News, the policy is intended to ensure a safe, good-faith environment online since publishing under their own names would make Chinese netizens more cautious about what they say.

This is an attempt to deprive people of anonymity, an important safeguard for fundamental human rights. The capacity for anonymity is critical for innovation and economic growth and necessary for freedom of expression. Real-name registration facilitates government surveillance of people’s online activities, and it undermines the right to privacy in a way that is inherently disproportionate.

Within Article 37 is the requirement that critical information infrastructure operators store personal information and important data domestically, with “security assessments” necessary to transfer any such data abroad. This practice is known as data localization. Governments promote this type of requirement as a way to keep data out of the reach of foreign governments and ensure that the information is better protected. Lawmakers relied on a similar rationale in Russia, which has passed its own data localization law. While data localization might seem like a way to provide security, in practice it has typically been used to increase government monitoring of people’s online activities. The impact of a policy like this is even worse in countries with a record of human rights violations — like China.

Both provisions are dangerous, and policies of this kind have a track record internationally of undermining human rights. They also weaken cybersecurity. To protect data, you minimize collection and storage (“data minimization”), collecting no more than is necessary to provide a service. Data minimization is a global best practice for cybersecurity: the less information you hold in a database, the less you must protect. Real-name requirements mandate that private actors hold more — not less — personal information. In South Korea, for example, the real-name registration mechanism attracted bad actors seeking access to people’s private information. The South Korean Constitutional Court has since struck down the requirement because it undermined freedom of expression without showing value for the public interest.

Similarly, when governments require companies to store data locally, it can prevent adoption or use of “database sharding,” one of the best security tools and practices. With sharding, a database is designed to store data redundantly in multiple locations. Google and Microsoft already engage in this practice as a way to increase security and efficiency, and to offset the risks of regional failure. Further, as a practical matter, data on the internet often flows beyond national borders, and keeping it in one place is not necessarily safer. With current operational security practices, which have already resulted in multiple massive data leaks, localizing data without deploying the necessary protections will make cybersecurity in China worse, not better. Moreover, as the documents revealed by Edward Snowden showed, no matter where data are stored, intelligence agencies or sophisticated hackers can still find ways to target or even tamper with them.

As you can see, Articles 24 and 37 have little connection to cybersecurity, yet they undermine important human rights protections. The Chinese government may seek to promote cybersecurity through these requirements, but in practice they deliver the opposite, while threatening online speech.

In context, these provisions are even more chilling

These concerns become even deeper if you look at Articles 24 and 37 in the context of other provisions in the CSL. For instance, Article 48 requires private companies to censor expression and report people to the government if they publish or disseminate “illegal” content. Real-name registration would allow the government to identify and quickly arrest the person who creates vaguely defined “illegal” posts. And with the real-name information, the government could also quickly associate this person with posts on other websites, especially with the help of Article 28, which requires network operators to provide technical support and assistance to government agencies for national security or crime investigation purposes. “National security” will be defined under the National Security Law (NSL), which encompasses a broad range of issues, including finance, energy, and food. Together, these laws give the Chinese government extremely broad authority to take action in response to published content.

What are the implications for China and a healthy internet?

This troubling approach to cybersecurity is not limited to China. Around the world, governments are passing similar laws in an attempt to tighten their control over information. Zimbabwe, for example, just opened the Ministry of Cyber Security, Threat Detection and Mitigation in what appears to be an effort to curtail online speech.

This is the wrong direction for laws meant to keep the internet secure. Cybersecurity and cybercrime frameworks should enhance the internet as a societal platform for communications while protecting human rights. When “cybersecurity” is used to suppress human rights, it causes profound damage to the internet as a vehicle for free expression, which in turn threatens an innovative, vibrant — or, to use the term employed by Xi himself, “healthy” — society.

Burdensome surveillance and practices that create security risks not only undermine human rights but can harm China’s economic successes. In order to achieve a truly “healthy internet,” Chinese leaders should review the CSL and related laws, and implement a stand-alone data protection law that adequately safeguards people’s rights. China and other countries should reconsider policies like real-name registration and data localization, not just to enhance the security of the internet and preserve human rights, but also to ensure society’s overall health and progress.