BEIJING/WASHINGTON (Reuters) - China is weighing a far-reaching counterterrorism law that would require technology firms to hand over encryption keys and install security “backdoors”, a potential escalation of what some firms view as the increasingly onerous terms of doing business in the world’s second largest economy.
A parliamentary body read a second draft of the country’s first anti-terrorism law this week and is expected to adopt the legislation in the coming weeks or months.
The initial draft, published by the National People’s Congress late last year, requires companies to also keep servers and user data within China, supply law enforcement authorities with communications records and censor terrorism-related internet content.
Its scope reaches far beyond a recently adopted set of financial industry regulations that pushed Chinese banks to purchase from domestic technology vendors.
The implications for Silicon Valley companies, ranging from Microsoft to Apple Inc, have set the stage for yet another confrontation over cybersecurity and technology policy, a major irritant in U.S.-China relations.
“It’s a disaster for anyone doing business in China,” said one industry source. “You are no longer allowed a VPN that’s secure, you are no longer able to transmit financials securely, or to have any corporate secrets. By law, nothing is secure.”
The Obama administration has conveyed its concerns about the anti-terrorism draft law to China, according to a U.S. official.
Although the counterterrorism provisions would apply to both domestic and foreign technologies, officials in Washington and Western business lobbies argue the law, combined with the new banking rules and a slew of anti-trust investigations, amount to unfair regulatory pressure targeting foreign companies.
“The true test will come with implementation,” said Scott Kennedy, the Director of the Project on Chinese Business and Political Economy at the Center for Strategic and International Studies in Washington.
“Given the recent spate of AML-related (anti-monopoly law) cases against foreign firms, the regulations about the banking sector, and the reduction of foreign firms’ products on government procurement lists, there is good reason for foreign firms to be highly concerned,” Kennedy said.
To be sure, Western governments, including in the United States and Britain, have for years requested tech firms to disclose encryption methods, with varying degrees of success.
Officials including FBI director James Comey and National Security Agency (NSA) director Mike Rogers publicly warned internet companies including Apple and Google late last year against using encryption that law enforcement cannot break.
Beijing has argued the need to quickly ratchet up its cybersecurity measures in the wake of former NSA contractor Edward Snowden’s revelations of sophisticated U.S. spying techniques.
In December, China’s banking regulator adopted new rules that outlined security criteria that tech products in 68 categories must meet in order to be considered “secure and controllable” for use in the financial sector, according to a version of the regulations seen by Reuters.
To attain the designation, source code powering operating systems, database software and middleware must be registered with the government if they are not domestically developed.
U.S. Trade Representative Michael Froman issued a statement on Thursday criticizing the banking rules, saying they “are not about security – they are about protectionism and favoring Chinese companies”.
“The Administration is aggressively working to have China walk back from these troubling regulations,” Froman said.
A U.S. official confirmed a letter was sent by Froman, America’s top trade negotiator, and other senior officials to Chinese counterparts expressing their concerns.
James Zimmerman, Chairman of the American Chamber of Commerce in China, said the latest rules, if implemented, would likely limit opportunities for U.S. companies, but could also backfire on China.
“One unfortunate consequence of over-broad anti-terrorism policies is to potentially isolate China technologically from the rest of the world, and the end result of that may be to limit the country’s access to cutting-edge technology and innovation,” Zimmerman said.
But several U.S. technology executives and industry sources who spoke on condition of anonymity said they feared the security law would be more stringent than the bank regulations – and more sensitive to discuss - because it was rooted in public security considerations.
The vague, open-ended requirements for cooperating with law enforcement appeared the most worrying, as well as the possibility of steep penalties or jail time for non-compliance, according to one executive.
“It’s the equivalent of the Patriot Act on really, really strong steroids,” said one U.S. industry source, referring to the anti-terrorism legislation enacted under the George W. Bush administration following the Sept. 11, 2001, attacks.
The National People’s Congress did not respond immediately to a request for comment.
Apple and Google declined to comment on the proposed law, while Microsoft was not immediately available for comment.
China is drafting the anti-terrorism law at a time when Chinese leaders say the country faces a serious threat from religious extremists and separatists. Hundreds of people have been killed over the past two years in the far western region of Xinjiang in unrest the government has blamed on Islamists who want to establish a separate state called East Turkestan.
Writing by Gerry Shih in Beijing; Additional reporting by Paul Carsten and Matthew Miller in Beijing and Joseph Menn in San Francisco; Editing by Alex Richardson