Companies and individuals using the Web in China should carefully read the Caixin article from 25 January, “Beijing Says Multinationals Need Not Fear VPN Crackdown.” Just in case it is dropped later, some key points, albeit not the entire article, are extracted further below. One line reads: “…foreign trade companies and multinationals that require such private services can turn to officially authorized offerings, adding the new action ‘won’t have any impact on their general business.’”

Individual computer users in China have employed Virtual Private Networks (VPNs) for years to “tunnel” under the so-called Great Firewall. Evading official censorship of the Web, users can access forbidden fruit such as Facebook, certain rude pages on Wikipedia, and uncouth videos on YouTube.

Mobile phone user's conversation is overheard with a cartoon version of "eavesdropping software" [qieting ruanjian, 窃听软件]

Chinese working in foreign firms value another, seemingly more anonymous way around censorship: the internet gateways provided by their employers, who tend to (correctly) become nervous that users will access the hard stuff: political dissident websites, banned religious material, and so on.  These are items that can quickly land a viewer in prison, ruin employee-company relations if mishandled, and cause intense official scrutiny of a firm and its network.

The developing situation raises the question of whether the PRC is attempting to channel VPN users into a few services that can be more easily monitored for communications intelligence of interest to authorities.

If clear violations of law were all the watchers sought to isolate, this would be less worrisome.  However, the current administration follows, in the phrase coined by David Shambaugh, a “hard authoritarianism.” Current policies strongly contrast with the previous, more relaxed period (1992-2008): an intensified crackdown on all forms of dissent since 2009 has been accompanied by increased restrictions on use of the internet and social media.[1]

Because China’s current leadership is so concerned about the imagined intersection between internal dissent and “foreign hostile forces,” foreigners and foreign companies in China now have reason to be ever more cautious about their use of electronic systems connected to the Web.  Companies should reexamine policies to ensure their people and assets are not subject to unacceptable risk in this dynamic period.


p.s.: A knowledgeable observer noted this week that companies in China are required to use SEMB*-approved IPsec (Internet Protocol Security), which has been “back-doored” by the host government (Thanks J.).

* SEMB = the China State Encryption Management Board, also known recently as OSCCA, the Office of State Commercial Cryptography Administration.

Excerpt from the Caixin 25 January article:

The Ministry of Industry and Information Technology (MIIT) announced the crackdown on its website on Sunday, outlawing dozens of popular VPN services that help web surfers get around China’s blockage of sites that address sensitive topics. Such services enable access to blocked sites by routing requests that originate from the Chinese mainland through servers located elsewhere.

The MIIT’s “rectification campaign” will run until March 2018, according to the original notice.

The move raised concerns that some multinational organizations might lose access to their VPNs, which are needed in China to view pages on services like Google’s search engines and news sites like Reuters, Bloomberg and the New York Times, and on social networking sites like Facebook and Twitter.

Addressing those concerns, the MIIT issued a follow-up statement on Tuesday in a question-and-answer format discussing the reasons for the crackdown and what it hoped to achieve through the campaign.

The statement said the crackdown is aimed at service providers that have not been approved by the ministry, including companies and individuals who were unauthorized to offer international telecom services. China tightly regulates such services, which are mostly confined to the nation’s three big state-run carriers — China Mobile, China Telecom and China Unicom.

It said foreign trade companies and multinationals that require such private services can turn to officially authorized offerings, adding the new action “won’t have any impact on their general business.”

[1] David Shambaugh, China’s Future (Cambridge: Polity, 2016), pp. 115-120.