Global technology suppliers will soon face a new hurdle when selling their products in China: a requirement to disclose details of the computer encryption used in their products, along with other trade secrets.
Starting Saturday, the Chinese government will require vendors in several product categories to comply with the rules in order for them to be able to sell to government agencies.
The new rules cover 13 technologies, including firewalls, routers, smartcards, database security tools, as well as anti-spam and network intrusion detection products. Under the new requirement, vendors who sell these products to government purchasers will need to first get them tested and certified by China's Certification and Accreditation Administration (CNCA), a process that involves their sharing encryption key codes.
The information security testing and certification requirement was first proposed in 2008 by China's General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ). Initially, the rule was supposed to go into effect last May and to apply to all sales of the covered products in China, not just those to government agencies. But following protests from the US and the European Union, the implementation deadline was pushed back a year, and the requirement was narrowed to cover only sales to government agencies.
Officially, at least, the rule is not really about encryption, said Christopher Cloutier, an associate partner with law firm King & Spalding's intellectual property practice group. Rather, it is about certifying certain information security and technology products to China's Compulsory Certification System (CCC) mark, Cloutier said. The CCC mark is a quality certification standard that is applied to a wide range of products sold in China. The standard is overseen by the CNCA and AQSIQ.
While on the surface the requirement is about quality, the fact that it touches upon sensitive encryption technologies could mean other motivations, Cloutier said.
"If I were a foreign-based producer of products with encryption, I would be very reluctant to give all my secrets to the government of China," he said. "So now they have an excuse to buy only Chinese-origin technologies," Cloutier said. The new requirements "feed into a sort of growing nationalism and assertiveness in China to openly favour Chinese companies versus foreign ones," he said.
Foreign vendors covered under the new requirement will face a difficult choice, Cloutier maintained. "They either decide to sell to the government of China, or to everyone else," he said.
"Let's say you make a particular product and you have encryption in it and you sell it to the government of China," Cloutier said. That fact could well influence purchasers outside of China who might be concerned about the security of that company's encryption technologies, he said. "If you sell to the government of China you've got to tell them how the stuff works," and that could be off-putting to other customers, Cloutier said.
There is also concern that sharing encryption technologies with China will enhance Beijing's Internet monitoring and surveillance capabilities and result in the information being leaked to Chinese rivals.
An Intel spokesman said the regulations have "some very specific applications not related to our business." Even so, the company has been working closely with the Information Technology Industry Council on the issue, the spokesman said without elaborating. The Washington, D.C.-based ITI is a trade association for high-technology companies.
Vendors Symantec, Cisco Systems and Gemalto did not immediately respond to requests for comments.
Harmon Nkenge, a spokeswoman for the US Trade Representative's office, said US officials are continuing to press China to address the concerns of foreign governments and industry before implementing the new testing and certification requirement.
"In April 2009, China agreed to significantly reduce the scope of its planned information security testing and certification rules after the United States and other trading partners expressed serious concerns about the scope and content of the rules," Nkenge said in an email. "We were pleased with that decision," she added.
It seems unlikely at this point that the Chinese government will push back the implementation deadline or further reduce the scope of the requirement, Cloutier added.
Bruce Schneier, a noted cryptographer and chief security technology officer at BT, predicted that some US companies will comply with the new rules. "Some companies will, and some won't," Schneier said. "There are US companies that sell shock batons to foreign governments [so] features that enable surveillance are much easier to justify," he said.
China's requirement that vendors disclose their encryption codes to the government is not entirely without precedent. The Clinton administration in 1993 floated the idea of a "key escrow" in connection with the Clipper chip data encryption technology. The Clipper Chip technology was developed by the National Security Agency and proposed by the government as a way to standardise encryption technology in the US.
Under the proposal, vendors who implemented the Clipper encryption technology in their products would have been required to hand over the decryption keys to the government, which would keep them in escrow and use them to decrypt communications if there was a valid legal need for it.
That proposal failed to take off after vigorous protest from privacy groups, which said the technology and the key escrow scheme would allow the government to expand domestic surveillance.