Proposed Chinese security law could mean tough rules for tech companies

China apparently wants to one-up the U.S. and the U.K. when it comes to urging technology companies to install security backdoors and break their encrypted documents and user communications in the name of national security.

Reuters reported on Friday that a newly proposed Chinese counterterrorism law calls for technology companies to turn over encryption keys to the Chinese government, allow for ways to bypass security mechanisms in their products, require companies to store user data and maintain servers in China, and remove any content that the country deems supportive of terrorists.

China is expected to adopt the draft legislation in the “coming weeks or months,” according to the report. The proposed law follows a set of banking security rules that the Chinese government adopted in late 2014 that requires companies that sell both software and hardware to Chinese financial institutions to place security backdoors in their products, hand over source code and comply with audits.

The Reuters report cited several anonymous executives of U.S. technology companies who said they are more worried about this newly proposed law than about the banking rules because of its connection to national security. The laws are reportedly worded in a way that leaves them open to interpretation, especially in regard to compliance with Chinese law enforcement, which has some executives fearful of “steep penalties or jail time for non-compliance.”

The newly proposed law follows recent news that China has been angered by U.S. intelligence-gathering operations revealed in the leaked Edward Snowden NSA documents and by allegations from the U.S. government that members of China’s People’s Liberation Army used cyber espionage tactics to steal business trade secrets. China apparently does not take those allegations kindly; instead, the country claims that products sold in China by U.S. technology companies pose security concerns.

If there’s one thing China, the U.S. and the U.K. can all agree upon, however, it is that companies should not be using encryption to mask user communications. If companies do use the technology, governments want those companies to hand over their encryption keys in case law enforcement or government investigations warrant it.

Attorney General Eric Holder and FBI Director James Comey have made public their displeasure with how encryption supposedly makes it easier to hide the activities of criminals. However, a recently leaked document from the Edward Snowden NSA data dump showed that some U.S. officials believe encryption is the “[b]est defense to protect data.”

Report: China wants backdoors in imported tech, but only its own

Western companies are doing big business in China, but storm clouds lie on the horizon. According to a New York Times report, new banking security rules approved in the People’s Republic at the end of 2014 require those selling hardware and software to Chinese banks to install backdoors for the benefit of Chinese security services.

The rules also state that companies must “turn over secret source code [and] submit to invasive audits.” While seriously problematic for many firms, this element isn’t particularly surprising.

In the wake of Edward Snowden’s NSA revelations and the U.S.’s indictment of Chinese army officials for industrial espionage, China’s authorities have repeatedly implied that U.S. products are themselves a threat to national security, because they track users and/or may contain NSA backdoors. Reports in May 2014 suggested that China was considering banning banks from using IBM servers.

On the consumer side, Apple for one has already reportedly agreed to let China’s security services screen its products to ensure their safety. However, many firms may find this demand impossible to meet, due to intellectual property and security concerns.

Of course, the U.S. is also pushing companies dealing in communications devices and services to install backdoors for its own intelligence and law enforcement purposes. Both administrations – and that of the U.K. – want firms such as Apple to hand over a key to users’ private communications, even though the companies have recently been moving to a more secure end-to-end encryption model where they don’t hold any keys. This is effectively a backdoor demand, though authorities generally prefer to call it “lawful intercept.”

Draft Chinese anti-terrorism laws are pushing for the same thing. This is one of the many problems with official policies that undermine genuinely strong encryption: in a globalized trade context where your nation’s companies want to make money in foreign markets, it is optimistic to think that backdoor privileges can be reserved for your own security apparatus alone.

However, the Times piece talked about China’s new banking regulations forcing equipment makers to build in “ports” for official monitoring purposes. This is where things get really complicated: the rules may require companies to create special versions of their products for China, and U.S. tech firms and the Chamber of Commerce are reportedly anxious that the move may be protectionist in nature.

This Change.org petition response shows how much Uber has changed

Uber has just responded to a group of Change.org petitioners protesting Uber’s background check policies in India, following the alleged rape of a passenger by a driver with an assault record. After the petition reached more than 63,000 signatures, Uber India safety lead Deval Delivala wrote a 600-word apology, explaining the steps the company is taking to improve its driver vetting process in the country.

Thursday night, the company said it will start doing its own background checks on drivers, instead of relying on government certification programs to vet the drivers adequately.

Six hundred words might not seem long to the average person, but by Uber’s standards this is a humble-pie manifesto. It far exceeds the length of the apologies or safety explanations Uber has sent to media in the past. I realized when rereading my old stories on Uber that it’s a complete 180 from the company’s response to assault incidents in 2013.

In the Change.org apology, Delivala covered everything from Uber’s reaction to the alleged rape (it was a “deeply sobering reminder that we must always be vigilant”) to what it taught Uber about background checks in India. She explained how the company is trying to strengthen its system, through things like a document verification system and an incident response team. She finished up with a bold promise: “We will repay [your] support with action and live up to the trust that you have placed in us.”

It may just be lip service, but it’s a new, refreshing kind of lip service. As recently as September, Buzzfeed found that Uber sent media the same two-sentence response to any situation involving passenger safety, whether a rape, an assault, or a pedestrian injury. During one of Uber’s biggest scandals, when an executive threatened to dig up dirt on journalists, CEO Travis Kalanick famously issued a 13-part tweet apology with very little apology actually included. After the rape of an Indian passenger in December, he published a blog post that was only 100 words long.

These may be inadequate responses to terrible incidents, but they’re still far better than Uber’s old way of dealing with safety issues. In 2013, Uber used to claim it wasn’t responsible for its passengers’ safety. It didn’t think it was culpable for the actions of drivers or passengers on its platform (much like Facebook wouldn’t be responsible if one user threatened another on the site). Uber’s then-spokesperson told me that point blank after an SF driver hit a passenger. He said, “We’re not law enforcement…If law enforcement pursues this, we would cooperate. But we’re a technology platform that connects riders and providers, so it’s not our job to investigate.”

The Change.org apology shows how far the company has come. It still has major ethical issues and PR tactics to iron out, but at least it has started accepting responsibility for the incidents that occur through its service.

Do our phones need a kill switch?

A political fight is brewing between local politicians and the mobile carriers about whether every phone should include a kill switch. The wrong people are having the argument.