Proposed Chinese security law could mean tough rules for tech companies

China apparently wants to one-up the U.S. and the U.K. when it comes to urging technology companies to install security backdoors and break their encrypted documents and user communications in the name of national security.

Reuters reported on Friday that a newly proposed Chinese counterterrorism law calls for technology companies to turn over encryption keys to the Chinese government, allow for ways to bypass security mechanisms in their products, require companies to store user data and maintain servers in China, and remove any content that the country deems supportive of terrorists.

China is expected to adopt the draft legislation in the “coming weeks or months,” according to the report. The proposed law follows a set of banking security rules that the Chinese government adopted in late 2014 that require companies selling software or hardware to Chinese financial institutions to place security backdoors in their products, hand over source code and comply with audits.

The Reuters report cited several anonymous executives of U.S. technology companies who said they are more worried about this newly proposed law than about the banking rules because of its connection to national security. The laws are reportedly worded in such a way as to be open to interpretation, especially in regard to compliance with Chinese law enforcement, which has some executives fearful of “steep penalties or jail time for non-compliance.”

The newly proposed law follows recent news that China has been angered by U.S. intelligence-gathering operations revealed in the leaked Edward Snowden NSA documents, and by allegations from the U.S. government that members of China’s People’s Liberation Army used cyber espionage tactics to steal business trade secrets. China rejects those allegations and instead claims that products sold in China by U.S. technology companies pose security concerns.

If there’s one thing China, the U.S. and the U.K. can all agree upon, however, it is that companies should not be using encryption technology to mask user communications. If companies do use such technology, governments want them to hand over their encryption keys in case law enforcement or government investigations warrant it.

Attorney General Eric Holder and FBI Director James Comey have made public their displeasure with how encryption supposedly makes it easier to hide the activities of criminals. However, a recently leaked document from the Edward Snowden NSA data dump showed that some U.S. officials believe encryption is the “[b]est defense to protect data.”

NSA, GCHQ reportedly stole mobile network encryption keys

Private information protected by the little SIM card in your handset might not be so private after all. Based on new documentation from former NSA employee turned whistleblower Edward Snowden, The Intercept is reporting on a state-sponsored theft of encryption keys from Gemalto, a company that makes 2 billion SIM cards annually.


According to The Intercept’s report, the U.K.’s GCHQ, working with the U.S. National Security Administration, was behind the hack on Gemalto, obtaining the keys for the government agencies by infiltrating the company.

What exactly does that mean to individuals and their privacy? Quite a bit, The Intercept said:

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

Snowden’s documentation suggests for the first time the formation of a Mobile Handset Exploitation Team (MHET), with the purpose of seeking ways to gain access to handsets and cellular communications. This would allow the agencies to decrypt cellular communications without the knowledge of either private citizens or the cellular network providers, and without requiring a court order.


In short, such a situation removes the potential for any semblance of privacy for individuals using default smartphone services.

Any data stored on a SIM card, including contacts or saved messages, could be at risk of harvesting, but that’s just the tip of the iceberg. Mobile phone communications could be harvested in bulk and later decrypted by the agencies, so it’s not just a “real-time” communications problem.

Essentially, then, with these encryption keys compromised, I don’t see how carriers can effectively guarantee privacy on their networks, depending on how widespread the theft really is.

And that points to the core of the problem: with clandestine acts such as this, do we even know whether we have all of the information on the agencies’ activities? It’s unlikely at best, and extremely concerning.

In light of the report, Gemalto has provided the following email statement to Gigaom:

“In the digital world we all live in, Gemalto is especially vigilant against malicious hackers and of course has detected, logged and mitigated many types of attempts over the years, and at present can make no link between any of those past attempts and what was reported by The//INTERCEPT. We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated technique to try to obtain SIM card data. From what we gathered at this moment, the target was not Gemalto, per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible. There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasizes how serious cyber security is in this day and age.”

This post was updated at 1:16pm with Gemalto’s statement.