Published by The Lawfare Institute
in Cooperation With
The Chinese government is operationalizing President Xi Jinping’s concept of cyber sovereignty and implementing the country’s new Cybersecurity Law. Four regulations issued since late August show the leadership’s approach to data privacy and security online. The regulations require real-name identity registration (实名制 or 身份信息认证) and the establishment of a digital social credit or rating system (用户分级管理制度) for Internet use.
Reuters writes that the changes can be understood as Beijing tightening control over information dissemination ahead of the 19th Party Congress (the gathering of top leaders that takes place every five years; the next convention is set for October 18). Tech Crunch says this is a sign that Beijing is becoming more stringent about censorship.
While top-down censorship rules are certainly major components, there is a bigger story here, with implications likely to be felt long after the Party Congress closes. These moves are part of sweeping efforts by Xi’s administration to strengthen China’s system of cyber governance and to expand the legal framework for control over all data, networks and information content. China is pushing ahead with its own internet model, where the space for anonymity online is rapidly eroding, and data collected from a single digital identity is feeding into a vast government scoring system that reaches into all aspects of life.
Four new rules for identity registration and social credit online
In a recent two-week span, the Cyberspace Administration of China released four overlapping regulations that apply to all online interactions. That means all internet forums, message boards, group chats, and news comment threats. They are summarized in the chart below:
|Aug. 25, 2017||Internet Forum Service Management Regulation (互联网论坛社区服务管理规定)||Article 8 states that users should be denied service if they do not register under their real identities for online forums and message boards.|
|Aug. 25, 2017||Internet Thread Comments Service Management Regulation (互联网跟帖评论服务管理规定)||Article 9 requires real name registration to post comments, reply, and other interaction online for news and social media. It also calls for companies to create a credit system where users will receive ratings that determine their scope of service. The central government will also keep a credit file on users.|
|Sept. 7, 2017||Internet User Public Account Information Services Management Regulation (互联网用户公众账号信息服务管理规定)||Article 6 requires that internet users provide their organization, national identity documents and mobile phone numbers or be denied service. Companies must also set up credit rating systems tied to user accounts.|
|Sept. 7, 2017||Management Rules of Internet Group Information Services (互联网群组信息服务管理规定)||Articles 6 and 7 require real identity registration for users and the establishment of credit ratings for internet chat groups, and they make internet group owners liable for violations.|
In each provision, the regulations call for “foreground voluntary name, background real name” (前台自愿，后台实名). This means that users can still choose a screen name for display on the internet, or even appear anonymous, but their identity information will be stored with the Ministry of Public Security. Advocates of the system argue that the data is more secure with the government ministry than within company storage platforms.
Will the government enforce the new rules?
The government is more likely to enforce the requirements than in the past. This is not the first time that Beijing has tried to set up real-name registration for internet use, but these measures appear to have more teeth than earlier efforts. These rules have a powerful institutional backer: the Cyberspace Administration of China (CAC). The regulations also flesh out the real-name registration requirement in the new cybersecurity law. Real-name registration could become low-hanging fruit as the government tries to show progress with the new law as it struggles with more complex, politically contentious issues such as securing critical information infrastructure.
Chinese internet companies including Tencent and Alibaba are probably not going to push back, as they did with other controversial aspects of the cybersecurity law, such as restrictions on cross-border data flows. In fact, both companies put forward their own proposal for real-name registration in 2014.
So far the only public challenge to the regulations has come from citizens who are online group chat owners threatening to delete all of their group chats in protest to being held legally liable. But the government does not appear concerned; the only response came from an administrative law think tank essentially restating the content of the new requirements.
Why do the new rules matter?
The rules explicitly make companies and anyone who could fall within the broad category of an internet group “builder” or “manager” responsible for ensuring information security and content. This is in keeping with long-standing Chinese efforts to augment technical monitoring and censorship systems with user self-censorship; the trend has been to push responsibility toward the end user.
A significant development with these rules is that they also lay the foundation for the government to aggregate all online data on individuals (financial transactions, behavior, social network) to feed into a vast credit system, which already plays a part in determining people’s access to loans, education, travel and even such everyday activities as restaurant bookings. As Stanley Lubman explains, “playing many hours of video games triggers a lower credit score, while purchasing diapers earns points for responsible behavior.”
Before the new regulations, a piecemeal “social credit system” existed on major payment platforms such as Alipay and WeChatPay and as a government experiment in select cities (with a plan for full implementation by 2020). The new regulations are an important step toward making the social credit system a national reality.
What is driving this?
The moves are much more than a clampdown in the run-up to the October Communist Party Congress, though the meeting adds urgency to their deployment. At their root, the measures are a fresh attempt, with the guidance of President Xi’s speeches, to yet again mobilize the bureaucracy to rein in the internet in China and to ensure that the Communist Party can monitor and control technological developments that allow individuals and groups to communicate outside established media channels. Xi’s speech on July 26 (known by some as the “726” speech) stressed that the internet is a “double-edge sword” that can allow “hidden negative energy” to become the “biggest variable” impacting governance and social stability. This variable must be minimized, he suggested. Xi has cast the internet as the main battlefield in the domain of ideological struggles. Hence the need to ensure the “orderly” development of major platforms such as WeChat. This thinking is the backdrop for the release of the recent regulations, all within a legal framework undergirded by the far-reaching Cybersecurity Law that combines provisions on cybersecurity, digital/data economy (informatization), and media content into a single package in a way no other country has been willing or able to do. The law’s three areas of emphasis will be the focus of enforcement efforts in coming months.
Since the Arab Spring uprisings a few years ago, Beijing has been sensitive about the potential for internet applications that are difficult for authorities to monitor being used for discussions that could lead to organized action on the streets. Harvard’s Gary King has highlighted the censorship reaction rooted in concerns that online chatter around sensitive topics could morph into action. Legally mandating visibility into chat rooms and pushing censorship responsibility down to chat owners ensures that the regime does not lose control over popular online platforms.
Since China’s Cybersecurity Law took effect June 1, much attention has focused on content provisions, primarily outlined in related regulations such as the Internet News Information Service Management Regulations and the Regulations for Internet Content Management Administration Law Enforcement Procedures. The Ministry of Public Security appears to have taken the lead during this period, published the first (lengthy) list of enforcement actions in late August; most involved violations of the content regulations. This enforcement effort can be understood as part of the run-up to the Communist Party Congress, but the systems being put in place, including the real-name registration provisions, should be seen as a long-term effort to ensure that no online domain remains free from oversight. Key bureaucracies such as the Public Security have been able to show they are acting to enforce the Cybersecurity Law, but major and more politically difficult aspects remain unsettled. Enforcement actions over cybersecurity reviews of network products and services (the government released a separate list defining what exactly falls in the scope of the law) and cross-border data transfers will take longer.
Real-name registration tightly linked to the Social Credit System
Beijing has been ratcheting up efforts over the past decade to force internet users away from anonymity online. Requiring real-name registration to conduct such everyday activities as buying mobile SIM cards and using internet cafes has greatly diminished anonymity in cyberspace The efforts have been aided by technological developments and the advent of what are essentially mobile operating systems such as Tencent’s WeChat and widely used mobile payments systems including WeChatPay and Alipay. These payment systems are tied to bank accounts, which require a valid cellphone number, national ID and other personal information. With more than 963 million registered on WeChat, it’s clear that most Chinese are already conducting online activity in their real names. Browsing can still be done anonymously through a variety of tools, but real-name requirements for comments and other online activities have vastly narrowed the potential scope of anonymous activity online in China.
The growing power of the Social Credit System to determine citizens’ ability to conduct activities online is also reducing the capacity for online anonymity—which has all but disappeared in China. Many if not most users have welcomed the system, as China hadn’t previously had a widely used system for establishing credit-worthiness. The Social Credit System requires real-name information attached to the data it captures so that an individual’s creditworthiness, from social/political and economic vectors, can be aggregated in the system’s vast databases. On one level, the system functions not much differently from the types of data aggregated by large Western digital platforms. But because Western users are not tied to a single, all-powerful mobile payments platform, they do not think about their personal data being aggregated by one platform (an option many in the West would protest). Users’ preference for maintaining some anonymity and personal data privacy in many countries will be an interesting test for companies such as Tencent and Alibaba as they expand globally.
Industry-government relationships in China’s data privacy regime
A key question is how Chinese companies and the government will work together in sharing data and enforcing credit systems. Companies such as Alibaba, JD.com, Baidu and Tencent could refuse to turn over data. In the first legal case in China ever on data privacy and security, Ali Cloud (Alibaba’s cloud service provider) lost a lawsuit in which it refused to turn over its users’ data. A gaming company had asked Ali Cloud to delete content on its cloud service platform involving an alleged infringement. Ali Cloud refused to do so without user consent or legal authorization. The court ruled for the gaming company. Senior Ali Cloud executives issued statements after the ruling saying that users’ data privacy is a top priority. Although Ali Cloud lost, some media reports urged Ali Cloud to appeal and likened the case to Apple's refusal to comply with U.S. government requests to unlock an iPhone of a suspect in a domestic terrorism case.
Meanwhile, some Chinese internet companies are experimenting with their own credit systems and may be sharing data with the government. How these dynamics are playing out needs to be clarified.
How Different Is China’s Push for Real-Name Registration?
Beijing’s effort, accelerated under Xi, to eliminate anonymity online in the name of cybersecurity appears to be one of the Communist Party’s most well-organized activities, legally and bureaucratically. There have been attempts outside of China to reduce anonymity from the top down, but in advanced societies such as Europe and the United States, the process has been bottom-up, with major players such as Facebook attempting to impose real name registration by making users verify their identities, and with commercial activity driving more real-name use across online applications. Much online anonymity has been driven to the dark web, through networks such as Tor, which has long been blocked by China.
However, some in China perceive the U.S. as also taking a state-led approach. One Chinese scholar writes that “even though the U.S. does not have formal legislation that requires real name registration on the Internet, its advanced Internet monitoring technology has long achieved the effect of a real-name system.”
The China and Estonia Approach to Cybersecurity
China is not the only government attempting, from the top down, to eliminate online anonymity. But it’s not just authoritarian governments such as Russia that are embracing some aspects of the China internet model.
Estonia, for example, has built an online system based on the principle that true cybersecurity in a digital world is not possible with anonymity. Former president Toomas Ilves, whose government laid the groundwork for Estonia’s cybersecurity efforts, writes that “the key to all online security is a secure online identification system...a nebulous fear of an imagined Big Brother prevents citizens in many places from adopting a smart-chip-based access key that would afford them secure online transactions.”
It is at least worth recognizing that China’s approach has some similarities with that of Estonia. That said, what Ilves calls “an imagined fear” of a Big Brother is a very real consideration of life under the Communist Party of China. The differing political systems mark important differences in the two countries’ online efforts.
South Korea also attempted real-name registration in 2007, implemented in an attempt to combat cyberbullying, before a court said it restricted freedom of speech. Chinese media blamed the failure of the South Korean effort on the fact that the government could not guarantee user data security since it resides with private companies. The scholars argue that in China, user data would be secure since it resides with the government ministry.
Special thanks to Jennifer Meng for invaluable research assistance.