China’s New Cryptography Law: Still No Place to Hide

The PRC National People’s Congress on October 26 enacted the long awaited Encryption Law (密码法), which will come into effect on January 1, 2020. The official text of the law can be found here and an English language summary can be found here. The Law is another piece of the comprehensive cybersecurity system China is rolling out under its Cybersecurity Law and MLPS 2.0 system, which we previously described in China’s New Cybersecurity Program: NO Place to Hide and China’s New Cybersecurity System: There is NO Place to Hide. The system being designed for China seeks to pursue a challenging goal: make networks opaque to bad actors but transparent to the government and the CCP.

Cryptography is a key technology that will be used to achieve these goals. Cryptography must be used to protect the confidentiality of information transmitted and stored on networks, but its use presents governments with a dilemma: the same cryptography that hides information from the general public can also be used to hide information from the government itself. In this case, the Chinese government is presented with the issue of how it can require cryptography while still maintaining its open access to the network system.

The Law divides encryption into three categories: core, common and commercial. Core and common are intended for systems that transmit and store PRC state secrets. Commercial encryption is intended for business and private use. The Law provides that it welcomes foreign providers of commercial encryption. Articles 22-23. Foreign encryption systems can be sold in China, provided that the systems have been approved and certified through a certification system that has not yet been described. Use of encryption will be subject to the provisions of the Cybersecurity Law and the associated MLPS 2.0 regulations. Article 26. The State Cryptography Administration (SCA), an office of the CCP, will have authority to monitor and inspect implementation and use of the cryptography system. Article 31.

This three-class system ignores the way cryptography is normally implemented. The most important cryptography systems are not commercial systems. Most systems are based on the GNU Privacy Guard (GPG) system. This is a completely open system. The source code is generally available to the public. You can download the source code here. It is not conceivable that the organizations that offer GPG systems will cooperate with the PRC government in obtaining review and certification of their product when their whole focus is to allow companies and individuals to hide their information from the government. Cooperation with any government would be contrary to that principle.

This then leads to the first question under the new Law. Most cryptography systems are freely downloadable as open source systems. The PRC government is free to examine the source code used to implement GPG and related open source systems. So the real issue is: will the PRC government allow companies and persons who operate in China to use GPG and related systems, given that these systems will NEVER be submitted to the PRC government for review and approval? If the answer is no, then the entire set of provisions for foreign encryption systems is completely meaningless. If the answer is yes, then the designation “commercial” has no meaning.

This then leads to the most important issue. Cryptography techniques are not secret. The most important algorithms are public and available to anyone to use. Governments know exactly how the algorithms work because governments have been the inventors of most of these algorithms. So the Cybersecurity Law’s focus on cryptography products is really nothing more than a head fake. What is critical in cryptography is not protection of the cryptography algorithm; what is critical is protection of the key that allows decryption of the encrypted message or data.

The Cryptography Law is silent on the issue of decryption, and it is also silent on protection of passwords and other keys that prevent decryption. Its ultimate plan is to break all forms of end-to-end encryption by putting all passwords and decryption keys into the hands of the PRC government and the CCP. In other words, opaque to the public but transparent to the government.

Article 31 of the Cryptography Law provides for a government inspection and control system implemented by the SCA and its local agencies. This system provides for the SCA and its local agencies to have complete access to the cryptography system and to the data protected by that system. The systems are also subject to the MPS supervision and control system that is being implemented under the Cybersecurity Law and the MLPS 2.0 system described here and here. So both the SCA (a CCP office) and the MPS (working with the MSS) will have full access to encrypted servers, including full access to the decryption keys and the passwords. Once this access is achieved, end-to-end encryption disappears. For a description of how this works, see this.

So in the end, inviting foreign providers and users of cryptography is just a trap for the unwary. Once data crosses the Chinese border on a network, 100% of that data will be 100% available to the Chinese government and the CCP. Cryptography may work well to prevent access by the public, but all this data will be an open book to the PRC government.

This then raises major issues for U.S. entities, and entities from other countries, that are relying on end-to-end encryption in China as an exception to U.S. export control rules. Under China’s new system, end-to-end encryption will no longer exist in China, and for this reason this exemption from U.S. export controls will no longer be effective. As the U.S. expands the scope of technology subject to export controls, the risks for foreign companies will become progressively more significant.

Many U.S. entities look at cryptography as their escape from China’s Cybersecurity Law, but that will not work because the PRC government will not let it work. The Chinese government knows exactly what it is doing. The Chinese government has set up a system that will allow it to achieve a fully transparent system.

There is no workaround.

There is no place to hide.

UPDATE: We have been hearing completely unsubstantiated rumors that the talks to ratify “Phase 1” of a US-China trade deal blew up over the United States’ anger over China’s efforts to control and use American company data. FBI Director Wray’s recent testimony regarding Chinese intellectual property theft on an unprecedented scale and his warning that “China Can Compel Companies Doing Business In Country To Turn Over Any Information China Wants” may also have played a part.