Speaking at the World Economic Forum’s 2014 Summer Davos in Tianjin three years ago, Lu Wei (鲁炜), the director of what was then China’s State Internet Information Office (SIIO) — and soon to become the Cyberspace Administration of China (CAC) — said proper controls must be built into the technical infrastructure of the internet in order to ensure global security. Lu, who was in fact talking about what China sees as necessary controls on information and public opinion, likened the process to considering basic passenger safety in the design of automobiles.
“The internet is like a car,” said Lu. “If it has no brakes, it doesn’t matter how fast the car is capable of traveling, once it gets on the highway you can imagine what the end result will be. And so, no matter how advanced, all cars must have brakes.”
In its latest regulation, released yesterday, the CAC, now the country’s most powerful information control body, directly under a central leading group chaired by President Xi Jinping, seems to be mandating brakes for any new internet information product or application — a requirement that could put the government in the room with product innovators.
Following on a series of regulations since the implementation of China’s Cybersecurity Law on June 1 this year that seek to enforce information controls along every aspect of internet service provision and consumption, the “Regulation on Security Assessment of New Technologies and New Applications for News and Information Services” now addresses the key phase of new technology adoption.
Although it is unclear exactly what the enforcement process will look like, the import of the regulation seems to be that any new technology-based information product — of a “public opinion character” (新闻舆论属性), say the regulations — or any key adjustment to such an existing product, must go through a process of “security assessment.”
“Security” clearly refers, in this context, to the state’s maintaining of regime stability through restrictive information policies, and does not address the issue of personal data or other forms of security. In its official announcement of the regulation, the CAC wrote that “direct broadcasting and other new technologies and new applications have been used by certain lawbreakers (不法分子) to disseminate illegal information, and carry out illegal activities online.” Information service providers, said the announcement, had had “a poor sense of responsibility over security,” and this had “impacted the creation of a healthy and orderly online news and information broadcast ecology.”
The new regulation suggests that any technology company introducing products broadly construed as “new technologies or new applications for internet news and information services” (互联网新闻信息服务新技术新应用), which would include new or changing product functions, will need to undergo a security assessment before the product is released. The CAC will have overarching responsibility for the assessment process, according to the regulations, and will ensure that “full and comprehensive information security management systems and safe and controllable technical protection measures are in place” so that content prohibited by the law is not disseminated.
As the Global Times reported, “The security assessment will examine the risk level of new technology and application for their ability to shape public opinion and social mobilization.”
It’s hard to say yet what this will look like in practice, but it certainly sounds like the CAC will be intimately involved in the process of internet innovation from the ground up, assessing the political implications of new products, and alterations of existing ones, before they are introduced.
A Q&A with a CAC official, released shortly after the regulations, said that firms would be responsible for conducting their own internal security assessments, which would then be reported to the authorities, meaning the CAC, for an official assessment phase.
QUESTION: What specific demands are made by the Regulation in terms of service providers upholding their responsibility for implementing security assessments on new technologies and new applications?
ANSWER: The Regulation makes clear stipulations on service providers’ responsibility for security assessments. First, is the full and comprehensive building of a security assessment management system for new technologies and new applications, strengthening the building of personnel teams. Second, is the carrying out of security assessments on new technologies and new applications in accord with the law. When service providers employ new technologies, or make adjustments to already implemented technologies or applications that have a news and public opinion character (新闻舆论属性) or social mobilization function (社会动员能力), or major changes are made to such technologies, they must carry out security self-assessments (安全自评估). Within 10 days of the completion of security self-assessments, a report must be made to responsible units, which will conduct a security assessment. Third, they must cooperate as necessary with the security assessments of responsible units, and fully implement improvements in a timely manner.
The implication here is that the CAC will coordinate closely with technology companies to ensure that they have properly planned for any foreseeable impact on information and public opinion.
Also of note is a second regulation released by the CAC yesterday, which tightens discipline and training of information and content monitors at service providers, mandating that they properly “adhere to the political line and guidance of public opinion,” the latter being synonymous with the Party’s propaganda controls to maintain regime stability.