In new regulations released on Thursday, the Cyberspace Administration of China (CAC) required that all providers of internet services of “a public opinion nature” (舆论属性) or “having the capacity for social mobilization” (社会动员能力) “must voluntarily conduct security evaluations” (安全评估). The regulations are designed to create formal mechanisms by which the government can ensure that any and all internet services with the potential to impact the news cycle, set the public agenda or support collective action have systems in place — subject to regular government oversight and participation, and properly supported in terms of personnel and technology — to prevent “security risks.”
The regulations make clear that “security risks” are understood as arising from the online population itself, and we should understand this not as an attempt to make the internet a more secure space for users (through data protection, etc.), but rather a more secure space politically for the government and for the Chinese Communist Party. The regulation is premised on the fundamental fear that communication technologies might overwhelm the government, making it impossible to achieve what has long been a central objective — the control of public opinion in order to ensure social and political stability.
Of particular interest to understanding the impetus behind these regulations are several stipulations contained in Article 3, about the need for active review and reporting on “new technologies or new applications that result in a dramatic shift in terms of the functional attributes of information services . . . . resulting in major changes to the public opinion nature [of communications] or to the capacity for social mobilization.” Right after this comes mention of circumstances “where there is a clear increase in user scale, resulting in major changes to the public opinion nature or capacity for social mobilization of the information service.”
Over the past decade, China’s leadership has repeatedly found itself in a reactive position regarding the impact of new communication technologies such as Weibo or WeChat. But cyber policy under Xi Jinping has become far more proactive. The above language takes into account the potential for shocks that might come as a result of new technologies, or even modification of existing ones. The government does not want to be caught on its back feet. It wants to prepare for and neutralize such shocks, and so incorporating this in the system of “voluntary” security evaluations makes a great deal of sense from the standpoint of this underlying fear.
Our partial translation of the new regulations through the end of Article 6, covering most of the basics, follows:
Regulation on Security Evaluation for Internet Information Services of a Public Opinion Nature or Having Capacity for Social Mobilization
具有舆论属性或社会动员能力的互联网信息服务安全评估规定
Cyberspace Administration of China (CAC)
November 15, 2018
Article 1: In order to strengthen the safety management of internet services of a public opinion nature (舆论属性) or having the capacity for social mobilization (社会动员能力), and of relevant new technologies and uses, in order to regulate internet information service activities, protect national security, social order and the public interest, this regulation is formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Regulation on Internet Information Service of the People’s Republic of China and Measures for Security Protection Administration of the International Networking of Computer Information Networks.
Article 2: For the purposes of this regulation, internet services of a public opinion nature or having the capacity for social mobilization include the following circumstances:
(1) The opening of [discussion] forums, blogs, microblogs, chatrooms, communication groups (通讯群组), public accounts, short video, live broadcasting, information sharing, mini programming and other information services or corresponding associated functions.
(2) The opening of other internet information services that provide public channels for voicing of public opinion (公众舆论表达渠道) or the capacity to engage social participation in particular activities (发动社会公众从事特定活动).
Article 3: Providers of internet information services in any of the following circumstances must voluntarily conduct security evaluations (安全评估) and take responsibility for the results of these evaluations:
(1) Having online information services of a public opinion nature or having the capacity for social mobilization, or other [existing] information services that add such facilities;
(2) Using new technologies or new applications that result in a dramatic shift in terms of the functional attributes of information services, the implementation methods of technologies, or the allocation of foundational resources (基础资源配置), resulting in major changes to the public opinion nature [of communications] or to the capacity for social mobilization;
(3) Where there is a clear increase in user scale, resulting in major changes to the public opinion nature or capacity for social mobilization of the information service;
(4) Where illegal and harmful information is disseminated, demonstrating that the existing security measures cannot effectively prevent online security risks;
(5) Other circumstances when notices made by affiliated offices of the Cyberspace Administration of China at the prefectural level or above (地市级以上) require that security evaluations be carried out.
Article 4: Providers of internet information services may voluntarily conduct security evaluations, or may entrust the process to a third-party security evaluation body.
Article 5: In carrying out security evaluations, providers of internet information services must conduct comprehensive evaluations to determine the effectiveness of their security measures in terms of the legality of their information services and new technologies or applications, their implementation of laws, administrative regulations, departmental rules (部门规章) and standards, and their effectiveness in preventing security risks, with priority placed on evaluation of the following content:
(1) The situation with regard to determination of the security management personnel, information audit personnel (信息审核人员) and/or the situation with regard to the construction of the security management structure;
(2) Measures to check the true identities of users and maintain their registration information;
(3) Measures to maintain logfiles of the account numbers, times of activity, nature of activity, source IP address and destination address, network source port, client hardware, etcetera, as well as logs of the information sent by the user;
(4) Measures to maintain records for users and distribution groups (通讯群组) of names (名称), nicknames (昵称), bios (简介), notes (备注), logos or signs (标识), information posted (信息发布), [information] shared (转发), comments (评论), as well as records of the prevention or handling of illegal or harmful information through distribution groups and other services;
(5) Technical measures taken to protect personal information and prevent the spread of illegal or harmful information, and the risk that control is lost of social mobilisation functions;
(6) The situation with regard to timely handling of information regarding complaints, [the operation of] informant systems (举报制度), the making public of procedures for complaints and informing [of illegal or harmful information by users];
(7) The situation with regard to the establishment of technical, data and assistance mechanisms to assist cyberspace authorities in carrying out their legal supervision and management of internet information services;
(8) The situation with regard to the establishment of technical, data and assistance mechanisms to assist national security agencies in carrying out their legal investigation of crimes.
Article 6: When internet information service providers discover security risks in the course of security evaluations, they must rectify these in a timely manner and ensure that these security risks are eliminated.
When security evaluations are carried out, in accord with laws, administrative regulations, departmental rules and standards, these must be compiled as a security evaluation report (安全评估报告). The security evaluation report must include the following content:
(1) Basic information and licensing concerning the functions and service scope of internet information services, the hardware and software facilities involved;
(2) Results in terms of the operation of the security management system and technical measures to prevent risk;
(3) Conclusion of security evaluation;
(4) Other relevant circumstances that require elaboration.