China Tries to Extract Pledge of Compliance from U.S. Tech Firms (nytimes.com)
98 points by hackuser on Sept 16, 2015 | 57 comments



Give the Chinese some credit for this one. At least they are being open about the demand. This pledge seems a bilateral acknowledgement of the situation. China can demand backdoors and so can the US (CALEA). Such things are legal in their respective countries. Companies, especially those that are publicly traded, must appease local governments if they want to keep shareholders happy.

Our anger should instead be focused on solutions to surveillance that do not rely on trusting corporations. F/OSS tools and client-side encryption are the path forward, not extracting unenforceable promises from trillion-dollar tech giants.


I disagree completely. If corporations do not make a stand on surveillance and censorship then official demands are only going to get more brazen and receive less public attention and scrutiny.

FOSS and client-side encryption alone are not going to solve this problem. If governments can openly demand and enforce whatever they like, then users of these technologies can be threatened with draconian punishment and be prosecuted as terrorists and pedophiles.

There needs to be counter pressure from consumers, consumer groups, experts and corporations in order for client-side technologies to remain a viable option for people outside the Ecuadorian embassies of the world.

Corporations are not in the business of appeasing local governments. Corporations are in the business of pleasing consumers so that they make a profit. They appease local governments only to reach consumers and they can't do it in a way that causes consumers to distrust them as that would be self defeating.

Also, what is in the economic interest of a corporation is not self evident. It's the people at the top of these companies who make these judgements. I'm sure many of them value their privacy more than the average person and their judgement is going to be influenced by that. The same goes for shareholders.

It's always going to be a balancing act for global internet companies so let's make our weight felt!


> I disagree completely. If corporations do not make a stand on surveillance and censorship then official demands are only going to get more brazen and receive less public attention and scrutiny.

You're describing a world where corporations represent you, the consumer. But you're not a constituent of the corporation, you're a resource. Corporations want to keep you happy in the same way that dairy farmers want to keep cows happy, so they'll keep on producing money or milk. The constituents are shareholders.

The ones representing your interests are the elected parts of the government. Which, I know, is laughable in the US. But still, corporations are not it.

Your comments on open source and consumer counter pressure describe something hopeful.


>You're describing a world where corporations represent you

Not at all. I'm describing a world of partially shared mutual interest.

>Corporations want to keep you happy in the same way that dairy farmers want to keep cows happy

No. I have a voluntary business relationship with some corporations. Cows do not have a voluntary business relationship with farmers. Corporations cannot milk me against my will or slaughter me when I stop giving milk. All they can do is try to trade with me.

My relationship with the people of the country I am allowed to vote in is not voluntary. It's a result of the birth lottery. I don't even share many interests with them as I don't live there and it's not a global superpower.

That said, it's not my intention to deny one fundamental fact: The extent of my influence on corporations as a consumer and as a shareholder depends exclusively on my wealth. My influence on elected politicians is much more complex and there is at least some chance of my being human to count for something regardless of wealth.

Fundamental rights to privacy cannot be based on wealth, but that doesn't mean we should ignore our shared interests with corporations where they exist.


> The ones representing your interests are the elected parts of the government. Which, I know, is laughable in the US. But still, corporations are not it.

A bit off-topic, but is there a country that is not laughable, where the general public actually trusts and believes the government has their needs in mind?


(Parts of) America, before it was run over by illegal immigrants from Europe and Britain.


That isn't the US model. US corps report only to shareholders and governments who provide access to markets. What you describe is closer to German model whereby corps also report to employees who elect board members. But in no country does a corporation respond to the people at large. If they did, then we would probably call them a government agency rather than a corporation.


>But in no country does a corporation respond to the people at large

"respond to the people at large" is an awfully general characterisation.

What corporations typically do is respond to wishes of their customers and prospective customers, provided they can make money from doing so. If one corporation does not, a competitor probably will. So there are potential alliances to be formed between consumers and specific corporations regarding specific political issues.

Again, I'm not saying that the market or consumer power magically replaces democracy or that the interests of consumers and corporations are naturally aligned in general.


> the interests of consumers and corporations are naturally aligned in general

Maybe in the perfect magical world of high school civics where consumers have total freedom to choose from amongst competitive products and corporations are perfectly open about privacy. The reality is much less idealized. Corporations lie to customers daily. Contracts bind customers to not adopt competitive products. And state-sanctioned monopolies in many countries (US/Canada/China) severely limit choice.

Any publicly traded corporation, by definition, is only interested in money. Sometimes appeasing customers helps that bottom line, but often it doesn't. Sometimes screwing over your customers is the way, especially when those customers have nowhere else to go.


My sentence that you are quoting starts with "I'm not saying that ...". It doesn't make sense to drop the negation from a sentence and then refute what's left.


Why not both?

Those who would violate our rights are fighting this war on multiple fronts. F/OSS is an effective tool for defending against government hackers for some attack vectors, but aren't a panacea. There are a number of firmware and hardware attack vectors that F/OSS can't defend against currently.

And at best, F/OSS only protects those who use it and use it correctly and end-to-end. Human rights don't just apply to people who think they need them. Facebook/GMail/Baidu users still have a right to privacy even though they've chosen to use services run by companies whose business models inherently involve violating their rights. Users who think they are anonymous on Reddit/Imgur still have a right to privacy even though they don't understand that they are being tracked through ads.

I know that this is somewhat of a losing war, but we've won battles here and there. Remember that if it weren't for the legal side of this fight, many of the technical solutions which are widely available today would be classified as weapons and therefore unavailable to many people.


>not extracting unenforceable promises from trillion-dollar tech giants.

Of course you can enforce it. Create a law that tech giants must comply with FISMA/FedRAMP, ISO 27001, DFARS 252.204-7012. I don't see why that's such a bad thing anyway. Compliance is a necessity because it's just thorough hygiene.

Why DON'T we have a written process to change our firewall rules, a written process to review our code, a written process to rotate our keys? These don't seem like a burden to me at all.


Now this is the sort of thing that should have been in the Transpacific Trade Agreement - prohibiting countries from requiring backdoors.

In some areas, the US prohibits cooperation with the laws of other countries. The Arab League requires vendors to agree not to do business with Israel, and the US has a law forbidding US companies from complying with that. So there's a precedent for this. That's been enough to more or less break the Arab League's boycott.


> Now this is the sort of thing that should have been in the Transpacific Trade Agreement - prohibiting countries from requiring backdoors.

The U.S. would likely be the TPP country most opposed to this. In fact, due to its copyright provisions (as of last leaks), TPP almost implies mandating censorship and internet filtering (in the form of take down notices).


1) The Arab League is not a country. It is a group of representatives from several countries, few of which really get along with each other. Statements and edicts from the league are not law to be obeyed by people but by countries (they need to ratify them by passing local laws). The league cannot directly require anything of any vendor.

2) Lots of laws in the Arab world are not enforced. Outsiders often find these and assume they mean something. They do not. In totalitarian states what matters is what the ruling group wants to do. The existence or non-existence of a written law is very much beside the point.


The existence of laws that are not usually enforced is the basis for arbitrary enforcement if and when there is a 'need' to persecute somebody. Facile attitudes towards evidence are further enablers. The Rule Of Law is as much about parsimony of laws as it is of uniform enforcement.


China isn't a party to the TPP; in fact, that's kind of the point.


>store Chinese user data within the country

The rest is expected but this to me is the most interesting one of the lot. We've seen these requests come up now and again, but I think we will be seeing the importance of "where" data is stored more and more in the upcoming years.

As a US citizen, I know that Google/Apple/Facebook/etc. have tons of data on me and acknowledge that the US gov't can generally get some of this data, but I'll be damned if those companies let Chinese/Russian/etc. governments access that data. More to the point, I don't think the US government wants information on its citizens stored elsewhere, and readily accessible to government inspection.

So let's not be naive and ask how dare China ask for the same thing. Of course they would ask that.


Over here in Europe we're asking for pretty much the same thing from US companies.

And the Microsoft case regarding data stored in Ireland[1] just adds more fuel to the fire.

[1] http://www.irishtimes.com/business/technology/1.2186247


> Over here in Europe we're asking for pretty much the same thing from US companies.

However, the reasoning is quite different.

The EU wants data stored in the EU so that it is nominally protected from hostile country intercept and is subject to EU protection laws.

Whereas, China actively intends to use the locally stored data for intercept.

Now, one can argue that the local EU governments also want to intercept the data. Nevertheless, until we see The Great Internet Wall of Europe I'm willing to give those countries a little more slack that they might actually be trying to do the right thing.


I'm sure the Chinese government is genuinely concerned about foreign powers spying on their citizens, just as the US is concerned about the same thing. I don't think the fact that they both spy on their own citizens, as well as foreign citizens, makes that less relevant.

As for the GFW, yeah it's evil, but I don't see how that means that the Chinese government is not concerned with others spying on them.

EDIT: Just to clarify, I hate all this spying with a passion. Just saying that the motives are the same for everyone here.


>Over here in Europe we're asking for pretty much the same thing from US companies.

New TPP agreement explicitly prohibits those laws.

>"To do so, American negotiators are leveraging trade deals with much of the developed world, inserting language to ensure “cross-border data flows”—a euphemism that actually means they want to inhibit foreign governments from keeping data hosted domestically." http://motherboard.vice.com/read/the-trans-pacific-partnersh...


The entire issue is kind of weird. Like, what should happen if I move from Poland to Australia? Will Microsoft have to move my data from EU datacentres to Australian ones? What if it was just one hacker in Australia logging into my account after resetting the password via a phishing attack? What if it's actually the Australian government (well, a cybersecurity branch of it) that does so, in order to force the data to move to Australia and then use their laws to forbid me from accessing it, while they do whatever they damn please with it?


Hypothetical: what if data were stored on the moon? Isn't that neutral territory?


Can't we get the same result by declaring data warehouses neutral territories for the purposes of data storage? I.e. if you run into one, you're still in whatever country the warehouse is in, but the servers themselves and the data stored on them is a neutral territory in itself.


> As a US citizen, I know that Google/Apple/Facebook/etc. have tons of data on me and acknowledge that the US gov't can generally get some of this data, but I'll be damned if those companies let Chinese/Russian/etc. governments access that data.

I see this a lot, but I don't understand the viewpoint at all. Surely, as a US citizen, you should be concerned about your information finding its way into the US government? Why would you care what the Chinese government knows about you? What are they going to do?


> What are they going to do?

Blackmail you into doing something illegal, including, but not limited to, stealing trade secrets from your employer to be shared with state-backed companies. The reach of foreign countries doesn't stop at their borders.


Yes, surely it is considerably more concerning when it's the government that already exercises physical jurisdiction over you.


The reason is racism and propaganda. You really couldn't figure that one out?


I wonder what limitations exist for storing server farms in a satellite or in international waters. Or in weather balloons and UAVs... a la Project Loon and whatever Facebook did with those ever-flying UAVs.


rdl tried that with HavenCo/SeaLand but it was unsuccessful, largely, I believe, due to corrupt/incompetent "government" influence.

Even if you locate your server farm outwith unfriendly jurisdiction, you still need to connect it to the rest of the world, and it's difficult to do that without engaging the services of a company that is susceptible to influence by an unfriendly government. You're also susceptible to being effectively (if not literally) sanctioned via the financial system.

Sidestepping jurisdictional issues altogether by operating entirely virtually is a better bet right now (cf. ASICminer).


The big thing is that these things are law in China. The Chinese government is basically making the tech companies sign a document saying they will comply with the law. The laws in China are insane and if tech companies want to do business there they must accept them or pack up and leave like Google did.

Hosting data for Chinese users within China has been part of law for a while now; all servers hosting content that is licensed to be displayed in China must also be hosted in China. There are tons of rules that allow the government to control tech companies. If the law is not there and some tech company does something the government wants to control, they can pass a law the next day if they want to. Laws are pretty arbitrary in China because there is only one party and they vote practically unanimously on anything the leaders propose.


China has always reserved the right to shut you down, copy your service and acquire your userbase. Not much has changed.


Agreed. Unless this agreement goes both ways and ensures IP protection, I can't imagine this is going to get much traction with these companies.


If your company is not abiding by the set rules and is kicked out, will your patent still be valid? Would you be allowed to defend it in court?

Would a Chinese judge stand up for your business to the letter of the law? Or follow orders coming from Beijing?


It will be interesting to see if the US Government, who wants backdoors, will condemn China for wanting backdoors.


> It will be interesting to see if the US Government, who wants backdoors, will condemn China for wanting backdoors.

Where have you been for the last 10 years? The US regularly condemns China for backdoors in their equipment, they even do it with a straight face after the Snowden revelations.


When the US and other countries try to do it, it is somehow portrayed as "those pesky government people", but when China wants to do it, it's all ":O".


Pretty sure most people who oppose one, oppose the other as well. Personally, I think the only "principles" technologists should be signing with regards to this sort of thing are these: https://projects.eff.org/~barlow/Declaration-Final.html (yes, I am being hyperbolic, but only up to a point)


Not at all. I endorse both restricting location of data to safer places and security review of products. The specifics vary considerably from country to country. The consensus is that a Swiss ownership/company offering services in their country evaluated by INFOSEC professionals would be ideal. If any L.I. exists, it would have low likelihood of abuse. Iceland may not have L.I. or crypto regs but it's unknown how they will handle future U.S. pressure. The Swiss handled it pretty well and aren't NSA SIGINT partners, unlike most of Europe.

Then, there's Europe with its data protections of unknown effectiveness for me as an American. Then, there's America where the sue-happy, LEOs, and courts can get away with a lot. Your actual trade secrets, source code, etc. are more protected here, plus stronger patents. Then we have China and Russia where some employees and external parties on the network will be hacking the crap out of you while the government protects them when caught.

So, quite different situations in different countries even for same topic.


Because China is one of the biggest I.P. thieves in the world. The likes of Huawei have played that to huge advantage with real losses for U.S. companies. Having an I.P. thief wanting to look at your I.P. or have it in their jurisdiction to "protect them" is different than the norm in the U.S. and Europe.

Plus, most products certified in those don't even have to turn in their source code. It's one of the reasons I call bullshit every time companies get such a certification and say it means something.


Any company who moves essential business data to China in order to do business there is a fool.

Unfortunately, the CEO who authorizes this kind of stupid action is rarely the CEO who gets bitten when China steals the business data and trade secrets, and cuts the company out of the loop for a domestic company.


Exactly. I've been telling them that for years. The country's M.O. is:

(a) sucker businesses over there with lure of cheap labor

(b) steal their intellectual property

(c) combine that I.P. with domestic activities to steal market share

(d) try to dominate the market with combo of cheap labor, domestic R&D, and freshly stolen I.P.

It's a dumb game for American companies to get into in the long-term. In short- to mid-term, there's plenty of money to be made while you have the I.P. and market. And, like you said, someone else takes the hit in the future. An externality.


This is part of the reason for the server demands as well as spying.

When a business has things on a server somewhere and a relatively dumb client, it's REALLY hard to pirate, steal, copy, modify, etc. You can bake your "crown jewels" into the server and it never gets into the hands of the client.

One of the phone chipset manufacturers used to run a service where they would compile your code for you. But they would NOT give you the compiler.

I was really annoyed as a developer, but I also understood the reasoning as it effectively kept the Chinese from cloning their kit.


That is a strategy people try but it's usually weak. The Chinese have stolen TB from clients and servers across industries. One still has to protect the server from attacks from the client, other servers, or networks. Whole problem remains.

The main benefit of that architecture is to protect against non-technical insiders and others who have less opportunity for physical attack. The compute nodes are stored in a hopefully-secure location with files similarly centralized. Additionally, if the mechanisms are technology agnostic, there's potential for further hardening, monitoring, obfuscation, recovery, etc.

Doesn't eliminate a Chinese-style threat, though, if it's connected to a network in any way and doesn't use high assurance components.


The more of these articles I read about US tech firms being asked to kowtow to the political whims of the countries they operate in, the more I'm reminded of the fight in the Middle Ages between church and state. Each is dependent on the other so they can't fight an all-out war, but the politics can get pretty nasty.


Right up until 1789.


Hmmm ... there was no church in the French Revolution. The state/church war was mostly during the Holy Roman Empire and the Thirty Years' War. But by the time Richelieu had finished with it, the papacy was no longer a determining factor in continental politics.


That is just not true. The Church was front and centre in the French Revolution. The whole problem was that the first two estates (Church and Nobility) didn't want to cede power to the third estate (the Commons). Removing the King was the only path the Commons found to get their share of the power (the King was actually well-loved by his subjects, at least at the start of the Revolution, in 1789). Many churches were severely vandalised during the Revolution, and Church-imposed taxes were banned.

So yeah, without getting into the weeds, the Church was very much one of the major causes of the Revolution, and it lost plenty of its authority as a result of the Revolution.


Well, we are doing the same thing so we can't even stand up against it. What are we going to say? Don't do what we do? Tell our companies that they will have to risk having their Chinese markets shut down overnight for non-compliance?


It is the same or at least similar in Germany.


Do you mean that Germany requires tech companies to sign a similar agreement?


Not sure about others, but this isn't news to me.

And now it's pretty much standard (or going to be standard) in every country.


> The Chinese government, which has long used its country’s vast market as leverage over American technology companies, is now asking some of those firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government.

This first paragraph seems to be an egregious and willful misrepresentation of the document[1] by the New York Times. Most of these promises appear to be good and reasonable ideas without an ulterior motive. The only part that I don't quite understand is #6 where they talk about the "supervision of society".

Farther down the article:

> The letter also asks the American companies to ensure their products are “secure and controllable,” a catchphrase that industry groups said could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code.

I don't see that phrase anywhere in this document, though the individual words do appear several times. Moreover, I don't see how anyone can reasonably argue that anything in the document implies third-party access to secure or proprietary information.

[1]: http://www.nytimes.com/interactive/2015/09/16/technology/doc...


> This first paragraph seems to be an egregious and willful misrepresentation of the document by the New York Times.

No, if anything it is an understatement of how problematic this pledge is.

> The only part that I don't quite understand is #6 where they talk about the "supervision of society".

"Supervision of society" is what the modern government of China has moved to as a quasi-alternative to traditional communist "Command and Control" planning[1].

It encompasses both the type of business regulation that is more familiar in the West (business licenses, safety regulations) along with comprehensive state surveillance of both financial/economic indicators as well as what many societies would consider "private speech".

[1] https://books.google.com.au/books?id=TfHGAAAAQBAJ&pg=PA74&lp...


The point of the PRC's tech company pledge that you say you find difficult to parse happens to be the one where the phrase "secure and controllable" is used:

Article #6 states:

"Accept the supervision of all parts of society. To promise to accept supervision from all parts of society, to cooperate with third-party institutions for assessment and verification that products are secure and controllable and that user information is protected etc. to prove actual compliance with these commitments."


I don't think so. NYT is pointing out that dangerous language is buried in a bunch of innocuous items, which is totally true, i.e. keeping all data in China (5) and to "accept supervision of all parts of society" (6), which both sound pretty clear as to intent tbh.



