New China encryption rule could pose headaches for U.S. vendors

Rule requires companies to share encryption codes with Chinese authorities

Vendors of some technology products will soon face a new hurdle when selling their products in China.

Starting Saturday, the Chinese government will require vendors in several product categories to disclose details of the encryption technologies used in their products before they can sell to government agencies.

The new rules cover 13 technologies, including firewalls, routers, smartcards and database security tools, as well as anti-spam and network intrusion detection products. Under the new requirement, vendors who sell these products to government purchasers will first need to get them tested and certified by China's Certification and Accreditation Administration (CNCA), a process that involves their sharing encryption key codes.

The information security testing and certification requirement was first proposed in 2008 by China's General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ). Initially, the rule was supposed to go into effect last May and to apply to all sales of the covered products in China, not just those to government agencies. But following protests from the U.S. and the European Union, the implementation deadline was pushed back a year, and the requirement was narrowed to cover only sales to government agencies.

Officially, at least, the rule is not really about encryption, said Christopher Cloutier, an associate partner with law firm King & Spalding's intellectual property practice group. Rather, it is about certifying certain information security and technology products to China's Compulsory Certification System (CCC) mark, Cloutier said. The CCC mark is a quality certification standard that is applied to a wide range of products sold in China. The standard is overseen by the CNCA and AQSIQ.

While on the surface the requirement is about quality, the fact that it touches upon sensitive encryption technologies could mean other motivations, Cloutier said.

"If I were a foreign-based producer of products with encryption, I would be very reluctant to give all my secrets to the government of China," he said.

"So now they have an excuse to buy only Chinese-origin technologies," Cloutier said. The new requirements "feed into a sort of growing nationalism and assertiveness in China to openly favor Chinese companies versus foreign ones," Cloutier said.

Foreign vendors covered under the new requirement will face a difficult choice, Cloutier maintained. "They either decide to sell to the government of China, or to everyone else," he said.

"Let's say you make a particular product and you have encryption in it and you sell it to the government of China," Cloutier said. That fact could well influence purchasers outside of China who might be concerned about the security of that company's encryption technologies, he said. "If you sell to the government of China you've got to tell them how the stuff works," and that could be off-putting to other customers, Cloutier said.

There is also concern that sharing encryption technologies with China will enhance Beijing's Internet monitoring and surveillance capabilities and result in the information being leaked to Chinese rivals.

An Intel Corp. spokesman said the regulations have "some very specific applications not related to our business." Even so, the company has been working closely with the Information Technology Industry Council on the issue, the spokesman said without elaborating. The Washington-based ITI is a trade association for high-technology companies.
