China Forces Foreign Firms Selling to Government to Provide Encryption Codes
There are many security companies that provide a wealth of products from
security software to portable hard drives that use encryption to
protect the data. The key to keeping the data secure on the drives is
the security of the encryption keys.
These keys are often the same for all of their products no matter what country they are sold in. That would mean a security key given to a foreign government could potentially be used to decrypt data that a competitor in another country has stored. The Chinese government has demanded that security companies provide it with the encryption codes used to protect the data on devices they sell to the Chinese government.
When these rules were initially announced, the keys were being demanded on all products that were being sold to anyone in China. The U.S. government and other officials in Europe stepped in and put enough pressure on China that the rules were modified to cover only products sold to the government. The rules are now in effect and some are still crying foul. The rules went into effect on May 1 and cover products including the following, reports DefenseTech:
- Firewalls (hardware and software), but not personal firewalls
- Network security separation cards and line selectors
- Security isolation and information exchange products
- Secure network routers
- Chip operating systems (COS)
- Data backup and recovery products
- Secure operating systems
- Secure database systems
- Anti-spam products
- Intrusion detection systems
- Network vulnerability scanning products
- Security auditing products
- Web site recovery products
The fear with providing China with the encryption codes is that if the
same products are used in other countries it opens the data up to
possible hacking by China. China was the origin of high
against Google late in 2009. Christopher Cloutier from law
firm King & Spalding told ComputerWorld that
the requirement for the encryption codes to be handed over was
products to the China Compulsory Certification System (CCC)
mark. The CCC mark certifies that products sold in China meet a
However, Cloutier said, “If I were a foreign-based producer of products with encryption, I would be very reluctant to give all my secrets to the government of China.” He continued, “So now they [Chinese government] have an excuse to buy only Chinese-origin technologies.”
Companies that operate globally will have to choose whether to turn over encryption codes to China, allowing them to sell to the Chinese government, or to protect their business in other parts of the world, where buyers might be scared away from their products with the Chinese government having access to the encryption codes.
Cloutier said, “Let’s say you make a particular product and you have encryption in it and you sell it to the government of China. If you sell to the government of China you’ve got to tell them how the stuff works.”
Once the encryption codes are known to any government, selling any device that uses encryption to firms interested in data security is hard to do.
© 2009, DailyTech.