US authorities warn on China's new counter-espionage law
Almost anything you download from China could be considered spying, but at least one analyst isn't worried
The United States' National Counterintelligence and Security Center (NCSC) has warned that China's updated Counter-Espionage law – which came into effect on July 1 – is dangerously ambiguous and could pose a risk to global business.
The NCSC publishes non-classified bulletins titled "Safeguarding Our Future" on an ad hoc schedule to "provide a brief overview of a specific foreign intelligence threat, as well as impacts of that threat and steps for mitigation."
On June 30 it issued a new one [PDF] titled "US Business Risk: People's Republic of China (PRC) Laws Expand Beijing's Oversight of Foreign and Domestic Companies." The first item discussed is China's recently revised Counter-Espionage Law, on grounds it "Expands the definition of espionage from covering state secrets and intelligence to any documents, data, materials, or items related to national security interests, without defining terms."
That vagueness, the Center argues, means "Any documents, data, materials, or items could be considered relevant to PRC national security due to ambiguities in the law" and adds up to potential "legal risks or uncertainty for foreign companies."
Should you therefore think hard before reading email from your China office, or Chinese partners?
Probably not. In May, China Law Translate – a crowdsourced translation and analysis service for Chinese laws – rated the updated law "probably less consequential than some imagine."
"Many of the amendments incorporate previously released legal authority that has already gradually expanded counter-espionage work and powers since the law was adopted in 2014," wrote Jeremy Daum, a senior fellow at Yale Law School's Paul Tsai China Center, in Beijing, and the founder of China Law Translate.
He summarizes the changes to a definition of espionage by emphasizing (with italics): "Attempts to illegally obtain or share state secrets, intelligence, or other data, materials, or items related to national security or national interests, which are carried out by or for foreign elements other than espionage organizations."
Again, Daum believes the changes don't represent expansions of power. "The scope of 'espionage' has already been so broad that it isn't immediately clear what the impact of the expanded definition will be," he wrote, adding that while the revised bill contains "a clear expansion of the scope of protected materials" it is "unworkably vague on its face."
But the previous law, he asserts, "was already so broad and unworkably vague, that it is not immediately clear what the expansion includes."
Daum is more concerned by amendments that address what he translates as "seeking to align with an espionage organization" – language he said "is troubling as it may justify penalizing more casual interactions with foreigners."
Another change adds a new definition of espionage as "Network attacks, intrusions, or disruptions targeting critical information infrastructure or entities involved with secrets." Daum argues that that insertion doesn't make more acts criminal, but does elaborate on obligations to report such conduct.
And as individuals committing acts of espionage can be detained for up to 15 days and deported or barred from China, that's of concern.
Yeah, OK. That email from your China office does now look a little risky – especially as Chinese law means local businesses can be fined for espionage. ®