News >> Browse Articles >> Company Hiring & Layoffs


China Forces Foreign Firms Selling to Government to Provide Encryption Codes

China Forces Foreign Firms Selling to Government to Provide Encryption Codes

Photo: außerirdische sind gesund/Flickr (CC)

Shane McGlaun

May 11, 2010

There are many security companies that provide a wealth of products from security software to portable hard drives that use encryption to protect the data. The key to keeping the data secure on the drives is the security of the encryption keys.

These keys are often the same for all of their products no matter what country they are sold in. That would mean a security key given to a foreign government could potentially be used to decrypt data that a competitor in another country has stored. The Chinese government has demanded that security companies provide it with the encryption codes used to protect the data on devices they sell to the Chinese government.

When these rules were initially announced, the keys were being demanded on all products that were being sold to anyone in China. The U.S. government and other officials in Europe stepped in and put enough pressure on China that the rules were modified to cover only products sold to the government. The rules are now in effect and some are still crying foul. The rules went into effect on May 1 and cover products including the follow reports DefenseTech:

  1. Firewalls (hardware & software) but it does not apply to personal firewalls
  2. Network security separation cards and line selectors
  3. Security isolation and information exchange products
  4. Secure network routers
  5. Chip operating systems (COS)
  6. Data backup and recovery products
  7. Secure operating systems
  8. Secure database systems
  9. Anti-spam products
  10. Intrusion detection systems
  11. Network vulnerability scanning products
  12. Security auditing products
  13. Web site recovery products

The fear with providing China with the encryption codes is that if the same products are used in other countries it opens the data up to possible hacking by China. China was the origin of high profile attacks against Google late in 2009. Christopher Cloutier from law firm King & Spalding told ComputerWorld that the requirement for the encryption codes to be handed over was to certify products to the China Compulsory Certification System (CCC) mark. The CCC mark certifies that products sold in China meet a certain standard.

However, Cloutier said, “If I were a foreign-based producer of products with encryption, I would be very reluctant to give all my secrets to the government of China.” He continued, “So now they [Chinese government] have an excuse to buy only Chinese-origin technologies.” 

The choice for companies that operate globally will be if they want to turn over encryption codes to China, allowing them to sell to the Chinese government. On the other hand, if they want to do business in other parts of the world where buyers might be scared away from their products with the Chinese government having access to the encryption codes.

Cloutier said, “Let’s say you make a particular product and you have encryption in it and you sell it to the government of China. If you sell to the government of China you’ve got to tell them how the stuff works.”

Selling any device using encryption once the encryption codes are known to any government is hard to do to firms interested in data security.

_© 2009, DailyTech.