China Law Blog | China Law Blog | China Law for Business | Harris Bricken

WebSite: http://www.chinalawblog.com

This is the second in a multi-part series on China cybersecurity. This series stems from the recent webinar at which I discussed cybersecurity in China. To watch that webinar, go here. To read part 1 of this series, go here. Part 1 described the cybersecurity situation in China. This part 2 explains why cryptography is not a solution and then it looks at the Golden Tax Malware Program as an example of CCP malware.

IV. Cryptography is not a solution.

The PRC National People's Congress enacted the long-awaited Encryption Law (密码法), which came into effect on January 1, 2020. The official text of the law can be found here and an English language summary can be found here.

Cryptography is a key technology that will be used to achieve the goals of the comprehensive cybersecurity program. Normally, cryptography is used to protect the confidentiality of information transmitted and stored on networks. But its use presents the Party with a dilemma: the same cryptography that hides information from the general public can also be used to hide information from the government itself. In this case, the Chinese government is presented with the issue of how it can require cryptography while still maintaining its open access to the network system.

The Law divides encryption into three categories: core, common and commercial. Core and common are intended for systems that transmit and store PRC state secrets. Commercial encryption is intended for business and private use. Foreign encryption systems can be sold in China, if approved and certified through a certification system that has not yet been described. Use of encryption will be subject to the provisions of the Cybersecurity Law and the associated MLPS 2.0 regulations. Article 26. The State Cryptography Administration (SCA), an office of the CCP, will have authority to monitor and inspect implementation and use of the cryptography system. Article 31.

This three-class system ignores the way cryptography is normally implemented.
The most important cryptography systems are not commercial systems. Most systems are based on the GNU Privacy Guard system. This is a completely open system. The source code is generally available to the public. You can download the source code here. It is not conceivable that the organizations that offer PGP systems will cooperate with the PRC government in obtaining review and certification of their product when the focus of these PGP systems is to allow companies and individuals to hide their information from the government. Cooperation with any government would be contrary to that principle.

This then leads to the first question under the new Law. Most cryptography systems are freely downloadable as open source systems. The PRC government is free to examine the source code used to implement the PGP and related open source systems. The real issue is whether the PRC government will allow companies and persons who operate in China to use PGP and related systems, given that these systems will NEVER be submitted to the PRC government for review and approval. If the answer is no, then the entire set of provisions for foreign encryption systems is meaningless. If the answer is yes, then the designation "commercial" has no meaning.

This then leads to the most important issue. Cryptography techniques are not secret. The most important algorithms are public and available to anyone to use. Governments know exactly how the algorithms work because governments have been the inventors of most of these algorithms. The Cybersecurity Law's focus on cryptography products is nothing more than a head fake. What is critical in cryptography is not protection of the cryptography algorithm; what is critical is protection of the key that allows decryption of the encrypted message or data.

The Cryptography Law is silent on the issue of decryption and it is also silent on protection of passwords and other keys that prevent decryption.
Its ultimate plan is to break all forms of end to end encryption by putting all passwords and decryption keys into the hands of the PRC government and the CCP. In other words, opaque to the public but transparent to the government.

Article 31 of the Cryptography Law provides for a government inspection and control system implemented by the SCA and its local agencies. This system gives the SCA and its local agencies complete access to the cryptography system and to the data protected by that system. The systems are also subject to the MPS supervision and control system that is being implemented under the Cybersecurity Law and the MLPS 2.0 system described here and here. So both the SCA (a CCP office) and the MPS (working with the MSS) will have full access to encrypted servers, including full access to the decryption keys and the passwords. Once this access is achieved, end to end encryption disappears. For a description of how this works, see this.

In the end, inviting foreign providers and users of cryptography is just a trap for the unwary. Once data crosses the Chinese border on a network, 100% of that data will be 100% available to the Chinese government and the CCP. Cryptography may prevent access by the public, but all this data will be an open book to the PRC government.

This then raises major issues for U.S. and other country entities that rely on end to end encryption in China as an exception to U.S. export control rules. Under China's new system, end to end encryption will no longer exist in China and so this exemption from U.S. export controls will no longer be effective. As the U.S. expands the scope of technology subject to export controls, the risks for foreign companies will become progressively more significant.

Many U.S. entities look at cryptography as their escape from China's Cybersecurity Law, but that will not work because the PRC government will not let it work. The Chinese government knows exactly what it is doing.
The Chinese government has set up a system that will allow it to achieve a fully transparent system.

V. A Concrete Example: The Golden Tax Malware Program

The ultimate goal of the Chinese system is for the Party to install malware on computer systems that allows the Party and its agents full access to the system. This malware is normally some form of a remote access trojan (RAT), a malware technology in which the Chinese are world leaders. The Golden Tax malware program provides a concrete example of how this can be done.

The Chinese government and its state-controlled banks have worked hard over the last decade to digitize financial reporting and procedures. These days, a business operating in China virtually never needs to visit a Chinese government agency office or a bank. Transactions and reporting are done online.

For normal daily operations, this means the following are done through the Internet:

- Day to day banking
- Monthly tax reports
- Monthly tax and social insurance payments
- Issuance of VAT tax receipts
- Periodic reports to government agencies
- For importers/exporters, reporting to customs

If you try to do this kind of work by visiting Chinese government offices, you will be turned away.

All this appears to be modern and efficient, but this extensive use of the Internet conceals a hidden danger. In all these transactions, Chinese government agencies and the banks require the business make use of software provided by the agency or the bank. No independent software is allowed. This software is usually a package that includes connection software and anti-virus protection. In my experience, these packages are poorly written, buggy, slow and difficult to use. When this software is installed on a business’s central computer, it slows operations to the point of being unusable.

But the real issue runs deeper. As discussed above, the goal of the Chinese government is to make information networks in China closed to outsiders but completely open to the Chinese government.
Once on the Internet, the goal of the system is to ensure all information can be accessed by the Chinese government. To state things more bluntly, the Chinese government has become the most active information hacker in China. The software the business is required to install on its systems is being provided to it by a hacker – the CCP. The risks are obvious.

The reality of the risk has recently been exposed by Trustwave, a U.S. based cybersecurity consultant, in its report on a case where malware was included in software required by a Chinese bank for tax payments. See The Golden Tax Department and the Emergence of Golden Spy Malware, subtitled, "Trustwave SpiderLabs has discovered a new malware family, dubbed Golden Spy, embedded in tax payment software a Chinese bank requires corporations install to conduct business operations in China." The basic story is typical of China. The bank requires installation of its mandated software created by a private big data Chinese company working under contract with the Chinese national tax department. In other words, the mandate requiring use of this spyware comes straight from China's national government in Beijing.

The software contains a backdoor that takes two actions. First, all data submitted to the bank and all other data on the host computer is transmitted to a server owned by a private Chinese company connected with China's national tax department. This server is housed on the Alibaba cloud. Second, the software allows the operator of the backdoor complete access to the entire host computer system. Trustwave provides standard advice on best practices for dealing with this type of infection. Their advice to remove the software is, however, simply not practical, since companies are required to use this spyware to do business in China. Their alternative is to install the software on a dedicated laptop insulated from the main company computer system. This approach prevents infection of the main company network system.
However, it does not prevent the private data transmitted to the local tax authority from being transmitted to the malware server to be used for undisclosed purposes. It also is not clear how the Chinese government will treat a foreign company that isolates its exposed data to a sole, non-networked computer.

So now we know why all this Chinese government mandated software works so badly. The software is so filled with malware, backdoors and surveillance protocols that normal operation is slowed to the point of making many systems unusable. Those of us who work in China have always assumed this and now the Trustwave report provides a concrete example.

The larger issue is that this forced installation of backdoor malware is a constant issue in China. It is not just the case of one piece of software from one bank. As this case shows, the national government works with government-controlled banks, local governments, private software/big data companies and Chinese based cloud service providers to implement a system that allows total access to all information available on the networks located in China.

It might be possible to implement protections against one single piece of malware, as Trustwave advises. But as a practical matter, it is impossible to implement protection against the constant and pervasive measures the Chinese government takes to access private company data. There are too many points of access. For example, government mandated inspection of company networks allows for installation of similar backdoor malware as part of the inspection process.

The issue is not simply the compromise of the China based system of foreign investors. Once the China system is compromised, the hacker (Chinese government) can almost always then gain access to the entire international network linked to the hacked system. The infection spreads from China around the world. Informatization, big data and full spectrum dominance is the Chinese government's highest priority.
This has important implications for companies operating in China and this reality must be carefully assessed.

The standard response to the tax malware risk from cybersecurity consultants is to claim Western-style cyber security measures can be successfully used to defend against government-led hacking in China. These proposals will not work, and the suggestion they will work creates a false sense of security that actually increases risk. To put it starkly, in China, the government itself is the hacker and it will not allow foreign or domestic technicians to provide services that will defeat the hacker's ultimate goals.

Let me explain why the normal cybersecurity techniques will not work.

Cybersecurity consultants usually start by explaining how setting up banking operations on a separate laptop can seal the compromised site from the safely protected main site. The use of a dedicated laptop for banking purposes is standard practice in China. I did that in China myself when I had to step in to help run a company there. The reason a separate laptop is required reveals where the problems lie. The Chinese bank software is written so it will only run on a Chinese version of the Windows operating system. Moreover, it will only run on an outdated, unpatched, unsupported version of Windows, usually an outdated version of Windows 7. The reason is that the malware hidden in the software depends on exploiting various flaws that are endemic in unpatched Windows operating systems. For this reason, anyone using a dual language, patched, supported version of Windows 10 simply cannot make use of the bank provided software. Use of the separate laptop is therefore forced.

In the daily life of a normal business in China, this use of a separate laptop becomes completely impractical. It is important to understand that under the new system I described, the entire financial and regulatory life of a business in China is done over the Internet.
For full protection, then, we would need multiple separate laptops: one for each bank, one for the tax department, one for VAT receipts, one for the local government, one for the national government, one for freight forwarders, one for customs, one for the (government controlled) accountant, one for the bookkeeper, and one for the employee benefits service. The list becomes endless. There is thus pressure to combine all these software systems onto one single laptop. This laptop is then used throughout the entire working day. It is not linked to the receiver (let's say the one bank) and then immediately shut down. It remains linked to someone on the Internet for virtually the entire day.

But wait, it gets worse. Now all of the business's important data is located on one or more dedicated laptops sealed off from the company's main system. But to do business, the company needs the data from its laptops to go to its main system. Imagine for just a minute if all your company's bank information were on one laptop in one office and not a part of your main system. So data from the laptops has to be regularly transmitted to the main system.

Not only must data from the laptop go to the main system at some point for the company to function at all smoothly, but it is also necessary for data from the main system to go to the laptop for use of the various systems located on the laptops. Again, just imagine how you will smoothly move only certain financial data from your main system to your laptop every day.

As a practical matter, it is not possible to keep the systems separate and during these required data transfers, your door is opened for malware infection. In the most primitive way, malware is transferred when a thumb drive is used for data transfer. However, many businesses just do the data transfer through some form of Ethernet or wireless link between the various systems.
In some cases, companies just give up and shift all their important financial operations to the dedicated laptop, or even to a Chinese Windows desktop.

This is what actually happens on the ground in China, and there is no way to prevent it. Foreign owned companies in China will often install a system based on advice from a foreign cybersecurity expert. They will use patched, updated operating systems, the most modern anti-virus protections, the best cryptography and a sophisticated VPN. This work is all in vain because when a network connection is required, China Telecom or some other Chinese government agency will install the network system. And they will say it is fine for you to use these systems for your personal purposes, but you cannot use these systems for any operations that make use of the Internet in China because China's rules require the following:

- China approved virus software.
- China approved cryptography.
- A China approved ISP.
- A China approved cloud provider.
- China approved connection software.
- A China approved version of Chinese language Windows that we will provide to you.
- Support service provided only by a China approved (and controlled) network consultant.

To top it all off, as discussed above, China's local authorities have the right to inspect your networked system at any time without notice and this inspection is done without the participation of company staff. During that inspection, your data will be removed using a thumb drive. If the government inspectors want to do it, they can then install the malware through the use of that same thumb drive. Most large network connections in China are done through use of a cloud system. Chinese government authorities have the same rights to inspect the cloud system.
In accordance with the rules, the client of the cloud provider will not even know its system has been inspected.

Network systems are provided to businesses in China exclusively through the Chinese government and/or by Chinese government agencies and/or by IT consultants approved and controlled by the government. The Chinese government is the primary hacker in China, with your cyber security being performed by the hacker itself. This goes beyond a simple network connection. The Chinese government provides the landline phone system and the cell phone system. The Chinese government provides the Internet connection. The Chinese government provides the email server. Many Chinese government agencies will not use email; they instead require all contacts be through WeChat, a completely insecure platform constantly monitored by the Chinese government. By using the extreme efforts suggested by the best cybersecurity advisors, a foreign company doing business in China might be able to avoid one of these assaults on its data. But when the attacks come from every direction and are organized by the Chinese government itself and backed up by threat of imprisonment, any defense will ultimately fail.

This is the first in what will be a multi-part series on China cybersecurity. This series stems from the recent webinar at which Steve Dickinson discussed cybersecurity in China. To watch that webinar, go here.

I. Cybersecurity with Chinese Characteristics: The Party is the leader of everything.

Under the guidance of the Chinese Communist Party (CCP), the Chinese government is working to create a cybersecurity system with Chinese characteristics. This system is designed to make all networked information that crosses the Chinese border a) transparent to the Chinese government and b) closed to unauthorized access by foreign and domestic hackers and governments not affiliated with the CCP.

The primary goal is to use this system for surveillance and control.
Surveillance means acquisition of information. As a result, the transparency of the system means all information that crosses the Chinese border should be available to the CCP and its agents. There are no secrets from the Party. As a result, from the standpoint of an individual or a business entity, whether domestic or foreign, this system is a cyber-insecurity system. As the system is implemented with progressively greater refinement and scope, there will be no place to hide from the eyes of the party.

All foreign entities operating within China are subject to this cyber-insecurity system. Since network systems and communication are central to the work of every modern company, understanding how the Chinese system operates is essential. The impact is not limited to foreign entities that establish foreign invested enterprises in China. It also applies to anyone who transmits information, personal or technical, into China via any network. It also applies to any person who transmits information into any country in which the Chinese digital authoritarianism system has been implemented through the Digital Silk Road project. It also applies to anyone who transmits information into any country or region (Hong Kong/Taiwan) that has become the target of Chinese based data gathering operations.

To understand the basis of this system, certain features of the current Chinese system of government must be understood. First, we must understand the role of the CCP. There are two key features:

One, the CCP has been recognized as the “leader on everything”. Under Deng, Jiang and Hu, the goal was to remove the Party from the dominant leadership role so as to release the economic and creative power of the people and non-party institutions. This plan worked so well that many in China began to question the role of the Party.

The primary goal of the Xi Jinping administration has been to reverse this trend. Through the efforts of Chairman Xi, the CCP is now the leader on everything.
There is no limit on its role in directing all aspects of China. Accordingly, in 2018 the CCP constitution was revised to state:

The leadership of the CCP is the primary characteristic of socialism with Chinese characteristics. The Party, government, military, civil and education, north, south, east, west and the center, the Party is the leader on everything.

中国共产党的领导是中国特色社会主义最本质的特征,是中国特色社会主义制度的最大优势。党政军民学,东西南北中,党是领导一切的。

This statement is a rejection of the policy of Deng, Jiang and Hu. It hearkens back to the position of Mao Zedong as stated in 1962. Mao Zedong, Chairman of the Central Committee of the Chinese Communist Party, at the enlarged Central Work Conference, January 30, 1962.

Though the CCP is the leader on everything, the primary goal of the Party is to lead in economic development. As stated in the Preamble to the CCP Constitution:

In leading the cause of socialism, the Communist Party of China must continue its commitment to economic development as the central task, and all other work must take an ancillary role and serve this center. The Party shall implement the strategy for invigorating China through science and education, the strategy on developing a quality work force, the innovation-driven development strategy, the rural vitalization strategy, the coordinated regional development strategy, the sustainable development strategy, and the military-civilian integration strategy. It shall give full play to the role of science and technology as primary productive forces and the role of innovation as the primary force driving development, draw on advances in science and technology, improve the quality of the country’s workforce, and ensure higher-quality and more efficient, equitable, and sustainable development of the economy.

In keeping with this broad role, the CCP has also greatly expanded the concept of national security. Under Xi Jinping’s Comprehensive National Security Concept (总体国家安全观), the traditional military, protection of borders approach to national security is transformed. Under the new security concept, two features are critical.
First, the primary goal is to preserve the absolute power of the CCP as ruler of China. Second, the focus is on these threats to CCP power:

- Failure of the PRC to develop quickly into a high technology country.
- Failure of the Party to control ideology and information.

The cybersecurity concerns of private persons and business entities do not enter into the analysis. It is the Party that must be protected, not the public. In particular, it is not possible for any member of the public to be in conflict with the Party. Any such conflict is anti-Party and therefore anti-China. This issue is not addressed in any way. All of this is explained in detail in the standard collection of Xi Jinping’s speeches and writings on the comprehensive national security concept: 习近平关于总体国家安全观论述摘编,2018. A good summary in English can be found at Matthew D. Johnson, Safeguarding Socialism: The origins, evolution and expansion of China’s total security paradigm.

In order to be the leader on everything, the Party has to know everything. In the cyber realm, the CCP and its agencies have responded to this need to know in two ways:

Domestically, the CCP has embraced digital technology to create a surveillance state within China. Through facial recognition, control of the Internet, mobile phone, WeChat and related sources of information monitored and controlled through AI and big data, the PRC has created a surveillance and control system that has been termed digital authoritarianism. See U.S. Senate Committee on Foreign Relations, The New Big Brother: China and Digital Authoritarianism.

Internationally, the Party and its agents, the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), have become the primary cyber-hackers of technology and trade secrets. The role of the MSS in cyber-hacking is well documented. Recent criminal indictments and U.S. and foreign government responses can be found here for the United States and here for the United Kingdom.

What then is the CCP?

1. The CCP is the CEO of Chinese state owned and private businesses that directly compete with foreign entities.
2. The CCP is the director of the research centers charged with developing technology per the Made in China 2025 program and other high-speed high-tech development projects.
3. The CCP is commander in chief of the Chinese military, a military with which foreign persons are banned from dealing. Under the doctrine of civil/military fusion, the military has access to all information and technology obtained by the CCP.
4. The CCP is the manager of the worldwide cyber hacking system conducted by the MSS and the People’s Liberation Army (PLA), along with the domestic cyber hacking system conducted by the MPS.

The Party is entirely in control of this system. The Party is the leader of everything: north, south, east, west and center. Any attempt to defeat this system is doomed to failure. All networks and digital data within the Chinese border will be made transparent to the CCP with no exceptions. There is no place to hide.

So, how does it work? That will be discussed below.

II. China’s Comprehensive Network Security Program

The Chinese government has been working for several years on a comprehensive Internet security/surveillance program. This program is based on the Cybersecurity Law adopted in 2016. The plan is vast and includes a number of subsidiary laws and regulations. On December 1, 2018, the Chinese Ministry of Public Security announced it will finally roll out the full plan.

The core of the plan is for China's Ministry of Security to fully access the massive amounts of raw data transmitted across Chinese networks and housed on servers in China. Since raw data has little value, the key to the Ministry's success will be in processing that data. Seeing that this is the key issue, the Ministry has appointed Wang Yingwei as the new head of the Cybersecurity Bureau.
Wang is a noted big data expert and he will be tasked with making sense of the raw data gathered under the new system.

The plan for the new system is ambitious and comprehensive. As explained by Guo Qiquan, the chief cheerleader for the plan, the main goal of the new system is to provide “full coverage.” “It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet.”

This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. Since the Chinese government is the shareholder in all SOEs and is now exercising de facto control over China's major private companies as well, all of this information will then be available to those SOEs and Chinese companies. See e.g. China to place government officials inside 100 private companies, including Alibaba. All this information will be available to the Chinese military and military research institutes. The Chinese are very clear that this is their plan.

In the past, foreign owned companies in China were generally able to avoid the impact of this type of system in two ways. They did this primarily by establishing VPN internet servers in their own offices.
These servers used VPN technologies to isolate data from the Chinese controlled networks, allowing for a company intranet to maintain the secrecy of emails and data stored on the company servers in China. As cloud computing has advanced, foreign owned companies typically use the same VPN technologies to isolate their cloud-based servers from the Chinese controlled system. Though the Chinese authorities often complained about these VPN systems, foreign companies were usually able to claim their special WFOE status exempted them from Chinese data controls.

However, with the roll-out of the new system, that will all change. First, the Cybersecurity Law and related laws and regulations are clear that they apply to all individuals and entities in China without regard to ownership or nationality. There are no exceptions. More important, the new Foreign Investment Law that went into effect on January 1, 2020 eliminates any special status associated with being a WFOE or other foreign invested enterprise. Foreign owned companies will be treated in exactly the same way as Chinese owned companies. See China’s New Foreign Investment Law Benefits: Like Putting Lipstick on a Pig. This means the Cybersecurity Law will apply to foreign owned companies (WFOEs, joint ventures, and Representative Offices) in the exact same way it applies to Chinese owned companies and individuals. There will be no place for foreign owned companies to hide.

This means using intra-company VPN systems will no longer be authorized in China for anyone, including foreign companies. This in turn means all company email and data transfers will be required to use Chinese operated communication systems fully open to China's Cybersecurity Bureau. All data servers that make any use of Chinese based communications networks will also be required to be open to the Cybersecurity Bureau's surveillance and monitoring system.

It is important to fully understand what this means.
Under the Cybersecurity Law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Chinese government understands foreign companies and individuals will be reluctant to simply turn over their information to the Chinese government when asked. For that reason, the Chinese Cybersecurity Bureau does not plan to politely make a formal request for the information. The fundamental premise of the new cybersecurity systems is that the government will use its control of communications to simply take the information without discussing the matter with the user. All data will be open to the Chinese government.

This system of constant and pervasive access to and monitoring of data sets up a fundamental conflict for U.S. and many foreign companies operating in China because U.S. law in many cases mandates much information be kept secret. But Chinese law now requires complete government access to those secrets if those secrets cross the Chinese border for any reason. This conflict puts many U.S. and foreign companies in an impossible legal bind. I include foreign companies because foreign companies with U.S. subsidiaries or even certain sorts of relationships with U.S. companies will also be bound or at least impacted by these U.S. secrecy laws.

First, as the scope of what the U.S. government designates as controlled information and technology begins to expand, the restrictions on what cannot be transmitted across the Chinese border increase. See this post on what will likely constitute a restricted emerging technology under U.S. law. U.S. companies used to take the position that their information in China is on a private server isolated from the Chinese government and if the Chinese government requests this information, we will refuse to comply.
This argument will no longer work because the Chinese government will no longer ask for the information; it will simply take it.

Second, much intellectual property is protected as a trade secret rather than because it is registered as a patent. In fact, the value of many U.S. patents lies in their supporting trade secret know-how. Trade secrets are a form of property protected under U.S. law. However, the general rule for being able to maintain something as a trade secret (under U.S. and China and EU law) is that the holder of the trade secret must take reasonable steps to maintain its secrecy. Once a trade secret has been intentionally or unreasonably revealed by its holder, its protection as trade secret property is terminated. This then leads to the conflict.

Under the new Chinese system, as a practical matter, trade secrets hidden from the CCP will no longer exist. This means U.S. and EU companies operating in China will now need to assume any “secret” they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication. Since no company can reasonably assume its trade secrets will remain secret once transmitted into China over a Chinese controlled network, they are at great risk of having their trade secret protections outside China evaporating as well.

The U.S. or EU company may have an enforceable agreement with the Chinese recipient of its confidential information that protects that information with respect to that authorized recipient. But if the secret is easily available to the Chinese government, there is no real trade secret protection.

By giving the Chinese government and its cronies full access to its data, the U.S.
or EU company may very well be deemed to have illegally exported technology to China, and it could face millions of dollars in fines and even prison sentences for some of its officers and directors. There is an inherent conflict between foreign laws mandating a company not transfer its technology to China and China’s laws which effectively mandate that transfe

III. China’s Regulatory System: The Multi-Level Protection Scheme (MLPS 2.0)

A core concept in the CCP system of control is that China must be ruled by law. The law is the expression of the will of the Party. That expression of will must be clear and inflexible. In keeping with that basic policy, the cybersecurity system that will be rolling out over the next decade is documented in detail as the Cybersecurity Multi-level Protection Scheme (“MLPS 2.0”), which came into effect on December 1, 2019. This scheme sets out the technical and organizational controls all companies and individuals in China must follow to comply with MLPS-related Internet security obligations mandated by China’s Cybersecurity Law. All companies and individuals must abide by the following three standards:

1. GB/T 22239 – 2019 Information Security Technology – Baseline for Multi-level Protection Scheme.
2. GB/T 25070 – 2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme.
3. GB/T 28448 – 2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme.

The Chinese language versions of these standards can be found here; I am not aware of any English language translations of these standards.

My personal file on the laws and regulations relating to the MLPS 2.0 system consists of 800+ pages of very technical Chinese. But even this vast documentation is not sufficient to fully understand the function of the system.
To fully understand all this, one must also consider the objectives of other key Chinese government planning documents, such as the national artificial intelligence program, the Internet+ program, the social credit system for individuals and businesses (See China’s New Company Tracking System: Comply, Comply, Comply), and various other network/Internet/data gathering and surveillance programs being implemented in China.

When one examines these various different programs together, it becomes apparent the MLPS 2.0 system is the hardware component of a comprehensive data gathering, surveillance and control program. China’s plan is to create a system that covers every form of network activity in China: Internet, mobile phone, WeChat type social networks, cloud systems, domestic and international email. China’s goal is not to create a commercial system where individual players can participate and make money. Its goals are surveillance and control by the PRC government and the CCP.

To achieve those goals China is creating a system to achieve two ultimately contradictory objectives: the system will be closed against intrusion by bad actors (foreigners and internal dissidents), but completely transparent to the Ministry of Public Security and other internet security agencies of the PRC government and the CCP. Transparency to the Ministry of Public Security means what it says: No technology that blocks access by the Ministry of Public Security is permitted. No VPN, no encryption, no private servers. If the Ministry of Public Security is required to install back doors or other message/data interception devices or systems to achieve full access, then China Telecom and Chinese based ISPs are required to comply.
But because providing open access to the Ministry of Public Security directly conflicts with the goal of hardened security from intrusion, how to mediate between these conflicting goals is the chief reason for the length and complexity of the MLPS 2.0 standards.

The legal basis for allowing China’s Ministry of Public Security to access networks and data comes from a regulation not included within the MLPS 2.0 standards. As I noted above, full understanding requires pulling together all the applicable regulations. This is just one example of this. The written regulations that give the Ministry of Public Security the right to just take it are the Regulation on Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). This regulation was promulgated on September 15, 2018 and came into effect on November 1, 2018. My references to this regulation below are to the articles of the Chinese language version published by the Chinese government. It is important to base comments on the Regulation on what was actually adopted, not on earlier discussion drafts containing provisions that were not adopted.

As a preliminary issue, a key matter confirmed by the Regulation on Internet Security Supervision and Inspection by Public Security Organs is that the Ministry of Public Security has lead authority to take on the front-line enforcement duties related to the Internet and to network security in China. This means MIIT (China Telecom), CAC, CNNIC and the alphabet soup of other Chinese agencies that sought a role in cybersecurity administration have been pushed aside in favor of the Ministry of Public Security. This means enforcement will be handled by the police rather than by local bureaucrats. This decision on enforcement has real meaning for foreign companies doing business in China and for their foreign employees who live and work there.
When a Chinese bureaucrat shows up at your door asking for information, you can perhaps send that bureaucrat on his or her way. But when two or more uniformed police officers show up at your door, you have no option but to comply.

The Regulation on Internet Security Supervision and Inspection by Public Security Organs provides for two levels of inspection of networked servers: on-site inspection and offline, remote access. See Article 13. When an on-site inspection is conducted, a minimum of two local police officers must be present. See Article 14. The police officers will be accompanied by local government agency staff charged with Internet security. If local government agency staff are not sufficient, the Ministry of Public Security may employ independent contractors to do the work.

The inspection team has complete access to the network system. Inspection can cover both the technical aspects of the network system and the data/information maintained on the servers. See Article 10.

The inspectors can fully access the system and copy any data they find. See Article 15. The only restriction on the inspectors copying the data in your company’s system is that they must provide you with a receipt. Though Article 10 restricts access to matters involving national security, the definition of national security in China is so broad there is no real limitation on what can be accessed, copied and removed.

In cases where the Ministry of Public Security determines there is an Internet security issue, it has the right to perform a remote access inspection, the scope of which is set out in Article 10. Prior notice of remote access is required. There are two issues related to such notice: First, the purpose of the notice is not to protect the rights of the party being inspected. Rather, the purpose of the notice is to ensure that the server has been completely opened to access by the Ministry of Public Security.
Second, for servers maintained by a cloud provider, it is not clear whether notice goes only to the cloud provider or to both the cloud provider and its customer(s). It is therefore not clear whether the cloud customer will ever receive notice that its server and data were viewed and copied by China’s Ministry of Public Security. Time will tell on this, but my guess is the cloud customer will never know unless its cloud provider tells them, which is unlikely.

This off-site access rule is awkward to manage. The structure of the MLPS 2.0 standards suggests the Ministry of Public Security plans to work with cloud providers and Managed Service Providers to get them to install systems that will allow the Ministry of Public Security easy off-site access at any time, without need to go through an incident by incident prior notice then access procedure. However, this type of constant access system is not contemplated by the Regulation. Even if the Regulation on Internet Security Supervision and Inspection by Public Security Organs is strictly followed, there is no getting around the fact that it provides for China’s Ministry of Public Security to have essentially unfettered access to all servers and data. Referring to this as cybersecurity is fundamentally misleading. As the Regulation itself states, this is a regime for inspecting and controlling by the Chinese government. It has nothing to do with cybersecurity as normally considered in the open Internet world.

The key issue then becomes what happens to the data collected by China’s Ministry of Public Security (your company’s data, for instance). The Ministry is permitted to copy and remove virtually any information or data it finds on the servers it inspects. What about the confidentiality of that information?
Article 5 of the Regulation on Internet Security Supervision and Inspection by Public Security Organs addresses this issue: “The personal information, privacy, trade secrets and state secrets that the public security organs and their staff members are aware of in the fulfillment of the duties of Internet security supervision and inspection shall be strictly kept confidential and shall not be disclosed, sold or illegally provided for others.” This provision must be read carefully because it provides for confidentiality with Chinese characteristics.

The key point is that the term “others” does not include any agency of the Chinese government or of the CCP. In other words, it does not include universities and other research centers operated or controlled by the Chinese government. It also does not include the Chinese military or Chinese arms manufacturers. It also does not include China’s State-Owned Entities (SOEs). Though not clear, the term “others” also probably does not include nominally private entities controlled by the CCP. See e.g., Huawei.

So again, what does this confidentiality provision mean? As applied in China, the confidentiality rule of Article 5 is intended to prevent Ministry of Public Security officers from doing two things: one, selling data to Chinese or foreign companies for personal profit and two, disclosing data to foreign agents (spies). This rule is not intended to prevent the Ministry from sharing the data it collects with the insiders described above. In fact, such sharing is mandated as part of the data needs of the entire Chinese government and the CCP. The Ministry of Public Security is not permitted to hoard the data; it is required to spread it around within China’s Party-controlled system.

This result then leads to the key issue.
Confidential information housed on any server located in China is subject to being viewed and copied by China’s Ministry of Public Security and that information then becomes open to access by the entire PRC government system. But the PRC government is the shareholder of the State-Owned Entities (SOEs) which are the key industries in China. The PRC government also essentially controls the key private companies in China, such as Huawei and ZTE, and more recently, Alibaba and Tencent and many others. See China is sending government officials into companies like Alibaba and Geely and China to place government officials inside 100 private companies, including Alibaba. The PRC government also either owns or controls China’s entire arms industry.

Simply put, the data the Ministry of Public Security obtains from foreign companies will be available to the key competitors of foreign businesses, to the Chinese government controlled and private R&D system, and to the Chinese arms industry and military.

The negative consequences of this should be obvious. But the critical issue is that the consequences go far beyond just the commercial impact. China’s new systems will become a matter of national security for the U.S. and other governments. This then sets up a conflict private companies will not be able to avoid. Do they make their data available to China’s Ministry of Public Security as required by Chinese law or do they keep that data from the Ministry (and in turn the Chinese Military) as required under the laws of their home country? In other words, do they simply stop using or providing data to their China operations?

The final result will be that as far as China is concerned, free trade in the critical areas of technology will end up being severely curtailed.
Welcome to the New Normal.

My future posts will address oft-proposed solutions that do not work and solutions that can actually make the situation a bit better.

China distribution contracts

In China Distribution Contracts: The Questions We Ask, we wrote about some of the initial questions we ask our clients for whom we are drafting China distribution contracts. That post started out discussing how forming and then operating a China WFOE is difficult and expensive (see Forming a China WFOE: Ten Things To Consider and Doing Business in China with Deportation or Worse Hanging Over Your Head on why having a WFOE is a must if you will be doing business within China). It then discussed how our China lawyers have been seeing many more foreign companies choosing to sell their products to China via distribution relationships rather than via a WFOE. For the basics on what it takes to establish and document distribution relationships with Chinese companies, check out the following:

China Trademarks and Your Chinese Distributor
Getting Your Product Into China Via Distributorship
China Distribution Contracts: The Basics
Exclusivity In China Distribution Agreements

Today’s post focuses on some of the additional questions we often ask our clients who retain us to draft their distribution agreement with a Chinese company or companies. The below is a portion of an email from one of our lawyers to a client for whom we were in the process of drafting a China distribution contract.

1. How are you planning to deal with warranties? A standard approach is for you to draft the warranty and then have your distributor pass on this warranty to consumers without any changes. Under this approach you will need to work with your distributor to design an appropriate warranty that a) works for your products, b) works for your company and your distributor, c) meets market demands, and d) complies with Chinese law.

The alternative is to allow your distributor to provide whatever warranty it wants to consumers.
Your warranty is with the distributor and you will not cover any warranty beyond that which you have specifically agreed with your distributor. Under this sort of arrangement you have no contractual relationship with the consumers and the consumers have no legal basis to assert warranty claims against you. They are limited to making claims only against your distributor. This option is consistent with the legal status of a distributor that buys and then resells your products. However, under this approach you no longer control the nature of the warranty and many of our clients do not want to give up this control.

Much can depend on the nature of your product, your consumers and your trust in your distributor. We should discuss all of these things by telephone.

2. Determining the sales price to consumers. Normally, the distributor is free to set the prices it wants for the products, since it has purchased the product and therefore owns them. However, many of our clients wish to exercise at least some pricing. Absolute resale price maintenance is not legal in China so you cannot dictate the sales price. You can, however, require your distributor to work with you on pricing and even set a pricing product range, both maximum and minimum. Please advise on how you want to proceed on the pricing issue.

3. What form of training will you provide to your distributor? Where will you provide this (in China or in your home country)? How will training costs be determined and who will pay those costs?

4. Do you want to require all communications from your distributor be in English?

5. Will your technical documents be translated into Chinese? If yes, who will do this? You or your distributor and who will cover these costs?

Please advise on the above.
We will begin drafting your distribution agreement when we get your responses to the above.

Same same but different

One of the less endearing features of the Chinese trademark system is that the Chinese Trademark Office (CTMO) and the Chinese court system have different standards for what makes one trademark “confusingly similar” to another, which is the statutory basis for determining whether one trademark conflicts with another. To make things even more confusing, neither the CTMO nor the Chinese court system has a uniform, clearly articulated standard.

That being said, experienced practitioners know CTMO examiners are generally stricter than Chinese judges. The CTMO continues to hire vast numbers of inexperienced trademark examiners who are under tremendous time pressure to crank through a huge number of trademark applications. They’re following a playbook, just like an offshore customer service representative, and they aren’t rewarded for making appropriate judgment calls. I haven’t been to one of their training sessions, but I have to believe the mantra drilled into new recruits is “When in doubt, reject.”

None of the CTMO examiners are native English speakers and many don’t speak English particularly well. They are trained to look for similarities in phonetics, pronunciation, appearance, and meaning, which can lead to absurd results for English-language marks that superficially appear similar. For instance, “Big Work” and “Big Dork” might well be considered confusingly similar brand names by the CTMO even though there isn’t a single native English speaker who would ever confuse the two. In fact, the CTMO would probably consider “Work Big” and “Big Dork” to be confusingly similar.
At a very high level, you can see why: the order of the words is flipped and one letter is different, but otherwise they are identical.

It’s possible to rationalize the CTMO’s unsophisticated approach to English-language trademarks by noting that many Chinese consumers have limited English-language skills and might indeed think that “Work Big” and “Big Dork” brands were produced by the same company. But this argument doesn’t hold up under further scrutiny, because the CTMO examiners take the same approach with logos (that are not in any particular language).

The Trademark Review and Adjudication Board (TRAB) hears appeals of trademark rejections, and they have a more objective and sensible approach to the “confusingly similar” standard. But they, too, are overworked and understaffed, and far more often than you might expect, they will uphold a ridiculous CTMO decision. So it is entirely possible that in real life, an existing registration for “Work Big” would block an application for “Big Dork.”

Meanwhile, the Chinese court system would almost certainly not find that the “Big Dork” brand infringed upon the “Work Big” registration. The owner of “Work Big” could not get an injunction or damages, and would be hard pressed to take any action at customs. Frankly, it probably wouldn’t even occur to them because the marks are so different.

So where does that leave the owner of the “Big Dork” brand? They are unable to secure a trademark registration in China, but they can’t be sued for infringement either. Effectively, they’re in the same position as anyone using a descriptive trademark: nobody can stop them from using it, but they can’t stop anyone else from using it either.

Whether this is acceptable to the “Big Dork” brand owner largely depends on what they want to do in China. If all they want to do in China is manufacture goods and be assured that their goods will not be seized at Customs for alleged trademark infringement, they should feel reasonably confident.
It’s not ideal, though, since CTMO’s decisions are not binding and if a trademark squatter files an application a couple years down the line and gets a CTMO examiner with a more relaxed standard, that squatter might be able to secure a registration after all. The best decision would be to use a trademark that they could definitely register in China, whether by appealing the CTMO’s rejection or by picking a new trademark. Better safe than sorry.

And if they plan to sell goods in China, they absolutely need to find another trademark, because it’s guaranteed that someone else would copy the Big Dork brand name and they wouldn’t be able to do a thing about it. See Make China Trademarks a Priority.

Photo by Quinn Dombrowski

One of the things my law firm’s China lawyers are always saying and seeing is how China is constantly getting more legalistic, especially with foreign companies doing business in China. I used to believe this would lead foreign companies to become more careful, but this has not happened. Too many foreign companies for all sorts of different reasons remain far too nonchalant and increasing legalization only increases the likelihood this attitude will eventually harm them.

Forming a China company is a prime example of this, both with WFOEs and Joint Ventures. What usually causes the problem to bubble to the surface is different as between a WFOE and a Joint Venture, but what caused the problem in the first place is nearly always the same: the foreign company trusted without verifying.

The WFOE Problem.

The WFOE problem is a somewhat simple one. The foreign company believes it has formed a WFOE in China (oftentimes long ago) and that it is now operating completely legally there. The foreign company typically then has a problem with its most important China employee and it wants to terminate that employee.
The first thing our China employment lawyers usually do in this situation is to look at the official Chinese government corporate records for the WFOE to get a better handle on the employee’s authority at the company. Sometimes we discover there is no WFOE.

At this point, the legal issue is no longer terminating an employee of a WFOE; it’s figuring out what makes sense in light of a messed-up China situation and a company’s present-day China goals. You cannot terminate an employee from a company that does not exist.

How does a company get to this point? What leads a company to believe it had a China WFOE when it didn’t? Ninety percent of the time, the fatal mistake was trusting the person the company now wishes to terminate. That person claimed to have formed a WFOE for the foreign company but never did. Maybe he or she formed a Chinese domestic corporation he owns. Or maybe this person never formed any Chinese entity at all. In any event, the foreign company paid money to this person believing the money would go to form a WFOE. Virtually always, the company then paid more money to this person believing this money would go to pay rent and personnel and taxes and other business expenses. Probably some of the money went to these things, but it is likely a good chunk of it went straight into the pockets of the person who lied about having formed the WFOE.

The Joint Venture Problem.

This is really two different problems. One, the non-existent Joint Venture, which is very similar to the WFOE problem, but usually a bit more complicated. The putative JV partner is put in charge of forming a China Joint Venture and it either never formed any company at all or it formed a company in Hong Kong or even the United States that the foreign company believes to be a China Joint Venture. The foreign company thinks the Hong Kong or US company owns a company in China and that this corporate structure is itself a China Joint Venture.
It isn’t and the China entity into which the foreign company ends up pouring time and money and technology is not in any respect owned by the foreign company. The foreign company at some point becomes concerned about never having received any money from its Joint Venture and now the Joint Venture has gone completely silent and is not even responding to emails or the Joint Venture is now successfully competing directly with the foreign company. See China Scam Week, Part 6: The Fake Joint Venture.

The foreign company trusted its Chinese Joint Venture partner and the lawyer its Chinese Joint Venture partner chose to prepare the necessary Joint Venture documents. Now there is a problem and those documents were written in such a way as to favor the Chinese side so completely there is nothing the foreign company can do to resolve it. See China Joint Ventures: The Tide is Out.

How does a company get to this point? Trusting their Joint Venture partner to such an extent that it never verified a thing. Some wrongly believed the Chinese lawyer who drafted the Joint Venture agreements was acting as a neutral. China Joint Ventures are complicated and fraught with risk and they require experienced and trusted counsel. See China Joint Ventures: A Warning.

Do you have a Chinese company? Are you sure? With China using its social credit system to crack down on foreign companies, now is the time for you to double-check on this.

We are on record (and then some) about the importance of registering your trademark in China.
In spite of our efforts, or perhaps because of them, nearly every week someone contacts us after discovering someone else has registered “their” trademarks in China.

Most people lump all such third party registrants together under the common rubric of “trademark squatters,” but in fact, the registrants can be separated into five distinct categories, and the appropriate response (and the likelihood of success) depends on the category in which they fall.

Category One – The Extortionist

China’s laissez-faire attitude towards bad-faith trademark registrations has created a cottage industry for people who register brand names belonging to foreign companies and then hold those brand names for ransom. Anyone who deals with China trademarks has run into this sort of trademark squatter. They have filed hundreds of applications, for a wide variety of brand names and in a wide range of Nice classes. The registrations may be for different sorts of goods or services than what the brand is known for. The trademark squatter has no connection to any of the brands, and no intention of ever using them in commerce. They are a classic non-practicing entity, and their sole intent is to monetize the trademark registration by selling it to the highest bidder. They will sometimes approach the trademark owner, or they may sell the trademark to another third party on one of China’s trademark clearinghouse websites. The prices can vary but US$10,000/registration is a common starting bid.

Such registrations are the very definition of bad-faith, and you would think they would be easy to invalidate. Not so. China is slowly getting better at dealing with these situations, but even in egregious cases, it’s far from a slam dunk. The typical route involves an invalidation proceeding and an appeal and then maybe another appeal. All this can take years and cost thousands of dollars, and there’s no guarantee of success.
It’s easy to see why many foreign brand owners just pay the money and move on, as with a nuisance lawsuit. Alternately, some brand owners will wait three years and file a non-use cancellation. See China Trademarks: When (and How) to Prove Use of a Mark in Commerce.

Category Two – The Counterfeiter

Companies find the first category of trademark squatter exasperating, but they find the second category infuriating. These squatters have registered foreign companies’ trademarks not to hold them for ransom, but to use them in commerce. Indeed, these squatters’ business model is to produce counterfeit goods they can sell in China (and in any other country where the foreign company has not registered its trademark) without fear of reprisal from the true brand owner – because the squatter legally owns the trademark in China! Sometimes they will sell the same kinds of goods as the true brand owner, sometimes not – it all depends on how well-known the brand is, and what the squatter thinks will generate more money for them. Oftentimes you’ll see these squatters register several foreign brand names in China, all in the same classes of goods. If one foreign brand is good, four are better.

It is usually more expensive for the true brand owners to purchase these registrations because the registrations are worth more to the trademark squatter. Moreover, a non-use cancellation will not succeed, because the marks are actually being used in commerce. It is sometimes possible to succeed with a bad-faith invalidation, but this will largely turn on whether the mark was well-known in China, which is a difficult thing to prove. For many years the de facto Chinese position has been that if foreign brand owners cared about their marks in China, they should have registered them there. Here, the alleged trademark squatter is using the mark in commerce and probably also employing people and paying taxes on its income.
That looks a lot better to Chinese authorities than a sole-proprietor non-practicing entity who lives with his parents in Kunming or Kansas.

Category Three – The Competitor

The third category of squatter looks a lot like the second category – they file trademarks covering a certain, fairly narrow set of goods. But this type of squatter isn’t a counterfeiter and has no plans to use the marks in commerce. Rather, this squatter is your competitor, and their goal is to prevent you from entering the Chinese market (at least under your preferred brand name). The more specialized the market, the more likely this is to occur because everyone knows the other players. More than once I’ve seen a Chinese manufacturer in a specialized industry register the trademarks of all its European and American competitors. They then offer the competitors a Hobson’s choice: buy the trademark at a grossly inflated price (upwards of $250,000K) AND designate the competitor their exclusive distributor in China, or say goodbye to their brands in China.

The competitor will also often threaten to block products manufactured with its trademark by anyone else from leaving China. In other words, they may threaten to effectively shut down your entire business worldwide by choking off your sole production point.

Brands that are actually well-known in China may have some success in wresting trademark registrations from such registrants, but as noted above that rarely happens. Most foreign brand owners in this position are out of luck. The argument that these trademark squatters gamed the system is not going to get much traction.

Category Four – The “Helpful” Supplier

Sometimes companies will find their brand names have been registered by a familiar entity – their own supplier or distributor in China.
If the supplier or distributor is still producing or distributing goods for the company, the proffered explanation is usually benign: the supplier or distributor registered the mark to prevent any squatters from doing so first. This may be true, but the brand owner should wonder why the supplier/distributor didn’t inform them first and/or ask if the brand owner wanted to register the mark itself. Nonetheless, if the relationship is still positive, it is a relatively straightforward process for the supplier/distributor to assign the mark to the brand owner. Some suppliers/distributors will attempt to retain ownership of the trademark but this should be resisted.

If the relationship has turned ugly, which is usually the case when the trademark owner is a former supplier/distributor, a simple assignment may be difficult to procure. But this situation is the easiest one in which to prove a bad-faith registration. So long as you can prove the existence of a business relationship with the supplier or distributor (e.g., through purchase orders, contracts, and other documentation), it is quite likely the squatter will be forced to give up the registrations. Needless to say, the process is a lot easier if you have a signed, chopped manufacturing agreement or a distribution agreement in which your Chinese counter-party agreed not to register your IP. See China Trademarks and Your Chinese Distributor.

Category Five – The Coincidental Copycat

The last category isn’t really a traditional trademark squatter and arguably shouldn’t even be part of this list. Occasionally, someone in China registers “your” trademark because they came up with it on their own independently. This usually only happens with word marks – it is highly improbable two applicants would come up with the same logo by blind chance. In these cases, the trademark owner may be willing to sell the trademark, but if they’re not, there’s little you can do about it.
The registrant simply followed the dictates of China’s Trademark Law: they were the first to file (not you), and so they get to keep the mark.

In sum: if you find that your brand has been taken by a trademark squatter in China, first determine the category they fit in, and then plot your strategy accordingly. Better yet, register your trademark right away and prevent having to strategize at all.

There is plenty that could be written about the plight of Uyghurs and other ethnic groups in Xinjiang, most of it negative. And with Xi Jinping declaring his Xinjiang policies completely correct, there is pretty much no room for hope things will improve (unless you view the complete sinification of Xinjiang as a desirable end goal).

The purpose of this post, however, is not to decry the abuses taking place in Xinjiang: There are many more qualified voices doing that. Rather, this post is about what foreign companies (especially U.S. companies) doing business in China need to know about the situation in Xinjiang. And to keep things simple, we will not dwell on the ethical considerations (which should of course be paramount), just the practical ones.

Any company manufacturing in China is at risk of getting entangled in the widespread use of Uyghur forced labor by Chinese companies (NB all references to Uyghurs include other ethnic groups from Xinjiang). To be clear, Uyghur workers are being exploited not only within Xinjiang, but at locations throughout China. According to Uyghurs for Sale, a landmark report on the issue, the Australian Strategic Policy Institute (ASPI) has identified 27 factories in nine Chinese provinces using Uyghur labour transferred from Xinjiang since 2017. Those factories claim to be part of the supply chain of 82 well-known global brands.
Between 2017 and 2019, we estimate that at least 80,000 Uyghurs were transferred out of Xinjiang and assigned to factories through labour transfer programs under a central government policy known as ‘Xinjiang Aid’ (援疆). It is extremely difficult for Uyghurs to refuse or escape these work assignments, which are enmeshed with the apparatus of detention and political indoctrination both inside and outside of Xinjiang. In addition to constant surveillance, the threat of arbitrary detention hangs over minority citizens who refuse their government-sponsored work assignments.

Meanwhile, according to U.S. federal law (19 U.S.C. § 1307),

All goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part in any foreign country by convict labor or/and forced labor or/and indentured labor under penal sanctions shall not be entitled to entry at any of the ports of the United States, and the importation thereof is hereby prohibited, and the Secretary of the Treasury is authorized and directed to prescribe such regulations as may be necessary for the enforcement of this provision. “Forced labor”, as herein used, shall mean all work or service which is exacted from any person under the menace of any penalty for its nonperformance and for which the worker does not offer himself voluntarily. For purposes of this section, the term “forced labor or/and indentured labor” includes forced or indentured child labor.

Simply put, the importation of goods made using forced labor into the United States is prohibited. The question of how the use of convict labor in the United States (expressly allowed by the Thirteenth Amendment of the U.S. Constitution) squares with this import prohibition is an interesting one, but completely irrelevant in this context, certainly from a practical standpoint.

Federal regulations (19 C.F.R.
12.42(e)) provide for the issuance of withhold release orders (WROs) if information available reasonably but not conclusively indicates that merchandise within the purview of [19 U.S.C. § 1307] is being, or is likely to be, imported. In addition to not getting their products (and good luck to them getting a refund from their supplier if that happens), importers could also be subject to significant fines. In August, CBP announced it had collected $575,000 in civil penalties from a company that had imported at least twenty shipments of stevia powder and derivatives produced from stevia leaves that were processed in China with prison labor in violation of U.S. law. (Breaking Bad fans: Lydia Rodarte-Quayle had it coming even more than we thought.)

There is no indication the stevia case had anything to do with Xinjiang, but it provides a timely reminder that all goods made using forced labor (not just those made by Uyghurs) are subject to the prohibition of 19 U.S.C. § 1307. This includes goods made using prison labor, which, as we pointed out in Forced Labor in China: Don’t Trust AND Do Verify, is commonplace in China.

This is also a good time to mention that reports suggest Xinjiang-style labor programs are now in place in Tibet. Especially given the overall sensitivity of Tibet-related issues, it is probably only a matter of time before the USG’s attention turns to products made by Tibetans. And while Beijing’s suppression of Mongolian culture in the Inner Mongolia Autonomous Region does not appear to include a labor component, it is worth noting the producer in the stevia forced labor case was a company from the region (no sweet success for its workers, unfortunately).

No amount of due diligence will completely eliminate the risks associated with forced labor in China, but foreign companies should certainly look for obvious red flags, such as the presence of Uyghur workers (or prisoners, for that matter) at factories.
Yes, there could be instances of voluntary Uyghur labor; after all, workers from all over China have flocked to the industrial areas of the country in search of work. However, most foreign businesspersons will be ill-equipped (to put it mildly) to make determinations regarding the voluntariness of Uyghur workers. Coerced laborers do not always look the part.

As CBP continues to receive information regarding use of forced labor at Chinese factories, it is reasonable to expect more WROs will follow, and in fact CBP has indicated this will be the case. Recently, there was speculation a blanket ban on Xinjiang cotton would be imposed, but some in the business community breathed a sigh of relief when, instead, WROs were only issued against five producers. This suggests that, going forward, the U.S. government (USG) approach will be to issue a steady trickle of WROs: enough to let officials and voters feel something is being done, but not enough to really inconvenience big business (or the agencies tasked with enforcement). That said, for the companies that end up getting slapped with half-million dollar fines, the big picture will be of little comfort.

Stepped-up enforcement of import regulations is not the only USG response to the situation in Xinjiang. The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned Chinese officials and agencies involved in human rights abuses in Xinjiang. These sanctions generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.
The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.

One sanctioned entity that presents a unique challenge for foreign companies is the Xinjiang Production and Construction Corps (XPCC), described by the South China Morning Post (SCMP) as a sprawling conglomerate, which functions like a government in running schools, policing and health care facilities across a number of cities in Xinjiang for its employees and their families. It reports its revenue as GDP, and its COVID-19 cases as if it was a separate province. According to the SCMP, the XPCC is involved in a myriad of industries, from construction and infrastructure to property and farming, has stakes in more than 800,000 companies and groups in 147 countries. A report cited by the SCMP notes that some of these companies reach as far as 34 layers of ownership from the XPCC.

There is also action being taken in Congress. This week, the House of Representatives approved the Uyghur Forced Labor Disclosure Act (UFLDA), introduced by Rep. Jennifer Wexton (D-VA). The UFLDA would require all publicly traded companies to report to the Securities and Exchange Commission whether they are involved in Xinjiang. This comes a week after the House approved the Uyghur Forced Labor Prevention Act (UFLPA), introduced by Rep. Jim McGovern (D-MA), which would, with some exceptions, treat all products made in Xinjiang as if they were made using forced labor. While most Republicans voted against Rep. Wexton’s bill, the UFLPA passed almost unanimously, meaning it stands a better chance of clearing the Senate.

While welcome, the USG’s focus on Xinjiang tiptoes somewhat around the fact the Uyghur forced labor problem extends far beyond the borders of Xinjiang.
If the USG does not begin to squarely address this reality, all the Xinjiang legislation and WROs will be little more than sops to appease our national conscience, while Uyghurs continue to be trucked out to factories in other provinces.

This all said, companies must not be complacent. It goes without saying that doing business with anyone in Xinjiang is almost certainly a bad idea these days. But wherever they manufacture in China, this is an issue companies must keep on their radars. Now is the time to conduct due diligence into their suppliers’ labor practices, not when CBP comes knocking. And if they see something concerning, they must not rationalize it away. Finally, it is critical to bear in mind this will be an ongoing challenge for companies. Everything might be fine the day their auditors visit a supplier, but the next day they could be paid a visit from local Party officials asking them to do their part to help Uyghurs seek development outside Xinjiang. And since the supplier’s bosses do not want to end up picking stevia leaves in Inner Mongolia, they will say yes.

How many China trademarks do you need?

Our trademark clients often ask how many trademarks they ought to register in China. The answer is not as straightforward as it may seem.

As an initial matter, companies should register the brands they are actually using (or plan to soon use) and on the goods or services actually in use in China. But sometimes clients are unable to register their actual trademark (either because it was too descriptive or too similar to an existing registration) and instead opt to file applications for a similar trademark they have no intention of ever using. Their rationale is that if they can register the similar trademark, it would block any applications for their actual trademark. This is not an approach I recommend, but it’s not as bizarre as it sounds.
Just because their application was rejected doesn’t mean a trademark squatter’s application for the exact same mark would be rejected. CTMO examiners are not bound by previous decisions and their decisions do not always make sense. More on this below.

The more famous the brand, the more likely a trademark squatter will attempt to file a phonetically or orthographically similar mark, so as to take advantage of credulous consumers. This is especially common with the Chinese version of a foreign brand; the Chinese brand name is often new and not well known, so who’s to say which Chinese name is accurate? Companies that can afford it should apply for as many similar trademarks as they can afford, especially Chinese-language marks. See Chinese Brand Names, Copycats, and Soundalikes.

Chinese law also allows (if not implicitly encourages) trademark applicants to file in multiple classes, covering a range of goods and services beyond what the applicant actually provides. We often cite Starbucks as a prime example of a company that has taken full advantage of this strategy by (for example) registering “STARBUCKS” as a trademark in all 45 classes of goods and services. See China Trademarks: Register in More Classes, Take Down More Counterfeit Goods.

Another question is whether companies with a logo that contains some text should file separate applications for both the logo and the text itself. The short answer is yes: filing separate applications for both the logo and the word mark provides more protection than just the logo by itself. You can use the word mark with all fonts and in all contexts, and you won’t need to file a new word mark application if you change your logo (which happens all the time). And though a logo that includes text is typically considered more distinctive than a word mark by itself – and therefore more likely to be registered – the CTMO examiners are unpredictable enough that even this isn’t always true.
I was reminded of this recently when we received different decisions on two almost-identical trademarks. One was a word mark that was approved without incident. The other was a slightly stylized version of the word mark that was rejected due to a perceived conflict with a preexisting mark. It makes zero sense that the CTMO issued these two decisions, but consistency has never been that agency’s strong suit.

You never know for sure what will work with the CTMO, but on a sheer numbers basis, the more trademark applications you file, the more likely you are to get one registered.

Software as a Service (SaaS) works great when confined to the Internet of a single country or region such as North America or the European Union. The core concept of SaaS is that an open Internet exists on which SaaS can be built and delivered. But what happens when companies attempt to deliver SaaS into China’s closed Internet system?

That is the ultimate issue in providing an SaaS product in China. SaaS products not approved by the Chinese regulators are either blocked or in danger of being blocked. Gmail, Google Docs, Dropbox, and GitHub are all examples of SaaS products that are always at risk of being blocked in China. For SaaS products housed on servers outside China, Chinese regulation makes active commercial exploitation difficult.

This applies to new SaaS products. Both IBM and HP are planning to roll out SaaS-based blockchain products. HP even calls their new offering Blockchain as a Service. Almost by definition, the blockchain system is intended to be global. But what happens when that service hits China’s closed Internet?

There is essentially only one way to deliver SaaS in China. The system must be housed on a server located in China and be licensed to a Chinese owned entity that has direct contact with Chinese customers.

The China server/China licensee model works like this:

1. The SaaS software is housed on a server located in China.
This means the Chinese government will at all times have the right to access the server and inspect the contents of the software and all related data and information.

2. The SaaS service typically must be provided by a Chinese owned entity even though the regulations suggest this entity may be a Sino-Foreign joint venture.

3. The SaaS service is licensed to the Chinese entity in accordance with a very expensive and restrictive set of minimal requirements.

4. The SaaS software/platform has received the required approvals.

It has been difficult for many foreign SaaS developers to accept that the China server/China license model is in most cases the only way to sell their SaaS products to Chinese consumers, but the major SaaS players have already figured this out.

For example, the developers of video games have always been plagued by pirating in China. Game developers moved to the online model and developed the Massive Multiplayer Online Game model (MMOG), which is a form of SaaS. All of the major U.S. MMOG game developers now deliver their product in China using the China license model:

Valve Software’s Dota 2 is provided in China by Perfect World.
Blizzard Entertainment’s World of Warcraft is provided in China by Netease.
Riot Games’ League of Legends is provided in China by Tencent.

In the field of business software, Microsoft provides its Office 360 and Azure cloud service in China through a license with 21 Vianet.

Having accepted that a license in China is required, the real difficulties begin. The Internet infrastructure in China is quite advanced and due to the work of 21 Vianet and others, there is plenty of server space and bandwidth available for effective delivery of even the most complex SaaS products. The success of MMOG products in China is proof of this.

The real problem in China is in finding an appropriate partner/licensee. For the Chinese entity, operating as a licensee is expensive and technically demanding.
So the challenge is to find a licensee that a) is willing to take on the burden, b) has the technical capability to do the work, and c) has the financial ability to take on the burden of ICP licensing, obtaining and maintaining approvals and then operating the complex server and software systems. Finding a willing licensee is oftentimes difficult for small SaaS systems and start-up products with no existing base of customers to provide immediate cash flow for the licensee.

For large, established SaaS providers, the issues are different but still significant. In this setting, due to the advanced technical requirements, the licensee will often be a direct competitor. So the challenge for large SaaS developers comes from managing the business in China, in protecting IP, and in dealing with the development and marketing of spin-off products. For many SaaS developers, these spin-off products are where the real value is generated.

In trying to evade the rules to avoid the China server/China licensee requirement, foreign SaaS developers are missing their opportunity to access the Chinese market. The real challenge is in finding ways to work within the China system so the foreign SaaS developer both remains in control and earns a profit from China.

So resistance to China’s system for foreign involvement in SaaS is futile, but success is possible, so long as you get clear on what needs to be done.

About our China Law Group

Our deep knowledge of China’s legal system, culture, and business climate makes our China practice one of the most sophisticated in the US.

Our lawyers have earned international acclaim for providing cutting-edge legal solutions to US- and foreign-based companies doing business in or with China. Our vast experience handling China-specific entity formation, contracts, intellectual property matters, and dispute resolution gives our clients the security of knowing they have a truly seasoned legal team behind them.


China Law Blog discusses Chinese law & how it impacts business in China.
