China’s VPN Ban Takes Effect but Cat-and-Mouse Game Continues

China’s VPN Ban Takes Effect but Cat-and-Mouse Game Continues
AP / 達志影像
What you need to know

This is not the first volley fired against virtual private networks, but stricter enforcement means that data leaving China is about to become less secure.

Listen
powered by Cyberon

Life is about to get more complicated for businesses operating in China as the government tightens its grip on data coming into or leaving the country.

China’s Ministry of Industry and Information Technology (MIIT) issued a notice on Jan. 21 saying that they intended to ban unlicensed virtual private networks (VPNs) by March 31.

There have been many fears that China would tighten its VPN enforcement in the past ... but this one is backed up by official statements.

The “clean up,” as the ministry puts it, has its legal basis in China’s Cybersecurity Law, which went into effect June 1, 2017. The law provides for greater government intrusion into data held in China – foreign businesses will be required to use state-approved channels to send “personal and important data” overseas, something that VPNs are designed to circumvent. The law also requires that foreign businesses keep more of their data on Chinese servers.

A VPN is a way to connect to a private network over the internet, commonly used by individuals and businesses in China to get around web censorship and keep data away from prying eyes.

Dr. Tim Stevens, a security lecturer at King’s College London, told The News Lens in an email, "What this VPN policy does is translate 2017's Cybersecurity Law into practice, specifically its commitment to data localization. This prohibits the movement of Chinese data beyond China unless an operator is officially licensed to do so.” He added that this is designed to incentivize all internet goods and service providers to “respect Chinese internet and data laws as a condition of doing business in China.”

In other words, he said, China is still open to investment, as long as foreign companies play by its rules.

There have been many fears that China would tighten its VPN enforcement in the past – with rumors circulating of bans on Jan. 11 and Feb. 1 – but this one is backed up by official statements. The MIIT announcement came less than two weeks after the state-run Global Times denied that a ban was in the works, quoting a “China Telecom staff member.”

WeChat expert and frequent technology commentator Matthew Brennan told The News Lens that these moves should come as no surprise: “The Chinese government's stance with regard to enforcing sovereignty over its citizens’ use of the internet has been consistent. This will become a game of cat and mouse between an increasingly sophisticated firewall and VPN service providers.”

A ban would be excellent news for the approved VPN providers, who happen to be the three state-run telecom companies, China Telecom, China Unicom and China Mobile, who advertise direct links to the outside world, a service geared towards corporate clients.

The crackdown that cried wolf

Private VPN services operating overseas will continue to try to offer their services. Eugene Michaels, a representative from Panama-based NordVPN, told The News Lens that they expect the main target of the crackdown to be non-licensed domestic VPN providers. Michaels was noncommittal as to how international VPNs would fare, saying: “NordVPN plans to operate in China as much as possible and to work on ways to circumvent the Great Firewall. We have numerous servers optimized for the Chinese internet specificities.”

Michaels said that while China had been attempting to clamp down on VPNs for years, they still understood the necessity of access to the global internet for local and multinational businesses, adding, “If China follows through with its policy to ban non-licensed VPNs, many international and local businesses will suffer as they will be unable to access the global Internet freely.”

While using a foreign VPN is now technically illegal and the government has signaled this will be enforced, and with the punishment for the offense as yet unclear, many in China are willing to keep taking their chances. Elsa Zhang, a French woman employed by a multinational drug company in Shanghai who has lived and worked in China for a decade, told The News Lens: "The first question is, is it going to work? Our company uses a corporate VPN approved by the Chinese government. We use servers in Singapore and Malaysia and this is no longer allowed, so it will affect the company.

"On a personal level, they have said they are going to shutdown VPNs hundreds of times and it has not happened. The government is very good at issuing rules that they know people will break so that when it suits them they can say you have done something illegal. But I'm not going to stop using my VPN."

A British resident of China who asked not to be identified also said that he planned to keep using his VPN service and hope for the best, adding that the speed of internet he received over his VPN had increased drastically in the past month.

Running sensitive data through state-owned enterprises raises additional security concerns, as VPN traffic can be intercepted and read in some cases. Kings College London's Stevens said, "It will blur already ambiguous boundaries between public and private, with attendant opportunities for further convergence between state and corporate surveillance.”

In response to these measures, the U.S. filed a complaint with the World Trade Organization (WTO) on Feb. 23, saying that the VPN crackdown could hinder cross-border business. The complaints were overshadowed by a back-and-forth flurry of accusations stemming from U.S. President Donald Trump’s tariffs on steel and aluminum that went into effect on March 23.

Because companies are being strong-armed into compliance, using a VPN can’t always keep data private. Apple moved their iCloud servers to China’s state-run Guizhou-Cloud Big Data Industry Co. Ltd. in late February, meaning that anything stored there could potentially be legally accessed by China’s state security apparatus.

Apple has already transferred its iCloud encryption keys to Chinese servers.

While privacy from prying Communist Party eyes has already been compromised, censorship will not be absolute. The restricted use of VPNs and which sites are blocked varies widely depending on location, the level of political tension, and a host of other reasons, and there is no reason to believe that this will change.

As Brennan said, “Right now, it's still relatively easy for anyone who is determined to do so to jump over the firewall. Whether that's still the case in a year's time, we'll have to wait and see.”

Read next: In Xinjiang and Tibet, Police Surveillance 'Exceeds East Germany'

Editor: David Green