Mapping China’s Technology Giants
Supply chains and the global data collection ecosystem
This report accompanies the re-launch of our Mapping China's Technology Giants project.
What's the problem?
Most of the 27 companies tracked by our Mapping China’s Technology Giants project are heavily involved in the collection and processing of vast quantities of personal and organisational data — everything from personal social media accounts, to smart cities data, to biomedical data.1 Their business operations—and associated international collaborations — depend on the flow of vast amounts of data, often governed by the data privacy laws of multiple jurisdictions. Currently, however, existing global policy debates and subsequent policy responses concerning security in the digital supply chain miss the bigger picture because they typically prioritise the potential for disruption or malicious alterations of the supply chain. Yet, as we have defined it in this report, digital supply-chain risk starts at the design level (Figure 1).
For the People’s Republic of China (PRC), the designer is the Chinese party-state, through expectations and agenda-setting in laws and policy documents and actions such as the mobilisation of state resources to achieve objectives such as the setting of technology standards. It’s through those standards, policies and laws that the party-state is refining its capacity to exert control over companies’ activities to ensure that it can derive strategic value and benefit from the companies’ global operations. That includes leveraging data collection taking place through those companies’ everyday global business activities, which ASPI’s International Cyber Policy Centre (ICPC) described in the Engineering global consent report.2 Technology isn’t agnostic—who sets the standards and therefore the direction of the technology matters just as much as who manufactures the product. This will have major implications for the effectiveness of data protection laws and notions of digital supply-chain security.
What’s the solution?
This report recommends that governments, businesses and other organisations take a more multidisciplinary approach to due diligence. That approach needs to take into account the core strategic thinking that underlies the ways the Chinese party-state uses technology. It must also take into account the breadth of what’s considered to be ‘state security’ in China and the ramifications of the PRC’s cyber- and data-focused laws and regulations.
All governments should improve their regulatory frameworks for data security and privacy protection.
Doing so will put them in better ethical and legal positions to take meaningful long-term policy actions on a whole suite of issues. However, those efforts in isolation won’t solve all of the unique challenges posed by the Chinese party-state or other geopolitical challenges described in this report.
A more holistic approach, which would help to ensure that data is better protected, also requires a better definition of digital supply-chain risk and a reframing of global policy debates on these issues. There needs to be a greater understanding of how supply-chain risks manifest, including the intentional introduction of access and more subtle monitoring and information collection by malicious actors. Specific actions for managing potential data insecurity and privacy breaches in supply chains should include improving risk-based approaches to the regulation of data transfers.
Figure 1: Compromise of the digital supply chain without a malicious intrusion or alteration
Source: ASPI authors’ illustration.
1The PRC’s data ecosystem
The PRC’s global data collection ecosystem was outlined in the ASPI ICPC policy report Engineering global consent: the Chinese Communist Party’s data-driven power expansion.3 In that report, we described ways the Chinese party-state directly and indirectly leveraged PRC-headquartered commercial enterprises to access troves of data that those enterprises’ products help generate.
That report was based on how the Chinese party-state articulated its objectives on data use and state security and a case study of the propaganda department–linked company Global Tone Communication Technology Co. Ltd (which we expand on in the ‘Downstream data access’ section of this report).
As part of the Mapping China’s Technology Giants project, we have identified the need to further define the PRC’s ‘global data ecosystem’ concept. In this section, we focus on the nature of interactions between political agenda-setting, active shaping of international technical standards, technical capabilities, and data as a strategic resource. This directly affects companies’ business activities, both domestic and global (Figure 2).
Figure 2: The PRC’s data ecosystem
Source: ASPI authors’ illustration.
The PRC’s data ecosystem begins with technical capability. That includes China’s advanced cyber offensive skills, but also extends to its companies’ normal business operations anywhere in the world providing access, collection, data processing or any combination of the three to the party-state.
The party-state’s ability to obtain large amounts of personal information and intellectual property through its state-sponsored cyber operations has been widely reported in detail, including in indictments by the US Department of Justice.4 However, the PRC’s policies and legislation— purposefully shaped by the Chinese Communist Party (CCP)—mean that the party-state’s ability to access data is extended even further than the normal operations of PRC-based companies with a global presence. It’s also consequential that those globally influential PRC-based technology companies occupy every layer of the ‘technology stack’.
In Table 1, we illustrate the ‘technology stack’ by using the ISO standard Open Systems Interconnection model as a reference (because it’s used for networking and data exchange but can also be illustrative of the technology industry ecosystem).5 We then charted it against the relevant companies in the Mapping China’s Technology Giants project and their US counterparts, which for several decades have had a dominant presence in every layer.
Table 1: Technology business ecosystem, referencing a simplified Open Systems Interconnection model
Source: ASPI authors’ illustration.
Technology companies everywhere are primarily driven by commercial interests. The difference between the US and China is that in China the way the state conceives of the usefulness of data goes beyond traditional intelligence collection. For the Chinese party-state, data and the information derived from it contribute to everything. Domestically, that ranges from solving policy problems to information control and state coercion. Globally, it ranges from expanding the PRC’s role in the global economy to understanding how to shape and control its global operating environment. In the next two sections, we elaborate on how the Chinese party-state’s laws, policies and actions, which apply to PRC-based technology companies, create an ecosystem that provides it with access to the data that those companies can obtain.
1.1 Who sets the standards matters
Technology isn’t values-agnostic. It takes on the values of its creator. Therefore, who sets the standards, and consequently the direction of the technology, matters. We know, for instance, that artificial intelligence has a history of racial and socio-economic bias built in from the design stage, reflective of the inherent biases of the designers and the choice of data used to train the algorithms.6
Technologies must be designed to be ‘values-neutral’7 to avoid those problems, but that aspiration might not ever be realistic.8
Liberal democracies don’t agree on what ‘values’ mean in this context. The European Union, for example, is increasingly prioritising indigenous technology development not just because of strategic competitors such as the PRC but also because of the US. That requires navigating often complex relationships with US-based technology giants such as Google, Apple and Facebook.9
Part of protecting values in any liberal democracy is about preventing the creep of illiberalism from sources both domestic and foreign. It’s also about introducing regulations and standards that protect the norms and freedoms underpinning democratic values. When it comes to Europe and the digital economy, much of that effort is currently targeted towards holding US technology companies accountable.10
The Chinese party-state is creating mechanisms and power structures through which it can ensure its ultimate and maximum access to datasets both domestically and globally. This is apparent through its agenda-setting (articulated in party and policy documents), its expectation-setting (signalled through new laws) and communications from the CCP (such as speeches and state media reporting). Part of the CCP’s effort takes place through the PRC’s attempts to set standards that guide the design of technologies. For example, PRC facial recognition systems are required to be designed to recognise ‘Uyghur faces’.11 Another example is big data platforms and systems designed to categorise individuals based on a politicised version of whom the CCP deems suspicious or potentially threatening (such as petitioners, Tibetans, Uyghurs or Falun Gong practitioners).12 Within the PRC, technologies are already being researched and developed to meet the needs of the party-state (see section ‘Data regulations: setting the standards’). When those technologies are exported, such design features can’t be erased by the technology’s end-user, whether it’s a global company or a foreign government.
1.2 Harnessing the strategic value of data
The Chinese party-state has deliberately formulated a strategy to harness the strategic value of data and the power of information to grow the power of the CCP over society. In 2013, Xi Jinping was quoted as saying, ‘big data is the “free” resource of the industrial society. Whoever has a hold of the data has the initiative.’13
In 2016, China’s 13th Five-Year Plan pushed for the creation of a ‘big data security management system’ alongside efforts to improve cyberspace governance by building an international consensus around the PRC’s ideas on cyberspace security.14 The 14th Five-Year Plan, unveiled in 2021, continues the party-state’s multifaceted priorities for the development and use of big data for economic and social governance and calls for building new data infrastructure and improving the rules governing data collection, storage and use.15
In addition to economic development, the party-state often describes big data technologies as contributing to ‘social management’ (also called ‘social governance’).16 Social management covers a broad and overlapping list of agenda items, from creating capabilities to improve public service administration to strengthening ‘public security’. Ultimately, social management refers to the party-state’s management of itself as well as of society. This process relies on shaping, managing and controlling its operating environment through capabilities that enhance service provision and the capacity for risk management.17
New and emerging digital technologies are valued because they’re viewed as a resource that can improve everyday governance capacity and facilitate problem-solving. In simplifying government service provision, the implementation of those technologies can in future facilitate communication across the PRC’s sprawling government apparatus.18 Digital and data-driven technologies obviously have multiple uses. For example, they can help streamline urban and social welfare services. In other respects, those same services can feed into the party-state’s totalitarian model of governance and the way it identifies and responds to what it believes are emerging threats.
This use of data occurs in ways that provide both convenience and control. Routine services are intertwined with surveillance and coercive tools in ways that are often not legally possible in liberal democratic societies—or, when they do occur, can be genuinely challenged by the public, media and civil society. That distinction doesn’t simply apply to the ways different PRC Government departments use similar technologies (such as ways the public security bureaus use technologies versus the ways industrial work safety offices use them).
One example is Human Rights Watch’s findings on Xinjiang’s Integrated Joint Operations Platform, which is used to centrally collect data on individual behaviours and flag ‘those deemed potentially threatening’. One metric used to identify threats is energy usage from smart electricity meters: abnormally high energy use could indicate ‘illegal’ activity, but such meters in their normal use would also improve the accuracy of meter readings.19 Another example is building datasets for use in the PRC’s ‘national defence mobilisation system’ (a crisis response platform) using data sourced from a variety of government cloud networks, from smart cities to tourism-related cloud networks (Figure 3).20
Figure 3: The concept of defence mobilisation and smart cities data integration and processing
Source: ASPI authors’ illustration.
Despite the benefits it can derive, the CCP also sees sources of harm emerging from technology and its use, and it realises that technology isn’t an all-encompassing solution to its problems. Xi Jinping has described science and technology as a double-edged sword: ‘On one hand, it can benefit society and the people. On the other hand, it can also be used by some people to damage the public interest and the interests of the people.’21 Such risks could include companies or officials having the ability to exercise too much power with the aid of technology.22 They could also include the use of technology by the CCP’s political opponents to organise against the party-state, from either inside or outside the PRC.23
1.3 A global outlook
The PRC’s plans to harness the strategic value of data and the power of information to grow state power are also globally oriented. The party-state sees its reliance on technologies originating in the West (especially the US) as a threat to state security, for fear of how foreign powers might exploit that reliance, especially in a crisis.24 That fear helps drive the development of the PRC’s indigenous technology capabilities.25 Its capability effort includes planning on big data development to build an ‘industry ecosystem’ with ‘globally oriented key enterprises and innovative small- and medium-sized enterprises with distinctive features’.26 It also includes a plan to export PRC-originated technology standards, envisioned through the China Standards 2035 project.27 Economic benefits and objectives are included in each plan, but through them the CCP also sets specific political ambitions.
As part of its global vision (see Figure 4), the Chinese party-state ensures that it’s a part of the market-driven expansion and success of its global technology giants. Under Xi Jinping, the government has increasingly demonstrated the extraterritoriality inherent in PRC state security concepts and law. Moreover, the fact that companies have the right to do business in China at the party-state’s discretion has become abundantly clear. The ability to harness the benefits of data would help to achieve the CCP’s global vision because, through the processing and application of that data, the party can improve the sophistication of its efforts to shape, manage and control its global operating environment.
Figure 4: Explainer: The Chinese party-state’s vision for the PRC in the world
Sources: ASPI authors’ illustration. See endnote for detailed citations.28
2The PRC’s developing data security framework
PRC legislation related to state security29 provides reasons for foreign governments to be concerned about the exposure of any PRC-based commercial enterprise to the political demands of the party-state.30 Recent state security laws, such as the 2017 Intelligence Law, haven’t changed the longstanding de facto practice of state power in the PRC, but have further codified expectations in China that every citizen is responsible for state security.31 Assessments of those risks have helped address what should be the obvious political and legal risks of doing business with PRC-based technology companies.
Some analysts have attempted to downplay the significance of such laws by claiming that the law is never black and white in the PRC and by describing compliance with PRC law as ‘a negotiation’.32 The latitude of officials to enforce the law and corporations’ efforts to maintain their freedom of action leave open grey areas, but that claim, in the context in which it’s being made, is false. Law may be a negotiation in the PRC, as it is elsewhere, but the party-state decides whether there’s a negotiation at all, and where that negotiation ends.
Critically, the party-state itself isn’t bound by the law when it’s challenged or when its interests are threatened. A recent illustration of this is Alibaba and its founder, Jack Ma, who briefly ‘disappeared’ at the end of 2020 following his public criticism of PRC regulators’ attitude towards big business, accusing them of having a ‘pawnshop’ mentality that stifled innovation.33 In April 2021, it was announced that Alibaba would be fined US$2.8 billion after a probe determined that it had abused its market position for years.34 Nobody in the PRC is too big or too powerful to be subject to the party-state’s demands.35
PRC-based technology companies themselves have acknowledged their exposure to legal risks emanating from the PRC. It’s standard practice for global companies to acknowledge in their privacy policies that user data may be transferred and governed by laws outside of their own jurisdiction.
According to most privacy policies for websites and products of the 27 companies in our Mapping China’s Technology Giants project, users who live outside the PRC may have their data transferred to and processed and stored in a country that isn’t where they reside or have ordered services from, including the PRC, where all of the companies have business. When the data is transferred it will be governed by the law in that country’s jurisdiction, not only the law in the place where the data originated (Figure 5).36
Figure 5: New Mapping China’s Technology Giants product—‘Thematic snapshots’
Source: Mapping China’s Technology Giants project website, online.
Most of the 27 companies state that they’re committed to protecting personal information, but acknowledge that they may be required to disclose personal data to meet law enforcement or state security requirements. The definition of what meets the threshold of being a national security or criminal case can be highly politicised in the PRC, and the process of definition isn’t similar to those that occur in a liberal democracy.
The political system of the PRC creates this risk. Law in the PRC is first and foremost political and a governing tool that enforces political power. It’s meant to be wielded by the party-state and to uphold and expand the power of the state. Its implementation is reliant on the CCP’s leadership and is used to strengthen the party’s governing capacity, but the law isn’t above the party-state even if it’s used to manage its members.37 Nonetheless, the law is more than a blunt weapon of state power. It’s important to think through the implications of the fact that the law also functions as a tool to set and communicate the state’s expectations of its apparatuses, its entities and individuals. New developments related to data collection, storage and transfer make these issues more apparent.
The Chinese party-state is currently deliberating on a draft Data Security Law (DSL) and draft Personal Information Protection Law (PIPL).38 In April 2021, second draft versions were issued publicly (see the appendix to this report for translations of the articles of the draft laws that we focus on in this section). Both are expected to become law in 2021. The third and probably final version of the draft DSL is expected to be deliberated at a National People’s Congress Standing Committee meeting on 7–10 June 2021.39
These laws don’t exist in a vacuum. They should be read along with a suite of other relevant state security legislation, including, for example, the State Security Law (2015) and the Cybersecurity Law (2016).
2.1 Data regulations: limiting individuals and organisations while empowering the state
The draft DSL and draft PIPL should be read together. The main distinction is that the draft DSL lays out the responsibilities of the state in creating a data security system and in guaranteeing data security, whereas the draft PIPL defines the boundaries and personal information protection requirements for individuals and entities.40
What makes the framework unique, compared to any other country’s laws regulating data security, is that data security is unambiguously part of the party-state’s security strategy and is first about protecting the CCP’s monopoly hold on power (Figure 6). The draft DSL says that the effort to guarantee data security must adhere to the party-state’s ‘comprehensive state security outlook’.41
The draft establishes the state as the leader of the data security system, stating that the ‘central state security leading mechanism’ is ‘responsible for decision making and overall coordination on data security work, and researching, drafting and guiding the implementation of national data security strategies and relevant major guidelines and policies.’42
Figure 6: Explainer: The PRC’s state security concept
Figure 6 (continued): Explainer: The PRC’s state security concept
Sources: ASPI authors’ Illustration. See endnote for detailed citations.43
The law says not only that a party entity is in charge, but also that any significant policies will originate there. The term ‘central state security leading mechanism’ in legal documents is synonymous with the Central State Security Commission, which is a CCP body led by Xi Jinping.44 Therefore, the activity of other state regulatory departments and public and state security organs responsible for implementing data security efforts would flow from the decision-making and strategy that the Central State Security Commission is tasked with overseeing and implementing.45
The draft DSL also applies to data-handling activities taking place ‘outside the territory of the PRC’, if those activities are seen to ‘harm the state security, the public interest, or the lawful rights and interests of citizens’ and organisations of the PRC, they are to be pursued for legal responsibility ‘in accordance with law.’ Existing law and practice illustrate the global application of such concepts.
Hong Kong’s new National Security Law, passed in 2020, criminalises ‘separatism’, ‘subversion’, ‘terrorism’ and ‘collusion’ in addition to support for any of those activities by anyone, no matter where in the world they’re located.46
The draft PIPL, meanwhile, is intended to regulate the power of individuals and entities who handle the personal data of PRC citizens both inside and outside the country. It establishes a more robust system for protecting individuals’ data privacy from individuals and companies.47 It applies to activities outside the PRC involving the handling of personal information of natural persons within the territory of the PRC when those outside actors are providing products or services to persons within the PRC, analysing and assessing the conduct of natural persons within PRC or ‘other situations provided for by law or administrative regulations’. Just like the draft DSL, it leaves open the potential that the law can be used as intended: to protect the CCP’s power wherever necessary. Laws such as the Intelligence Law illustrate specific cases in which other legislation might be used to justify this reach, and a law such as the Hong Kong National Security Law illustrates the fact that political opponents of the party-state might also be targeted in vague ‘other situations’.48
The draft PIPL also superficially applies to the state. For example, it says that any retrieval of personal information requires following ‘legally prescribed duties’ and must be done ‘in accordance with the authority and procedures provided by laws’.49 Yet, Article 19 establishes that: [W]hen personal information handlers handle personal information, where there are circumstances that laws and administrative regulations provide shall be kept confidential or need not be announced, it is acceptable not to notify the individual.
On the basis of that logic, any case in which the 2017 Intelligence Law applies could be excluded from the PIPL’s protections. Article 7 of the Intelligence Law says that: [A]ny organisation and citizen shall in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any intelligence work they are aware of.50
The important takeaway is that digital technology can be applied in ways that expand the aforementioned capabilities of the party-state, but governance of its use can be managed in ways that restrict officials’ discretion in applying it. This doesn’t mean, however, that these regulations limit the party-state’s influence. In reality, the regulations enhance their ultimate influence over digital technologies and the flow of data.
2.2 Data regulations: setting the standards
Both draft laws contain directives on how the party-state expects data security and data privacy regimes to develop. They establish that, in the PRC, data shall be collected, stored and processed in a manner that’s consistent with the party-state’s paramount security concepts and objectives. Especially given the party-state security concept guiding data security, it’s notable that Xi Jinping has called for strengthening ‘the Party’s leadership over standardisation work’ and has described standardisation as the ‘commanding heights’ of international economic and technological competition.51
Beyond establishing which institutions are in charge and who is responsible for data security, the draft DSL also establishes expectations about how the PRC’s standardisation system is to function that are specific to data security. The draft DSL says that State Council administrative departments and other relevant State Council departments are responsible for organising ‘the formulation and appropriate revision of standards related to technology and products for the development and use of data and to data security.’52 The most relevant body under the State Council is the Standardisation Administration of China (SAC), which is an agency under the State Administration for Market Regulation. According to the revised 2017 Standardisation Law,53 the SAC is required to oversee standards initiation and implementation. At the practical level, technical committees develop standards, which are then accredited by the SAC.54
The technical committees working on the standards consist of stakeholders that are mostly government entities, government-linked research institutes and commercial enterprises. Many standards they develop are mandatory requirements, which companies must also meet to successfully bid for a project domestically. A March 2021 report by IPVM pointed to documents such as ‘GA/T1400.3—2017’ on ‘public security video image information application systems’ developed by the Science and Technology Information Technology Bureau of the Ministry of Public Security in coordination with several companies included in the Mapping China’s Technology Giants project, including Uniview, Hikvision and Dahua.55
As the standards develop domestically, they’ll also be projected globally, not just through market activity but also as the PRC seeks to participate and shape international technology standards. The SAC is also responsible for representing the PRC at international standards-setting bodies.56 Both the draft PIPL and the draft DSL have provisions stating that the state is required to participate in setting international rules and technology standards for data security and personal information protection.57
The expansiveness of that expectation-setting creates normalised pathways for the PRC to exploit data-sharing downstream in ways that can undermine the security of other countries, as we describe in the next section.
3Rethinking digital supply-chain vulnerability
Not all methods used to acquire data need to be intrusive, subversive, covert or even illegal—they can be part of normal business data exchanges. Figure 1 illustrates how a digital supply chain can be compromised without a malicious intrusion or alteration. The data-sharing relationships that bring commercial advantages are also the same ones that could compromise an organisation.
Thinking about risk solely in terms of potential disruption ignores the ways in which supply-chain risk can emerge from normal processes, in which no disruption is required.
The vulnerability of supply chains was made apparent by the Covid-19 pandemic, which made supply-chain resilience even more important. As we become more digitally interconnected, the breadth of what’s considered a risk to the supply chain has grown to include risks to the digital supply chain—the electronic products we rely on and the data that flows through them.
Discussions about digital supply-chain security typically prioritise the potential for disruption or malicious alterations of the supply chain. Examples include cyberattacks, altered components inserted into the supply chain and limited access to critical supplies such as semiconductors. That kind of risk from well-resourced state and non-state actors is already well understood by governments thinking about supply-chain security.58 As we noted in the section on ‘The PRC’s data ecosystem’, the PRC’s sophisticated offensive cyber capability and its ability to obtain data through those methods are also well known. But a digital supply chain threat doesn’t necessarily require malicious alterations or cyber intrusions into a network.
The SolarWinds supply-chain attack of 2020 is one example of a supply-chain cyberattack perpetrated through the malicious insertion of software. In that case, threat actors, probably of Russian origin,59 compromised the software update service for the SolarWinds Orion platform to facilitate the distribution of malicious code to Orion customers.60
Another cybersecurity risk in the supply chain that’s hidden in plain sight comes from ‘white labelling’ of original equipment manufacturer (OEM) products.61 That was the case with US-headquartered Honeywell, which came under scrutiny in 2018 for selling Dahua cameras under its own brand, as Dahua was banned in the US under the National Defense Authorization Act.62 A simple example of risk for customers in this situation is that they may be monitoring cybersecurity vulnerabilities for Honeywell products, not knowing that in fact they should also be monitoring vulnerabilities for the underlying Dahua product.
Other areas of discussion include vendor trustworthiness. The 5G vendor debate within Australia a few years ago brought to light the importance of the ownership and control of network infrastructure.63 More broadly, it made organisations consider the risk of the vendors whose equipment their organisations’ data would be passing through and the obligations that those vendors have to their ‘home’ governments.64 Australia’s lead cybersecurity agency, the Australian Cyber Security Centre, in its guidance to organisations on identifying digital supply-chain risks, addresses this need to take into consideration foreign control, influence and interference.65
While these discussions are likely to lead to important policy responses that address some digital supply-chain vulnerabilities, they don’t capture the full scope of risk that currently exists. In the SolarWinds and Honeywell examples above, those charged with ensuring cybersecurity usually look for changes to normal activity as an indicator of a problem or threat. In cases where the risk lies within standard data exchange processes, therefore, it could be easily missed.
3.1 Downstream data access: the GTCOM case study
The ASPI ICPC policy brief Engineering global consent focused on Global Tone Communication Technology Co. Ltd (GTCOM), which is a subsidiary of a state-owned enterprise directly controlled by the Central Propaganda Department of the CCP that collects bulk data globally in support of the party-state’s propaganda and state security objectives.66 The data ecosystem emerging from GTCOM’s commercial partnerships includes some of the PRC’s largest and most important technology companies. For GTCOM, strategic cooperation with globally recognisable PRC-based companies—notably Huawei and Alibaba Cloud—provides assistance in two key areas in the form of:
- the opportunity to conduct bulk data collection by providing translation services to both companies, which have deeper market penetration
- the development of or access to capabilities that support its bulk data collection.
As Figure 7 shows, GTCOM has commercial partnership agreements that provide it with access to bulk data from other PRC-based technology companies.
Data transfers can occur through processes built directly into the ecosystem. A technology company such as GTCOM provides an important case study in how the data ecosystem could reach far beyond the PRC’s data regulatory regime.
Figure 7: GTCOM and the global data collection ecosystem concept
Sources: ASPI authors’ illustration.
3.2 Processing power
The party-state prioritises data collection domestically and globally. As we’ve described above, it’s building an ecosystem that enables access to any bulk data collected through commercial enterprises.
It further recognises that technology will eventually catch up to its ideas for processing and generating specific outputs. Being able to collect data is useful, but it’s the ability to access and aggregate data for analysis and derive useful insights from it that’s powerful.
The business model of internet giants such as Facebook, Google, ByteDance and Tencent heavily relies on data and the use of artificial intelligence. They collect large volumes and many varieties of data from users of their service platforms. For example, they may collect such things as user platform preferences, platform behaviours (such as how long it took an individual user to click from one page to another), how long the user stayed on a page, what products they put into their shopping cart and who their friends are, as well as real-world information such as the running routes of the user and the user’s home location. The data is aggregated to generate profiles of individual users for marketing and advertising purposes, and also to improve the platform. That in turn leads to greater user engagement and provides additional opportunities to collect more data. Data brokers perform a similar aggregation and analysis task, but they usually use data that they’ve mined freely from the internet or purchased from other sources.
The concern isn’t necessarily that data is being collected, but rather the ability to infer sensitive details about individuals from the aggregation of seemingly innocuous bits of data from a variety of sources.
A single geolocation coordinate out of context isn’t meaningful, but, using location data from a single mobile device collected over time, it’s possible to identify an individual in a household and their pattern of life. All that’s needed is to identify their three primary locations—home, work and one other regularly used location.
That kind of data can be used to target individuals, such as by identifying and tracking the movements of the US President,67 and can identify sensitive military locations en masse,68 but it can also be used to create convenience. Google Search results provide popular times, wait times and visit durations for all users searching for a local business by using ‘aggregated and anonymised data from users who have opted in to Google Location History’.69
The use of big data analytics to monitor operations in smart cities can bring greater efficiency benefits to operations, facilitate data sharing and assist with decision-making and situational awareness overall. However, that same data, in the hands of adversaries, could give them macro-scale insights that would otherwise be difficult to obtain. If those systems are under the control of adversaries, the concern isn’t just about others having access to the data but also about adversaries’ ability to control or modify the data. As a consequence, the information used to create convenience, improve efficiency and enhance situational awareness is the same information that can be used by an adversary. The ability of some PRC-based technology companies to process big data is sufficiently large.
According to reporting in Foreign Policy, they’ve been used by the party-state to carry out intelligence tasks. According to ‘current and former officials’ cited in the report, this has included the acquisition of datasets from large data breaches, such as the 2014 cyber intrusion into the US Office of Personnel Management.70 It’s big data analysis like this that the US Central Intelligence Agency believes enabled the exposure of its undercover officers in Africa and Europe.71 The question that requires further research and analysis is why those PRC-based companies were chosen. For instance, were they chosen not just for their processing ability but also because, by ingesting the datasets and combining the data with their own holdings, they could enrich the information that could be derived from the data?
Commercial businesses aren’t the only entities carrying out large-scale data processing in the PRC.
The party-state is also doing it at the national level. The People’s Bank of China has included a ‘Big Data Analytics Centre’ as part of the design of the PRC’s ‘Digital Currency / Electronic Payments’ system. The bank’s officials have said that the data collected through the system will be used to improve macroeconomic policy. The bank will ‘analyse how money is being used, transacted, and stored; support tracking and surveillance using both static and real-time data; provide data and analysis inputs for monetary policy; and flag financial fraud’.72
Goals associated with harnessing the strategic power of data are a natural extension of long-enshrined goals in authoritative party-state documents and embedded in detailed economic policies and plans to ensure progress toward those goals.73 However, the party-state’s development of theory and policy is an iterative process and has always involved a degree of experimentation to ensure progress without too many unintended consequences.74 Control or the preservation of the CCP’s power isn’t a goal unto itself, but rather a prerequisite for achieving those ambitions. The collection, storage and processing of big data will play an increasingly key role in those efforts in future.
Adequately evaluating the risks associated with doing business with PRC-based technology companies, or companies that rely on their technologies in their supply chains, requires an understanding of the Chinese party-state’s articulation of its own intentions. It also requires an understanding of the implications of policy and legal documents that signal what steps will be taken to realise intended outcomes, as well as, of course, analysis of the party-state’s actual behaviour (domestic and global).
We recommend as follows.
1. Invest resources to better understand the PRC’s and the CCP’s articulation of their own intentions in order to set the tone for a more informed public debate that will generate targeted responses to the identified problems.
Incorrect assumptions are often made about the party-state’s intent. In addition, what’s being articulated and signalled through PRC policy and legal documents is too often ignored or not placed into the context in which it’s being articulated or signalled (such as being placed in an appropriate political context) or being described (for example, in the light of the CCP’s view that data security is a problem of state security, as the party-state defines ‘state security’).
2. Recalibrate data security policy and privacy frameworks to account for the Chinese state’s use of data to reinforce its political monopoly.
Companies and governments too often assume that other governments’ data and privacy regulations share the same goals as their own. That isn’t true when it comes to the Chinese party-state and PRC-based companies, even if common vocabularies are used or if some policy drivers are similar. In the PRC, unlike in liberal democracies, data security and privacy concepts (including draft legislation) reinforce the party-state’s monopoly power. Companies and governments need to recognise this risk and calibrate their policies to account for it.
3. Collaborate with like-minded countries to develop systems for improving risk-based approaches to improving the regulation of data transfers.
Organisations must assess the value of their data, as well as the value of that data to any potential party in their supply chain that may have access to it or that might be granted access. In an age in which information warfare and disinformation campaigns occur across social media platforms and are among the greatest threats to social cohesion, data that’s about public sentiment is as strategically valuable as data about more traditional military targets. Risk needs to be understood in a way that keeps up with the current threat landscape, in which otherwise innocuous data can be aggregated to carry meaning that can undermine a society or individuals.
4. Take a multidisciplinary approach to due diligence.
Governments, businesses and other organisations need to develop frameworks for conducting supply-chain reviews that take into account country-specific policy drivers. Developing such a framework shouldn’t be limited to just assessing a vendor’s risk of exposure to political risk. It should also include detailed analysis of the downstream actors who have access to the vendor’s data (and must include analysis of things such as the broader data ecosystem they’re a part of and the obligations those vendors have to their own governments). Taking this more holistic approach to due diligence will better ensure that data can be protected in an effective way.
Appendix: The draft Data Security Law and draft Personal Information Protection Law
Please download the PDF to access the appendix.
08 Jun 2021