SinoTech: Huawei Keeps Pushing 5G, Apple Localizes Data in China, and the U.S. Airs China Data-Privacy Grievances at WTO

Editor’s Note: SinoTech is a new bi-weekly Lawfare series on technology-related legal and policy issues in China and the United States with a focus on implications for U.S.-China relations and national security.

This inaugural post addresses several cross-border data transfer issues and security concerns that have surfaced in recent weeks. SinoTech’s next update expects to cover legislative developments from the ‘two meetings’ of China’s National People’s Congress and the Chinese People's Political Consultative Conference, which kicks off this week.

Huawei continues 5G push despite opposition from U.S. intelligence

Chinese telecommunications giant Huawei has continued its campaign to win 5G network construction contracts in foreign countries, including many American allies, amid warnings from U.S. intelligence agencies that the company’s ties to the Chinese government raise security concerns. Richard Yu, chief executive of Huawei’s consumer business group, asserted on Feb. 25 that these security warnings disguised the protectionist commercial concerns of U.S. officials. Speaking at the World Mobile Congress in Barcelona, Yu stated that American competitors “cannot compete with us on product, on technology, on innovation, so they compete with us [using] politics.”

Huawei was quick to distance itself from Yu’s accusation, but the company defended its innocence and declared its continued commitment to openness and transparency. Huawei’s rotating chief executive Ken Hu told reporters at the Mobile World Congress that he would welcome a “factual debate” on the accusations Western intelligence officials have made against Huawei. Chen Lifang, the company’s head of communications, opined that “we can only try harder, maintain our openness and transparency and wait until the other party is willing to communicate with us.” An executive from ZTE, a fellow Chinese telecom firm singled out for suspicion by U.S. intelligence agencies and legislators, responded with similar prudence, counselling that ZTE should make “more effort to build the trust among the people in Washington.”

Six top U.S. intelligence chiefs had previously warned American customers against using products or services from Huawei or ZTE in a Feb. 13 Senate Intelligence Committee hearing. FBI Director Chris Wray testified that the Bureau was concerned consumer adoption of Huawei equipment might grant Huawei “the capacity to exert pressure or control over our telecommunications infrastructure,” to “maliciously modify or steal information,” and “to conduct undetected espionage.”

The security worries surrounding Huawei’s efforts to break into the U.S. market were also evident earlier this year when a deal for AT&T to sell Huawei’s newest smartphone in the U.S. market was abruptly called off due to political pressure. On Dec. 20, members of the House and Senate intelligence committees reportedly sent a letter to the Federal Communications Commission warning of Huawei’s ties to China’s intelligence and security services. In early January, AT&T abandoned the deal. A similar deal between Huawei and Verizon was reportedly called off later in January after similar pressure. In February, Sens. Tom Cotton of Arkansas and Marco Rubio of Florida proposed a bill to block U.S. government agencies from purchasing equipment from Huawei, ZTE, and other manufacturers “controlled by, or otherwise connected to,” the Chinese government. CFIUS has also ordered a full investigation into Singaporean chipmaker Broadcom’s attempt to acquire U.S. competitor Qualcomm after fears emerged that the move would allow Chinese firms to consolidate their lead in the 5G market.

Despite the controversy, Huawei appears primed to spearhead the construction of national 5G networks. To date, Huawei has signed memoranda of understanding to trial 5G equipment with 45 telecom operators, including in close U.S. allies like Britain, Canada, France and Germany. Huawei has even continued overtures to the Australian government, despite that government’s recent suspension of Huawei smartphones from its Defense Department and a law passed last year that some have dubbed the “anti-Huawei bill.” Meanwhile, the White House’s leaked proposal to construct a government-run 5G network has been roundly criticized.

Apple moves Chinese user-data to domestic server farms

After months of castigating editorials, Apple finally began moving Chinese users’ iCloud data and encryption keys to Chinese servers on Feb. 28. The transfer was prompted by China’s much-discussed cybersecurity law (CN/EN), which requires critical information infrastructure providers to localize storage of Chinese citizens’ personal information. After the law went into effect in June 2017, Apple quickly announced its plans to store Chinese user data in Guizhou as part of a $1 billion partnership with the provincial government and Guizhou-Cloud Big Data, its government-owned cloud storage provider. Guizhou, one of China’s poorest provinces, has made an aggressive push to establish itself as a leader in data storage.

The transfer has raised concerns that the Chinese government may be able to access its citizens’ iCloud data. Apple has promised that its encryption will continue to protect user privacy, assuring users in a statement that the company “has strong data privacy and security protections in place and no backdoors will be created into any of our systems.” Apple will retain formal control over its encryption keys, but skeptics are likely to remain unconvinced as long as those keys are stored on Chinese servers, especially since Apple has repeatedly indicated its willingness to abide by Chinese domestic law. Apple has also promised, however, only to hand over data to the Chinese government for requests that it considers lawful.

U.S. criticizes China’s data-transfer policies at WTO

As Apple was moving its data to Chinese servers, the American government expressed its own dissatisfaction with China’s data transfer regime. On Feb. 23, the U.S. Trade Representative submitted a communication to the WTO Council for Trade in Services “expressing concerns with certain measures China has adopted ... that could significantly impair cross-border transfers of information.” The USTR’s criticism centered on the 2017 Cybersecurity Law and on a directive (EN/CN) issued last January by China’s Ministry of Industry and Information Technology (MIIT) prohibiting the use of unlicensed virtual private networks (VPNs) to send or receive data from abroad. The directive is scheduled to reach full implementation by the end of March, and MIIT officials recently confirmed (CN) that it would be enforced against corporations and individuals using cross-border VPNs that have not been approved by the Chinese government. The USTR complained that the directive, along with China’s data localization requirements, would “disrupt communications between a company's China facilities and its other global operations, increase costs, and reduce rather than enhance data security.”

The communication reflects recent American attempts to challenge China’s ostensibly security-minded data-transfer regime as a protectionist barrier to trade. In its 2016 National Trade Estimate Report, the USTR began listing China’s technology policies as impediments to American companies attempting to enter the country. (It continued doing so in its 2017 report; the 2018 report is expected later this month.) In a January 2017 report to Congress on China’s WTO compliance, the USTR reiterated its view that China’s data transfer policies “impose severe restrictions on a wide range of U.S. and other foreign ICT products and services with an apparent long-term goal of replacing foreign ICT products and services.” (These allegations were repeated in the USTR’s January 2018 report to Congress.) And in September 2017, the USTR submitted a first communication to the WTO Council for Trade in Services claiming that the Cybersecurity Law and its implementing regulations would “impinge on commercial choices and longstanding business arrangements supported by robust trade rules” and urging the Chinese government to delay implementation.

Despite the rhetoric, the USTR has so far declined to lodge a formal WTO complaint. Using the WTO to combat Chinese internet policy was suggested in a 2007 paper by Tim Wu and has received intermittent support in the years since, but it has never been put into practice.

In Other News

• While the Western media has focused on Xi Jinping’s move to eliminate constitutional term limits on the presidency and vice presidency, Chinese domestic coverage has been limited, and state officials have ramped up censorship of content critical of Xi in the days following the announcement.
• Cybersecurity firm Cloudstrike’s annual report linked China-based actors to repeated attacks against Western think tanks and NGOs.
• Chinese regulators are reportedly considering allowing shares of domestic tech companies currently listed abroad to be traded on Chinese markets through depositary receipts.
• A Chinese state-backed investment fund abandoned a deal to purchase U.S. hardware testing company Xcerra due to concerns that the acquisition would not pass CFIUS review. Another deal, between U.S. data analytics firm Cogint, Inc. and BlueFocus International Limited of China, was also scuttled after CFIUS indicated unwillingness.
• Human Rights Watch has accused the Chinese government of using big data to crack down on dissidents in its restive Xinjiang province.
• Chinese regulators promised to crack down on citizens trading cryptocurrencies through offshore brokers.

Analysis & Commentary

Elsewhere on Lawfare, Christopher Mirasola takes an in-depth look at China’s internet policy and the WTO, and Robert Williams outlines his recent essay on the “China, Inc.+” challenge to norms of nation-state conduct in cyberspace. A full version of the paper is available from the Hoover Institution. In the latest issue of the Cyberlaw Podcast, Stewart Baker and company discuss CFIUS’s treatment of recent Chinese tech acquisition attempts and Apple’s data shift (CFIUS-specific discussion begins at 12:30; Apple’s shift is briefly mentioned at 25:00).

At Just Security, Amie Stepanovich and Michael Karanicolas use Apple’s transfer of encryption keys as an argument against government backdoors, and Tim Maurer and Kathryn Taylor lay out several paths that the development of international cyber norms might follow.

On the Artificial Intelligence front, Paul Triolo and Jimmy Goodrich analyze the early indicators from the Chinese government’s AI push in a paper for New America, Elsa Kania studies the intersection of this push and quantum computing in the Bulletin of the Atomic Scientists, and the Wall Street Journal’s Saturday Essay focuses on China’s push to develop AI for military purposes.

In other broadsheets, Paul Mozur reviews China’s increased oversight of its citizens’ activities on foreign web platforms for the New York Times, where Cecilia Kang and Alan Rappeport also analyze Huawei’s struggles as an indicator of the broader technology race between China and the U.S. In the Wall Street Journal, Stu Woo asks “Why Washington Is So Obsessed With China’s Huawei.”

CORRECTION: An earlier version of this article incorrectly stated that CFIUS had rejected Broadcom's attempted acquisition of Qualcomm. In fact, CFIUS has only delayed their vote and called for a full investigation into the deal.