How China Uses its Cyber Power for Internal Security

 
 

 On April 13, the Chinese Communist Party (CCP) and State Council issued new guidelines on strengthening internal security in the wake of unprecedented terrorist attacks inside the country, rising public order concerns, and increasing online dissent. The guidelines called out the use of new high-technology and cyber-based assets, including data mining, closed circuit TV, and satellites, to help restore central government control. This is the first in a series of five brief items by Greg Austin, based on his 2014 book, Cyber Policy in China, providing some political context on how the country is using its cyber power in the service of internal security. See also the author’s earlier post on how China will want to use artificial intelligence to support its internal security objectives.

Part I: The National Database as a Security Tool

In new guidelines on internal security issued on April 13, 2015, the Chinese Communist Party (CCP) and the State Council reiterated a measure announced last year to put the national citizens’ database to better use in internal security. For a country already deemed to be one of the most authoritarian in the world and possessing adequate technology already to allow the use of a nation-wide system of electronic identification cards (e-IDs) linked to a central database as a major tool in internal security, it is surprising that China is far from perfecting this database or its e-ID system into the Orwellian devices that they might become.

Enjoying this article? Click here to subscribe for full access. Just $5 a month.

 Under a 1985 regulation, China started lawfully compiling a national (paper-based) register of its citizens through a laminated plastic ID card system that was authorized to record only “name, sex, nationality, birth date, and address” — the address being that of the citizen’s registered residency. The ID system has been controlled ever since by the “public security organs.” The regulation provided for validity periods ranging from ten years to indefinite.

In the late 1990s, China moved to digitize this database. By 2002, the U.S. company Cisco reported in an internal document that China had a national automated database of its citizens, containing basic data on 1.1 billion people, with more detailed information on 600 million of them. Cisco was bidding for work with China’s Ministry of Public Security (MPS) at the time. In June 2003, the country’s legislature approved the issuing of an e-ID card, which was to contain a microchip but which would in print only reflect the same information as on the old ID cards. Roll-out of the new e-IDs was expected to take several years. It is still not complete.

It appears to be the case that in this area of policy, as in so many others, Chinese agencies over the last 15 years have not moved as rapidly as the potential of the cyber technology might have allowed. One important modification was introduced in 2012, when the government required card holders to register their fingerprints with the public security agencies the next time the ID card was to be used. This, if fully implemented, would provide a nation-wide fingerprint database.

In reports surrounding the release of the 2015 guidelines, and in other reporting from China, it appears that the government will move more robustly to promote “real identity” use on the internet and to prevent registration with false names or even no names. The reports suggest that authentic e-ID cards will now be needed for such things as “registering at hotels, for trade of second-hand goods, for motor refitting, and for recreation services,, according to Xinhua. A researcher at the Chinese Institute of Law in the Academy of Social Sciences, Zhi Zhenfeng, was quoted by the People’s Daily on April 15 as saying that “requiring citizens to give their real names in key industries and unifying citizens’ information by identifying them through identity cards and databases are also innovative measures” to promote security.

Yet the shortfall between existing information in the national database and what might be seen as the maximum needs of a police state have been all too evident. For example, in the list of future collection priorities identified in April 2015 for the national e-ID system, things such as travel bookings and hotel bookings were mooted, suggesting that these things are now not tracked in the national MPS database. Yet there are wider issues apart from how the e-card system might be programmed. For example, The Diplomat website reported on March 12, 2015 on the subject of the country’s unregistered children, estimated to number as many as 13 million.

The limitations of the central database for internal security have been further highlighted by the country’s inability to enforce a real name registration system for internet users. The Wall Street Journal reported in February 2015 that China would implement tough new regulations to ensure real name registration. This article referenced the government’s plan to link internet account registration to the unique identifier on the e-card, and to automate the linkage back to the central database. What the article did not mention is that China first imposed a real name registration obligation in 2002, and its officials have regularly reported, falsely, that it has been successfully implemented. In 2013, the MPS reported there were as many as 100 million users of mobile phones (and therefore potentially user of mobile internet technology) who were not using real name registration. In January 2015, in announcing a crack-down on false name registration or no name registration, China reported that number as 130 million.

China’s MPS has shown itself to be expert at use of cyber assets for monitoring internet traffic for censorship purposes and taking down offensive posts. After all, censorship has been an institutional strength of the Chinese political system. One transition the MPS is yet to make is automating the collection of information against specific IP addresses and netizen identities in a way that can be fed into the national database and linked to their e-card. In April 2015, the authorities revealed that their grid-based (block by block) personal activity data system, introduced as a trial more than a decade ago, should be completed for central urban areas (not all areas of the major cities) only by 2020.

This short post is not the place to analyze the maze of technological, organizational, social, and cybernetic challenges involved in China’s effort to compile a high quality national database for internal security based on new e-cards. It seeks merely to make the observation that China’s shortfalls so far in developing a comprehensive citizens’ database that matches the leadership’s control ambitions may continue to be the norm rather than the exception. While the government’s capability for citizen surveillance by electronic means will improve gradually, the country’s citizenry has shown a high degree of civil disobedience in ignoring certain legal obligations in this area for over a decade.

The opinions expressed in this article are the author’s own and do not reflect the view of the EastWest Institute

Up next this Wednesday: The Ministry of Public Security as Driver of Cyber Policy

Newsletter
Sign up for our weekly newsletter
The Diplomat Brief