There have been a number of cases on Chinese social media recently recounting instances of administrative fines being imposed on individuals who, through one means or another, bypassed the Great Firewall, which is a violation of Article 4 and Article 10 of the Provisional Rule for International Connection of Computer Networks (the “Interconnection Rule”). These rules prohibit the establishment and use of illegal communication channels (Shadowsocks/VPNs/Tor/garlic routing … etc).
Many Irish expatriates and/or companies may be concerned that they could face administrative penalties related to their own practices in bypassing the firewall. As China is increasing its control over its digital dominion, the legal risks associated with circumventing the firewall are naturally increasing.
The majority of us should not worry too much: the use of VPNs to connect to servers outside of China, while illegal, is very rarely prosecuted. Regardless, it is advisable to adopt a number of technical and/or managerial measures to mitigate the risks of using a VPN.
Legal obligations under the Interconnection Rule
The Interconnection Rule imposes the following two obligations on international connections between computer networks.
(1) The connections to overseas networks must go through an exit channel permitted by the Chinese authorities; and
(2) The connection to the internet must go through an access network, again permitted by the Chinese authorities.
Of these obligations, the first is satisfied by using a Chinese internet provider: typically, if a connection is provided by one of the major suppliers (Telecom, Unicom, Mobile), the international connection will go through an exit point permitted (“monitored”) by the Chinese authorities. (This also explains why, despite the fact that many of us in China have gigabyte broadband, our speeds to international servers are throttled.) Corporate VPNs, which many multinational companies lease for their Chinese entities, are also connected through the exit points permitted by the Chinese authorities.
The second obligation is the prohibition of bypassing the Great Firewall. This obligation demands that a connection to the internet must go through an ISP recognized by the Chinese government and via an access network operated by it. This is so that the ISP is able to block access to prohibited websites on the government’s blacklist/smartfilter. Thus, access to the internet through an access network outside of China is a violation of this obligation.
Consequences of non-compliance
Typically, the public security bureaus (police) take a serious approach towards bypassing the firewall, and have been progressively more emboldened in enforcing the legislation. On the other hand, the industrial and telecommunication bureaus (administrative bodies) have taken a more relaxed attitude towards circumvention of the firewall.
The administrative bodies are guided by the Notice on Further Regulations on Internet Data Center Business and Internet Service Provision Business (2012) and the Notice on Clearance on Internet Network Access Service Market (2017), which state that their prime focus is to prevent the illegal operation of internet access businesses. These notices do not prohibit individuals or companies from using VPNs for their own business and private purposes.
However, the police have taken the use of VPNs to bypass the firewall more seriously in recent years. Typically, they will charge the accused with either: (a) the illegal operation of VPNs, or (b) the provision of programs and tools to facilitate intruding into or taking illegal control over computer systems. The second charge is more frequently levied against VPN companies who collect and make use of the data to which they are privy. It is crucial to know that many free VPN providers will make use of or sell your data, which is not anonymised.
Practical issues for Irish companies
Many companies, for data security reasons, will integrate their IT systems into their global networks by connecting their local servers to their regional or global servers. This will typically happen in the manner shown in the diagram below.
There are many reasons to do so other than data privacy: companies may wish (a) to share information and resources internally; (b) to connect to their private cloud; (c) to mitigate lag when connecting to overseas websites or video conferences; and (d) to allow China-based personnel to visit commercial resources which may be blocked by the firewall. Unfortunately, this structure does not satisfy the requirements under the Interconnection Rule, as it enables China-based personnel to connect to the internet through access networks outside of China. However, enforcement of the rules on this structure occurs very rarely, and is unlikely to be an issue for any private enterprise.
Although, to date, no multinationals have been penalised for the above structure, taking into consideration the recent promulgation of the Cybersecurity Law and the upcoming Data Protection Law, it is clear that China is seeking to strengthen its cybersecurity legal regime. As such, it is advisable that Irish companies take some measures to mitigate their liabilities and provide a reasonable defence should the authorities find issue with their behaviour. Such measures could include:
(a) Build multiple internet connections for domestic employees and expatriate employees: with respect to domestic employees, companies should block the internet connecting functions through their servers outside of China, and provide a separate connection to the internet through a domestic access network.
(b) Apply a companywide firewall comparable to the Chinese banned website list, and provide access only to websites which are necessary for the business. This may have the side benefit of improving employee productivity.
(c) Establish internal management systems, prepare IT usage manuals and provide routine training, which require that employees only use the networks in compliance with PRC law, and keep network operational logs according to the Cyber Security Law. This will provide a defence to vicarious liability: should an employee misuse a VPN or the overseas connection to the internet, the company will have a defence by showing that the company rules expressly prohibit such behaviour.
Practical Issues for Irish expatriates
As it stands, using a VPN and circumventing the Great Firewall is illegal, and the same standards apply to individuals as they do to companies. Enforcement is spotty, and unlikely to ever pose an issue, unless the police wish to get you on another charge. The golden rule for rule breaking is that you only break one rule at a time: charges levied against an individual for VPN usage will likely be an ancillary charge to a different crime. Of course, if you are traveling to the far west of China or other autonomous regions, it is advisable that you temporarily remove your VPN from your devices, if you wish to be cautious.