Trapped behind the firewall, foreign VPN services disrupted in China
Following the recent tightening of Internet control measures, a Ministry of Industry and Information Technology (“MIIT”) official explained in a public statement that only companies acting in accordance with Chinese law are protected under Chinese law, implying that the delivery of services by companies acting outside of the parameters of Chinese law, as many if not all foreign VPNs apparently do, remain vulnerable to disruption and interference.
China regulates the Internet, including commercial VPN services, through a telecoms licensing system which for the most part is closed to foreign investors, despite heavy interest and demand for foreign technology and services. This telecoms licensing system is set forth in the 2000 PRC Telecommunications Regulations and the 2003 Circular of the Ministry of Information Industry on Readjustment of the ‘Classified Catalogue of Telecommunications Services’. Under this system, commercial VPN services are classified as a value-added telecoms (“VATS”) service, requiring a VATS licence.
According to the 2002 Provisions on the Administration of Foreign-Invested Telecom Enterprises (Amended), in theory foreign investors can obtain a VATS licence to provide commercial VPN services in China through the establishment of a Sino-foreign joint venture (“JV”) enterprise, with a maximum foreign equity ratio of 50 per cent. In practice, however, this licence is generally not open to foreign investors at all (an exception to this may be for Sino-foreign JVs established in the China (Shanghai) Pilot Free Trade Zone under new policies there that may make foreign participation in providing IP-VPN services in China by foreign investors a reality).
This licensing regime is generally limited to engagement in telecom activities or telecom-related activities within the PRC. And while a number of factors can be at play in deciding whether a VATS service is occurring within the PRC, in practice, a good rule of thumb seems to be the location of the servers involved. Generally speaking, servers located in China are within the MIIT’s regulatory reach, and those located outside of China are not.
So the physical location of the server is important from a jurisdictional perspective, but, as we know, the World Wide Web is known for crossing geographical borders, and it is on this cross-border basis that foreign companies have offered VPN services to customers within China. Yes, there are some practical difficulties to the cross-border model –for example, payments for services must usually be paid in foreign (i.e. non-Chinese) currency, which is inconvenient for some consumers within China – but over the past few years this model has generally worked.
That does not mean that the MIIT does not regulate cross-border Internet activity. In fact it does, or at least tries to, by regulating the international Internet
infrastructure gateways that link the Chinese Internet with the rest of the world. Under the 2002 Measures for the Administration of International Communications Gateway Exchanges, international gateways in and out of China are heavily regulated and only state-approved, state-invested actors may operate the switches, which they must do in conformity with the MIIT’s laws and policies. Setup of virtual networks for the purpose of operating telecoms
services via the international Internet gateways (this would include foreign VPN service providers operating on a cross-border basis) must be reported to the MIIT for approval. And, on a related note, setup of VPNs for internal use via the international Internet gateways must be record-filed with the MIIT, although it is not clear whether the recording requirement for internal use of VPNs has been strictly enforced in practice.
Thus, commercial VPN service providers are subject to MIIT licensing/approval whether they operate on a domestic basis or a cross-border basis, and those that
do not secure such licensing/approvals run a constant risk that the Chinese authorities will use their selfasserted rights of ‘cyber-security sovereignty’ to shut
down their services. Recent shutdowns, therefore, are not due to a change in the law, but rather result from a change in the level of enforcement, perhaps due to
advances in the government’s technological capabilities in identifying and blocking VPN traffic.
There has been new legislative activity in other aspects of cyber-security, however, including the publication of draft cyber-security review rules, which require foreign companies selling phones and tablets to build ‘back doors’ into their products and to provide source code to the government. Additionally there is the publication of a draft anti-terrorism law, which calls on companies to store all data related to Chinese users on servers in China.
These laws may be viewed as a benefit or even as necessary to some degree by the government from a security perspective, but at the same time they may have
detrimental impacts on the business environment in China and foreign investment, which has already been feeling the impact from the existing restrictions related to the Internet, let alone any new ones. Many businesses and individuals have used VPNs to lessen these impacts, but this channel has been clamped down as of recently, and the foreign-invested business community is reporting increased difficulty doing business. A recent European Chamber of Commerce member survey published 12 February 2015 revealed that:
● 86% of respondents reported a negative effect on their business as a result of certain websites and online tools being blocked, a 15% increase compared
to June 2014.
● 80% of respondents have recorded a worsening business impact as a result of the recent further tightening of Internet controls beginning in early 2015.
● 13% of respondents have recently deferred R&D investment or have become unwilling to set up R&D operations in China since Internet restrictions were
tightened in early 2015.
Given China’s interest in sustaining economic growth and its recent indications elsewhere that it intends to improve its business environment for foreign investment, it will be interesting to observe how the PRC government will balance its concerns for cyber-security against its interest in continued economic development.