Chinese internet regulators are purportedly considering new methods to safeguard users’ personal information online. Their solution, however, involves giving the government greater control over user data. The proposal has rekindled a debate over online privacy and best practices for data security. Adding to fears about government surveillance and abuse, censors have taken down online posts from experts and commentators who critiqued the plan. Meaghan Tobin and John Liu from The New York Times summarized the proposal, which would entail giving every Chinese netizen a unique user ID to verify their identity across the Internet:
The Ministry of Public Security and the Cyberspace Administration of China say the proposal is meant to protect privacy and prevent online fraud.
A national internet ID would reduce “the excessive collection and retention of citizens’ personal information by internet platforms on the grounds of implementing real-name registration,” the regulators said.
Use of the ID system by websites and apps would be voluntary, according to the proposal, which is open for public comment until the end of August.
[…U]ntil now, [the Chinese government’s] control has been fragmented as censors have had to track people across different online platforms. A national internet ID could centralize it. [Source]
According to the draft, the ID will take two forms: one as a series of letters and numbers, and the other as an online credential. Both will correspond to an individual’s real-life identity, but will exclude any plaintext information. A government national service platform will be responsible for authenticating and issuing the IDs. Even though the draft is still in its consultation period, at least 67 apps—including Taobao, WeChat, Xiaohongshu, QQ, and others—have already rolled out beta tests of the national ID system. South China Morning Post conducted a survey and reported that “popular apps like image-editing platform Meitu, as well as merchant terminals for Alibaba’s Taobao and Tmall, Meituan and ByteDance-owned Douyin, have added a new login option for the virtual ID.”
Tests by China Digital Times found that, although the proposal is currently open for public comment, censors have restricted online discussions about the proposed Internet ID system in order to contain the public backlash. The following Weibo search terms have been blocked: “national Internet ID system is coming,” “Internet IDs are coming,” “national Internet ID,” “government plans to issue Internet ID numbers to all users,” “WeChat, Taobao, Xiaohongshu, others begin beta-testing national Internet ID system,” and “national online ID system is an important signal that the Internet is moving towards standardization.” In addition, the comment function has been disabled under nearly all posts by verified accounts that wrote about the topic.
Many observers expressed reservations about the proposal. Tom Nunlist, associate director at China-focused consultancy Trivium, told The Financial Times that the proposal could “significantly expand the government’s ability to monitor people’s activity online. It would give the police much greater insight into what people are doing online.” Xinlu Liang from South China Morning Post reported on legal experts’ concerns over the proposal’s implications for privacy and government oversight, specifically its potential to intensify surveillance over individuals’ online activities:
Shen Kui, a law professor at Peking University, acknowledged that a unified network identity could simplify the authentication process during online transactions and make the misuse of personal information less likely.
[…] But he cautioned that the idea of mandating a uniform network identity raised fears of a centralised surveillance system that could comprehensively track and analyse an individual’s online footprint.
[…A] unified network ID could connect all online activities to real identities via a centralised system, risking “complete exposure”, which would make users hesitant to express opinions, engage in discussions and explore freely online, Shen wrote.
“The vibrancy of the digital economy and internet society relies on a multi-centred system rather than centralised monopolies.” [Source]
One expert who weighed in was Lao Dongyan, a criminal law professor at Tsinghua University who is well known for her opposition to mass surveillance, facial recognition, and other methods of government surveillance and coercion. Her recently published—and later censored—WeChat critique of the National Internet ID proposal argued that the proposal’s true purpose is to more effectively control people’s behavior on the Internet:
Firstly, is the true intention of this draft proposal to protect individual user data, as the drafters claim it is, or is it aimed at strengthening control over individuals’ online speech?
In the 12 years since the online real-name verification system was introduced, more than one billion netizens have provided various Internet service providers with the personal information required to authenticate their identities. Given this fact, how much practical significance would the implementation of a national Internet ID system have? The online real-name verification system was originally launched in the name of protecting the general public, and we all know how that turned out. This means that the new proposal serves much the same purpose as the real-name verification system: controlling people’s behavior on the Internet. The so-called “protection of individual user data” is nothing more than a ruse; at the very least, it is not the main purpose of this proposal.
Secondly, what is the true nature of the [proposed] national Internet ID system?
Metaphorically speaking, the national Internet ID system is similar to the COVID pandemic-era health code app. Both are based on the same philosophy of control, the only difference being that the social controls enforced by the health code app became routine and normalized. The Internet ID system is the equivalent of installing a monitor on each individual’s online behavior, allowing convenient, instantaneous access to all traces of an individual’s Internet activity (including their browsing history). The Internet ID system means that going online or using services provided by ISPs will essentially become special privileges that require permission. If the relevant government departments deny that permission, an individual will find it very difficult to access certain Internet services, including (but not limited to) the ability to post, comment, or to utilize other online services. [Chinese]
WeChat blogger and social commentator Song Qingren wrote a post, also now censored, arguing that the proposal would make it easier to silence people on the Internet, and that the opt-in measure is not actually voluntary in practice:
Once the Internet ID system goes into effect, individual online speech will be further curtailed. Not only will we see a drop in individuals posting evidence of wrongdoing or publishing exposés, the Internet ID system will also make silencing online voices easier than it was through the platform-based censorship of the past.
[…] The proposal’s use of the term “voluntary” is interesting, because if you don’t have a valid Internet ID, you won’t be able to access any online services. It’s hard not to suspect that they’re just paying lip service to the “voluntary” nature of the plan.
Of course, applying for the ID is voluntary, but without it, it’s unlikely you will even be able to go online, report problems, or make complaints related to the Internet. [Chinese]
Cissy Zhou from Nikkei Asia spoke to three Chinese lawyers (based in Shanghai, Beijing, and Shenzhen, respectively) who all agreed with Lao Dongyan’s critical assessment of the proposal, but asked not to be named due to the sensitivity of the topic:
“The real purpose is to exert comprehensive control over individuals’ internet access rights and expression, as a more stringent social control measure,” said the Beijing-based lawyer. He added that although the government can already obtain whatever personal information it wants from internet platforms, implementing the ID proposal would remove the need to do so. Instead, they could simply access anyone’s online activity directly.
“Furthermore, the issuance of cyberspace certificates means that individuals’ access to the internet will be cut if the authority is unhappy with their online speech or behavior,” he predicted.
The lawyer was also skeptical of the justification of protecting personal information. He said that the official reason for requiring real names for mobile phone numbers in 2010 was to prevent telecom fraud, yet the number of such fraud cases in China has surged since. [Source]
China Law Translate, conversely, argued that while many of these concerns about government control and infringement on privacy are justified, they may already be moot, given the scope of China’s existing real-name verification system:
Under existing “real-name” requirements, web services and platforms are already required to verify users’ valid identification information.
The current verification system sometimes goes unnoticed by users, because it often relies on cell phone numbers as ID. All SIM cards and mobile numbers are linked to official IDs, and there are limits placed on how many phone numbers individuals can register, to prevent sharing.
[…] My own take is that while concerns about the erosion of privacy are very real, the real harm comes from the real-name verification requirements already in place, and the proposed rules don’t add much further damage. [Source]
China is already one of the few countries in the world that requires netizens to attach their real names to online accounts, a policy that has been relentlessly enforced through the years. In 2019, the Ministry of Industry and Information Technology announced that applicants for new mobile and data service plans would need to have their faces scanned by their telecom providers. The ability to hide one’s identity from other users (rather than from platforms and services) is also being eroded: last July, Q&A site Zhihu announced that users would no longer be able to post anonymously. In May 2022, Weibo, Douyin, Toutiao, Zhihu, Kuaishou, and Xiaohongshu announced that they would begin displaying users’ IP addresses.
Given past precedent, there is also scant trust that the government will handle user data responsibly. The Ministry of Public Security’s “National Anti-Fraud Center” app that launched in 2021 was found to track user access to foreign websites. During the COVID-19 pandemic, numerous online accounts described how the government-imposed mandatory health-code app was selectively used to impede the movement of certain citizens, such as those who protested bank scams in Henan, and even those who police incorrectly assumed would protest. Privacy concerns were also fiercely debated when Beijing and Hong Kong attempted to introduce digital tracking bracelets to impose COVID quarantine compliance in July 2022.
Even if the government were more responsible with user data, there is no guarantee that the data would be secure in its hands. A trove of personal information from a Shanghai police database was left online and unsecured for months before a hacker allegedly obtained it in July 2022. The hacker claimed that they had procured information on one billion Chinese citizens, including names, addresses, ID numbers, phone numbers, passport numbers, and case details. During that time, another anonymous netizen offered to sell a separate police database from Henan containing information on 90 million citizens.
Translations by Cindy Carter.