The narrative in the US that the Chinese don’t care about data privacy is simply misguided. It’s true that the Chinese government has built a sophisticated surveillance apparatus (with the help of Western companies), and continues to spy on its citizenry.
But when it comes to what companies can do with people’s information, China is rapidly moving toward a data privacy regime that, in aligning with the European Union’s GDPR, is far more stringent than anything on the books in the US.
For the September/October issue of MIT Technology Review, senior reporter Karen Hao picks apart the common Western perceptions about how Chinese people think about data privacy. This week on Deep Tech, she joins Editor in Chief Gideon Lichfield to discuss how consumers’ private data is protected in the world’s largest surveillance state.
Full Episode Transcript
Gideon Lichfield: You’ve probably got this notion in your head that if you live in China, there is no such thing as data privacy.
The government spies on everything you do. Your data can be used to create a social credit score–that’s like a measure of whether you’re a good citizen.
Now, during the coronavirus pandemic, you have to download an app called Health Code. It gives you a red, yellow or green code based on your data and it has to be green for you to get on a train, say, or enter a store.
Many countries have data protection laws. In Europe, there’s GDPR, that lets people decide what data is collected and kept about them. Other countries and some US states have been adopting their own versions. And the common view is that in China, giant tech companies like Alibaba can basically collect as much data as they want and people either don’t care or can’t do anything about it. But that’s a misperception.
The Chinese government does spy on people and is doing so more and more. But when it comes to how private companies use their data, Chinese citizens have actually been demanding more privacy. As a result, China’s been developing a pretty sophisticated data protection framework.
And during the pandemic, there’s been a very healthy debate among Chinese citizens on social media about just how much data the authorities should be able to collect for the sake of public health–and what they should be allowed to do with it.
Today on the show, I’m talking to our senior Artificial Intelligence reporter, Karen Hao. Her story in the latest issue of MIT Technology Review–our techno-nationalism issue–really picks apart the common Western perceptions about how Chinese people think about data privacy.
I’m Gideon Lichfield, Editor in chief of MIT Technology Review, and this is Deep Tech.
Anchor for China 24 News: Life was supposed to be full of wonder and hope for 18 year old Xu Yuyu. She was just admitted to Nanjing University of Posts and Telecommunications. However, one phone call put an end to her future.
Karen Hao: In the fall of 2016, in the coastal Chinese province of Shandong, a young woman named Xu Yuyu (???, Xuyuyu) was celebrating her admission to college.
Xu came from a poor family. Only her father worked and he had a small income. And very few of Xu’s relatives had ever been able to go to college. But her parents had painstakingly saved for her tuition.
And Xu also applied for financial aid. And a few days later, she received a call saying she’d been awarded a scholarship. To collect the money, she needed to first deposit nearly 10,000 yuan, or fourteen-hundred dollars, into an account connected to the university.
In a later recounting of the story, Xu’s father said his greatest regret was asking the police whether they might still recover their money. The answer–“likely not”–only exacerbated Xu’s devastation. And on the way home, Xu who was otherwise healthy collapsed from a heart attack. She died in a hospital two days later.
At a press conference, the Director of the Dept. of Student Affairs at Nanjing University said a scholarship call to Xu had never been made.
Sun Xiucheng [via China 24 News]: We didn’t know about this until the media reported. What we had was some basic information related to her performance in the college entrance exams. This doesn’t include her family conditions.
Karen Hao: The call had instead come from scammers who had paid off a hacker for her number, admissions status, and her request for financial aid.
For Chinese consumers who’d become all too familiar with their personal information being stolen, Xu became a symbol. Her case sparked a national outcry for greater data privacy protections.
Gideon Lichfield: So Karen, where did this idea come from that the Chinese just don’t care about data privacy?
Karen Hao: Yeah, so I think there is a grain of truth in that, at one point when comparing US consumers with Chinese consumers, perhaps the US consumers did care more than Chinese consumers. But I think part of that is because each country had their own respective cycles of technology development.
So if you think about our cycle in the US, when we first started having tech companies in tech services, we were actually pretty happy with the idea of giving up some of our data privacy in exchange for that convenience.
And it wasn’t until tech giants became really big and powerful and we started having data breaches that we then realized that data privacy is actually something we should care about and something we should be advocating for. So I think China is undergoing that same cycle.
Gideon Lichfield: But for Western tech companies like Facebook, this belief that the Chinese don’t care about privacy has actually been kind of convenient, hasn’t it?
Karen Hao: Oh, definitely. I think the most infamous example of this is in 2018 when Mark Zuckerberg testified to the Senate after the Cambridge Analytica scandal.
Mark Zuckerberg [via CSPAN coverage of his 2018 Senate testimony]: We still need to make it so that American companies can innovate in those areas or else we’re going to fall behind Chinese competitors and others around the world.
Karen Hao: He’s literally saying to regulators, don’t clamp down on us too hard for privacy invasive technologies like face recognition because American companies still need to innovate in these areas to outcompete Chinese companies.
Karen Hao: Yeah. Again, Mark Zuckerberg. If you look at his written remarks, he said, don’t regulate us too hard because we need to compete with Chinese companies. And these latest hearings weren’t necessarily focused on data privacy this time. But this narrative continues that if the US government is too hard on US tech giants, They will be at a disadvantage because the Chinese government doesn’t restrict Chinese tech giants at all, in any regard.
Gideon Lichfield: So Karen, you’ve been to China on reporting trips. Have you had conversations with people there about data privacy? What sorts of things have you heard?
Karen Hao: Yeah. So from my conversations with people who live in China, I think there’s this growing sense of a loss of control. And honestly I think the conversations are pretty similar to the ones that we have in the US in that people are realizing and recognizing that their data is being used increasingly by tech giants in ways that they don’t really understand.
Like in the US we talk about how we often end up seeing ads that follow us around the internet. After we searched something on Google and in China, that’s what they’re talking about too. They use Baidu, that’s their search engine, and they’ll search something and suddenly have an ad pop up on a different app for the exact same thing. So they feel uncomfortable with that. Just like we feel uncomfortable with that.
Gideon Lichfield: And actually it was Western companies that helped China construct this surveillance state, right?
Karen Hao: Yeah. I mean, at the time, China really didn’t have very good technology infrastructure. So they actually had to rely on Western companies who had far more advanced technologies in this regard.
So it was companies like American conglomerate Cisco, Finnish telecom giant Nokia, Canada’s Nortel networks that were all enlisted to help work on different parts of the project. So these companies help build a nationwide database for storing information on all Chinese adults. And they developed a sophisticated system for controlling information flow on the internet, which eventually would become what we now know as the great firewall.
And conveniently, a lot of these technologies were basically standardized for state spying because the FBI had worked with the US government to pass the Communications Assistance for Law Enforcement Act in 1994 to help with their spying. And so many of these companies had updated their systems based on this law. And were now exporting these technologies to China to help build China’s digital state surveillance system.
Gideon Lichfield: So the infrastructure of this surveillance state starts to get built in 2000, but the crackdown, the censorship, all of that really takes off after Xi Jinping becomes president in 2013. So how did that play out?
Karen Hao: When Xi Jinping came into power in 2013, one of the biggest things that he started doing is trying to update the censorship systems of the government to match the growth and the adoption of the internet. The internet at that point had given rise to social media platforms. Like WeChat WeiBo and there was a flourishing of online activity and online public discourse that caused the censorship systems to lag behind.
So in the fall of 2013, The party basically put their foot down. They were like, people have gotten too comfortable with saying whatever they want. Some of them have gotten too comfortable with criticizing and ridiculing the Chinese communist party, and they arrested hundreds of influential social media users for what they described as malicious rumor-mongering. And then they paraded a particularly influential social media user on national TV.
Gideon Lichfield: But now Chinese citizens are starting to demand more personal data privacy. How did that movement begin?
Karen Hao: I think it roughly started around 2016. So in that year there was. Basically a series of very high profile cases where people had their personal data stolen and they were defrauded of significant amounts of money. One particular case, of course, is the tragic death of Xu YuYu, which I spoke about earlier.
And so when cases like hers happened, it provoked this huge anger among the Chinese public, because they saw themselves in these people, there was actually a survey in 2016 by the internet society of China that found 84% of the people they’d surveyed had suffered some kind of data leak–whether that was their phone numbers, their addresses, their bank account details.
So this was getting increasingly concerning because the services that people were using were starting to collect more and more personal, intimate data, more quantities of data. And that’s when there became this push from the public to really start caring about data privacy.
Gideon Lichfield: I think a lot of people would be surprised to learn that China now has a data protection standard not entirely unlike Europe’s GDPR and it’s in fact more comprehensive than what the US has at a national level. Is this GDPR with Chinese characteristics enforced?
Karen Hao: Yeah. So one of the reasons why China’s data privacy regime now looks kind of like GDPR is because they were actually looking at GDPR. The committee that was tasked with fleshing out China’s approach to data privacy, they basically scoured the world for legal documents that had already been written to approach this problem.
And they translated all of them into Chinese. So they translate GDPR. They translated California, consumer privacy act. They translated the OECD privacy guidelines and a bunch of other things. And then they studied the articles and the language to figure out what they wanted to transplant and what they wanted to modify into the Chinese context.
The product of this was the Personal Information Protection Specification, which is not a law but a series of recommendations around the handling and processing of data. So it can’t actually be enforced. But there is a law on its way.
So right now, the national people’s Congress, China’s top legislative body, is in the process of drafting, and expects it to quickly pass, the personal information protection law.
Gideon Lichfield: Ok. So there’s this personal information protection law designed to protect consumers, but will it limit the state’s ability to spy on people too?
Karen Hao: In theory, the law is supposed to apply to any entity that collects data. So it’s not actually just for private actors, but then this goes back again to the question of enforcement. Is there actually any incentive for the government to enforce itself and restrict its own data collection operations. That’s a thing that China scholars have been puzzling over for a really long time.
Gideon Lichfield: So here we are. 2019 2020. There is this uneasy balance between state surveillance and increasingly strong consumer data protection. And now along comes COVID-19. So what happened then?
Karen Hao: COVID-19 is a really interesting moment for data privacy in China. I think the reason why the uneasy balance was able to exist for so long is because Chinese citizens don’t actually know how much data is being collected from them by the government.
But when COVID-19 hit, the government launched this health code app initiative with the help of Chinese tech giants, where different local government authorities released these apps that required citizens to input their data about where they traveled to what kinds of symptoms they were experiencing.
And then the app would spit out this color code based on their risk of infection. So if you’re likely not infected, you get a green color code and you can actually go about your day to day life, like go buy food, go to a cafe, go to a bookstore, board the subway. But if you might be infected, you get a yellow or red code and then you have to quarantine in your home immediately.
So this is the first time really that we’ve seen an instance where there’s actually a somewhat centralized digital platform that is successfully collecting data on so many citizens. It’s basically mandatory to have it, if you want to be able to move about the world, but at the same time, it’s also the first time that Chinese citizens are seeing that the government collects this data at such a huge scale.
So in one sense, There’s been this huge leap in the capability of the government to collect this kind of data that it’s always wanted to collect, but there’s also been this huge leap forward in citizen awareness of this data collection happening and that’s made them anxious and they’ve started to push back.
Gideon Lichfield: So do you think now that the momentum towards tougher privacy laws in China is building and is going to continue?
Karen Hao: I actually asked that same question to Samm Sacks. Who’s a China scholar at New America and Yale. She’s been studying this for quite a while and says to answer that question you have to look at the objectives of the Chinese leadership.
Samm Sacks: You have national security objectives. You have economic objectives. Clearly, overreach in terms of government use and access of private data helps national security goals, but it could very much undermine Economic goals. This is a government that has talked about building China into a quote-unquote cyber superpower. And part of that vision is having globally successful, competitive Chinese brands like Huawei, like Tik Tok, right.
Karen Hao: But, she says those brands aren’t going to be viable in overseas markets if there’s suspicion about the way that data is accessed by the Chinese government.
Samm Sacks: And so that’s where if we were to take a sort of pessimistic stance, I’d say, look, one, why would the government reign in its own ability to access the data? And I’m sort of looking for indication that this is a government that has economic, pragmatic interests at heart. But we’re seeing sort of the predominance of the security side. And not to play political relativism here, but I will say that we are also in the United States seeing a more national security focused, dominant view when it comes to looking at technology and global supply chains.
Gideon Lichfield: So Karen, we’ve been talking about how China thinks about data privacy and how to regulate data, but how exactly is this going to influence the rest of the world?
Karen Hao: Well, I think there are two big ways. First of all, Chinese tech giants are increasingly having a global footprint. And when we use these services, it’s really important for us to know what data is collected, how it’s processed and who gets access. That’s the whole crux of the fight that’s happening right now with Tik Tok. The app is owned and developed by the Chinese company Bytedance, and people are worried that this means the Chinese government will get access to all its user data. Our lack of understanding around how Tiktok handles its data is being used as grounds for its potential ban in the US and that could result in a less free internet. So I think that’s number one.
Number two is, it’s not just about Chinese tech companies. The way that data privacy legislation develops around the world is very much connected. When the EU released GDPR, China was not the only one watching. There were a number of countries around the world that started adopting very similar models, Brazil, for example. China’s data privacy law is going to have a very similar impact.
They’re essentially proposing a new model to the world of how countries can have strong consumer protections without limiting state surveillance. And I think that’s going to be a very persuasive and appealing proposition to a lot of countries around the world.
Gideon Lichfield: That’s it for this episode of Deep Tech. This is a podcast just for subscribers of MIT Technology Review, to bring alive the issues our journalists are thinking and writing about.
Gideon Lichfield: You’ll find Karen Hao’s article “China’s Data Privacy Paradox” in the September issue of the magazine.
Gideon Lichfield: Deep Tech is written and produced by Anthony Green and edited by Jennifer Strong and Michael Reilly. Our technical director is Jacob Gorski. And I’m Gideon Lichfield. Thanks for listening.