topic Re: China and laptop encryption in Chapters

China and laptop encryption

rdhdallas — Thu, 02 Nov 2017 14:33:09 GMT

Hello all,

I'm reaching out to this knowledgeable group for direction. My current company is about to expand it's business into China and I'm not having much luck tracking down the current China law on bringing encrypted devices into China.

Any pointers on where I can find current information?

Thanks,

Robert

Re: China and laptop encryption

str12 — Fri, 03 Nov 2017 13:12:46 GMT

Try the Chinese Consulate.

Re: China and laptop encryption

T0deaC — Wed, 06 Dec 2017 13:20:46 GMT

What specific encrypted devices and what scenario you are talking about? Generally, the national cybersecurity law and OSCCA does care about any crypto products to be used in China.

Re: China and laptop encryption

T0deaC — Wed, 06 Dec 2017 13:22:24 GMT

better reach out to USITO.

Re: China and laptop encryption

dhouser — Fri, 08 Dec 2017 05:58:30 GMT

I am not a lawyer, but I've been on multiple big projects launching into China with enormous investment $$$ floating around, so have a bit of experience. Consider this advice, and not authoritative.

There aren't hard and fast rules. It's all geo-political, and risk-based decisions.

If you're a technology company, the answers might be different, particularly if your corporation is on unfriendly terms with China (I'm looking at you Google) or if Snowden papers showed your firm colluded w/ the NSA. But, let's presume you're not on that small list.

Basically, they're not going to care what laptop OS or crypto your team members are carrying flying into China, doing business, and flying home. Could they? Absolutely, your guys could be back-roomed at the border. Will they? Almost certainly not. The dreaded, "They're going to ask for our keys" seems an exception rather than the rule, and is more common to network infrastructure than executive laptops. I think the better questions are, "What should {execs/privileged account holders} carry into China? What contingency & OpSec plans should be utilized while there? What should happen upon return?"

For deployment into China, you're not going to want to import anyway, because that gets you into import/export restrictions, tariffs, and all kinds of headaches. Buy equipment local, software local, install local and you'll be fine. Will your supply chain be secure? Nope. But, are you going to frisk the cleaning crew every night?

This is a very complex field full of land mines... and I don't want to write a book on here because part of my consulting practice is supply chain security assessment, and helping firms make entry into new markets, China in particular, navigating privacy & security concerns. As I said, there aren't hard & fast rules, so I can't provide absolutes that, "if you do this, then XYZ will be true".

Happy to chat over a coffee. 🙂

-ddh

Re: China and laptop encryption

Early_Adopter — Fri, 08 Dec 2017 10:51:03 GMT

IANAL.

Agree with dhouser, getting shaken down for decryption keys is probably quite unlikely.

Bit locker is not a great option if it needs TPMs in PRC, you can take them in OK but PCs in china are not sold with them.

You will be more likely to need to secure your Cinese companies laptops working as part of you r expansion.

For Foreign Invested Enterprises (FIEs) it is permissible to import encryption products as long as you follow the right forms around business licenses etc. Foreign-developed encryption products may be imported into China for internal use only by FIEs.

FIEs include Sino-foreign equity joint ventures, Sino-foreign cooperative joint ventures, wholly foreign-owned enterprises, foreign-invested joint stock limited companies, etc

Foreign Invested Commercial Enterprises (FICEs) can act as importer. There are certain document requirements: SEMB Import and Use permit from the FIE customer, Import Agent Agreement between the customer and the FICE, Import Contract between the oversees seller, FICE, and the customer in China.

So likely any laptop encryption project you run in PRC is going to use software from McAfee, Checkpoint or Symantec. Seem to remember Sophos mostly focuses on bit locker management and the other disk encryption vendors are quite niche.

I've traveled to China with encrypted laptops before, WDE and FileVault and never had any Issues - doesn't mean you won't though.

Again all of this is potentially subject to change, could be wrong and your best option is to speak to a reputable law firm.

https://www.freshfields.com/en-us/our-thinking/campaigns/digital/data/china-rules-on-encryption/