Llinks Review | Is it legal to bypass great firewall?

By Xun Yang

Generally speaking, the Interconnection Rule imposes the following two requirements on the international connection of computer networks. 

(1) The connections to overseas computers must go through an export channel permitted by the China government; and 

(2) The connection to internet must go through an access network permitted by the government.

Among the two requirements, the first one is usually complied with: generally speaking, if a connection is provided by one of the “Three Big Carriers,” the international connection goes through an export channel permitted by the China government. VPNs which multinational companies may lease for connecting its China entities with their overseas companies are also constructed on the export channels permitted by the China government. Only in rare situations some companies build up connections by themselves through subscriptions for overseas connection services. 

The second abovementioned requirement prohibits the so-called “bypassing the great firewall.” This requirement demands that a connection to internet go through an ISP recognized by the China government and via an access network operated by it.  As a result, the ISP is able to block visits to illegal websites which fall within the government’s blacklist. This requirement reflects national sovereignty in the cyber space. The connection to the internet through an access network outside of China violates this requirement. 

Generally speaking, the public security bureaus take a serious approach towards bypassing the great firewall. And their enforcement of the laws is increasingly strengthened. The industrial and telecommunication bureaus take a relatively relax attitudes towards bypassing the great firewall. 

The Interconnection Rules was issued as early as 1996 but there is only few cases decided based on it.  Thus, the activities of bypassing the great firewall are considered connivance for a long period of time. This situation has been changing since 2012 when the government started paying much attention to cyber securities.  Consequently, there are an increasing number of cases involving bypassing the great firewall. 

From the point of view of the industrial and telecommunication bureaus, according to the Notice on Further Regulations on Internet Data Center Business and Internet Service Provision Business issued in 2012, and the Notice on Clearance on Internet Network Access Service Market issued in 2017, the focus of their enforcement is to prohibit illegal operations of internet access business and other cross-border network connection business. These regulations, however, do not prohibit companies from using VPNs for its own business and management purpose. They remain silence as to whether the use of internet connection function incidental to use of VPN is considered legitimate. 

From the point of view of the public security bureaus and the procuratorate offices towards the use of VPN and the bypass of the great firewall, they have clearly strengthened enforcement against illegal sales and provision of VPN since 2012.  During prosecutions, they accuse these activities either as: (1) illegal operation, or (2) provision of programs and tools to facilitate intruding into or illegal control over computer systems. The first accusation is obvious.  The latter suggests that the use of VPN may be considered intruding into or legal control over computer systems. Fortunately, up to now, there is no person who has ever been criminally convicted for the use of VPN.

The abovementioned administrative penalty imposed on individual for its bypassing the great firewall is, as far as I know, the first case where an individual is penalized for bypassing the great firewall. This may indicate that the public security bureaus have strengthened the enforcement against behaviors of bypassing the great firewall. 

As I understand, many multinational companies, due to business reasons, integrate their IT systems to the global systems by connecting their local servers to their regional or global servers. The IT structure is illustrated below.

Multinational companies adopt such IT structure due to the following reasons: (1) to share information and resources internally; (2) to visit companies’ private cloud or to manage their business on cloud; (3) to speed up the visits to overseas websites; and (4) to allow China based personnel to visit some blocked websites due to business reasons. Obviously, this IT structure does not satisfy the requirements under the Interconnection Rule because it enables China-based personnel to connect to the internet through access networks outside of China. 

In reality, the government must have knowledge about the existence of this IT structure. However, as far as I know, there is no company which has ever been penalized merely for adopting this IT structure, because companies usually have legitimate business reasons to use such structure.

Although, there is no multinational company which has ever been penalized for adopting the abovementioned networking structure, considering the increasing strengthened cyber security legal regime, some companies have been taking measures to adjust its IT practice and to revise its IT structure in order to mitigate its risks. These measures include:

(1) To build up dual channels for internet connections for domestic employees (or most of the domestic employees): with respect to domestic employees, companies block the internet connecting functions through its servers outside of China, and provide a separate connection to internet through a domestic access network. 

(2) To set up internal gateway screening: some companies voluntarily block the access to illegal or sensitive websites by taking reference to China government’s “black list” and taking into consideration the companies’ own information security requirement (which will likely be a more important reason), or provide access only to websites which are necessary for the business. 

(3) To establish internal management systems, to formulate IT usage manuals and to provide routine trainings, which require that employees only use the networks in compliance with the PRC law requirements and that companies retain network operational logs according to the Cyber Security Law. As such, if an employee misuses VPN or the overseas connection to internet, the company will have a defense.

Author:

长按下图识别二维码关注我们

© 通力律师事务所

本微信所刊登的文章仅代表作者本人观点, 不代表通力律师事务所的法律意见或建议。我们明示不对任何依赖该等文章的任何内容而采取或不采取行动所导致的后果承担责任。如需转载或引用该等文章的任何内容, 请注明出处。