China enacted a sweeping new data privacy law on August 20 that will dramatically impact how tech companies can operate in the country. Officially called the Personal Information Protection Law of the People’s Republic of China (PIPL), the law is the first national data privacy statute passed in China.
Modeled after the European Union’s General Data Protection Regulation, the PIPL imposes protections and restrictions on data collection and transfer that companies both inside and outside of China will need to address. It is particularly focused on apps using personal information to target consumers or offer them different prices on products and services, and preventing the transfer of personal information to other countries with fewer protections for security.
The PIPL, slated to take effect on November 1, 2021, does not give companies a lot of time to prepare. Those that already follow GDPR practices, particularly if they’ve implemented it globally, will have an easier time complying with China’s new requirements. But firms that have not implemented GDPR practices will need to consider adopting a similar approach. In addition, U.S. companies will need to consider the new restrictions on the transfer of personal information from China to the U.S.
Implementation and compliance with the PIPL is a much more significant task for companies that have not implemented GDPR principles.
Here’s a deep dive into the PIPL and what it means for tech firms:
New data handling requirements
The PIPL introduces perhaps the most stringent set of requirements and protections for data privacy in the world (this includes special requirements relating to processing personal information by governmental agencies that will not be addressed here). The law broadly relates to all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, but excludes anonymized information.
The following are some of the key new requirements for handling people’s personal information in China that will affect tech businesses:
Extra-territorial application of the China law
Historically, China regulations have only been applied to activities inside the country. The PIPL is similar in applying the law to personal information handling activities within Chinese borders. However, similar to GDPR, it also expands its application to the handling of personal information outside China if the following conditions are met:
- Where the purpose is to provide products or services to people inside China.
- Where analyzing or assessing activities of people inside China.
- Other circumstances provided in laws or administrative regulations.
For example, if you are a U.S.-based company selling products to consumers in China, you may be subject to the China data privacy law even if you do not have a facility or operations there.
Data handling principles
The PIPL introduces principles of transparency, purpose and data minimization: Companies can only collect personal information for a clear, reasonable and disclosed purpose, and to the smallest scope for realizing the purpose, and retain the data only for the period necessary to fulfill that purpose. Any information handler is also required to ensure the accuracy and completeness of the data it handles to avoid any negative impact on personal rights and interests.
For many players these days, the video game industry’s increasing reliance on online connections is an afterthought. But for the significant portion of the world without a quality Internet connection, it can sometimes feel like the game industry at large is leaving them behind.
Pointing out the frustration of large day-one updates has been a feature of the gaming industry for more than a decade now. The topic perhaps reached its global breakthrough with the November 13 announcement that the Xbox One would require a day-one update to function. More recently, the Xbox Series X requires a one-time online check-in before some disc-based games will work.
Both Sony and Microsoft also introduced disc-drive-free options for their latest consoles, perhaps presaging the day when those drives are gone from consoles for good. And that’s not even mentioning the many multiplayer games that require a strong online connection for a reasonable play experience or the offline games that require not only day-one updates, but sometimes months of patching and downloadable fixes before they begin to resemble the product which consumers had hoped for.
Scientists have known for decades that an extreme solar storm, or coronal mass ejection, could damage electrical grids and potentially cause prolonged blackouts. The repercussions would be felt everywhere from global supply chains and transportation to Internet and GPS access. Less examined until now, though, is the impact such a solar emission could have on Internet infrastructure specifically. New research shows that the failures could be catastrophic, particularly for the undersea cables that underpin the global Internet.
At the SIGCOMM 2021 data communication conference on Thursday, Sangeetha Abdu Jyothi of the University of California, Irvine presented “Solar Superstorms: Planning for an Internet Apocalypse,” an examination of the damage a fast-moving cloud of magnetized solar particles could cause the global Internet. Abdu Jyothi’s research points out an additional nuance to a blackout-causing solar storm: the scenario where even if power returns in hours or days, mass Internet outages persist.
A large chunk of the internet dropped offline on Thursday. Some of the most popular sites, apps and services on the internet were down, including UPS and FedEx (which have since come back online), Airbnb, Fidelity, and others are reporting Steam, LastPass, and the PlayStation Network are all experiencing downtime.
Many other websites around the world are also affected, including media outlets in Europe.
What appears to be the cause is an outage at Akamai, an internet security giant that provides networking and content delivery services to companies. At around 11am ET, Akamai reported an issue with its Edge DNS, a service that’s designed to keep websites, apps and services running smoothly and securely.
DNS services are critically important to how the internet works, but are known to have bugs and can be easily manipulated by malicious actors. Companies like Akamai have built their own DNS services that are meant to solve some of these problems for their customers. But when things go wrong or there’s an outage, it can cause a knock-on effect to all of the customer websites and services that rely on it.
Akamai said it was “actively investigating the issue,” but when reached a spokesperson would not say if its outage was the cause of the disruption to other sites and services that are currently offline. Akamai would not say what caused the issue but that it was already in recovery.
“We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations. We will continue to monitor to ensure that the impact has been fully mitigated,” Akamai told TechCrunch.
It’s not the first time we’ve seen an outage this big. Last year Cloudflare, which also provides networking services to companies around the world, had a similar outage following a bug that caused major sites to stop loading, including Shopify, Discord and Politico. In November, Amazon’s cloud service also stumbled, which prevented it from updating its own status page during the incident. Online workspace startup Notion also had a high-profile outage this year, forcing the company to turn to Twitter to ask for help.
The General Services Administration has denied a senator’s request to review documents Zoom submitted to have its software approved for use in the federal government.
The denial was in response to a letter sent by Democratic senator Ron Wyden to the GSA in May, expressing concern that the agency cleared Zoom for use by federal agencies just weeks before a major security vulnerability was discovered in the app.
Wyden said the discovery of the bug raises “serious questions about the quality of FedRAMP’s audits.”
Zoom was approved to operate in government in April 2019 after receiving its FedRAMP authorization, a program operated by the GSA that ensures cloud services comply with a standardized set of security requirements designed to toughen the service from some of the most common threats. Without this authorization, federal agencies cannot use cloud products or technologies that are not cleared.
Months later, Zoom was forced to patch its Mac app after a security researcher found a flaw that could be abused to remotely switch on a user’s webcam without their permission. Apple was forced to intervene since users were still affected by the vulnerabilities even after uninstalling Zoom. As the pandemic spread and lockdowns were enforced, Zoom’s popularity skyrocketed — as did the scrutiny — including a technical analysis by reporters that found Zoom was not truly end-to-end encrypted as the company long claimed.
Wyden wrote to the GSA to say he found it “extremely concerning” that the security bugs were discovered after Zoom’s clearance. In the letter, the senator requested the documents known as the “security package,” which Zoom submitted as part of the FedRAMP authorization process, to understand how and why the app was cleared by GSA.
The GSA declined Wyden’s first request in July 2020 on the grounds that he was not a committee chair. In the new Biden administration, Wyden was named chair of the Senate Finance Committee and requested Zoom’s security package again.
But in a new letter sent to Wyden’s office late last month, GSA declined the request for the second time, citing security concerns.
“GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.” Sen. Ron Wyden (D-OR)
“The security package you have requested contains highly sensitive proprietary and other confidential information relating to the security associated with the Zoom for Government product. Safeguarding this information is critical to maintaining the integrity of the offering and any government data it hosts,” said the GSA letter. “Based on our review, GSA believes that disclosure of the Zoom security package would create significant security risks.”
In response to the GSA’s letter, Wyden told TechCrunch that he was concerned that other flawed software may have been approved for use across the government.
“The intent of GSA’s FedRAMP program is good — to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software. But it’s vitally important that whichever agency conducts the review do so thoroughly,” said Wyden. “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”
Of the people we spoke with who have first-hand knowledge of the FedRAMP process, either as a government employee or as a company going through the certification, FedRAMP was described as a comprehensive but by no means an exhaustive list of checks that companies have to meet in order to meet the security requirements of the federal government.
Others said that the process had its limits and would benefit from reform. One person with knowledge of how FedRAMP works said the process was not a complete audit of a product’s source code but akin to a checklist of best practices and meeting compliance requirements. Much of it relies on trusting the vendor, said the person, describing it like ” an honor system.” Another person said the FedRAMP process cannot catch every bug, as evidenced by executive action taken by President Biden this week aimed at modernizing and improving the FedRAMP process.
Most of the people we spoke to weren’t surprised that Wyden’s office was denied the request, citing the sensitivity of a company’s FedRAMP security package.
The people said that companies going through the certification process have to provide highly technical details about the security of their product, which if exposed would almost certainly be damaging to the company. Knowing where security weaknesses might be could tip off cyber-criminals, one of the people said. Companies often spend millions on improving their security ahead of a FedRAMP audit but companies wouldn’t risk going through the certification if they thought their trade secrets would get leaked, they added.
When asked by GSA why it objected to Wyden’s request, Zoom’s head of U.S. government relations Lauren Belive argued that handing over the security package “would set a dangerous precedent that would undermine the special trust and confidence” that companies place in the FedRAMP process.
GSA puts strict controls on who can access a FedRAMP security package. You need a federal government or military email address, which the senator’s office has. But the reason for GSA denying Wyden’s request still isn’t clear, and when reached a GSA spokesperson would not explain how a member of Congress would obtain a company’s FedRAMP security package
“GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations,” said GSA spokesperson Christina Wilkes, adding:
“GSA works closely with private sector partners to provide a standardized approach to security authorizations for cloud services through the [FedRAMP]. Zoom’s FedRAMP security package and related documents provide detailed information regarding the security measures associated with the Zoom for Government product. GSA’s consistent practice with regard to sensitive security and trade secret information is to withhold the material absent an official written request of a congressional committee with jurisdiction, and pursuant to controls on further dissemination or publication of the information.”
GSA wouldn’t say which congressional committee had jurisdiction or whether Wyden’s role as chair of the Senate Finance Committee suffices, nor would the agency answer questions about the efficacy of the FedRAMP process raised by Wyden.
Zoom spokesperson Kelsey Knight said that cloud companies like Zoom “provide proprietary and confidential information to GSA as part of the FedRAMP authorization process with the understanding that it will be used only for their use in making authorization decisions. While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”
Zoom said it has “engaged in security enhancements to continually improve its products,” and received FedRAMP reauthorization in 2020 and 2021 as part of its annual renewal. The company declined to say to what extent the Zoom app was audited as part of the FedRAMP process.
Over two dozen federal agencies use Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection, and the Executive Office of the President.