5

In this segment from an RT program with Rick Sanchez, published June 6th 2019, a person named James Jordan, from the Stanford U Hoover Institute, claims (03:20) that "Chinese government agencies have access by law and by right to all tech products made in China, whether sold abroad or not".

Assuming "access" means "after the product has been sold and its default password etc. changed, ability to monitor all activity on the device and copy any information passing through it" - is this claim true in principle? In practice?

einpoklum
  • Why do you think that this would never be mentioned in the public discussion if it were true? – FooTheBar Jun 07 '19 at 11:04
  • Does this ask if there's any legislation permitting this, or if there's some magical way for CGAs to access all devices without notice? – npst Jun 07 '19 at 11:43
  • @npst: Both, which is why I said both in principle and in practice. Of course, if you can only answer one of the questions that's already a good answer. – einpoklum Jun 07 '19 at 13:10
  • 1
    I cannot, but am still wondering. Would the FBI "cracking" an iPhone mean the US Gov has access to all iPhones? Is collecting massive data (as Google and Facebook do) enough access? Are you thinking of complete, back door like access ... ? – npst Jun 07 '19 at 14:51
  • @npst: 1. Not in the sense of my question, because that means it _needs_ a crack and can't just use the government-mandated back door. And by the way - IIANM Apple sends a copy of everything to the NSA anyways, like Microsoft, Google and Yahoo. 2. The collection by non-government entities who operate online services is not access 3. Yes - back, or front, door. – einpoklum Jun 07 '19 at 20:11
  • If you mean something like has patent submissions, that's believable. Other countries do. –  Jun 08 '19 at 05:48
  • @fredsbend: See edit. – einpoklum Jun 08 '19 at 06:26
  • Your definition of access, is that what they said or clearly mean? Can you quote the relevant part? –  Jun 08 '19 at 06:33
  • @fredsbend: It was clearly meant; just follow the link and hear for yourself. – einpoklum Jun 08 '19 at 06:52

1 Answer

4

They are presumably referring to the National Intelligence Law of 2017 that China passed. That law requires companies to assist the Chinese security services with surveillance and espionage. It's similar to laws in other countries such as the United States (National Security Letters via the Stored Communications Act) and United Kingdom (Regulation of Investigatory Powers Act).

So there is some legal basis for the Chinese government to be able to "access" Chinese products, in the sense that the manufacturer may be required to assist them in doing so by revealing encryption keys or installing backdoors, but there is little evidence that the law has ever been used. Also due to the design of many products it would be difficult, if not impossible to grant such access without it being quickly discovered and damaging the company's reputation.

For example, much has been made of Huawei's potential cooperation with the government, yet no evidence of access via this law has been presented. For what it's worth, Huawei claims that it would close down the company if legally required to provide access to Huawei products.

As such, the claim is technically correct in the terms it was stated. However, to answer your question, can the Chinese monitor and copy all information passing through the device, the answer is no. Even if it were technically possible, such massive and systematic exfiltration of data would be quickly discovered.

dont_shog_me_bro
  • First, +1. But - does that law mean Chinese companies need to install backdoors to their devices, in general? Or by request? Also, are these requirements secret? – einpoklum Jun 10 '19 at 12:19
  • 2
    @einpoklum It's by request only. And the request is probably unlikely to be "install a backdoor" because it would be found and exploited by other people too, as well as damaging the company's reputation. More likely it's for gaining access to cloud data stored in China, and providing technical assistance such as source code and schematics so that the spies can build their own tools. – dont_shog_me_bro Jun 10 '19 at 15:35
  • 2
    Hunh? [Exactly such](https://www.zdnet.com/article/researchers-find-backdoor-on-zte-android-phones/) a "phone home" exfiltration was _already_ alleged for Huawei and their bargain-basement competitor ZTE. (US cellphone operators aren't allowed to buy ZTE equipment.) – Andrew Lazarus Jun 12 '19 at 15:22
  • 1
    @AndrewLazarus Cisco products are full of backdoors too, like hard coded root accounts with fixed passwords. The question is, are they there due to incompetence or due to the government demanding them? – dont_shog_me_bro Jun 12 '19 at 15:39
  • 1
    @dont_shog_me_bro Let's keep it simple. Cisco isn't relevant, and I don't know whether their vulnerabilities are deliberate or careless. You made a statement about the ridiculousness of data exfiltration _that contradicts known facts._ (Whether such data was always sent or instead there is some way to turn it on and off, I haven't been able to check.) Your defense of the statement has led me to add a –1. – Andrew Lazarus Jun 12 '19 at 15:50
  • @AndrewLazarus The very fact that the backdoor was discovered and publicised, leading to reputational damage for ZTE proves my point, doesn't it? At the very least you would hope that the government would make more effort to hide it, like how the NSA does with deliberately broken cryptography. – dont_shog_me_bro Jun 12 '19 at 16:00
  • "like how the NSA does with deliberately broken cryptography" Still wasn't a good effort, if you're referring to the one I'm thinking of, cryptographers were immediately suspicious. To your point, in general, backdoors are easily discoverable and exploitable by those who they weren't intended for, and thus are very quick targets for discovery and exploitation. Though, that isn't a guarantee. – Jarrod Christman Jun 14 '19 at 13:47
  • 1
    It's understated in your answer, but effectively every government has such governmental programs in place. Due to its secrecy, it's hard to judge how active they are. So, it's more so the pot calling the kettle black. – Jarrod Christman Jun 14 '19 at 13:49