More on the Chinese Data Encryption Law - The Authority Will Be Involved in Password Management




#ChinaThreats #CryptographyLaw


China has passed a law that will regulate cryptography in the country for both government and private use when it takes effect on January 1st, 2020. The state will coordinate and guide data cryptography, as it is "an important strategic resource for a country."


The Cryptography Law proposed 44 measures, which revolve around "how to use passwords", "who manages passwords", and "how to manage passwords". The Cryptography Law classifies passwords into three categories: core passwords, ordinary passwords, and commercial passwords. Core passwords and ordinary passwords are "state secrets" used to protect state-level secret messages. Commercial passwords are used to protect messages that are not state secrets and can be used by Chinese citizens, legal persons and other organizations to protect networks and information security.


The purpose of the Cryptography Law is to regulate the application and management of passwords, promote the development of cryptography, safeguard network and information security, safeguard national security and public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations. It also emphasizes the Chinese Communist Party's leadership in the development of cryptography.


Governments at all levels and their relevant departments shall follow the principle of non-discrimination and treat equally all enterprises engaged in commercial password research, production, sales, service, import and export, including foreign-invested enterprises.


For commercial passwords, the law encourages research and development of commercial cryptographic technologies, academic exchanges, and the promotion of applications, in order to develop a unified, open, competitive, and orderly commercial cryptographic market system.


The password management department and relevant departments shall not require commercial password practitioners and commercial password detection and certification agencies to disclose password-related proprietary information, such as source code, to them. Authorities must strictly follow the confidentiality principle: they must not disclose or leak business secrets and personal privacy that they obtain in performing their duties.


(Editor's Note: It does not prohibit the Chinese State Authorities from using the password and business secrets.)


http://pc3mag.com/china-password-law-20200101/
