Tech companies should follow ‘Code of Conduct for Businesses Operating in Tibet’
Early this year, Microsoft concluded that Chinese authorities were responsible for hacking thousands of Hotmail accounts belonging to Tibetans and Uyghurs. The hacking occurred from 2009-2011 and involved forwarding e-mails the victim received to an e-mail account controlled by the attacker. At the time Microsoft decided not to inform the victims because it could not identify the source of the attacks. Microsoft has since changed its policy and will warn victims if their accounts are attacked. At about the same time that the Hotmail accounts were being hacked, activists using Gmail had their e-mail accounts targeted. Google was already wary censoring search results and decided to close its Chinese website. The latest revelations about the attacks demonstrate the importance for businesses, including tech companies, to follow the Code of Conduct for Businesses Operating in Tibet published by TCHRD last year.
In the time between the hacking and now there have been major changes for businesses operating in the People’s Republic of China. In 2012, Xi Jinping became the president of the PRC. Xi Jinping quickly consolidated his power and is now the most powerful and influential president since Deng Xiaoping, as president Xi Jinping has led a slide back to authoritarianism. Despite some long-awaited reforms, such as abolishing the one-child policy and launching a large anti-corruption campaign, Xi Jinping’s first four years are most notable for crackdowns on civil society and human rights activists. In 2015, the PRC arrested hundreds of human rights lawyers and their family members in 23 provinces. Simultaneously, the PRC launched a propaganda offensive by publishing stories attacking the lawyers and censoring search results so that only the critical articles could be found.
Technology companies began to recognise the importance of transparency as well. In 2011, the United Nations Guiding Principles prioritised businesses being able to “know and show” that they are not benefitting from human rights violations. A few years later, leaks by Edward Snowden revealed that technology companies had participated in eavesdropping by the United States’ National Security Agency (NSA). After this information became public, tech companies began publishing data about when a government requested information and whether the information was turned over to the government. The PRC responded to the Snowden leaks by accusing Google, Microsoft, Apple, Oracle, Intel, IBM, Qualcomm, and Cisco of infiltrating the PRC for the United States. It also began working on regulations that would require any company that provides technology to a critical sector to turn over source code, build surveillance backdoors into software and hardware, and submit to invasive audits.
The PRC’s demands built upon the existing censorship regime, which requires companies to censor search results and block specific web pages and URLs. None of these requirements are announced in transparency reports. This reveals a flaw in the transparency reports. By only emphasising when a government has followed legal procedures to request information, the transparency reports shift the emphasis away from reporting on threats to human rights. As a result, restrictions by governments of the rights to privacy, freedom of expression, and freedom of assembly can be restricted without being covered in the transparency reports. In the PRC this is a particular problem because so much of the censorship is left to individual companies, who are only told if they allow restricted information. As a result, companies may end up being overly restrictive. In 2014, Microsoft was censoring at least 139 terms, 329 webpages that are never shown to Chinese users, and 1,593 URLs. This was particularly important because Great Fire began searching what was blocked only after Microsoft refused to release a transparency report and because the censorship went beyond censorships by Chinese search engines, like Baidu.
Despite the risks, tech companies have continued to do business in the PRC because of the commercial benefit. The PRC is the second largest economy in the world. There are 668 million internet users in China, which is more than double the total population of the United States. Of these internet users, 88.9% used smartphones to access the internet. To tap into this market, Google is working to create an app store for Android devices that would include only government-approved apps. This may be a response to Apple making US$18.37 billion, just under a quarter of its total revenue, in “greater China,” which includes Taiwan, Hong Kong and Macau. However, the lack of transparency that defines internet access in the PRC also includes its economy and the economic data coming from the PRC is not reliable. After relying on growth in the PRC Apple was forced to forecast its first drop in revenue in 13 years in late January 2016.
For tech companies hoping to work in the PRC they must do things to ensure they do not benefit from or contribute to human rights violations. At a minimum, businesses must ensure that they can show they are not contributing to human rights violations. This includes publishing information about blocked search term and attempts to hack into e-mail accounts. It is not enough for companies to simply trust the government and they should ensure that pages they link to and apps they carry cannot be used to further government spying.
Some tech companies have already implemented some measures to ensure that pages they link to cannot be used maliciously. The China Internet Network Information Centre (CNNIC) was issuing unauthorized certificates for Google domain names. Those pages can be used for man-in-the-middle attacks, which enable eavesdropping or installing viruses on computers that visit the fake web page. After news of the unauthorized certificates broke, Google, Mozilla, and Apple all refused to accept any certificates issued by the CNNIC.
Apple and Android already perform checks to ensure that apps do not contain any malware. However, these checks have not blocked WeChat or other apps that have been used for surveillance in Tibet. TCHRD has reported on cases where Tibetans have been arrested for exercising human rights. In March 2015, Lobsang Dawa was arrested for possessing banned information on WeChat. While the specific information is not known, in the past banned information has included teaching by the Dalai Lama or the Tibetan Flag.
As the PRC continues to expand its surveillance of Tibetans and others, tech companies must ensure that they do not contribute to human rights violations. TCHRD urges tech companies to adopt the Code of Conduct and ensure that they are transparent about threats to user’s privacy and efforts at censorship.