China’s controversial product supplier pledge: An “on the ground” view from the Far East.

The business world is abuzz about the latest moves by China to regulate the behavior of U.S. and other foreign companies that choose to do business in that country.  What’s the real skinny?

While much of the reporting and commentary has been decidedly scant on details, we can actually take a look at the official document that contains the various provisos the Chinese government is intending to impose on foreign companies.

Ostensibly, the declaration is aimed at “protecting user security.” Here are the six provisions that make up the declaration:

Information Technology Product Supplier Declaration of Commitment to Protect User Security

Our company agrees to strictly adhere to the two key principles of “not harming national security and not harming consumer rights” and hereby promises to:

#1.  Respect the user’s right to know. To clearly advise users of the scope, purpose, quantity, storage location, etc. of information collected about the user; and to use clear and easy-to-understand language in the user agreement regarding policies and details of protecting user security and privacy.

#2.  Respect the user’s right to control. To permit the user to determine the scope of information that is collected and products and systems that are controlled; to collect user information only after openly obtaining user permission, and to use collected user information to [sic] the authorized purposes only.

#3.  Respect the user’s right to choice. To allow the user to agree, reject or withdraw agreement for collection of user information; to permit the user to choose to install or uninstall non-essential components; to not restrict user selection of other products and services.

#4.  Guarantee product safety and trustworthiness. To use effective measures to ensure the security and trustworthiness of products during the design, development, production, delivery and maintenance processes; to provide timely notice and fixes upon discovery of security vulnerabilities; to not install any hidden functionalities or operations the user is unaware of [sic] within the product.

#5.  Guarantee the security of user information. To employ effective measures to guarantee that any user information that is collected or processed isn’t illegally altered, leaked, or used; to not transfer, store or process any sensitive user information collected within the China market outside China’s borders without express permission of the user or approval from relevant authorities.

#6.  Accept the supervision of all parts of society. To promise to accept supervision from all parts of society, to cooperate with third-party institutions for assessment and verification that products are secure and controllable and that user information is protected etc. to prove actual compliance with these commitments.

Often with China, there are “official” pronouncements … and then there’s what’s “really” going on behind the curtain.

So to find out the real skinny, I decided to ask my brother, Nelson Nones, who has lived and worked in East Asia for years.  Since Nelson’s business activities take him to China and all of the other key Asian economies on a regular basis, I figured that his perspectives would be well-grounded and worth hearing.  Here’s Nelson’s take:

Points 1 through 3 are fundamentally no different from the provisions of personal data protection laws already on the books in the 27 member states of the European Union, plus Australia, Hong Kong, Iceland, India, Japan, South Korea, Liechtenstein, Macau, Malaysia, New Zealand, Norway, Singapore, the Philippines, Taiwan and some U.S. states.  Nor do they materially differ from privacy policy best practices — so I would not see these as particularly onerous or unreasonable.

The key difference is that these points are not enshrined in law in Mainland China, so compliance is voluntary at the moment (as it was in Singapore until 2013) – presumably binding on only those companies that sign this declaration. 

News reports also indicate that China has asked only American technology companies to sign its Declaration of Commitment, implying that domestic Chinese companies aren’t necessarily held to the same standards — although if this is truly the case, it might actually put Chinese companies at a competitive disadvantage by enhancing the appeal of American technology products to discerning Chinese users.

Point 4 doesn’t generally fall within the scope of existing personal data protection laws, but in my view its provisions fall well within the QA and warranty commitments that any legitimate technology company should be prepared to make in today’s competitive environment.

Comparing Point 5 with legislation currently in force within the European Union, Australia, Hong Kong, Iceland, India, Japan, South Korea, Liechtenstein, Macau, Malaysia, New Zealand, Norway, Singapore, the Philippines, Taiwan and some U.S. states, this point lacks some really key definitions, including:  

  • Who exactly is a “data subject” who is entitled to personal (i.e. user) data protection?
  • Who exactly is the “data controller” who owns the user information that is being collected or processed?
  • Who might be the “data processor” who stores and/or processes user information on behalf of the “data controller”?

The legislation and regulations I’ve reviewed in this realm provide very explicit (and varied) definitions of these entities. Unlike China’s Declaration of Commitment, for instance, the E.U. Data Protection Directive allows “data controllers” or “data processors” to transfer user data outside the E.U., as long as the country where the data is transferred protects the rights of “data subjects” as much as the E.U.

It also defines which “data controllers” and “data processors” must comply with E.U. law, based on whether or not they store or process personal information within the E.U., or operate within the E.U. (regardless of where the data is actually stored or processed).

The requirement to keep sensitive user information within China’s borders, in the absence of permission from users or “relevant authorities” to transfer, store or process it elsewhere, could also be seen as an attempt by the Chinese government to enlist the help of American technology companies in circumventing the U.S. government’s ongoing Internet data-gathering programs.

If this attempt succeeds, it might further enhance the appeal of American technology products to discerning Chinese users. 

Point 6 is garnering the most headlines in the West because of the implied threat that cooperating with “third-party institutions for assessment and verification … to prove actual compliance with these commitments” could mean being forced to reveal source code or encryption algorithms.  

However, in classic Chinese style, none of that is actually spelled out. 

A little history about this: Over the past decade, the Chinese government has put forward various proposals for controlling IT – and then abruptly withdrawn them in the face of domestic as well as global criticism. Here are two:

As for implications, China’s Declaration of Commitment shouldn’t have significant impact on companies that aren’t in the consumer IT market.  At best, its first five points could potentially improve the competitiveness of American IT products in the Chinese market.

However, I would advise any tech companies that may be wondering what to do, to sit on their hands for a while. Law in China is always a “work in progress,” so the safest bet is to wait for that “progress” for as long as possible.

So there you have it – the view from someone who is smack in the middle of the business economy in East Asia. If you have your own perspectives to share on the topic, I’m sure other readers would be interested to hear them as well.

Internet Properties: No Longer an American Monopoly

The amount of translated content is also showing big-time growth.

According to an analysis by venture capitalist and Internet industry specialist Mary Meeker, in 2013 nine of the ten top global Internet properties were U.S.-based.

For the record, they were as follows (in order of ranking):

  • Google
  • Microsoft
  • Facebook
  • Yahoo
  • Wikipedia
  • Amazon
  • Ask
  • Glam Media
  • Apple

Only China-based Tencent cracked the Top Ten from outside the United States — and it just barely made it in as #10 in the rankings.

And yet … the same Top 10 Internet properties had nearly 80% of their users located outside America.

With such a disparity between broad-based Internet usage and concentrated Internet ownership, the picture was bound to change.

And boy, has it changed quickly:  Barely a year later — as of March 2014 — the Top 10 listing now contains just six American-based companies.

Ask, Glam Media and Apple have all fallen off the list, replaced by three more China-based properties:  Alibaba, Baidu and Sohu.

Paralleling this trend is another one:  a sharp increase in the degree to which businesses are providing content in multiple languages.

For websites that offer some form of translated content, half of them are offering it in at least six languages.  That’s double the number of languages that were being offered a year earlier.

And for a quarter of these firms, translated content is available in 15 or more languages.

What are the most popular languages besides English?  Spanish, French, Italian and German are popular — not a great surprise there.  But other languages that are becoming more prevalent include Portuguese, Chinese, Japanese and Korean.

In fact, the average volume of translated content has ballooned nearly 90% within just the past year.

The growing accuracy of computer-based translation modules — including surprisingly good performance in “idiomatic” language — is certainly helping the process along.

Moreover, when a major site like Facebook reports that its user base in France grew from 1.4 million to 2.4 million within just three months of offering its French-language site, it’s just more proof that the world may be getting smaller … but native language still remains a key to maximizing business success.

It’s one more reminder that for any company which hopes to compete in a transnational world, offering content in other languages isn’t just an option, but a necessity in order to build and maintain a strategic advantage.

The “Snowden Effect”: The U.S. cloud computing industry is getting hammered.

I’ve blogged before about the fallout from the Edward Snowden affair and its effects on the U.S. cloud computing industry.

In fact, back in the summer of 2013 I read an interesting thought piece published by my brother, Nelson Nones, Chairman of Geoprise Technologies.  His experiences as an IT specialist who has lived and worked outside the United States for two decades have made him particularly sensitive to what the international implications of the Snowden revelations may be.

In his 2013 analysis, he claimed that the NSA spying revelations would likely have serious consequences for the cloud computing industry.  As he wrote at the time:

“… these threats will be perceived to be so serious that many businesses could decide to abandon the use of cloud computing services going forward — or refuse to consider cloud computing at all — because they bear full responsibility for compliance yet now realize that they have little or no ability to control the attendant non-compliance risks when utilizing major cloud services providers.  

Out front: Geoprise Technologies' Nelson Nones was among the first to warn about the negative consequences of NSA surveillance programs on the U.S. cloud computing industry.

In view of recent revelations, the tantalizing cost savings and efficiencies from cloud computing may be overwhelmed by the financial, business continuity and reputational risks.”

And his prediction as to what would likely happen as a result if these concerns played out in the market was even more chilling:

“Revenues and profits of U.S.-based service providers will suffer to the extent that businesses of every nationality abandon the public cloud computing services they are now using, or refuse to consider public cloud computing services offered by U.S.-based providers, in response to the heightened customer risks that have now been revealed.”

Shortly thereafter, I began to notice similar writings back here in the United States – in particular those by members of the Information Technology & Innovation Foundation (ITIF), a DC-based think tank focusing on technology policies.  It projected that the U.S. cloud computing industry would forfeit somewhere between $22 billion and $35 billion in lost business as a result of the NSA-related revelations.

For anyone keeping score, that’s between 10% and 20% of the worldwide cloud computing market.

And now, one year later, the full scope of the impact is being realized.  New America Foundation, a not-for-profit, non-partisan organization focusing on public policy issues, released a report this past week which outlines the impact of Snowden’s NSA revelations.

Here are just two examples of the findings it published:

  • Within days of the first NSA revelations, cloud computing services such as Dropbox and Amazon Web Services reported measurable sales declines.
  • Qualcomm, IBM, Microsoft, HP, Cisco and others have reported sales declines in China – as much as a 10% drop in overall revenue.

Not only that, foreign governments are giving U.S. tech firms a wide berth when it comes to contracting for a range of products and services that go well beyond cloud computing.

Among the casualties:  The German government ended its contract with Verizon as of June … while the Brazilian government selected Swedish-based Saab over Boeing in a contract to replace fighter jets.

In the current environment of security jitters, it’s much easier for foreign competitors to portray themselves as “NSA-proof” — and the “safer choice” for protecting sensitive information.

And unambiguous comments like this one made by Germany’s Interior Minister Hans-Peter Friedrich just add fuel to the fire:

“Whoever fears their communication is being monitored in any way should use services that don’t go through American servers.”

Even more ominous, a number of countries are debating – and indeed close to enacting – new legislation that would require companies doing business within their borders to use local data centers.

Sure, some of the countries – Vietnam, Brunei, Greece – aren’t overly significant players in the grand scheme of things.  But others certainly are; Brazil and India aren’t inconsequential markets by any measure.

In all, the New America Foundation report forecasts that the fallout from the NSA’s PRISM program will cost cloud-computing companies multiple billions in lost revenues – from $20 billion on the low end to nearly $200 billion on the high end.

This, plus the collateral damage of lost contracts involving ancillary and even unrelated tech services and manufactured products, may result in a contraction of the U.S. tech industry’s growth by as much as 4% — not to mention seriously undermining the United States’ credibility around the world.

Isn’t that just what America needs to have right now:  international credibility problems not only in the political sphere, but also in the economic one?

Unfortunately, what I wrote in my blog post a year ago still stands true today:  “OK, U.S. government and administration officials:  Have fun unscrambling this egg!”

Expect Stormy Weather for the U.S. Cloud Computing Industry

My brother, Nelson Nones, has lived and worked outside the United States for years.  From his vantage point “outside looking in,” I find that his perspectives on U.S. socio-political developments are often somewhat different from the conventional thinking here at home.

This was clearly evident when the news broke in early June about the National Security Agency (NSA) surveillance of e-mail and other digital content.  Within just a couple of days, Nelson had penned a thought piece on the implications of these revelations on the cloud computing industry.

In his view, the NSA revelations are likely to have numerous serious implications.  As he states in his analysis:

“… these threats will be perceived to be so serious that many businesses could decide to abandon the use of cloud computing services going forward — or refuse to consider cloud computing at all — because they bear full responsibility for compliance yet now realize that they have little or no ability to control the attendant non-compliance risks when utilizing major cloud services providers. 

In view of recent revelations, the tantalizing cost savings and efficiencies from cloud computing may be overwhelmed by the financial, business continuity and reputational risks.”

Out front: Geoprise Technologies was among the first to warn about the negative consequences of NSA surveillance programs on the U.S. cloud computing industry.

You can read Nelson’s full article on his company’s website, Geoprise Technologies Corporation.

I wondered how long it would take for these views to gain traction here in the United States.

It didn’t take long at all.  In fact, the Information Technology & Innovation Foundation, a Washington, DC-based think tank focusing on technology policies, released a report a few days ago in which it projects the U.S. cloud computing industry to forfeit between $22 billion and $35 billion in lost business as a result of the revelations about the NSA’s electronic surveillance programs.

That represents between 10% and 20% of a cloud computing market that is expected to be a $207 billion industry by 2016 – revenues which are likely to be sucked up by European and Asian companies instead.

The ITIF report warns that the NSA’s surveillance programs “will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweighs the benefit.”

The implications are huge because up until now, the United States has been the acknowledged leader in cloud computing usage and innovation, even as other countries have tried to play catch-up.

The ITIF report has garnered the attention of the business press — big time.  The Guardian has published a story as has the Financial Times.  The story has leached into general news and opinion sites as well, such as The Daily Kos — and others are sure to follow suit.

All of this is a pretty major deal because the cloud computing industry represents one of the fastest growing sectors of the digital communications market.  Global spending on cloud computing is anticipated to grow by 100% between 2012 and 2016.

That compares to growth of only about 3% for the global IT market as a whole.

And in case people are thinking that the ITIF report might be unduly alarmist … it appears that the giant sucking sound of cloud computing business going elsewhere has already begun to happen.

Some U.S. tech companies are reporting that they’ve already lost customers, as concerns mount over the NSA’s PRISM program that lets the federal government tap into user information and e-mails held by Internet companies.

The Cloud Security Alliance, a coalition of industry practitioners, corporations, associations and other key stakeholders whose mission is to promote the use of best practices in providing security assurance within the cloud computing field, conducted a survey in June and July of companies located outside the U.S.  That survey found that ~56% of the responding companies are now less likely to use a U.S.-based cloud computing service, thanks to the NSA’s spying program.

One out of ten respondents reported that they have already canceled contracts with U.S. companies.  And that’s only within the past few weeks.

Meanwhile, non-U.S. players in the cloud computing market must surely be laughing all the way to the bank.  For example, Artmotion, the largest hosting company in Switzerland, reported a ~45% increase in revenue within just the first month after Edward Snowden’s release of details about the PRISM program.

To be sure, Europeans are wasting no time weighing in on the messy situation the American cloud computing industry suddenly faces.  Neelie Kroes, European Commissioner for Digital Affairs, had this to say:

“If European cloud customers cannot trust the United States government, then maybe they won’t trust U.S. cloud providers either.  If I am right, there are multibillion-euro consequences for American companies.  If I were an American cloud provider, I would be quite frustrated with my government right now.”

Germany’s Interior Minister Hans-Peter Friedrich was even more blunt:

“Whoever fears their communication is being monitored in any way should use services that don’t go through American servers.”

What are the companies that fear their communications are being monitored, as Mr. Friedrich posits?  Pretty much all of the bigger ones, I’d think.

OK, U.S. government and administration officials:  Have fun unscrambling this egg!