This post was written in response to a provocative article by Susan Hennessey and Christopher Mirasola on the Lawfare Blog, entitled “Did China Quietly Authorize Law Enforcement to Access Data Anywhere in the World?”
When first released, the document was fairly controversial in China, because it mentioned that social media content could be used as criminal evidence. What most readers didn’t understand was that this was already true, and that the Regulation wasn’t authorizing carte blanche collection of such evidence, but was only clarifying that such information was subject to the procedural safeguards and rules for admission of electronic evidence found in the remainder of the Regulation. Now, a new controversy about the Regulation is arising outside of China, with some suggesting that the law quietly authorizes Chinese authorities to search electronic data beyond the nations’ borders. As with the initial controversy, a more careful reading and understanding of the Regulation’s purpose and background shows that the document is probably being misunderstood again. The document is not really concerned with authorizing conduct, as much as procedures for how existing powers are to be carried out.
These potential misunderstandings come from viewing the Regulation out of context and without necessary background, so before getting to the specific offending provisions, let’s go over a few basics.
To be admitted, all evidence in China must be relevant and fall within one of the specific categories listed in China’s core procedural laws for Criminal, Civil, and Administrative litigation. Generally speaking, this means it must be characterized as physical evidence, documentary evidence, testimony, statements, forensic evaluations, or investigation records/identifications. Only in the most recent revisions of the procedural laws was electronic data officially added as an independent category of admissible evidence, although it was already being admitted before as part of other categories. Debate has continued however, about the scope of electronic data, and how to guarantee its authenticity and credibility. The new Regulation is a welcome step forward in creating a uniform basis for resolving these issues for all criminal cases.
The Regulation’s first major contribution is providing a broad, open-ended, but clear definition of ‘electronic data’. The very first article provides that pretty much anything created, stored, processed or transmitted digitally is covered, including texts, emails, programs, movies, web pages and so on. It cautions, however, that other forms of traditional evidence, like confessions and witness statements, don’t need to be treated differently just because they were recorded and now have a digital version.
More importantly, the Regulation provides concrete rules for investigators on how to collect and preserve electronic data so as to better ensure its integrity and authenticity. One of the biggest concerns with electronic information is that it is more easily altered, and that any modifications might be harder to detect than in physical items. This means that maintaining clear records on how and where the information was gathered, and the chain of custody over it from collection through its use as evidence against a defendant, are critical to ensuring its authenticity.
Examples of some of the Regulation’s key provisions in this regard include requiring two or more investigators to collect or extract electronic data (reducing opportunity for corruption and abuse), and requiring that they keep detailed documentation of the evidence gathering process, even videotaping the full investigation when possible.
The Regulation also requires that the original storage media containing the data be seized and sealed in such a way that it cannot connect with networks or be altered through any other means. With other forms of evidence, like documents and physical objects, China uses a form of the ‘best evidence rule’ meaning there is a strong preference for having the original, rather than a copy, presented at court. The requirement for requiring a clear chain of custody over the physical storage medium may reflect this long-standing practice even though technical guarantees of the data’s integrity could likely be effective.
The preference for original storage media, however, is just that- a preference. “Best Evidence Rules” tend to have a number of exceptions for situations where bringing in an original isn’t practical and there are other guarantees that the evidence is being accurately presented at court. The classic example is a roadside billboard- far too large for anyone to bring in to court- and a photograph of it, duly authenticated, is unlikely to raise too many concerns of misrepresentation.
Similarly, the Regulation contains a number of situations where electronic data may be extracted if the original media cannot be seized and sealed. These include inconvenience (remember the billboard), that there was no storage media (such as for a transmission), and where the original storage media is outside of mainland China and difficult for investigators to get to.
Article 9: In any of the following circumstances, where there is no way to seize the original storage medium, electronic data may be extracted, but the reasons why the original storage medium could not be seized shall be noted in the record, along with circumstances such as the original storage medium’s location or the source of the electronic data, and integrity check value computed for the electronic data: …
(3) the original storage media is located outside mainland China;
This language doesn’t expand the power to gather evidence in a criminal investigation; but lays out the procedures and best practices by which electronic evidence should be gathered to ensure its authenticity and integrity. “Extraction” here is meant to indicate saving the data to something other than the original storage media. Nothing here authorizes otherwise impermissible searches of, trespasses, or monitoring of computers; it simply waives the requirement of sealing the original storage media.
Looking at the surrounding provisions shows that the purpose of this language is about the form of the electronic data for use as evidence, as opposed to bestowing new powers to access to foreign systems.
- Article 8, provides the general rule requiring that the original storage media be seized.
- Article 9 provides the exceptions to that rule where there is no way to seize the original media, and adds procedural requirements to for explaining the absence of the original media and ensure the data’s integrity through technical means.
- Article 10 provides a final, least-ideal alternative, allowing that a photograph or printout of data may be provided where for some reason the original can’t be collected and the data can’t be extracted.
The three articles 8-10, clearly provide a hierarchy of the ways in which electronic evidence may be collected and reliably preserved for trial: sealed original media > data extracted onto other media > printouts or photos. This isn’t granting a new power for investigators to rifle through foreign storage media, it simply provides that the stringent requirement of having the original storage media should be waived when that media is overseas.
It’s worth mentioning that this portion of Article 9 is largely incorporating Article 15 of a 2014 document on handling electronic evidence in internet crimes that contains the exact same exception to original media requirements for overseas media. This new Regulation has many portions that are simply aggregating earlier rules on electronic evidence which were scattered across several judicial interpretations and normative documents.
Article 9’s list of exceptions to the original storage media requirement are followed by two additional clauses, one of which mentions overseas data, and both of which have further fueled concerns about overseas data security:
Electronic data for which the original storage medium is outside the mainland or which is on a remote computer information system, may be extracted online through the networks.
When necessary to further verify circumstances through investigation, remote inspections may be conducted of remote computer information systems. Where it is necessary to employ technical investigation measures to conduct remote inspections, strict approval formalities shall be carried out in accordance with law
Read in total isolation, it is understandable that someone might think the first paragraph is authorizing exploration into even secured overseas devices and databases to extract information. In light of the discussion above however, we know that the Regulation is concerned with the best method of acquiring and preserving data, and that “extraction” here means only copying data onto other media. The focus on this sentence is not about allowing copying (extraction), which was already provided for in the first part of article 9 discussed above, but is on adding that the extraction may be done online and remotely – rather than the preferred method of duplicating directly from the original source medium. Like most of this Regulation, the emphasis is on protecting the integrity and authenticity of the data, which is arguably further risked and harder to establish when the collection was done online.
The second of these two paragraphs does not mention overseas devices, but mentions remote inquiries to remote computer information systems. Given that the preceding paragraph applied to data for which the original storage media is overseas “OR” remote computer information systems, there is a strong argument that this paragraph has intentionally left out overseas storage media, excluding it from coverage. The two categories are not necessarily mutually exclusive, however, so it’s worth looking more closely.
The phrase “remote inquiries” previously appeared in a legal document in this context in 2015’s Rules for Crime Scene Investigation and Review of Electronic Data of Computer Crimes [计算机犯罪现场勘验与电子证据检查规则] , released by the Ministry of Public Security. There it was defined as carrying out inquiries through the networks so as to extract and fix the status and stored electronic data of remote systems. In the Regulation, the phrasing is largely the same, allowing for “investigation of a remote computer system, to discover or extract data related to the crimes… .to provide leads and evidence for criminal proceedings.” Like the Regulation, that document did not really grant new authority so much as explain how powers included in the Criminal Procedural Law were to be carried out, to ensure the reliability of evidence.
“Technical investigation measures” is also a term of art in Chinese criminal procedure, and the subject of Criminal Procedure Law Part II, Chapter II, Section 8. The section was added in 2012 revisions and is generally understood as including certain ‘covert measures’ for evidence gathering, such as undercover ‘moles’, ‘wiretapping’, and the like. Police may use such tactics only in “cases of crimes that endanger national security, terrorist activities, mafia-type organization crimes, major drug crimes, or other crimes that seriously endanger society”, and Procuratorate can use them when investigating major corruption offenses. As is repeated in the Regulation, these special investigative powers are always subject to ‘strict approval procedures’ (Crim Proc Law Article 148). Their use requires special approvals, but these are given within the police forces.
This final paragraph of article 9, mentioning the use of “technical investigation measures” in “remote network inquiries” is thus absolutely envisioning the use of covert methods to access remote information systems from afar. That does not automatically equate to Chinese authorities assuming the authority to hack into foreign devices and networks any more than the Criminal Procedure Law’s limited authorization of wire-tapping allows for carte blanche wire-tapping overseas, but is probably aimed at cross-jurisdiction domestic investigations- as noted above, foreign networks might even be intentionally excluded.
As has been said elsewhere, the plain language reading of article 9 looks like it might be authorizing its police to hack foreign information systems remotely if authorized under domestic Chinese law. As discussed above, however this plain meaning reading doesn’t necessarily accurately reflect the legal effect.
To believe that article 9 intends to grant broad new powers to police requires believing that China is authorizing conduct which will surely offend, and may be illegal under foreign laws. It requires believing that this intention is being openly announced, but only hidden deep in a document largely concerned with procedures for authenticating digital data rather than investigative powers. A far more natural understanding is that the Regulation assumes police will follow existing rules to act lawfully with respect to other jurisdictions. This would mean that the regulation is talking about publicly or consensually available electronic data accessible on networks, allowing that they can be sources of electronic evidence and discussing their preservation and authentication requirements.
It isn’t usually necessary to say in a regulation that all other rules and practices will be followed, but the Regulation is clear that all collection of data from individuals and entities discussed in the Regulation is to be done in accordance with existing law (article 3), and all previously existing evidence gathering requirements are still applicable. China has a Mutual Legal Assistance Agreement with the U.S. and similar treaties or agreements with many other countries that allow for cooperation in gathering criminal evidence in other jurisdictions. These agreements aren’t binding as the only way to get evidence from abroad, but it is generally understood as the proper channel, and procedures for such judicial assistance are laid out in detail in the Criminal Procedure Law and its accompanying interpretations.
It goes without saying that this doesn’t answer the question of whether Chinese authorities access overseas digital information without permission, and whether this is viewed as legal or illegal under Chinese law. The only question addressed here is whether this Regulation authorizes police to access data anywhere in the world in the course of criminal investigations. It also goes without saying that much tighter laws than this, with stricter, clearer restrictions on police conduct, have been distorted or ignored; and it would not be surprising to hear some Chinese police embracing any reading that legitimized further investigative powers- regardless of what a Regulation was meant to do.