DIGITALEUROPE comments to "Opinions on implementation of testing and certification of commercial cryptography"
DIGITALEUROPE appreciates the opportunity to comment on the opinions on the implementation of testing and certification of commercial cryptography (hereinafter the ‘Opinions’) released by the State Administration for Market Regulation (SAMR) of China for public comment.
Last year we submitted a response to the consultation on the second draft Cryptography Law put forward by the Office of State Commercial Cryptography Administration (OSSCA). The issues and concerns raised on that occasion still hold true today:
Modern information and communications technology (ICT) products include elements of encryption (not as a core function) for cybersecurity purposes. Most governments around the world do not regulate the importation or domestic use of cryptographic features in mass-market products. Regulating market access on the basis of commercial encryption functionality amounts to restricting access to the Chinese market and impinges on competition, trade flows and innovation.
According to the World Semiconductor Council (WSC) principles for commercial cryptographic technologies in mass-marketed ICT products, the regulation of commercial encryption should be limited and encryption technology mandates prohibited, in recognition of the widespread use of encryption and the limited value of regulating the commercial market. The approach outlined in the SAMR Opinions may not be consistent with the obligations and commitments undertaken by the Government of China, along with the other members of the Government and Authorities Meeting on Semiconductors (GAMS), under the WSC Encryption Principles.
Further assess the scope
The scope of the current proposal for a testing and certification framework is potentially very broad. If authentication-related functionality is included, the volume of products requiring testing would be enormous, since almost all ICT products today contain at least minimal elements of encryption used for integrity or authentication. Closer alignment with World Trade Organisation (WTO) and WSC/GAMS commitments is needed. We therefore recommend:
further assessing the scope and the organisational structure supporting the testing and certification framework; and
setting up an additional consultation with the private sector to obtain detailed comments.
Preserve and apply the core function concept to all cryptography products and services
For the past two decades, industry has relied upon the Core Function Concept for market access in China, since the Commercial Encryption Management Regulation was issued and then clarified (1999-2000). The scope of management is limited to ‘specialised hardware and software for which encrypting and decoding operations are core functions.’ Today, products with non-core encryption features are commonplace; preserving and applying the Core Function Concept to all commercial cryptography is therefore essential to avoiding market access barriers for many products and services.
This approach should be applied to all commercial cryptography products and services, including ‘commercial cryptography-based products,’ ‘commercial cryptography-based services,’ commercial cryptography used in ‘mass consumer products’ and commercial cryptography more generally as addressed under the Cryptography Law (2020), in order to avoid certification restrictions or regulations for commercial products in which encryption is a secondary feature.
Adequate encryption regulations are crucial to ensuring a free flow of innovative products and technologies into China. The Core Function Concept and the mass-market exclusion point to an arrangement in which products and solutions can be imported without restrictions or licences. We hope this intent will be reinforced in the more detailed implementation directives.
Free flow of the most innovative technologies into China would be negatively impacted by very broad certification requirements, even if these requirements were voluntary.
Rely on international standards and avoid duplication in implementation requirements
International standards in the area of assessment and certification, such as ISO/IEC 19790 or ISO/IEC 15408, created with the participation of Chinese experts, represent a solid baseline for a broadly applicable certification framework, with the understanding that such certification is not required for general-purpose consumer environments. International standards and experience would enable non-discriminatory, transparent testing and certification frameworks, as well as the development of certification-related processes with industry involvement, to overcome fragmented approaches.
We recommend that international standards and practices related to cryptography be adopted and that existing relevant guides or recommendations issued by international standards bodies be used for testing and certification.
We also encourage acceptance of testing and certification performed by accredited foreign labs in accordance with globally recognised standards as equivalent to that of licensed local labs to avoid unnecessary duplication.
Finally, we suggest additional consultation with the private sector and industry on the structure and governance of testing and certification bodies.
Further clarify the definition and scope of certification regulatory requirements applicable to ‘commercial encryption’
The Cryptography Law (2020) has the merit of separating ‘commercial cryptography’ from ‘core’ and ‘common’ cryptography. Article 28 clarifies that commercial cryptography used in mass consumer products is not subject to the import licensing system or export control.
This approach, which we welcomed in our letter to OSSCA in September 2019, should also be reflected in the SAMR Opinions, distinguishing between encryption as a core or a secondary function:
Certification should be strictly limited to cases where encryption is the core function, rather than a subsidiary feature of the product or one of its components.
Commercial off-the-shelf products used by businesses for commercial purposes, commercial products used internally and not for commercial sale, and all other commercial products and technologies with elements of cryptography that are not core function should be completely exempt.
Ensure that IP, confidential information and privacy rights are protected during supervision and enforcement
Non-discriminatory, transparent testing and certification frameworks, as well as the development of certification-related processes, should include proper mechanisms to safeguard confidentiality and intellectual property rights.
We welcome the opportunity to comment on the SAMR Opinions and we stand ready to provide further input on the implementation of the Cryptography Law.
For more information please contact:
Alberto Di Felice
Director for Infrastructure, Privacy & Security Policy