I manage our global ePO environment, specifically for EEPC. We are engaging our legal teams in APAC and I was wondering if anyone is managing EEPC systems in PRC.
If so, what details can you offer around the process to implement EEPC in PRC? Do you have to apply for permission with PRC government?
Looking for any knowledge transfer.
Thanks for the direction Simon - great map.
I came across a statement on another link that we could contact an authroized McAfee distributer to begin process to obtain permit. Does that sound legitimate?
Might be best to just advise out legal team in PRC to contact the General Office of State Encryption Administration Commission to apply.
Can't seem to find any URL to the commision.
I need to return to this topic, if possible, as I too was swayed by the Princeton advice to contact a McAfee reseller for a license. Do they exist?
Here's an extract from an email I sent to come of my colleagues on travel to China:
There is a wealth of information available but mainly focused on travelling to China from the US, as you might expect. The article below is an "expert" report from Bloomberg Law on the topic of importing encryption technologies, from earlier this year:
The salient points, which I have distilled for your information:
This section is particularly relevant:
Regulations for the Administration on the Use of Commercial Encryption Products
These regulations were issued by the SEAB [State Encryption Administrative Bureau] on March 24, 2007.
According to Article 9, foreign investment enterprises, including Sino-foreign equity joint ventures,
Sino-foreign contractual joint ventures, foreign-funded enterprises, foreign investment enterprises
and so on, may use encryption products manufactured overseas only if they are requested for communicating abroad.
The chances of being stopped have increased but, in all likelihood, as a representative of <xxx>, you’ll be fine. I stand by my original, somewhat glib, advice: write your user credentials on a PostIt note and stick it on your keyboard, inside the laptop. Do not challenge an official in their line of duty; help them to unlock the laptop, if required. Obviously destroy the PostIt after passing through immigration.
You could obtain a permit but only for precautionary purposes. It is not a straightforward process but I’ll contact McAfee directly if anyone insists.
You should go through the RED channel and declare the laptop but most likely you won’t. I wouldn’t.
There is an English version of the customs website but it’s typically long-winded:
So can anyone confirm the existence of said license?
University of Birmingham
UKon 27/10/11 09:52:55 CDT
What licence Dave? It's my understanding that the licence needs to be obtained by the end user - you can't proxy off someone else's.
A note on your advice to your users though - If they loose sight of the laptop - DO NOT connect it back to your corporate environment ever again if you hold sensitive information. There are several reported situations where laptops have had government sponsored spyware installed (both software and hardware) while in the hands of custom officers.
Exactly my point: what license? I'm assuming it's a permit from the Chinese SEAB which shows that McAfee is both a recognised and authorised supplier of approved encryption technologies. In that case, it makes sense that the license is a McAfee thing (otherwise, where did Princeton get the idea that there is such a thing?). I took a look at the application form for a permit and, frankly, it's all Chinese (literally).
Obviously our users are not there to promote use of encryption nor are we in the business of selling it. I'm tending towards prohibiting the use of encrypted laptops on such trips, offering a loan service. Without encryption, our standard policies prohibit the storage of anything classified as Confidential or higher.
I take your point about the state-sponsored malware but there are now strict Chinese laws which prohibit such actions (and in fact, Customs officers and other officials are bound to keep such things as company confidentiality and trade secrets, should they examine business-owned laptops, according to the Bloomberg Law article). I have a feeling that you may be over-paranoid ;-)
Also according to one of my users, who's been travelling to China for 10 years or so, he's never even been questioned over a laptop. Can't be too careful, though, eh?
University of Birmingham
UKMessage was edited by: ravedj (Can't Spell!) on 28/10/11 11:23:01 CDT
AFAIK, every user (company) of encryption within China needs to apply to the Beijing Office of State Encryption Administration Bureau for an import/usage permit. UNLESS they are just in transit, or on a visitor entry visa.
You don't need a licence unless you're a resident user.
It's not possible to leverage a generic vendor licence.Message was edited by: SafeBoot on 10/28/11 12:28:14 PM EDT