1 2 Previous Next 10 Replies Latest reply on Oct 28, 2011 11:48 AM by ravedj

    EEPC in Peoples Republic of China (PRC)

      I manage our global ePO environment, specifically for EEPC.  We are engaging our legal teams in APAC and I was wondering if anyone is managing EEPC systems in PRC.

       

      If so, what details can you offer around the process to implement EEPC in PRC?  Do you have to apply for permission with PRC government? 

       

      Looking for any knowledge transfer.

       

      Thanks.

        • 1. Re: EEPC in Peoples Republic of China (PRC)

          my map - http://mcaf.ee/cryptolaw may help? You need to apply for your own company licence to make permanent imports of crypto into China.

          • 2. Re: EEPC in Peoples Republic of China (PRC)
            Peter M

            Neat map but it might upset the residents of Quebec......

             

            Capture.JPG

            • 3. Re: EEPC in Peoples Republic of China (PRC)

              mille humbles excuses à tout le peuple du Québec!

              • 4. Re: EEPC in Peoples Republic of China (PRC)
                Peter M

                LOL, thanks Simon, or should I say milles mercis.

                 

                ;-)

                • 5. Re: EEPC in Peoples Republic of China (PRC)

                  Thanks for the direction Simon - great map.

                   

                  I came across a statement on another link that we could contact an authroized McAfee distributer to begin process to obtain permit.  Does that sound legitimate? 

                   

                  Might be best to just advise out legal team in PRC to contact the General Office of State Encryption Administration Commission to apply. 

                   

                  Can't seem to find any URL to the commision. 

                  • 6. Re: EEPC in Peoples Republic of China (PRC)
                    ravedj

                    Hi, all

                     

                    I need to return to this topic, if possible, as I too was swayed by the Princeton advice to contact a McAfee reseller for a license.  Do they exist?

                     

                    Here's an extract from an email I sent to come of my colleagues on travel to China:

                     

                    There is a wealth of information available but mainly focused on travelling to China from the US, as you might expect.  The article below is an "expert" report from Bloomberg Law on the topic of importing encryption technologies, from earlier this year:

                     

                    http://www.mmlcgroup.com/sitebuildercontent/sitebuilderfiles/encryptionbloomberg mmlc_murphy_xia_article.pdf

                     

                     

                    The salient points, which I have distilled for your information:

                     

                        • There is an official list of recognised encryption products for use within China.  (McAfee is on it, I believe.)
                        • Unless you are actively selling or distributing encryption products, or promoting their use, you're safe.
                        • The regulations are more widely known by Chinese customs and are being more strictly enforced.

                     

                     

                    This section is particularly relevant:

                     

                     

                    Regulations for the Administration on the Use of Commercial Encryption Products

                    These regulations were issued by the SEAB [State Encryption Administrative Bureau] on March 24, 2007.

                    According to Article 9, foreign investment enterprises, including Sino-foreign equity joint ventures,

                    Sino-foreign contractual joint ventures, foreign-funded enterprises, foreign investment enterprises

                    and so on, may use encryption products manufactured overseas only if they are requested for communicating abroad.

                     

                     

                    The chances of being stopped have increased but, in all likelihood, as a representative of <xxx>, you’ll be fine.  I stand by my original, somewhat glib, advice: write your user credentials on a PostIt note and stick it on your keyboard, inside the laptop.  Do not challenge an official in their line of duty; help them to unlock the laptop, if required.  Obviously destroy the PostIt after passing through immigration.

                     

                     

                    You could obtain a permit but only for precautionary purposes.  It is not a straightforward process but I’ll contact McAfee directly if anyone insists.

                    You should go through the RED channel and declare the laptop but most likely you won’t.  I wouldn’t.

                     

                     

                    There is an English version of the customs website but it’s typically long-winded:

                     

                    http://english.customs.gov.cn/publish/portal191/

                     

                    So can anyone confirm the existence of said license?

                     

                    Regards,

                     

                    Dave Blackshaw

                    University of Birmingham

                    UK

                     

                    on 27/10/11 09:52:55 CDT
                    • 7. Re: EEPC in Peoples Republic of China (PRC)

                      What licence Dave? It's my understanding that the licence needs to be obtained by the end user - you can't proxy off someone else's.

                       

                      A note on your advice to your users though - If they loose sight of the laptop - DO NOT connect it back to your corporate environment ever again if you hold sensitive information. There are several reported situations where laptops have had government sponsored spyware installed (both software and hardware) while in the hands of custom officers.

                      • 8. Re: EEPC in Peoples Republic of China (PRC)
                        ravedj

                        Exactly my point: what license?  I'm assuming it's a permit from the Chinese SEAB which shows that McAfee is both a recognised and authorised supplier of approved encryption technologies.  In that case, it makes sense that the license is a McAfee thing (otherwise, where did Princeton get the idea that there is such a thing?).  I took a look at the application form for a permit and, frankly, it's all Chinese (literally).

                         

                        Obviously our users are not there to promote use of encryption nor are we in the business of selling it.  I'm tending towards prohibiting the use of encrypted laptops on such trips, offering a loan service.  Without encryption, our standard policies prohibit the storage of anything classified as Confidential or higher.

                         

                        I take your point about the state-sponsored malware but there are now strict Chinese laws which prohibit such actions (and in fact, Customs officers and other officials are bound to keep such things as company confidentiality and trade secrets, should they examine business-owned laptops, according to the Bloomberg Law article).  I have a feeling that you may be over-paranoid ;-)

                         

                        Also according to one of my users, who's been travelling to China for 10 years or so, he's never even been questioned over a laptop.  Can't be too careful, though, eh?

                         

                        Dave Blackshaw

                        University of Birmingham

                        UK

                         

                        Message was edited by: ravedj (Can't Spell!) on 28/10/11 11:23:01 CDT
                        • 9. Re: EEPC in Peoples Republic of China (PRC)

                          AFAIK, every user (company) of encryption within China needs to apply to the Beijing Office of State Encryption Administration Bureau for an import/usage permit. UNLESS they are just in transit, or on a visitor entry visa. 

                           

                          You don't need a licence unless you're a resident user.

                           

                          It's not possible to leverage a generic vendor licence.

                           

                          Message was edited by: SafeBoot on 10/28/11 12:28:14 PM EDT
                          1 2 Previous Next