Abstract: Data is a key driver of innovation for China that is poised to become the world’s most data-rich country. Today, some of the businesses choose not to use data at all in order to protect its security. To address this phenomenon, policy must put a greater emphasis on development-driven data protection. Meanwhile, it’s important to ensure accountability with appropriate fault-tolerance when coping with security issues arising from innovation, in order to strike a proper balance between innovation and security and bring the core competitiveness of data into full play.
I recently heard complaints from a friend working for a big tech that her colleagues refused to provide her department with data support, on the ground of preventing security risks when data is transferred across departments, even within the same company. Finding the breach of the Data Security Law unaffordable, her colleagues thought they might just as well don’t give data at all. But how could a department do its job without necessary data input?
Is personal information and data safe when it is not used? This is an unavoidable question to answer if China is to prosper its digital economy.
Should data be used? The answer is of course yes. China shows clear attitude toward this with its development strategy. It clearly defines data as a new production factor in a guideline issued in 2020 on improving the market-based allocation mechanism of production factors. Over the past years, global data accumulation has exploded, and China is poised to become the world’s most data-rich country.
According to Statista, in 2016-19, the world recorded a total data volume of 18ZB, 26ZB, 33ZB and 41ZB (1ZB=1.0E+21 bytes), respectively; while the International Data Corporation (IDC) estimates that China will have the world’s biggest volume of data by 2025—48.6ZB, which is 27.8% of global total. Used well, the enormous data, as a factor of production, would worth no less than land or capital.
China has called for intensified efforts to foster a sound market for data and promote open sharing of government data in order to increase the value of social data, indicating that data use is not only an advantage, but also an urgency, for the country.
But the other side of the coin is data risks.
As a matter of fact, tech giants including Apple, Microsoft, Amazon, Alphabet and Meta with the biggest market capitalization, have all experienced data risks over their course of development. For example, according to firewalltimes.com, in August 2021, Microsoft leaked 38 million records owing to improper configuration by a third-party company. In September 2021, a spyware called Pegasus infected iPhone and other Apple devices, recording phone calls and messages or even turning on cameras and microphones without the users realizing it. In October 2021, hackers leaked files of 125GB on Twitch, a streaming media platform under Amazon, to 4chan, while in previous years there had been several cases where Amazon employees sold customer data or were bribed by third-party companies to disclose internal data for illicit purposes. Google’s data problems most turned up with Google+. For example, an update in November 2018 produced an API error that exposed 52.5 million user accounts. In April 2021, Facebook spilled personal data of over 530 million users.
Hence, there is a trade-off between data security and use. Even big platforms with advanced technologies cannot stay fully immune to data risks.
Then, is data safe if we don’t use it? In fact, this could actually be the least safe idea, for at least several reasons:
First, if businesses rich in data keep the data shelved, they will not be able to know about the data, including its weaknesses. As Sun Zi noted in The Art of War, “knowing the enemy and yourself, and you can fight a hundred battles and win them all.” Companies can’t even know themselves if they don’t use the data, not to mention keeping the data safe.
Second, leaving data unused is a waste of this core competitive advantage. Big data is an edged sword not just because its vast quantity, but also because of its coverage of various dimensions. The core competitiveness of data-rich companies is a high-dimensional database forged by integrating data in different dimensions. If the sharing and flow of data within a big company is artificially disabled because of biased understanding of the Data Security Law, big data would become fragmented and put on the shelve, and data-rich companies would be cooking their own goose in that case.
Third, putting data aside would make it hard to “know the enemy” and prepare for potential attacks. In the battlefield of data security, both platforms and regulators need to learn and accumulate experience by coping with various security risks to equip themselves for future risks.
For example, Alon Gal, who disclosed the leakage of the data of 530 million Facebook users, unveiled the data selling process: in early 2020, the data was sold for 30,000 USD, after which the buyer sold it out again at lower prices; after several rounds of such transactions, the data became cheaper and cheaper until available for free in 2021. The reason behind the leakage was that Facebook failed to implement proper restrictions on API, where Facebook’s contact import function enabled hackers to import as many as 5,000 phone numbers while gaining access to the numbers’ associated accounts with each API inquiry. Hackers then managed to acquire the information of 530 million users by searching Facebook’s database for all phone numbers in the world.
Then, why did this vulnerability exist at all? That’s because Facebook, in order to maintain fast growth, sought to acquire the information of existing users’ friends. That gave the hackers a leg up on information theft.
This story indicates that there is much to learn from every exposure to data risks. Businesses and regulators would be able to get a more comprehensive picture of data sales, data crimes and company strategy, building a sound groundwork for preventing future risks.
Fourth, even if data is kept safe by being kept unused, it would also incur the loss of digital dividends. If data is not efficiently shared within and among businesses as well as between businesses and governments, protecting data security could translate into a waste of data that should have brought immense benefits. Professor Huang Yiping, Deputy Dean of the National School of Development at Peking University , mentioned the fact in his article, Strengthen But Not Weaken Platform Economy’s Innovation Ability, that India has taken over China in terms of the number of unicorns, now second only to the United States, which should ring the alarm bell again for China that it would do no good to digital economy in China and significantly weaken Chinese platforms’ global competitiveness if data as a factor of production is poorly used.
So, how should we ensure data security?
Both the Opinions and the Data Security Law want to "promote security through development", rather than "no development for the sake of security".
For example, the Opinions emphasized the "integration and security of data resources". The document shows that making full use of data based on security is the major attitude towards data as a production factor.
Article 13 of the Data Security Law clarifies the relationship between development and data security:
“The state shall make an overall plan to coordinate development and security, to promote data security through data development and utilization and through industrial development on one hand, and on the other hand, to ensure that data security facilitates data development and utilization as well as industrial development.”
Article 7 also clarifies:
“The state shall protect the data-related rights and interests of individuals and organizations, encourage the lawful, reasonable, and effective use of data, ensure free flow of data in an orderly manner and in accordance with the law, and promote the development of a digital economy with data as the key factor.”
Therefore, the Opinions and the Data Security Law should not be interpreted as a refusal to use data.
How to promote security through development?
Market cultivation, institutional arrangements, risk-controllable data, and sharing tools are the key points. To systematically promote security through development, it is also necessary to establish a high-level data governance committee to coordinate data policies, including formulating guidelines on the trading scope of data production elements, algorithmic governance, personal information protection, and data security. The committee should also be in charge of the application, review, issuance, restriction, and revocation of data licenses, and know the corresponding measures for data security issues.
For example, a common problem in data security is data leakage or misuse, which is closely related to the characteristics of the data. The non-competitiveness and partial exclusivity of data, which is a quasi-public good, lead to a close-to-zero price, difficulty in confirming rights, and inactive transactions in data products. Therefore, the traditional method – confirming rights before trading – is not fully applicable to data products, so there is a problem of insufficient data supply.
One solution is to promote the orderly open sharing and safe utilization of public data, so that the data demander does not need to pay or only pays the cost price, thereby reducing transaction costs and compliance costs. Local governments have been exploring introducing public data regulations. Adding more public data will also make it easier to implement Article 32 of the Data Security Law
“An organization or individual shall collect data by lawful and proper means, and shall not acquire data by theft or in other illegal manners.”
For another example, with the rapid development of mobile Internet and cloud computing technology, more and more data are stored, shared, and calculated in the cloud, making the data security issue in the cloud environment a hot topic. One idea to technically solve security problems and realize "data availability and invisibility" is to use privacy protection technology based on cryptographic algorithms and protocols. The other idea is to build a Trusted Execution Environment (TEE) to achieve safe computing based on hardware-secured memory isolation to solve the problem that privacy-protection computing depends on a large number of complex computations.
Then, algorithm auditing can be used to prevent user data from being abused or sold. The platform can be required to clarify the benefit distribution mechanism reflected by the algorithm to different stakeholders; to report the source and quality of data used in algorithm training, algorithm evaluation, and selection; to report the algorithm prediction or optimization goals; and to report the technology used in algorithms and algorithm operation effect. Through the evaluation of the algorithms, we can have a more comprehensive grasp of the security of the platform enterprise algorithm before risks come.
Finally, to promote data security through development, there needs to be a certain fault tolerance rate in the incentive mechanism, but it is necessary to clarify the responsibilities of relevant subjects in the mechanism and avoid data security loopholes and risks. We cannot rest on our laurels on the grounds of ensuring data security. Encouraging innovation is not an excuse for neglecting the establishment of regulatory mechanisms or having vague responsibilities. Only in this way can we give full play to data and make China's digital economy an important manifestation and guarantee of its international competitiveness.
This article was published on CF40’s WeChat blog on May 24. It is translated by CF40 and has not been reviewed by the author herself. The views expressed herein are the author’s own and do not represent those of CF40 or other organizations.
