A Deep Dive into China’s Network ID Proposal

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Harry Qu

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, TMT, as well as antitrust and anti-competition law.

On 26 July 2024, the Ministry of Public Security and the Cyberspace Administration of China (“CAC”) jointly issued the Management Measure on National Network Identity Authentication Public Service (Draft for Comments) (“Draft Measure”), proposing to establish the Network Identity Authentication Public Service Platform (“Public Service Platform”) to provide services for natural persons to apply for and use Network ID Number and Network ID Certificate for real-name registration on internet platforms (collectively referred to as “Network ID Proposal”).

The Network ID Proposal can be seen as a new milestone for China’s real-name regime. Companies providing digital services in China may be subject to the real-name registration requirements, and the Network ID Proposal could impact the existing data collection and processing practices. MNCs will need to adapt to this evolving regulatory landscape to ensure they comply with local data protection laws.

In this article, we highlight the key provisions of the Draft Measure and set out our observations on the proposed requirements. If you need further assistance, please contact James Gong at [email protected].

I. Background

1. History of the Real-Name Regime

China has long enforced a real-name regime for online services, requiring users to provide their real-name information to register with internet platforms. Real-name information includes phone number, ID number, etc.

China’s real-name requirement for online services initially emerged through local regulations set by municipal governments. Since 2009, these regulations have required internet service providers to record users’ real-name information for services like bulletin boards, instant messaging, microblogs (similar to X and Threads) and online gaming. [1]

In 2012, the Standing Committee of the National People’s Congress (“NPC”) officially established the national real-name requirements for phone and online services.[2] When internet service providers set up website access, activate landlines or mobile phone services, or offer services for users to post information, they must require users to provide real-name information as part of the service agreement or when the service is confirmed.

In the following years, regulatory authorities such as the Ministry of Industry and Information Technology (“MIIT”) and the CAC have refined the real-name requirements established by NPC. We have summarised the regulations formulated in the table below.

| Year | Department | Regulation | Requirement |
|------|------------|------------|-------------|
| 2013 | The MIIT | Regulation on the Registration of Real Identity Information of Phone Users | Telecommunications service operators must require users to provide valid identification documents and real-name information when activating phone services. [3] |
| 2014 | The CAC | Interim Provision on the Development and Management of Public Information Services on Instant Communication Platforms; Regulation on the Management of Internet User Account Names | These regulations extend the online real-name requirement from instant messaging platforms to all internet information services. |
| 2016 | The CAC | Regulation on the Management of Mobile Internet Application Information Services | The first interaction between the real-name requirements for phone and online services, clarifying that applications can register their users with mobile phone numbers to fulfil the real-name requirement. [4] |

On 1 June 2017, the Cybersecurity Law of the People’s Republic of China (“CSL”) [5] elevated the above real-name requirements for online and phone services to a legal requirement, establishing the real-name regime in the form of law for the first time. Subsequently, the CAC introduced regulations such as the Regulation on the Management of Internet User Account Information [6] to further refine the online real-name requirements. In 2022, the Anti-Telecom and Online Fraud Law of the People’s Republic of China (“Anti-Fraud Law”) [7] reiterated the real-name requirements for online and phone services.

2. Current Requirement of the Real-Name Regime and Its Impact

Under the current regime, service providers offering internet information publication and application platform services (including but not limited to internet news information, online publishing, search engines, instant messaging, interactive services, live streaming, and application downloads) are required to register their users with real-name information. Most platforms meet this requirement by collecting users' mobile phone numbers, thus completing the real-name registration indirectly. This results in the widespread collection of mobile numbers across platforms.

The real-name regime aims to reduce telecom and online fraud by restricting fraudsters' access to communication tools through real-name registration. However, several issues emerged during the implementation of the regime.

  • Increased Risk of Data Leaks: Real-name registration often involves the collection of mobile phone numbers and other personal information, which heightens the risk of data leaks.
  • Enhanced Fraud Complexity: Data such as phone numbers, financial data, and order details are used to craft more sophisticated and harder-to-detect scams. The relentless innovation of fraudulent schemes remains a challenge despite real-name registration efforts. From January to October 2023, over 34,000 individuals were prosecuted for telecom and online fraud nationwide, marking an increase of nearly 52% year-on-year. [8]
  • Excessive Data Collection by Platforms: Internet platforms may collect user data on the grounds of fulfilling legal obligations, but the data collected may not be necessary.

We understand that the Draft Measure was developed to enhance security, combat fraud, and reduce the risks of data leakage by centralising identity verification, offering a more secure alternative for real-name registration.

II. KEY PROVISIONS AND OBSERVATIONS

1. What is the Network ID Proposal?

1.1. What is Network ID Number and Network ID Certificate?

“Network ID Number” and “Network ID Certificate” are two different concepts.

  • “Network ID Number” refers to a network identity symbol that corresponds uniquely to an individual’s real-name information, composed of letters and numbers without explicit personal real-name information.
  • “Network ID Certificate” refers to a network identity credential that carries the Network ID Number and the individual’s non-explicit real-name information.

The relationship between them is akin to that between an ID number and an ID card.

1.2. How to apply for Network ID Number and Network ID Certificate?

Individuals with valid legal identity documents may voluntarily apply for a Network ID Number and Network ID Certificate through the Public Service Platform. Minors can apply with the assistance or supervision of their guardians. Notably, foreign passport holders cannot apply with their passports but may use other documents like Chinese permanent residence cards.

1.3. How to use Network ID Number and Network ID Certificate?

Network ID Number and Network ID Certificate can be used for real-name registration for online services and other services.

The Draft Measure adopts a bilateral voluntary approach: platforms have the autonomy to decide whether to accept the use of Network ID Number and Network ID Certificate for user real-name registration, and users can also voluntarily choose whether to apply for and use Network ID Number and Network ID Certificate for real-name registration.

However, once a platform opts to accept the use of Network ID Number and Network ID Certificate for user real-name registration, it will be subject to the following requirements:

  • General Rule (Articles 7, 8.1): Once users choose to use Network ID Number and Network ID Certificate for real-name registration, internet platforms will no longer collect explicit real-name information from users. Instead, the Public Service Platform will provide the user’s real-name verification results to the internet platform to complete the real-name registration.
  • Exception (Article 8.2): For legal obligations (e.g., KYC in the financial sector), upon the user’s authorisation or explicit consent, the Public Service Platform shall provide the required information to the platform, applying data minimisation practices.

2. What is the rationale behind the Network ID Proposal?

According to Article 1 of the Draft Measure and the drafting statement[9], the Network ID Proposal is designed to implement the network credible identity strategy, promote the construction of national network identity authentication public services, safeguard citizens’ real-name information, and promote the digital economy.

2.1. Protecting the security of citizens’ real-name information

The current real-name regime inadvertently increases the risk of information leaks. Under the Network ID Proposal, internet platforms only have access to the verification results provided by the Public Service Platform, without collecting the users’ plaintext real-name information or contact details. This approach minimises the possibility of intentional or accidental information leaks from internet platforms.

However, the Public Service Platform will process a significant amount of sensitive personal information; if compromised, it could lead to more severe data security incidents. Therefore, it also presents a challenge for the Chinese government to showcase its commitment to data security by ensuring the protection of this centralised system.

The Public Service Platform is available as the “National Network Identity Authentication Pilot Edition” App (“Network ID App”), where users can apply for Network ID Number and Network ID Certificate. Upon our testing, during application, the Network ID App collects information including name, facial recognition information, identity document number, and mobile phone number. The sensitivity of the data collected by the Public Service Platform is much higher than the mobile phone numbers collected by internet platforms for real-name registration.

The Draft Measure acknowledges these risks and attempts to refine data security for the Public Service Platform within the regulatory framework of existing laws such as the CSL, the Data Security Law of the People’s Republic of China (“DSL”), and the Personal Information Protection Law of the People’s Republic of China (“PIPL”):

  • Necessity: The processing must not exceed the scope necessary for providing services such as the application for Network ID Number and Network ID Certificate, and real-name verification.
  • Notification & Consent: Before processing users’ personal information, the Public Service Platform shall inform users of the processing details in a prominent manner, in clear and understandable language, through written forms such as user agreements, and obtain their consent or separate consent.
  • Security Management and Technical Measures: The Public Service Platform shall strengthen data protection, and establish and implement security management systems and technical protection measures. If passwords are involved, they should be protected in accordance with the laws.
  • Penalty: For violations of the above requirements, the public security departments and the CAC shall impose penalties within their statutory duties in accordance with the CSL, the DSL and the PIPL.

However, the Draft Measure seems to fall short when it comes to detailing security management for the Public Service Platform. It largely reiterates the fundamental requirements laid out by existing laws like the CSL, the DSL, and the PIPL without setting more rigorous and detailed security standards for managing personal biometric data like facial recognition information.

Moreover, in practice, effective implementation of these requirements may be challenging. Taking the necessity requirement as an example, during the application process, the Network ID App’s collection of personal information such as name and identity document number can be understood as necessary because the Draft Measure stipulates that one must “hold a valid legal identity document” to apply for Network ID Number and Network ID Certificate. However, the necessity of collecting mobile phone numbers in addition to the user’s identity document number remains questionable.

2.2 Promoting the development of the digital economy

It is worth noting that the Network ID Proposal carries great expectations of promoting the development of the digital economy.

Article 6 of the Draft Measure encourages authorities and industries to promote the voluntary use of the Network ID Number and Network ID Certificate, aiming to provide secure and convenient real-name registration and foster a broader application ecosystem.

Although the specific form of this “application ecosystem” is yet unknown, the Network ID Number and Network ID Certificate may be applied to other fields beyond the real-name registration of internet platforms in the future and become as widespread as mobile payments. For instance, in the future, people may use their Network ID for purchasing train and flight tickets or generating QR codes through the Network ID App for boarding. Besides, the privacy notice of the Network ID App also specifies its application in offline scenarios, such as verifying identity in government service halls via a QR code. [10]

Beyond that, as internet communication technologies like VoIP and messaging apps gain traction, the dependence on old-school phone calls and text services may decrease. In this transition, electronic identity authentication under the Network ID Proposal, with its ease of use and flexibility, could be better aligned with rapid and continuous innovation.

3. What are the potential implications of the Network ID Proposal?

3.1 Tightening cyberspace regulation?

Since the Draft Measure was introduced, concerns have emerged that the Public Service Platform may be used to monitor online users’ browsing history to tighten cyberspace regulation. However, there is no indication from the Draft Measure that the Network ID Proposal has such an intention.

Firstly, the voluntary nature of the Network ID Proposal means that it is not designed to increase oversight of cyberspace. On the one hand, users have the option to voluntarily decide whether to apply for and use the Network ID Number and Network ID Certificate, and the Public Service Platform will not collect any user information unless users opt in. On the other hand, even if users voluntarily apply, they still have the right to deactivate their Network ID Number and Network ID Certificate. Under the PIPL, users also have the right to delete their data and cancel their accounts with respect to the Public Service Platform. Based on our observation, the Network ID App does offer users a path to deactivate their Network ID Number and Network ID Certificate.

Secondly, there is no provision in the Draft Measure that indicates the Public Service Platform will track online users’ browsing histories to achieve network monitoring capabilities. The Draft Measure does not provide that the Public Service Platform shall track online users’ browsing histories. Instead, Article 9 of the Draft Measure clearly states that “the processing of personal information by Public Service Platform must not exceed the scope necessary for providing services such as the application for Network ID Number and Network ID Certificate, and real-name verification.” Collecting detailed browsing histories clearly exceeds the necessary scope. If the Public Service Platform does collect such browsing histories, users can exercise their right to delete or right to cancel the account, and they also have the right to file a lawsuit for personal information rights infringement.

3.2 Facilitating behaviour tracking by platforms?

Concerns have been raised about whether internet platforms can more conveniently conduct comprehensive user profiling for specific Network ID Number holders. The answer is likely no.

First, under the Network ID Proposal, it may be difficult for internet platforms to use Network ID Number as a basis for user profiling. Unlike traditional phone-number-based registration, where users manually enter their phone numbers, using Network ID Number for real-name registration does not require user input. Instead, the Public Service Platform will provide users’ real-name verification results without providing Network ID Numbers to internet platforms. Therefore, internet platforms cannot use Network ID Numbers as an identifier to conduct user profiling.

Besides, the existing user profiling systems of some internet platforms may be constrained under the Network ID Proposal. Some platforms in China use the user’s mobile phone number as the UID and as a basis to tightly couple all user registration information. Under the Network ID Proposal, platforms may no longer be able to collect users’ mobile numbers forcibly. This shift could limit the existing user profiling systems of some platforms, enabling them to reconsider their user profiling strategies.

3.3 Adjust existing data processing practices?

Considering the long-standing practice of using mobile phone numbers for real-name registration in China, the Network ID Proposal will likely require internet platforms to reevaluate their current practices for collecting and processing personal information. If a platform accepts the use of Network ID Numbers and Certificates for real-name registration, it should no longer require users to provide mobile phone numbers, unless there are other purposes such as contacting the users.

Besides, in the case where users switch to Network ID Number and Network ID Certificate for real-name registration, the originally collected personal information such as mobile phone numbers will correspondingly become unnecessary. Therefore, internet platforms shall, in accordance with PIPL, take the initiative to establish a mechanism for deleting the original mobile phone numbers and other real-name information.

III. CONCLUSION

The Network ID Proposal originates from the special background of China’s online real-name regime, carrying legislative purposes such as protecting the security of citizens’ real-name information and promoting the development of the digital economy. Despite some shortcomings in the Draft Measure, the voluntary nature of the Network ID Proposal and regulatory requirements in the Draft Measure are unlikely to turn it into a tool for overreach.

For internet platforms, it is necessary to continue to stay informed about the development of the Network ID Proposal and assess any potential impacts on their user profiling systems. At the same time, they need to actively take measures to adjust the existing data processing practices to ensure the compliant processing of personal information.
