Friday, October 20, 2023

"Security Implications of China’s Auto Dominance"

 From the Jamestown Foundation's China Brief, October 6:

At the end of September, the 2023 China International Automobile Exhibition opened in Tianjin. An official representing the China Council for the Promotion of International Trade (CCPIT) delivered a speech, announcing that China’s automobile exports are expected to exceed four million units this year (Kuai Keji, September 28). According to the most recent data, China exported just shy of three million vehicles from January to August, up 61.9 percent from 2022. This means that China is set to surpass Japan—as it overtook Germany last year—to become the world’s largest automobile exporter for the first time.

Cars are increasingly conceived of as devices connected to a wider digital infrastructure. As such, they present clear security concerns, just as other emerging technologies do. Chinese auto brands in particular pose risks for the West, as do cars that contain core components manufactured by Chinese companies. Much of the debate surrounding Chinese Electric Vehicles (EVs) in recent weeks has focused on the issue of economic security, largely due to EU Commissioner Ursula von der Leyen’s recent State of the Union address, which she used to announce the opening of an anti-subsidies investigation into Chinese auto companies (European Commission, September 13). However, lost in this economic security framing are the additional national security and cybersecurity concerns from a potential influx of certain Chinese vehicles.

Globally, the auto industry is one of the worst offenders when it comes to privacy violations. A new report from the software NGO Mozilla surveyed the privacy policies of 25 American, Korean, German, and Japanese brands, finding that every single one “collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you” (Mozilla Foundation, September 6). This data extends to medical and genetic information, and even to drivers’ sexual activity. Many of these companies say they can share or sell this data to service providers, data brokers, and other businesses. More troubling is the fact that over half of the firms surveyed say they can share drivers’ information with governments or law enforcement agencies in response to a mere “informal request.” Given the lax approach to data security from the auto industry more widely, telematic vehicles present an easy avenue for the Chinese government to exploit should they wish to do so. As with previous instances (such as ZTE, Huawei, and TikTok), the ability for the Beijing or state-linked groups to access this data, as well as to potentially push updates to vehicle software that could cause significant damage, is an issue worthy of more serious attention from lawmakers and regulators across the globe.

Telematics and Teslas: Chinese Concerns

Telsa is the worst offender in this regard. An American company, Tesla nevertheless manufactures over half of its EVs at its principal factory in Shanghai (Insideevs, January 8), which the company built thanks to generous policies from the local government. Despite this, the Chinese regime has long been suspicious of the firm’s vehicles, whose abundance of sensors (and permissive privacy policy) allow a high degree of surveillance on the part of the company. For several years, concerns about Teslas being used to spy or to acquire sensitive information have been voiced frequently in Chinese media. One article from 2021 quotes an official as saying that “the lack of regulation has been acknowledged very suddenly, and to some extent, it is equivalent to opening a ‘big skylight (大天窗)’ on our national security system” (LeiPhone, March 23, 2021; Sohu, May 14, 2021). On September 20, a post from a Chinese-language media outlet on the social media platform X (formerly Twitter) showed Xi Jinping visiting Yiwu, Zhejiang Province, and signs saying that the neighborhood was “off-limits to Teslas (附近区域禁止特斯拉 进入)” (Voice of Hope, September 20). This follows a story that emerged in August this year, sparked by a netizen posting a picture of a similar sign in the parking lot of Yueyang Sanhuo Airport, which read “Teslas are prohibited from entering the classified control area.” The stated justification from airport staff to local reporters at the time was the risk of secrets being “leaked (泄密)” to Teslas (Jinguan News, August 15). In August 2022, local officials also banned Teslas from driving in Beidaihe (where Xi Jinping decamps for two weeks in the summer) over matters of “national affairs” (国家事务) (VOA, June 21, 2022).

The Chinese government is clearly concerned about the threat that cars pose for personal data and privacy protection. On September 26, the China Academy of Information and Communications Technology (CAICT), which is subordinated to the Ministry of Industry and Information Technology (MIIT), released a white paper on “Key Elements of Data” (CAICT September 26). This updates white papers from previous years, but usefully summarizes the broad contours of the government’s views on data, noting that “big data” was first included in the government’s work report as early as 2014. Another CAICT report from July is titled “National Telematics Industry Standard System Construction Guideline (国家车联网产业标准体系建设指南)” (CAICT, July 18). This report specifically covers “telematics (车联网),” which refers to the use of information technology to transmit, store, and receive information to and from vehicles. One of the first stated principles of the text is to “build a solid bottom line to ensure safety.” The guidelines go on to map out a multi-phase plan to formulate and revise over 140 standards related to smart, connected cars by 2030, and to develop a synergistic “vehicle-road-cloud” system with domestic and international coordination....

....MUCH MORE