Babbitt Column | Lawyer's point of view: How will the Cryptography Act apply to blockchain companies?
Author: Zhang Ling, a partner at law firm Han
According to the author, the "Cryptography" is not for the blockchain, but can be used for the blockchain, and will regulate and promote the development of the blockchain industry.
For the blockchain industry, this past weekend may be the most exciting weekend since the fall of this year.
On October 24, General Secretary Xi emphasized in the 18th collective study of the Political Bureau of the Central Committee that the blockchain was an important breakthrough for independent innovation of core technologies and accelerated the promotion of blockchain technology and industrial innovation. October 26 On the day, after several years of drafting and soliciting opinions, the “Cryptography Law” was officially promulgated. Some people think that the “Cryptography Law” landed at this time, which is born in the blockchain and will help the development of the blockchain industry.
The author understands that from the historical evolution of the Cryptography Law and the background of the introduction, the Cryptography Law is not specifically designed to promote and standardize the cryptography of the blockchain industry. However, since encryption technology is the key and core technology in blockchain technology, the password and blockchain have a natural close symbiotic relationship, so the Cryptography will naturally apply to the blockchain industry, and will promote and standardize the zone. The development of blockchain technology.
If the central support for blockchain technology innovation is a principled direction and guidance, the choice of the introduction of the "Cryptography" at this time can be regarded as one of the measures the government has indicated to support and standardize the development of the blockchain industry. In this article, the author intends to combine the background and main content of the "Cryptography" to briefly analyze how this common "Cryptography" will be applied to the blockchain industry for reference and discussion by interested parties.
1. The background of the "Cryptography Law"
As early as the 1990s, in order to meet the needs of the development of informationalization of social and economic activities, and to meet the requirements for the protection of information that does not involve state secrets using cryptographic techniques, in 1999, China formulated the Regulations on Commercial Password Management to determine development and management. Commercial password. Since then, the state has formulated a series of regulations (including but not limited to the "Commercial Code Product Production Management Regulations", "Commercial Password Product Sales Management Regulations", "Commercial Password Products" for all aspects of scientific research, production, sales and use of commercial passwords. The use of the Management Regulations, etc., established a legal system for the exclusive control of commercial passwords. At present, commercial passwords have been widely used in many fields of social production and management such as finance, communication, transportation, health, energy, public security, taxation, social security, and e-government.
With the wide application of cryptography in many fields, in recent years, it has brought some new problems and challenges to national, social and personal information security. The necessity of formulating a comprehensive and basic law in the field of cryptography has become more and more apparent. Moreover, with the transformation of government functions, in order to implement the reform and deployment of the central government's “simple government decentralization, integration, and optimization of services”, the traditional special control management system in the password field needs to be adjusted accordingly. In December 2014, the National Cryptography Administration established a drafting group to begin the drafting of the cryptography; in October 2016, a draft for comments was formed; from April to May 2017, the National Cryptographic Administration published the draft for comments to the public. Solicitation of opinions; submitted to the State Council for draft review in June 2017; discussed and approved by the State Council executive meeting on June 10, 2019, and officially released on October 26, 2019. During this period, the state successively revised and abolished some of the original regulations on password supervision (such as the revised Regulations on the Management of Commercial Password Products and the Regulations on the Production and Management of Commercial Password Products) in December 2017, and abolished the commercial password products. Sales Management Regulations, Regulations on the Use of Commercial Password Products, and Measures for the Administration of Passwords Used by Overseas Organizations and Individuals in China, etc.).
Judging from the above legislative background and history of the Cryptography Law, the origin, brewing and landing of the Cryptography Law are not directly related to the blockchain itself. The original intention of the national legislation is not to promote and standardize the development of blockchain technology. Rather, it is based on the importance of passwords for the security of national, social and personal information, and the need to develop a unified and fundamental law for the field of cryptography. However, since cryptography is the core technology of blockchain technology, the introduction of Cryptography will inevitably have a profound impact on the normative development of the blockchain industry.
2. The main content of the "Cryptography" and its related impact on the blockchain industry
(1) Blockchain enterprises mainly involve commercial passwords.
According to the Cryptography Law, "password" refers to technologies, products, and services that encrypt and secure information, etc., using a specific transformation method.
According to this definition and general understanding, (a) password is a technology, it can also be a product or service; (b) the function of password includes two categories: one is encryption protection, which means using mathematical transformation, it will be The read information becomes a sequence of symbols that are not recognized. In short, it is to change the plaintext into ciphertext; the second is to use the mathematical transformation to confirm whether the information has been tampered with, whether it is from a reliable source of information, and whether the confirmation behavior is true. In short, security authentication is to confirm the authenticity of the subject and information; (c) the method used for encryption or authentication is specifically changed; and (d) the object of encryption or authentication includes information and the like.
According to the Cryptography Law, the state has followed the rules and ideas of past password supervision, and still manages the classification of passwords. Passwords are divided into core passwords, normal passwords, and commercial passwords. The core password and the ordinary password are used to protect state secret information, and the commercial password is used to protect information that is not a state secret.
The author understands that in many application scenarios of blockchain technology (such as finance, Internet of Things, intelligent manufacturing, supply chain management, commodity anti-counterfeiting, etc.), most of the protection of password technology is personal information or business secrets of enterprises. Non-state secrets, so in most cases the blockchain industry is primarily concerned with commercial passwords.
(2) The state supports the development of the commercial password industry
In order to improve the unified, open, competitive and orderly commercial password market system and encourage and promote the development of the commercial password industry, the Cryptography Law provides a series of support measures, including but not limited to: (a) Encourage the research and development of commercial cryptography , academic exchanges, transformation of results and promotion and application, protection of intellectual property rights in the field of cryptography; (b) strengthening the training of cryptographic personnel and team building, and commending and rewarding organizations and individuals who have made outstanding contributions to cryptographic work in accordance with relevant state regulations; (c) Require that the people's government at or above the county level should incorporate the cryptographic work into the national economic and social development plan at the same level, and the required funds shall be included in the financial budget of this level; and (d) require the people's governments at all levels and their relevant departments to follow non-discrimination. Principles, equal treatment of commercial password research, production, sales, service, import and export, including foreign-invested enterprises.
Based on the above, in the context of national support for blockchain technology development and innovation, both domestic and foreign-invested blockchain enterprises will be supported and encouraged by the country without any business-related business activities. —— Blockchain enterprises will be in a more complete and orderly business environment, and the commercial password intellectual property developed by them will be protected according to law, and more sufficient password talent reserves and financial support will be obtained.
(3) Promote the standardization of commercial passwords
According to the provisions of the Cryptography Law, the state will establish and improve the commercial password standard system, organize the development of national standards and industry standards for commercial passwords, and promote participation in commercial password international standardization activities. Commercial password practitioners carrying out commercial password activities shall comply with the mandatory national standards for commercial passwords and the technical requirements for open standards of practitioners. In addition, the state supports social groups and enterprises to use independent innovation technology to develop commercial password group standards and enterprise standards that are higher than national standards and industry standards.
The author notes that the provisions of the Cryptography Law on the standardization of commercial passwords are linked to the Standardization Law, which was revised and implemented in January 2018, in accordance with the spirit and requirements of the law. At present, the national standards are managed by the National Information Security Standardization Technical Committee, and the industry standards are formulated by the Cryptographic Industry Standardization Technical Committee. According to statistics, as of June 2018, China has issued 16 national standards for passwords and 68 industry standards.
For the emerging blockchain industry, there are no national standards and industry standards that are specifically applicable to the industry. However, according to the author's observation, standardization work related to blockchain passwords has begun. According to the news released by the Beijing Cryptographic Administration earlier this year, in January 2019, the Cryptographic Industry Standardization Technical Committee submitted 12 cryptographic industry standards and research reports, such as the blockchain cipher application technical requirements, to the cryptographic administrations of the provinces and municipalities directly under the Central Government. And the commercial password practitioners under its jurisdiction solicit opinions. In his recent speech on promoting blockchain technology and industrial innovation development, the General Secretary also emphasized the need to strengthen blockchain standardization research. It is expected that there will be national standards and industry standards that are applicable to blockchain cryptography, products, systems and management in the future.
In addition, in view of the state's support for social groups and enterprises to develop commercial cryptographic group standards and enterprise standards that are higher than national standards and industry standards, blockchain enterprises can seize opportunities, independently innovate, and participate in the formulation of higher than national and industry standards. The commercial password enterprise standard can not only find more market opportunities for its own development, but also objectively promote the further development of the blockchain industry.
(4) Establish a commercial password detection and certification system
Under the previous regulatory requirements, commercial cryptographic products are subject to inspection by a designated cryptographic testing agency before they can be placed on the market. The Cryptography Law has changed the past mandatory testing and certification system, mainly based on voluntary testing. However, for commercial passwords listed in the network-critical equipment and network security-specific product catalogues, the provisions of the Cyber Security Law are required to require mandatory testing. The certification shall be sold or qualified by a qualified institution (for the National Certification and Accreditation Administration, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Internet Information Office, which are jointly recognized by the relevant national regulations). provide.
In June 2017, the above four departments jointly released the "Network Key Equipment and Network Security Special Product Catalog (First Batch)", and in March 2018 jointly issued "Safety Certification and Security for Network-critical Equipment and Network Security Special Products". The list of testing missions (first batch) clarifies 15 types of network critical equipment and network security special products that should be certified or tested for safety, and has designated 16 institutions that undertake certification testing tasks.
In order to further implement the requirements of the "Network Security Law" and provide technical support for the equipment and products listed in the catalogue, the National Information Security Standardization Technical Committee organized relevant assessment agencies, manufacturers and related experts to study and propose "Network Key Equipment and Network Security Special Products". Relevant national standards requirements (draft for comments), and publicly solicited opinions from May to September 2019.
For blockchain enterprises, if the commercial cryptographic products produced or sold fall into the above product catalogue or other product catalogues issued by the four departments in the future, the enterprise needs to select the certification test among the institutions listed in the catalogue of the certification testing task organization. The organization can be put on the market after the product passes the test and meets the requirements. After the formulation of the "Required National Standard Requirements for Network Critical Equipment and Network Security Special Products", blockchain enterprises must also comply with these national standards for the production of commercial cryptographic products.
(5) Illegal activities are strictly prohibited
While encouraging the development of the commercial password industry, the Cryptography Law stipulates that no organization or individual may steal information encrypted by others and illegally invade other people's password protection system; it may not use passwords to endanger national security, social public interests, and the legitimate rights and interests of others. And other criminal activities.
Based on the above, for the blockchain industry, regardless of the nature of the enterprise, regardless of the nature of the enterprise, commercial passwords can be used to protect its network and information security, and to engage in the production, sales and service of commercial passwords. Or import and export. However, if any of these links damage national security, social public interest or the legitimate rights and interests of others, it is not permitted by law.
The author understands that the blockchain is not equivalent to the cryptocurrency. The development and application of the state-supported blockchain technology does not mean supporting the business activities related to cryptocurrencies such as the issue of foreign entities' currency and token transactions. In the current regulatory environment, blockchain companies are still not allowed to use cryptographic techniques for first-time currency issuance (including ICO, STO, etc.) and virtual currency exchanges, as policies have not been liberalized. The liberalization of such services will take time even if it is possible in the future. This requires not only the completeness of the blockchain technology and the cryptographic technology itself, but also the appropriateness and effectiveness of the regulatory technology.
In general, although the Cryptography Law is not born for the blockchain, it is applicable to blockchain enterprises engaged in commercial password-related business, and will be conducive to the norm and long-term development of the blockchain industry.
However, at present, both the development of the blockchain technology itself and the relevant legislation in China are still at a relatively early stage. How the Cryptography Law is applicable to various types of blockchain enterprises, what supporting rules and standards need to be formulated, how to implement effective supervision, etc., and the space for further exploration. What is certain is that with the increasing demand for applications and the diversified development of blockchain application scenarios, it will stimulate and promote safer and advanced cryptography; and the further development of cryptography as the core of blockchain technology, It will also promote the overall progress and innovation of blockchain technology. In the process of mutual promotion of cryptography and blockchain technology, domestic and international standards and regulatory frameworks will be established and improved simultaneously.
Disclaimer: This article only represents the author's personal opinion and does not represent the opinions of the organization. The contents of this article do not constitute legal advice and investment advice. To reprint or cite any of the content in this article, please include the author's name.