
How China's Algorithm Regulation Affects Businesses

Rules May Increase Cost, Complexity for Global Firms, Experts Say

China's lead cybersecurity watchdog, the Cyberspace Administration of China, is rolling out rules to regulate companies that offer algorithm-powered recommendation services.


The regulations, expected to go into effect on March 1, apply to both domestic and international companies that operate in mainland China, according to news platform South China Morning Post. The country's State Internet Information Office will oversee, manage and enforce the ruling, the report says.

The aim of the regulation is to preserve national security and public interest, protect the lawful rights and interests of citizens, promote equal development of information services and "carry forward core socialist values," according to the regulation draft.

Guidelines for Companies

Algorithm-powered recommendation services offer relevant suggestions for users based on their history of choices and are popularly used by video streaming services, e-commerce companies and dating apps.

The CAC's regulation, however, is not confined to just search results or personalized recommendation algorithms that push e-commerce products.

It also applies to dispatching and decision-making algorithms that are used by transport and delivery services and to generative or synthetic-type algorithms used in gaming and virtual environments, says Ed Sander, China tech and policy expert and co-founder of the technology and business website ChinaTalk, in a blog post.

Companies that use algorithm-based recommendations are required to disclose service rules for algorithmic recommendations and periodically review, assess and verify algorithm mechanisms, according to the regulation. The new regulation also says that companies must ensure that their algorithmic models do not induce users to "become addicted, spend large amounts or indulge in activities that go against good public customs."

Firms must also ensure that they identify illegal and negative content, immediately stop transmission of unlawful information and strengthen the management of user modeling, the notification says.

Companies are required to make the rules for searches, sorting, selections, pushing and display transparent and explainable to users, the regulation says. Users must be provided with the ability to opt out of algorithmic recommendations, and algorithmic recommendation service logs must be retained for at least six months, it says.

Failure to comply with the regulations on algorithmic recommendations will result in warnings issued by provisional or state information departments and the setting of a stipulated date within which the violating company must make necessary corrections, the regulation states. If the company refuses to make these corrections, or if the offense is serious, the company will be barred from publishing any sort of information and be liable for a penalty ranging between 5,000 renminbi and 30,000 renminbi ($773 and $4,637).

Impact on Cost, Competition

The new changes in legislation regarding algorithms come at a time when China is placing increasing pressure on regulating the country's technology sector, which has an increasing influence over its citizens' daily lives, says Chris Morgan, senior cyber threat intelligence analyst at San Francisco-based digital risk protection company Digital Shadows.

Although the Chinese government has introduced data protection measures that it claims would safeguard citizens - for instance, limiting the time children play online games - the new measures regarding algorithms will provide the Chinese state further control over what its citizens view, or otherwise have recommended to them through browsing or shopping patterns, Morgan tells Information Security Media Group.

Certain ambiguities in the new regulation make it vulnerable to manipulation, he says. "The regulation states that companies must not use algorithms to do anything that violates Chinese law or endangers national security. This is a fairly vague statement - one that could be highly open to abuse or manipulation."

For instance, the law could prohibit providers from recommending any material that is critical or deemed critical of the Chinese state, he says.

Sander of ChinaTalk tells ISMG that the new regulation makes China the first country to tightly regulate algorithms, specifically those used in recommendation processes. "No internet company will be happy with the new regulations - neither domestic nor foreign ones," he says.

Sander adds that if companies have to explain the mechanics of their algorithms to consumers, it may give away their competitive advantage, while the concerned government authorities must treat the information shared confidentially.

The restrictions, Sander says, will have a negative impact on profitability and increase compliance costs. "The biggest worry might be that companies will have to make currently used algorithms redundant if they violate the regulations. On top of that, the disclosure of the workings and increased costs from having to establish a monitoring entity can impact businesses."

John Bambenek, principal threat hunter at California-based IT and security operations firm Netenrich, echoes Sander's concern over information sharing. At the very least, China must create another regional regulatory regime to manage this concern, he tells ISMG.

"China’s long-used tactic of stealing trade secrets makes it likely that companies will think twice about exposing themselves to the release of their trade secrets," he says.

Call for Regulation

The call for regulating algorithms is not confined to China.

In June 2017, the European Commission fined Google 2.42 billion euros ($2.74 billion at the time) for leveraging its search engine to recommend its own products for market dominance. According to Euronews, Google lost the appeal against paying the penalty in November 2021.

Following the European Commission incident, the Harvard Business Review reported that data monopoly, or "data-opoly," resulted in lower-quality products with less privacy, created surveillance risks such as covert surveillance, data violations and security breaches, hampered innovation and led to the amassing of wealth within big tech companies.

The U.K. government's Competition and Markets Authority also says algorithms that manipulate consumer choices under the garb of personalization can exclude competitors and lead to algorithmic discrimination or biased AI.

Big Tech Exodus?

Following China's announcement of its new Personal Information Protection Law in September 2021 and its tough stance on cross-border data transfer, The Washington Post reported that global heavyweights LinkedIn and Yahoo had opted to exit the Chinese market.

Bambenek says it seems likely that the new regulation on recommendation algorithms may lead to the same behavior. "China’s money comes with China’s strings. Companies will have to decide if the money is worth the cost. Some will opt out; others may not. Time will tell," he says.

Sander, however, says that Yahoo's retreat was largely symbolic as it hardly had any operations in China. LinkedIn, he adds, failed to gain traction in the country due to criticism over censorship of LinkedIn China. The professional social networking site had been "slapped on the wrist" by the government on a few occasions, according to Sander.

"LinkedIn decided that it simply wasn't worth their while to operate in China. They have opted for changing it into a job search site, which will most probably be a failure because China has enough of those already," he says.

The more the regulation limits profitability and increases complexity, the more likely it will be that companies will pull the plug, according to Sander.


About the Author

Soumik Ghosh


Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24]7.ai. Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.



