Russia and China have moved to outlaw Virtual Private Networks (VPNs), systems which create private networks across the internet to allow secure access between computers in disparate locations. In the wake of a new cybersecurity law, China compelled Apple to remove non-licensed VPN services from its app store, while in Russia a complete ban will come into force in November this year. These systems have numerous benefits; they also allow access to the unfiltered internet, as if one were in the United States or EU, in countries that that censor or limit their internet. These governments are increasingly concerned with monitoring and regulating the information and services available to their citizens, making VPNs an obvious target.
Multinationals rely on VPN services to keep their employees securely connected to their organisation and the outside world. The immediate operational worry for affected companies is maintaining access to business information and services that enable collaboration; for instance, China’s “Great Firewall” prevents access to Dropbox, Google services (including Gmail and Docs) and a range of foreign news and social media websites. In China, a handful of licensed VPNs are still legal and available, but they are mostly operated by state-owned companies and are legally required to record the identities of their users. While regulations specify that businesses can use VPNs, popular providers that many multinationals rely on have been shut down this year. Analysts believe that this is part of a wider push to control the information diet of Chinese citizens in the run up to the Chinese Communist Party’s conference in autumn.
The regulatory tightening presents compliance risks on top of immediate operational concerns. VPNs encrypt data, effectively forming a secure “tunnel” to prevent interception by internet providers in the host country. Without the security provided by VPNs, data confidentiality becomes a greater challenge due to the risk of exposure, either to the governments regulating the traffic or to malicious actors. Weakening privacy and security in one jurisdiction for compliance purposes can expose a multinational to legal action in another.
Governments are demanding greater control and access to private internet traffic across the globe. Russia’s VPN ban compounds existing filters on “extremist” content, while Tanzania has jailed citizens for WhatsApp conversations criticising the president. Western democracies are not immune either; motivated by fears of terrorism and fake news campaigns, the EU is evaluating additional regulation of internet providers. The UK is considering mandating vulnerabilities into encryption protocols: Home Secretary Amber Rudd has threatened technology companies with adverse legislation if they continue to provide end to end encryption services. These restrictions, if implemented, are unlikely to be rolled back, and will affect businesses along with individuals, as in China.
The diversification of internet regulations will place greater demands on multinationals seeking to maintain cybersecurity and compliance across jurisdictions. In the longer term, this risks a more fragmented, balkanised internet that is less able to facilitate the sharing of information on a global scale. Surveys suggest that China’s severe internet restrictions are constraining the revenues of businesses operating there. As global connectivity and access to data is set to underpin the so-called fourth industrial revolution, other governments may come to regret emulating the Chinese model.
Shaun Rein, managing director of China Market Research, said multinationals’ biggest concern was “that there’s a lack of good internet in China, so they cannot make the right business decisions”. Almost half the respondents to a European Chamber business survey in May said tightened control of the internet was having a bigger impact on their business this year than in previous years. More than a fifth said restrictions had cost them 10 per cent or more of their annual revenue in China.