The Biden administration has launched an investigation into China Mobile, China Telecom, and China Unicom over concerns that these firms could exploit their access to American data through their U.S. cloud and internet businesses. The Commerce Department, which is conducting the investigation, has issued subpoenas and completed risk-based analyses of China Mobile and China Telecom, though the probe into China Unicom is less advanced. The investigation underscores growing fears that these companies could transfer sensitive U.S. data to Beijing.
Background of the Investigation
According to sources familiar with the matter, this investigation, which has not been previously reported, aims to assess the risk these state-backed companies pose to American data security. Despite being barred from providing telephone and retail internet services in the U.S., these companies still have a small presence, offering cloud services and routing wholesale U.S. internet traffic, thereby accessing Americans’ data.
Responses from Stakeholders
While the Chinese companies and their U.S.-based legal representatives did not respond to requests for comment, the Chinese Embassy in Washington expressed hopes that the U.S. would cease “suppressing Chinese companies under false pretexts.” The Justice Department declined to comment, and the White House referred questions to the Commerce Department, which also declined to comment. Reuters found no evidence that these companies intentionally provided sensitive U.S. data to the Chinese government.
Broader Implications and National Security Concerns
This investigation is part of Washington’s broader effort to prevent Beijing from exploiting Chinese firms’ access to U.S. data for national security purposes. As tensions between the U.S. and China escalate, this probe aims to close any remaining avenues for Chinese companies to access American data. Regulators, equipped with the authority to investigate internet services from “foreign adversary” nations, could potentially block transactions that allow these companies to operate in U.S. data centers and route data for internet providers.
Historical Context and Previous Actions
China Telecom, China Mobile, and China Unicom have long been under scrutiny in Washington. The FCC denied China Mobile’s application to provide telephone service in 2019 and revoked the licenses of China Telecom and China Unicom in 2021 and 2022, respectively. In April, the FCC went further, barring these companies from providing broadband service. The agency cited numerous instances where China Telecom misrouted internet traffic through China, posing risks of interception and manipulation.
Detailed Analysis of Risks
According to the FCC, China Telecom‘s U.S. operations provide opportunities for Chinese government-sponsored actors to disrupt and misroute U.S. data. The company, which has eight American Points of Presence (PoPs) that sit at internet exchange points, can potentially access and manipulate data flowing through these connections. These PoPs are critical nodes where large-scale networks connect and share routing information.
Bill Woodcock, executive director of Packet Clearing House, noted that traffic passing through these PoPs is vulnerable to metadata analysis and deep packet inspection, which can capture key information about the data’s origin, destination, size, and timing. It might also allow for decryption, exposing the contents of the data.
Focus on Cloud Services
The Commerce Department’s investigation also scrutinizes the companies’ U.S. cloud offerings. The probe, initially prompted by a 2020 referral from the Justice Department, expanded to include PoPs and China Unicom. Regulators are particularly concerned about one data center in Silicon Valley, part-owned by China Mobile, which could offer greater opportunities for data exploitation.
Potential Outcomes and Future Steps
The investigation highlights the potential risks associated with Chinese ownership of U.S.-based data centers. Bert Hubert, a Dutch cloud computing expert, explained that owning a data center allows for easier manipulation of client data, such as installing backdoors for remote access or bypassing encryption.
As the investigation progresses, U.S. regulators have not yet decided how to address the potential threats. However, blocking key transactions could significantly impair the ability of these Chinese firms to offer competitive cloud and internet services in the U.S., effectively crippling their remaining businesses.
Conclusion
The ongoing investigation into China Telecom, China Mobile, and China Unicom underscores the U.S. government’s determination to protect national security by scrutinizing the data practices of foreign adversaries. As the geopolitical tech war between the U.S. and China deepens, the outcomes of this probe could set important precedents for international data security and the regulation of foreign-owned internet and cloud services in the United States.
