Beijing's online ID initiative ignites debate
"I'm from the government and I'm here to help": security vs privacy
Every Chinese citizen is assigned a national ID, an 18-digit identifier unique to each individual. This ID is used for various services such as opening bank accounts and purchasing train tickets, and, since the 2017 enactment of the Cybersecurity Law, is also required for accessing internet services in most cases indirectly, such as via a mobile phone number which is also mandated to be based on the ID.
Until now, individual, non-state companies managing all kinds of online platforms have been burdened by the government in verifying the identity of their users. However, on July 26, China's Ministry of Public Security and the Cyberspace Administration released the Management Measures for the National Online ID Verification Public Service (Draft for Comments) [an English translation is available on China Law Translate]. This draft proposes the establishment of a "National Online ID Verification Public Service," presenting an alternative to the existing ID verification mechanism by offering a state solution for anyone who, at least according to the draft, WANTS it.
According to the draft, individuals can voluntarily apply for "online IDs," digital tokens linked to their national ID, and "online credentials," authentication certificates containing these IDs and other personal information via a state-issued mobile app. This allows individuals to submit these state-run alternatives, instead of directly identifiable personal information such as mobile phone numbers, to internet platforms.
The government says it is here to help because the existing method of verifying ID is redundant and risky. Its theory goes that a user has to submit their ID info multiple times to different sites and the decentralized storage of personal information across these sites are not ideal. It would be better, Beijing says, that everyone now has an additional option by submitting the state-run online IDs, which are unidentifiable to third parties, to the internet platforms, so that they don’t have to surrender mobile phone numbers.
To rephrase, because the link between online IDs/credentials and national IDs is only known to the state and the individual, so third parties such as a shopping site wouldn’t have to know other personal details such as cellphone numbers, minimizing the possibility of privacy being leaked or stolen.
The draft for comments has sparked intense controversy. Opponents have widely criticized the draft, including by publicly questioning if the option would evolve to be mandatory, meaning years down the road everyone in China will have to get an online ID/certificate to access all online services. On the critical side is Zhao Hong, Associate Professor with Tenure at Peking University Law School, who argues that the policy would amount to a form of "licensing internet access."
On the other side, through an interview published by Xinhua, the state news agency, the Chinese government has paraded researchers from think tanks affiliated with the Ministry of Public Security and the National Development and Reform Commission to say the critics are overthinking.
We parallel the two opposing sides' arguments below. During our editing process, the original Chinese text of Zhao’s opinion disappeared, likely due to censorship.
First, on whether centralized, state-run ID verification is more secure than decentralized ID verification by internet platforms, Zhao argues:
In reality, both private entities and the state are prone to excessive personal data collection, misuse of personal information, and even data manipulation or surveillance of individuals. This is why both China's Civil Code and Personal Information Protection Law explicitly state that organizations and individuals must not unlawfully collect, use, process, or transfer the personal information of others; must not unlawfully buy, sell, provide, or disclose others' personal information. "Organizations" referred to here also encompass "state agencies."
Moreover, the Personal Information Protection Law treats private entities and state agencies alike, requiring both to fulfill their obligations in protecting personal information and respecting the boundaries as information processors and collectors. More importantly, when the state, instead of private entities, is the collector and processor of information, individuals may find themselves with fewer means to refuse or defend themselves, a reality that has been repeatedly demonstrated.
Therefore, the assumption that state-led unified collection and verification is inherently more secure and reliable than that by private companies—based solely on information security concerns—may not be justified. In many cases, state agencies may perform worse rather than better than private entities.
The Xinhua interview, on the other hand, not only validates the legitimacy of the draft:
Article 24 of the Cybersecurity Law states that "the State implements a network identity credibility strategy," clearly defining the concept of trusted network identities.
Article 62 of the Personal Information Protection Law stipulates, "support research and development and spread the use of secure and convenient electronic identity confirmation technologies; and advance the construction of public services for online identity confirmation." This clearly outlines the establishment of online ID verification public services at the national level.
Article 33 of the Anti-Telecom and Online Fraud Law stipulates that "the state promotes the development of the public service of online identity authentication and supports the voluntary use of this service by individuals and enterprises. Telecommunications business operators, banking institutions, non-banking payment institutions, and Internet service providers may reverify users' identity through the national online network identity authentication service once discovering abnormal telephone cards, bank accounts, payment accounts, or Internet accounts suspected of being involved in fraud," which establishes the role of the national network identity authentication public service in combating telecom and online fraud.
but also asserts state action as superior to that of private internet platforms in protecting information rights, because it doesn’t ask for new information from individuals
Traditional identity verification methods used by internet platforms typically involve a long chain from front-end data collection to back-end storage, with many stages and a complex transmission environment. This makes ensuring the security of personal information challenging, and data breaches occur from time to time.
…
The National Online Identification Authentication Public Service operates by remotely verifying user identities based on the national population database, which contains information already held by the government. During the process of applying for and using online IDs or certificates, the service collects only the information necessary for identity verification, following the principle of "minimum necessity."…When users delete their online IDs or online credentials, all related personal information is removed. Furthermore, the state will employ robust technological measures to ensure the security of this information.
Second, Zhao is deeply concerned that the issuance of online IDs and online credentials by state agencies will restrict the freedom of the public to access the internet:
From the perspective of administrative law, if an individual needs to obtain a "certificate" to engage in certain behaviors or activities, it means that the state has already intervened in these matters and is regulating them through permission, approval, and other means. Of course, the purpose of regulation is to protect the public interest, but from the legal perspective, the simple "public interest purpose" does not justify the legitimacy or rationality of all forms of intervention. Here, it is crucial to assess whether such intervention and regulation impose excessive or improper restrictions on individual freedom.
Imagine if, with extensive promotion by state agencies such as for civil affairs, culture and tourism, radio and television, health, railways, and post—as well as key internet industries—the adoption of online IDs and online credentials may well become less of a "voluntary" choice, as described in the Draft for Comments, and more of a requirement individuals must comply with to access internet services. This would strongly interfere with individuals' internet freedom.
The essence of internet freedom lies in the freedom of speech exercised by the public through the medium and tools provided by internet platforms. In other words, the internet serves as a context, but its core is individuals' expressed, exchanged, and disseminated views. Compared with traditional media, the internet allows for more open expression, as the key lies in the anonymity and secrecy it affords users. While anonymity can indeed lead to disorder in the online space, it also protects people with different views, enabling them to voice their opinions in a relatively safe environment.
Issuing online IDs and online credentials following identity verification effectively binds all browsing, communication, and speech on the internet to individuals' real identities, eliminating anonymity and secrecy. Once anonymity is removed, the public will likely become more cautious in their speech and actions, fearing later accountability. While this may lead to a more orderly online environment, the chilling effect and the resulting damage to free speech is deeply concerning.
…
Therefore, in the face of the complexities of the internet, it may be better to foster a tolerant environment for public opinion, where the state's primary responsibility is to uphold respect and restraint, rather than resorting to frequent, heavy-handed intervention. After all, social order cannot be sustained through intimidation and punishment alone. As Justice Louis Brandeis said, "The path of safety lies in the opportunity to discuss freely supposed grievances and proposed remedies."
According to the Xinhua interview:
Yu Rui, a senior director at the First Research Institute of the Ministry of Public Security, explained that users' participation in the National Online ID Verification Public Service is entirely voluntary. Users can voluntarily download the national online ID verification app and apply for identity authentication, and there is no coercion or requirement to use it. Regarding the promotion of this public service, internet companies and various institutions can choose to adopt it voluntarily, using it as an alternative rather than the sole option, while maintaining other existing verification methods.
…
Yu Rui explained: "It's not 'licensing internet access.' Instead, users will have a more secure and convenient option when identity verification is required, without repeatedly providing their explicit personal information to different platforms. The traditional identity verification methods remain available, and users can still browse the internet without online IDs or online credentials."
A question also arises around the end of the draft management measures—facilitating the implementation of the internet real-name system. Zhao argues:
The real-name system will always be a double-edged sword. It may create a more orderly and secure online environment, but it also inhibits freedom of thought and expression, leading to the loss and decay of diverse information and opinions. When thought, hope, and imagination are constrained, it inevitably creates greater prejudice and polarization, leading to more danger.
In past discussions on the internet real-name system, many legal scholars have voiced opposition to the one-dimensional focus, i.e. the pursuit of real names for everybody to create a clean online space. While this governance model may have a legitimate purpose, it achieves this aim by supporting one value while suppressing another. This one-dimensional pursuit not only undermines the law's fundamental role of balancing competing values but also risks falling into the pitfall of fighting violence with violence.
In this context, concerns about the state's unified issuance of online IDs and online credentials are, in essence, concerns about the imposition of a comprehensive internet real-name system.
…
When it comes to cyberspace governance, both governments and individuals may need to temper the ultimate pursuit of "order" and "security." The free flow of information is bound to carry some loss of control and harm, but attempting to shackle all rights in order to avoid such risks or even giving up freedom for security amounts to the folly of "giving up eating for fear of choking."
The Xinhua interview makes it clear that part of the government’s motivation is economic. Beijing says the new measure will help individuals establish their own data assets.
Data are the key and core of developing the digital economy, and the active flow of data elements relies on clear data ownership, which in turn is based on confirmation of personal identity. Li Xinyou, senior director at the State Information Center of China, said that with the National Online ID Verification Public Service, individuals can effectively establish and authorize their data ownership, thereby creating and solidifying their own data assets. This process facilitates the orderly flow and appreciation of data, contributing to the development of the digital economy.
In the era of the digital economy, trust is the foundation. According to Li Xinyou, the national online ID verification service provides more reliable identity verification for online transactions and services, reducing economic losses caused by identity theft and improving the business environment by enhancing online credibility. Furthermore, by offering ID verification services, the state helps companies reduce costs and increase efficiency, enabling them to focus more on improving product quality and user experience, thus driving the sustainable and healthy growth of the internet industry and digital economy.
Li Xinyou emphasized that establishing a trusted digital identity system is a widely adopted practice globally and a key strategy for advancing the digital economy. The European Union's eID, Singapore's SingPass, and India's Aadhaar have all developed into robust digital identity systems, each with unique characteristics. Their experiences are worth learning from.
Finally, the not-so-pleasant prospect that the unified issuance of online IDs and online credentials by state agencies could pave the way for state surveillance and manipulation of personal data as well as expanded punishment and accountability. As Zhao writes:
One key justification given in the Draft for Comments for the state's unified issuance of online IDs and online credentials is to protect personal information security. However, when the responsibility for collecting and processing information shifts from private internet platforms to state agencies, individuals may find themselves more vulnerable to data surveillance and manipulation on the grounds of data collection. In the digital era, people often feel as though they are living in a "panoramic electronic prison," constantly observed by those processing their data. After extensive information collection, these processors can not only construct detailed personal profiles but also use the information to manipulate personal behavior and decisions.
If state agencies take over as the information processor, it may also increase the risk of expanded punishment and accountability. A significant portion of actions subject to administrative or criminal penalties occurs online, and once state agencies have easy access to individuals' "online whereabouts," it becomes much easier for administrative and judicial bodies to hold individuals accountable. The mechanisms designed to constrain state power and protect individual rights, which are meant to accompany punishments, could be more easily bypassed.
In the Xinhua interview, the public is reassured that the implementation of online IDs and credentials will respect individuals' personal privacy while also helping the fight against illegal online activities:
The implementation of online IDs and online credentials aims to reduce the collection of personal identity information such as names, ID numbers, and facial data by internet platforms, enabling citizens' identity information to be "usable but not visible."
Telecommunications business operators, banking institutions, non-banking payment institutions, and Internet service providers can use the National Online ID Verification Public Service to dynamically verify the identities of suspicious accounts, such as those involved in fraud. This approach minimizes the occurrence of "real-name registration without real-person verification," raising the barriers and costs for engaging in illegal activities online.