Shen Kui & Lao Dongyan | Opinions on "Net Certificate and Net ID"

The Ministry of Public Security and the Cyberspace Administration of China have released the “Measures for the Management of National Network Identity Authentication Public Services (Draft for Soliciting Opinions).” The draft involves a unified network number and network certificate system; it is aimed at protecting personal information but has sparked discussions about privacy rights, real-name systems, and social risks. Professors Shen Kui and Lao Dongyan have expressed their concerns about the system from the perspectives of constitutional and administrative law.

Author | Shen Kui & Lao Dongyan

For readability, this website editor has made appropriate modifications without deviating from the original meaning! It is also declared that this article only represents the authors’ viewpoints, and this website serves only to present it for readers to understand historical truths comprehensively!

Shen Kui’s Opinion

On July 26, 2024, the Ministry of Public Security and the National Internet Information Office jointly released the “Announcement on Soliciting Public Opinions on the ‘Measures for the Management of National Network Identity Authentication Public Services (Draft for Soliciting Opinions)’”, along with the full text of the “Measures for the Management of National Network Identity Authentication Public Services (Draft for Soliciting Opinions)” (hereinafter referred to as the “Measures”) and the “Explanation on Drafting the ‘Measures for the Management of National Network Identity Authentication Public Services (Draft for Soliciting Opinions)’” (hereinafter referred to as the “Explanation”). This seemingly unremarkable draft consisting of only sixteen articles indeed concerns the vitality of the online society. The Ministry of Public Security and the Cyberspace Administration of China’s practice of legislative democratic principles, by openly soliciting opinions from society according to the provisions of the “Legislation Law” and the “Regulations on the Procedures for Formulating Rules,” is commendable. Although I am neither an expert in network technology nor network law, it is from the understanding and cognition of the online world we live in, and from the perspectives of constitutional and administrative law, that I raise concerns and worries about the system the “Measures” hope to establish.

The purpose of the “Measures” has been clearly stated in the “Explanation,” mainly to “establish a national network identity authentication public service platform, form a national network identity authentication public service capability, issue ‘network numbers’ and ‘network certificates’ uniformly to the public, provide real identity registration and verification services based on legal ID card information, achieve the goals of facilitating the use by the public, protecting personal information security, and advancing the network trustworthy identity strategy. Based on national network identity authentication public services (hereinafter referred to as public services), when individuals need to register and verify their real identity information in internet services according to the law, they can voluntarily apply for and use ‘network numbers’ and ‘network certificates’ through the national network identity authentication APP for non-textual registration and verification, without providing textual personal identity information to internet platforms. This can minimize the extent to which internet platforms collect and retain citizens’ personal information beyond the scope of ‘real-name systems.’”

Professor Shen Kui, Peking University Law School

According to this passage, my simple understanding of the practical operation is: Individuals can consider not providing detailed personal identity information to platforms but instead provide their “network number” and “network certificate” obtained from the national network identity authentication platform when receiving services or engaging in related activities on internet platforms, if legal registration and verification of real identity information are required. Intuitively, this “replacement” may yield three benefits:

First, it is beneficial for network users to perform quick and convenient operations in situations where real-name authentication is legally required. This is because Article 5 of the “Measures” stipulates: “According to laws and administrative regulations, when registration and verification of users’ real identity information are required in internet services, network numbers and network certificates can be used for registration and verification according to law.” Of course, this convenience is not very significant; inputting personal identity information is not much more trouble than inputting “network numbers” and “network certificates.”

Second, it is beneficial to reduce the extent to which personal identity information is collected by other network platforms outside the national network identity authentication platform (referred to as “public service platform” in the “Measures”). This is because Article 8 of the “Measures” stipulates: “If an internet platform needs to legally verify users’ real identity information but does not need to retain users’ legal ID card information, the public service platform should only provide the result of user identity verification. According to laws and administrative regulations, if an internet platform does need to obtain and retain users’ legal ID card information, the public service platform should provide it according to the principle of minimization with user authorization or separate consent.”

Third, it is beneficial for maximizing personal information security. This can be reasonably inferred from the above two points because the fewer entities that collect personal identity information, the smaller the possibility of being required to provide information beyond the scope, and the smaller the possibility of information leakage or illegal use by entities that collect and store user information.

From these three benefits, it seems we can simply conclude that this system of “network numbers” and “network certificates” based on personal voluntary application—Article 4, Paragraph 1 of the “Measures” stipulates: Individuals holding valid legal ID documents can voluntarily apply for network numbers and network certificates from the public service platform—is beneficial and feasible. However, there are very few systems in the world that are “all benefits and no harm,” and many systems often have both advantages and disadvantages. When we choose systems, the tricky task is often how to weigh the pros and cons to find a system where the benefits clearly outweigh the drawbacks and which can minimize the drawbacks. Such weighing is typically reflected in the constitutional and administrative law by the principle of proportionality, known as the “emperor principle” in public law.

The complete principle of proportionality has four requirements:

First, the goals that the measures and means taken by public authorities aim to achieve are legal and legitimate;

Second, the measures and means taken by public authorities can indeed achieve the declared goals;

Third, the measures and means taken by public authorities cause minimal damage to the rights and interests of the parties involved;

Fourth, the benefits obtained from the measures and means taken by public authorities are appropriate in relation to their costs, avoiding “using a cannon to shoot a mosquito”: even if the mosquito is shot down, it will be a huge waste.

If any one of these requirements is not met, the measures and means taken by public authorities will not meet the principle of proportionality and will fail the constitutionality/legality review. So, can the unified “network number” and “network certificate” system withstand scrutiny?

From the potential benefits of the unified “network number” and “network certificate” mentioned above, this system meets the first and second requirements of the principle of proportionality. The key lies in the third requirement, which is the damage this system might cause to individuals, whether this damage outweighs the possible benefits, and whether there are other systems that can achieve the same benefits without greater damage.

According to the current provisions of the “Measures,” both individuals’ holding of unified “network numbers” and “network certificates” and network platforms’ access to network identity authentication services are based on voluntariness rather than coercion. Thus, even if the unified “network number” and “network certificate” might bring some harm, it seems to be voluntarily accepted by individuals or network platforms. However, Article 6 of the “Measures” “encourages relevant competent departments and key industries to promote the use of network numbers and network certificates on a voluntary basis,” and Article 7 “encourages internet platforms to voluntarily integrate into public services to support users in using network numbers and network certificates for registration and verification of users’ real identity information.” Usually, under such encouragement and promotion, the use of unified “network numbers” and “network certificates” will become more common and widespread. It is even possible that platforms implementing real-name systems may directly require users to use “network numbers” and “network certificates” for registration, without giving users the choice.

The most worrying damage of the widespread use of unified “network numbers” and “network certificates” is the significant risk it may pose to personal privacy rights and personal autonomy.

In the internet age, personal privacy and autonomy are much harder to protect compared to the pre-internet era. In the past, I could browse and purchase my favorite books at physical bookstores; I could buy newspapers and magazines I liked from street kiosks and cut out pictures of my favorite stars to post on my wall; I could shop, visit stores, and buy cute items from stores that suddenly caught my eye; I could hike and explore parks, mountains, rivers, and lakes on my own, enjoying the beautiful scenery. All of these I could do at my own discretion. Moreover, what books I read, what news I browsed, which stars I liked, what products I bought, and where I went could remain within my privacy unless I told others.

In the internet age, everything is different. I go to physical bookstores much less frequently. Even if I go, I would buy books online if I like any; I hardly subscribe to or buy printed newspapers and journals anymore because various news, including entertainment news, can be browsed online, and pictures of favorite stars can be downloaded to my computer; I still wander through physical stores, but more often shop online; for scenic spots, I will buy tickets online, purchase high-speed rail or plane tickets, and use navigation for self-driving tours. Thus, I can still largely control these activities, and the internet has broadened my horizons and convenience in ways not achieved before. However, the hidden risks and harms are that traces of my activities online are usually retained as data on the service-providing network platforms. Furthermore, online platforms analyze the collected data based on their algorithms to create a “portrait” of me: what books I like, what news I prefer, which celebrities I admire, what clothes I wear, where I like to go, and even deduce my life philosophy and political stance from the books and news I read. Consequently, privacy spaces that were once easier to maintain have been significantly reduced. Moreover, the realization that every action and word on online platforms might be “monitored by the platform” makes me more cautious, reducing the space where I feel I am in control.

However, the development of internet technology seems irreversible. Under this determinism and fatalism, protecting privacy, maintaining autonomy, and preserving individuality—along with the intellectual, action, and innovative vibrancy that comes with such protection—are somewhat guaranteed by the multi-center nature of the online society. When I read on “WeChat Reading,” my reading preferences are only “portrayed” on this platform and not known by others. “WeChat Reading” also doesn’t know my clothing or cosmetic preferences. When I search on Baidu, I can choose not to have Baidu track my search history through settings, although I will lose the benefits of personalized recommendations—optimized browsing time. Even if I allow Baidu to track, only Baidu, not other platforms, gets my data. These hypothetical scenarios could be further elaborated, but it seems unnecessary, as my point is already made: while privacy exposure is inevitable in the digital age, multi-center and commercialized platforms can only access “a part of me,” not “all of me,” so I am not entirely “naked.” Furthermore, laws such as the Civil Code, Data Security Law, and Personal Information Protection Law, as well as AI ethics guidelines, impose clear compliance requirements on commercial platforms to protect personal privacy, personal information, and data security.

However, when unified “Net IDs” and “Net Certificates” are widely used, it is imaginable that when I register on various platforms with these IDs and certificates, all my activities on these platforms could be—though not necessarily—collected by a centralized platform that links “Net IDs” and “Net Certificates” with real personal identity information and then analyzed. Originally, my online existence was “fragmentedly exposed,” but it could easily become “completely exposed” on a centralized platform. This “complete exposure” may not be immediately noticed by me, nor does it necessarily cause real-time harm, but undoubtedly, I will become more cautious because of this exposure risk. I might become reluctant to agree with or oppose certain claims, hesitate to engage in full communication, limit my reading and browsing, and become hesitant to… If such self-restriction and self-binding become widespread, how will the vitality of the digital economy be stimulated, the digital social environment optimized, and the digital cooperation framework established?

In short, the vitality of the digital economy and online society lies in multi-center rather than centralized monopoly. The potential risks and harms of unified “Net IDs” and “Net Certificates” are substantial, while the possible benefits—such as preventing platforms from over-collecting personal information and preventing data leaks—can actually be achieved through existing other systems. Therefore, whether the unified “Net ID” and “Net Certificate” system can pass the proportionality test and the test of digital economic development should be marked with a big question mark and given serious consideration.

Lao Dongyan’s Opinion

Lao Dongyan, Professor at Tsinghua University Law School

The “National Network Identity Authentication Public Service Management Measures (Draft for Comment)” (hereinafter referred to as the “Measures”), jointly drafted by the Ministry of Public Security and the Cyberspace Administration, was officially announced on July 26. It is currently in the public comment phase. Since it is a public consultation, I also wish to publicly express my opinion.

The “Measures” propose to implement a unified Net ID and Net Certificate system. In my view, this measure will bring significant social risks and lacks a clear basis in higher-level laws as a departmental regulation. Compared to the “Public Security Administration Punishment Law (Revised Draft)” issued in September 2023, the social risks are even greater.

First, is the real intention of the “Measures,” as stated by the drafters, to protect personal information, or to strengthen the control over individuals’ online behavior?

After 12 years of online real-name system implementation, over a billion netizens have already left the personal information required for certification with various internet information service providers. In this context, how much practical significance is there in implementing the Net ID and Net Certificate system? The original intention of implementing the online real-name system was to protect the general public. The effectiveness of this protection is evident to all. This implies that the real purpose of implementing the “Measures” is similar to the online real-name system: to control people’s behavior online, and the so-called protection of personal information is merely a smokescreen, at least not the primary objective.

Second, what is the essence of the Net ID and Net Certificate system?

To put it vividly, the Net ID and Net Certificate system is similar to the health code during the pandemic. It follows the same governance approach, just that it regularizes and normalizes the social control that was implemented through the health code. The Net ID system is akin to installing a monitor on every individual’s online activities, making it easy to collect all online traces (including browsing traces). The Net Certificate system means that accessing the internet or using services provided by internet service providers will essentially become a privilege that requires permission. If relevant departments do not provide certification services, individuals will find it difficult to access corresponding internet services, including but not limited to speaking, commenting, and other services.

Appendix: Public Announcement on the Public Consultation of the “National Network Identity Authentication Public Service Management Measures (Draft for Comment)” by the Ministry of Public Security and the Cyberspace Administration

July 26, 2024, 17:00 Source: China Internet Information Center

In order to strengthen the protection of citizens’ personal information, advance and standardize the construction and application of the national network identity authentication public service, and accelerate the implementation of the network trusted identity strategy, according to laws and regulations such as the “Cybersecurity Law of the People’s Republic of China,” “Data Security Law of the People’s Republic of China,” “Personal Information Protection Law of the People’s Republic of China,” and “Anti-Telecom and Internet Fraud Law of the People’s Republic of China,” the Ministry of Public Security and the Cyberspace Administration have drafted the “National Network Identity Authentication Public Service Management Measures (Draft for Comment).” It is now open for public comments. The public can submit opinions and suggestions through the following methods:

  1. Log in to the Ministry of Justice of the People’s Republic of China or China Government Legal Information Network (www.moj.gov.cn, www.chinalaw.gov.cn) and enter the “Legislative Opinion Collection” section on the homepage to submit opinions.

  2. Send opinions via email to: wajfzc@sina.com or zqyj@cac.gov.cn.

  3. Send opinions by mail to: Ministry of Public Security, 14 East Chang’an Street, Dongcheng District, Beijing, 100741, or Cyberspace Administration of China, 11 Chegongzhuang Street, Xicheng District, Beijing, 100044. Please indicate “National Network Identity Authentication Public Service Management Measures Draft for Comment” on the envelope.

The deadline for feedback is August 25, 2024.

July 26, 2024

National Network Identity Authentication Public Service Management Measures (Draft for Comment)

Article 1 To implement the network trusted identity strategy, advance the construction of the national network identity authentication public service, protect citizen identity information security, and promote digital economy development, these measures are formulated based on the “Cybersecurity Law of the People’s Republic of China,” “Data Security Law of the People’s Republic of China,” “Personal Information Protection Law of the People’s Republic of China,” and “Anti-Telecom and Internet Fraud Law of the People’s Republic of China.”

Article 2 The national network identity authentication public service (hereinafter referred to as “public service”) mentioned in these measures refers to the service provided by the national unified network identity authentication public service platform (hereinafter referred to as “public service platform”) based on legal identity document information to natural persons, including applying for Net IDs, Net Certificates, and performing identity verification.

The Net ID mentioned in these measures is a network identity symbol corresponding to personal identity information, composed of letters and numbers without explicit identity information. The Net Certificate is a network identity authentication credential carrying the Net ID and non-explicit personal identity information. Net IDs and Net Certificates can be used for non-explicit registration and verification of real personal identity information in internet services and related departments and industry management.

Article 3 The Ministry of Public Security and the Cyberspace Administration, according to their respective legal responsibilities, are responsible for the supervision and management of national network identity authentication public services, guiding and supervising public service platforms to fulfill data security and personal information protection obligations according to law.

Departments of civil affairs, culture and tourism, radio and television, health, railways, postal services, and others, within their respective responsibilities and according to these measures and relevant laws and regulations, are responsible for promoting and supervising the application of national network identity authentication public services.

Article 4 Natural persons holding valid legal identity documents may voluntarily apply for Net IDs and Net Certificates from the public service platform.

Natural persons under fourteen years old who need to apply for Net IDs and Net Certificates should obtain consent from their parents or other guardians, and the application should be made by the parents or guardians.

Natural persons aged fourteen but under eighteen who need to apply for Net IDs and Net Certificates should do so under the supervision of their parents or other guardians.

Article 5
According to the provisions of laws and administrative regulations, when real identity information needs to be registered or verified in internet services, Net ID and Net Certificate can be used for registration and verification in accordance with the law.

Natural persons under the age of fourteen using Net ID and Net Certificate for real identity registration and verification must obtain the consent of their parents or other guardians.

Article 6
Relevant authorities and key industries are encouraged to promote the use of Net ID and Net Certificate on a voluntary basis to provide users with secure and convenient identity registration and verification services, fostering a network identity authentication application ecosystem through public services.

Article 7
Internet platforms are encouraged to connect to public services on a voluntary basis to support users in using Net ID and Net Certificate for real identity registration and verification, and to fulfill their obligations for personal information protection and real identity verification.

After connecting to public services, internet platforms must not require users who choose to use Net ID and Net Certificate for identity registration and verification and have passed verification to provide additional plaintext identity information, except as required by laws, administrative regulations, or if users agree to provide it.

Internet platforms must ensure that users using Net ID and Net Certificate receive the same services as other users.

Article 8
When internet platforms need to verify users’ real identity information according to law but do not need to retain users’ statutory identification document information, public service platforms should only provide the result of the identity verification.

According to laws and administrative regulations, if internet platforms must obtain and retain users’ statutory identification document information, this can be done with user authorization or separate consent, and public service platforms should provide it according to the principle of minimization.

Without separate consent from the individual, internet platforms must not handle or disclose related data and information, unless otherwise stipulated by laws or administrative regulations.

Article 9
Public service platforms handling personal information must not exceed the scope and limits necessary for providing services such as issuing Net ID, Net Certificate, and performing identity verification. They must fulfill the obligation to inform individuals and obtain their consent when providing public services. Sensitive personal information must be handled with separate consent from individuals, and if laws or administrative regulations require written consent, those regulations must be followed.

Without separate consent from the individual, public service platforms must not handle or disclose related data and information, unless otherwise stipulated by laws or administrative regulations.

Public service platforms must delete users’ personal information promptly as required by laws, administrative regulations, or user requests.

Article 10
Before processing users’ personal information, public service platforms should inform users of the following matters in a prominent, clear, and understandable manner through written forms such as user agreements:

  1. The name and contact information of the public service platform;
  2. The purpose, method, types, and retention period of processing users’ personal information;
  3. The methods and procedures for users to exercise their rights related to personal information;
  4. Other matters that should be disclosed according to laws and administrative regulations.

When handling sensitive personal information, the necessity and impact on personal rights should also be disclosed, except where otherwise specified by laws or administrative regulations.

Article 11
Public service platforms may not disclose the matters specified in the first paragraph of the previous article if there are legal or regulatory requirements for confidentiality or non-disclosure.

In emergency situations where it is not possible to inform individuals in a timely manner to protect their life, health, and property, public service platforms should notify them promptly after the emergency is resolved.

Article 12
Public service platforms must strengthen data security and personal information protection by establishing and implementing security management systems and technical protection measures in accordance with the law.

Article 13
Public service platforms involved in encryption should comply with national encryption management requirements.

Article 14
Violations of the provisions in Article 7, Paragraph 2; Article 8; Article 9; Article 10; and Article 12 of these measures, which should be legally accountable according to the “Cybersecurity Law of the People’s Republic of China,” the “Data Security Law of the People’s Republic of China,” and the “Personal Information Protection Law of the People’s Republic of China,” will be punished by the Ministry of Public Security and the National Internet Information Office within their respective responsibilities; criminal liability will be pursued if crimes are constituted.

Article 15
The statutory identification documents referred to in these measures include resident identity cards, passports of Chinese citizens residing abroad, permits for travel to Hong Kong and Macau, permits for Hong Kong and Macau residents to travel to the mainland, permits for Taiwan residents to travel to the mainland, Hong Kong and Macau resident permits, Taiwan resident permits, and foreigner permanent residence identity cards.

Article 16
These measures shall come into effect on [Year] [Month] [Day].

Explanation on Drafting the “National Network Identity Authentication Public Service Management Measures (Draft for Comments)”

  1. Necessity of Drafting

To fully implement the relevant provisions on the national network trusted identity strategy, promotion of network identity authentication public services, and other related regulations in the “Cybersecurity Law of the People’s Republic of China,” the “Data Security Law of the People’s Republic of China,” the “Personal Information Protection Law of the People’s Republic of China,” and the “Anti-Telecom and Online Fraud Law of the People’s Republic of China,” the country organizes the construction of network identity authentication public service infrastructure. The aim is to establish a national network identity authentication public service platform, provide unified “Net ID” and “Net Certificate” issuance to the public, and offer real identity registration and verification services based on statutory identification documents, achieving the goals of facilitating public use, protecting personal information security, and advancing the trusted network identity strategy. Based on the national network identity authentication public service (hereinafter referred to as public service), when natural persons need to register or verify their real identity information in internet services according to the law, they may voluntarily apply for and use “Net ID” and “Net Certificate” through the national network identity authentication APP for non-plaintext registration and verification, without providing plaintext personal identity information to internet platforms. 
This can minimize the collection and retention of personal information by internet platforms under the pretext of implementing “real-name system.” To further strengthen personal information protection and regulate the operation management of public services, the Ministry of Public Security, the National Internet Information Office, and other relevant departments have conducted thorough research and drafted the “National Network Identity Authentication Public Service Management Measures (Draft for Comments)” (hereinafter referred to as “Management Measures”).

  2. Main Content

The “Management Measures” consist of 16 articles, covering four main areas: First, defining the concepts of public services and “Net ID” and “Net Certificate”; second, clarifying the usage methods and scenarios of public services; third, emphasizing the data and personal information protection obligations of public service platforms and internet platforms; fourth, specifying the legal responsibilities for violations of data and personal information protection obligations by public service platforms and internet platforms.

  3. Main Considerations

The “Management Measures” clarify the method of network identity authentication using “Net ID” and “Net Certificate” based on the “Cybersecurity Law of the People’s Republic of China,” the “Data Security Law of the People’s Republic of China,” the “Personal Information Protection Law of the People’s Republic of China,” and the “Anti-Telecom and Online Fraud Law of the People’s Republic of China,” and stipulate the conditions for obtaining “Net ID” and “Net Certificate,” usage scenarios of public services, scope of statutory identification documents, and obligations for data and personal information security protection. Additionally, it makes special provisions for minors’ application and use of public services in accordance with the “Personal Information Protection Law of the People’s Republic of China” and “Regulations on the Protection of Minors Online.”

The “Management Measures” encourage internet platforms to connect to public services and support users in using “Net ID” and “Net Certificate” for real identity registration and verification as a way to fulfill their legal obligations for user real identity verification and personal information protection. For users who voluntarily choose to use “Net ID” and “Net Certificate,” internet platforms must not require additional plaintext identity information, except where laws and regulations specifically stipulate or users consent, to minimize the collection and retention of personal information by internet platforms under the guise of implementing “real-name system.”

The “Management Measures” strictly follow the provisions of higher laws such as the “Personal Information Protection Law of the People’s Republic of China” to fully protect users’ personal information rights. It specifies the “minimization and necessity principle” for collecting personal information by public service platforms, which means that personal information must not exceed the scope and limits necessary for providing “Net ID” and “Net Certificate” related services. It also clarifies the obligations for explaining, informing, and protecting data when handling users’ personal information, ensuring users’ rights to know, choose, and delete their personal information.

The “Management Measures” stipulate the “minimization provision principle” and legal handling requirements for identity verification result information. For cases where identity verification is legally required but retention of statutory identification document information is not necessary, public service platforms should only provide verification results to internet platforms. For cases where obtaining and retaining statutory identification document information is legally required, public service platforms should provide necessary, relevant plaintext information to internet platforms according to the “minimization principle” with user separate consent.


