Sesamedisk by NiHao Cloud is GDPR Compliant

Disclaimer: This post does not serve as legal advice and should be considered only as guidelines in your GDPR or China cyber-security planning. You should work with your legal counsel to make the right decisions based on your business needs and circumstances.

What is GDPR?

General Data Privacy Regulation, or GDPR, takes effect on May 25, 2018. The legislation will have a big impact on the way marketers approach their work and the way organizations obtain, store, manage or process the personal data of EU citizens. Even though NiHao Cloud stores its user data outside of the EU, the new law still applies to us, and thus our services comply with GDPR regulations.

How we keep your data safe

Data security has always been the top priority for Sesamedisk by NiHao Cloud. When designing, deploying and maintaining our network, services and applications, we strive to offer solutions that meet the industry’s strictest privacy regulations. Here is how we are compliant with GDPR:

1. Infrastructure:

We chose the biggest and most secure hosting partner, AWS (Amazon Web Services), to set up the Sesamedisk by NiHao Cloud platform. We ensure maximum security of your personal data by using AWS tools and services in the areas that are applicable to Sesamedisk by NiHao Cloud. Your data is secured by AWS and its GDPR-ready compliance certificates. Learn more on how Amazon AWS helps us conform to GDPR:

2. Sesamedisk by NiHao Cloud Service:

Sesamedisk by NiHao Cloud only collects the data essential to providing professional services to our users/customers. This includes user ID/name, email address, device type & IP. This data can be seen by every organization administrator, as required by GDPR.

When users delete their accounts from Sesamedisk by NiHao Cloud and unsubscribe from marketing mailing lists, we do not keep email addresses and you will not receive any more communications from us.

3. List of Vendors

Sesamedisk by NiHao Cloud has carefully chosen 3rd party marketing and support vendors that comply with GDPR.

  • Sesamedisk & NiHao Cloud Websites: Based on current tech that is compliant with GDPR.
  • Sesamedisk by NiHao Cloud Support & Chat: We use the support & chat system provided by Zendesk. Learn more about how they abide by GDPR on their website.
  • Sesamedisk by NiHao Cloud Mailing Notifications: NiHao Cloud uses Drip to send important service notifications and educational or promotional emails. Learn more on how Drip conforms to GDPR via their website.

Recommended Resources

Below are a few links for you to assess your own company policies regarding general data collection:

Read the official guidelines here.

This Hubspot post is a good “in normal English” summary of what GDPR means for online marketing.

This post goes deeper into what compliance means under different scenarios, specifically for marketing automation.


IP loss in China

IP loss in China; 6 most common mistakes SMEs & entrepreneurs make.

This article is about the IP loss landscape in mainland China.

At Sesame Disk/Nihao Cloud one of our main goals is to keep the information safe at all times. We provide a secure storage system among other services. Check us out for free.

6 most common mistakes SMEs & entrepreneurs make that result in IP loss in China:

1. Understanding the IP Legal Landscape.

Many of the “complaints” are made by senior executives who do not actually understand the complexities of IP, nor the mistakes their own companies may have made in protecting it. For example, filing a weak patent application or failing to register their IP at all (an all-too-common mistake)*

2. Not preparing the way in advance.

Dan Harris, a well-known IPR lawyer in China, states in his article Protect Your IP From China: It Is Possible? that your IP has value, and if it can be copied with minimum effort, it will be copied. You must, therefore, prepare for this reality in advance.

3. Believing that since the company has done what is necessary to secure its rights in North America and Europe, there is nothing special they need to do in China. This is a BIG mistake.

When we asked former lawyer Dan Harris what the most common mistake regarding IP loss in China is, apart from legal issues, he answered that the biggest and most frequent mistake lawyers see is on the IT side, where foreign companies/start-ups hire a bunch of people in China to write code. These foreign companies do not form a company in China and do not hire coders as employees. In other words, everything these companies do is illegal. Then, years later when the software is done, Chinese partners just walk off with it and there is nothing the foreign company can do about it because the entire operation was illegal in the first place.

4. Not knowing how to keep your trade secrets safe.

Firstly, what is considered a Trade Secret in China?

In China, a trade secret is any non-public information with actual or potential commercial value which is guarded by confidentiality measures. In order for the information to be a trade secret, it must:

  • Be non-public – it must not be known by the general public or by competitors;
  • Have actual or potential commercial value – it must give the owner a competitive advantage or be capable of generating economic benefit;
  • Be guarded by confidentiality measures – the owner must take reasonable measures to protect the confidentiality of the information.

It is information that your competitors would want to know and would give them a commercial advantage.

Trade secrets may include recipes or formulas, know-how, the status of products or services under development, valuable business information such as customer lists, cost and price information, suppliers and contractors, contract terms, marketing strategy and plans, etc.

What you need to know about Trade Secrets in Mainland China:

China, like most other countries, provides a legal framework for the protection of trade secrets, and the law provides for remedies in the case that your trade secrets are unlawfully disclosed. Unlike some other forms of IP rights such as patents and copyrights that have a finite term, trade secrets can theoretically enjoy an infinite term of protection as long as the trade secret remains just that – a secret. However, once the information becomes public information, it no longer enjoys any legal protection. As a result, prevention is the golden rule when it comes to protecting your trade secrets, because once the secret is out, there is usually very little that can be done. Keeping trade secrets safe involves using a combination of physical, technical and contractual barriers.

“Many firms choose to keep their competitive edge by opting not to patent their inventions and trying instead to keep them as trade secrets”

5. Not adopting preventive measures to protect against IP loss.

The US-China Business Council has some great tips on adopting preventive measures and best practices for IP protection in China.

Most important points would include:

  • Register your IP in China.
  • Utilize information technology tools to track and protect information: Consider tracking data flows and employee file transfers (both paper and electronic), and engage internal stakeholders such as the human resources department in early conversations about developing and implementing policies that monitor employees in this manner.
  • Closely monitor or prohibit the use of flash disks, portable hard drives, laptops, cell phone cameras, and other devices that could be used to capture and transmit sensitive information.
  • Establish IT mechanisms to limit employee access to sensitive information, such as separate computer terminals or specialized passwords.

6. Underestimating the importance of proper IT systems to protect against IP loss in China.

Bigger companies have their own established IT teams overseas that may or may not be familiar with IT challenges in China, especially with the GFW (the Great Firewall of China). In the article How to choose a right IT company in China, we discuss more closely what every SME should look for when setting up their new IT infrastructure in China.

According to Niels-Uwe Behrens, an IT expert long established in the Chinese IT sector, underestimating the importance of the role of IT in IP protection is a very common mistake:

“I have been working in IT in China for more than 20 years, but it never stops surprising me how many companies have completely unsecured and open IT systems.”

We asked Niels about the current state of IT security awareness in China:

In my experience, I would say that roughly 80% of SMEs in China have at least one or more security issues that could be breached by amateur opportunistic hackers. But in most cases it is not the hackers to be worried about, even though 50-80% of the world’s IP hacks are traced back to China.

In my experience, there are 2 types of SMEs in China: The first type takes security seriously, their IT is set up properly and in a secure way, and their corporate culture prevents any IP leaks.

The second type is less concerned and chooses not to pay much attention to a proper IT set-up since it works as it is. These companies usually adopt the attitude of “real hackers go after big corporations, not small SMEs like us” or “we don’t have any data of such importance that we should encrypt and be overly concerned about security”.

When we think of IP theft we all tend to imagine that there must be some secret hacker organizations that go inside server rooms and steal secret data in an action-movie-like fashion. But in reality, everything is much simpler than that. In most cases, especially in China, most trade secrets are stolen by employees, former or current, who have access to corporate emails or even a data server on their personal laptops. In most cases these laptops are not encrypted and can be easily stolen or hacked. Once someone has access to your corporate email or access to the main server, all your important data are at risk of getting out in the open.

These kinds of data leaks can and will be used to publish your trade secrets or even out-compete your business. Eventually, this event will be registered as one of the IP theft cases that have been growing ever since 2005.

Civil courts IP cases US vs China

In China, employee fluctuation can sometimes reach up to 75% annually; therefore, the tendency for data leakage is very high. In Chinese mentality, it is very common that once employees get fired, they feel some sort of ownership of the work they have been doing for the company, and sometimes even devices like laptops or computers are taken from the workspace. It is also very common that entire databases are copied to USB flash drives and later used to start new businesses and compete with a former employer.

For security reasons, bigger foreign companies tend not to use Chinese social media, such as WeChat, Baidu Cloud or QQ, for file sharing or chatting, since these are constantly monitored by the Chinese government. It is better to keep your most important IP and communications isolated securely on your own private server, maintained by yourself or a trusted third party.

Insider IP theft

To maintain safe and reliable IT systems, many SMEs are turning to managed service arrangements. From an HR point of view, it is much cheaper and more effective to outsource most of the technology hassles to dedicated foreign IT experts, rather than looking for their own IT specialists. For an economical monthly fee, these SMEs get a whole IT team responsible for maintaining and updating their systems with the latest security patches.

Regardless of your approach to IT security, keep in mind that organizations are increasingly dependent on technology, and it is, therefore, important to be as proactive as possible to keep technologies up to date and secure important data from both external and internal threats that tend to increase every year.

Do you have a story about China IP loss? Please share your experience in the comments below.


GFW; How does it work?

Chinese Great wall inspired the GFW.

The GFW, or the Great Firewall of the Chinese Mainland, is the subject of this article: the basics you need to understand and how it works. After reading this you should be able to have a discussion about it or continue with deeper research on how to avoid colliding with it head on.

In this article, I would like to explain how the Chinese Mainland controls its Internet.

As I would call it, Chinese Mainland is running a “Mainland Intranet” which is protected by The Great Firewall of China (GFW).

At Sesame Disk / Nihao Cloud we have had a long history of dealing with this “Beast” called the GFW. Give us a try.

Mini Office Firewall

We can compare this with your office or home, where your router protects your computers. The router has local “parental”-like settings that give access to the Internet but also control or block websites with possibly harmful content for your kids. That’s how some companies block Facebook during office hours as well.

Bigger Router- Bigger Wall

The GFW works similarly but on a much larger scale. Instead of just dealing with your small office, the GFW filters all the traffic going in and out of the Chinese Mainland.

I will explain how Internet traffic works in a short and simple way, and no, you don’t need to be a geek to understand it.

Understanding Internet Traffic Rules

Cities in China

So how does an actual e-mail get sent or received over the Internet? How can we browse websites or stream movies?

For the data to travel fast back and forth, it has to follow Internet traffic rules. Using these rules, all the data gets delivered in little IP packets. So let’s imagine we want to look at a funny cat video on Youtube. We click to load the video, and the Youtube server disassembles that video into thousands of little packets and sends them to your laptop/PC/phone. Then these packets get reassembled back into a video again. This happens very fast.

All you need to know from this is that all Internet traffic travels in little packets.

IP Address

So how did Youtube know where to send those little packets? On the Internet, every destination (computer, website or cellphone) has to have an IP address to send and receive data. Google for “my IP” and you can see your own IP address. IP addresses are a bunch of numbers because computers can then convert them into 1’s and 0’s, but we need domain names so we can memorise them.

Otherwise, instead of sesamedisk.com, you would see 52.79.32.36. Not the most memorable web address right?

What is DNS?

DNS – Domain Name Server

For the “Internet” to understand those domain names, we have Domain Name Service (DNS). DNS servers translate domain names back into an IP address that.

(sesamedisk.com → 13.124.52.38). There are thousands of those DNS Servers that translate Domain Names into IP Addresses.

OK, enough of dry and boring theory and back to the Great Firewall of China and how it works.

DNS Spoofing

The first and most efficient way to block websites is by DNS spoofing or “DNS Cache Poisoning”.

DNS Poisoning

So let’s go back to our cat video. When we type youtube.com in the browser, a DNS server receives a request to check what youtube.com means and sends you to the right IP address. This process happens for any Internet communication, like web browsing etc.

Any DNS request for a website outside of the Chinese Mainland is subjected to Deep Packet Inspection (DPI) by the GFW. This means that each little IP packet is opened and its content checked, like at a customs control.

If any pattern found in that packet matches unwanted content, a bogus IP address will be returned and the website will not open …

That’s why if you are in China and try to reach Youtube.com you will receive this website:

Result of the DNS poisoning done by the GFW.

In many cases, what they do is take your request for, let’s say, nihaocloud.com and redirect it to another IP that is also in their DNS poisoning list.
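
A defender-side check for the DNS tampering described above, as an added example that is not part of the original article: it parses raw DNS replies and flags any query that received two replies with different A records, a common sign that one answer was injected. It goes beyond the text in assuming the genuine reply also reaches the client; the names (example.com, example.org), the documentation-range addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_reply(txid, name, addrs, ttl=300):
    """Build a minimal A-record reply (only used to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)  # 0xC00C: pointer to name at offset 12
    return header + question + b"".join(rr + ipaddress.IPv4Address(a).packed for a in addrs)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, resume, jumps = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if off + 1 >= len(msg) or jumps >= 16:
                raise ValueError("bad compression pointer")
            resume = off + 2 if resume is None else resume
            off, jumps = ((length & 0x3F) << 8) | msg[off + 1], jumps + 1
            continue
        off += 1
        if length == 0:
            return ".".join(labels), resume if resume is not None else off
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length

def parse_reply(msg):
    """Return (transaction id, queried name, frozenset of IPv4 answers)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, addrs = 12, "", set()
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return txid, qname, frozenset(addrs)

def find_conflicts(packets):
    """Map (txid, name) to its answer sets when replies to one query disagree."""
    seen = {}
    for raw in packets:
        txid, qname, addrs = parse_reply(raw)
        seen.setdefault((txid, qname), []).append(addrs)
    return {key: sets for key, sets in seen.items() if len(set(sets)) > 1}

# Constructed capture: the first query is answered twice with different addresses.
SAMPLE = [
    build_reply(0x1A2B, "video.example.com", ["203.0.113.7"]),
    build_reply(0x1A2B, "video.example.com", ["198.51.100.20"]),
    build_reply(0x3C4D, "files.example.org", ["192.0.2.10"]),
]

print(find_conflicts(SAMPLE))
```

A conflict only shows that two different answers were seen for one query; deciding which one is genuine needs a reference answer obtained over a channel you trust.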

VPN & Encrypted Traffic

VPN Technology

Even though the GFW knows that this traffic is encrypted, it can only guess what is inside. Here lies the biggest opportunity to get the traffic across the GFW. Now the GFW is UNCERTAIN whether this is a simple Youtube access, which can be blocked, or the most important connection for financial transactions, where cutting the connection could cause huge damage to the economy.

In other words, you need encryption that is good enough not to be penetrated by current algorithms, as the GFW has deep inspection algorithms and uses AI to “guess” what is inside packets, etc.

UNCERTAINTY- that’s the biggest headache for the GFW.

The keyword here is “Collateral Damage” which could be caused by blocking encrypted packets. This Collateral Damage has to be kept to a minimum.

  • Understand “collateral damage” as the term invented by the Americans to describe questionable things that happened under their watch in the Middle East.

So what is the GFW doing about this?

As we can imagine, the staff behind the GFW are not stupid and came up with an “Active Probing” mechanism. The GFW is now looking for encrypted traffic and guessing the encryption / VPN protocols.

Then a probing server at the GFW takes the encrypted packets, forwards them to the receiver and waits for the reply. From those replies, the GFW can decide what to do with the packet: drop it or let it go through.

So to sum it up, the GFW is working in 2 ways:

  • DNS Poisoning
  • Active Probing

One more interesting thing to know is that different networks in the Chinese Mainland are subject to different filtering. While public networks like China Unicom or Telecom have the strongest filters, networks for universities (e.g. the CERNet – China Education and Research Network) are filtered less harshly.

We should keep in mind that the GFW is a very dynamic Beast. It is always trying to find the optimal balance between Collateral Damage and efficiently blocking the Internet. So some Services can be blocked today, but not tomorrow and again blocked the day after.

Those who live in the Chinese Mainland know that during big public events or holidays the GFW controls traffic much more strictly than usual. Also, the GFW is learning and being constantly developed and improved. So what we understand today might change tomorrow. The Chinese Government invests in it as if their lives depended on it. At the end… Who knows?

All we know can be found by research and testing, but nobody will explain how it really works. I would also like to mention that this article is not only based on my own 20 years of IT experience in the Chinese Mainland but also on research presented at the annual conference of the CCC – Chaos Computer Club Hamburg.

So there will be always a battle between the GFW and VPN Providers and there will always be the problem of Collateral Damage and nobody wants to hurt the economy.

The GFW is well prepared and will always be as far as the Chinese government is concerned. Also, do not forget that Chinese Mainland also has placed legal notices to fight this battle offline. 

UPDATE: Sesame Disk / NiHao Cloud was interviewed by BBC Business daily, about China’s Internet Privacy Clampdown. You can listen to the full episode here