China is preparing to dramatically expand its digital governance system through a proposed Cybercrime Prevention and Control Law, a sweeping draft released by the Ministry of Public Security (MPS) for public comment on January 31. If enacted, the legislation would mark a fundamental shift from reactive law enforcement to a preventive governance model designed to eliminate what Beijing considers the remaining “gray zones” of the digital ecosystem.
The draft legislation goes far beyond traditional cybercrime enforcement. It seeks to outlaw privacy-enhancing technologies based on their functionality rather than criminal intent, enforce strict real-name identification across the entire network infrastructure, and centralize state control over cybersecurity vulnerabilities. Together, these measures would effectively end technical anonymity in China while consolidating state authority over digital communications and security research.
From Technical Censorship to Legal Enforcement
For more than two decades, China’s digital control strategy has largely relied on the technical architecture commonly referred to as the Great Firewall—a sophisticated system of filtering, blocking, and surveillance that restricts access to foreign websites and content.
However, Chinese authorities now appear to believe that technological controls alone are insufficient. According to the explanatory note accompanying the draft law, the rapid expansion of the internet has enabled traditional crimes to migrate online, creating what officials describe as “massive and deeply entrenched black and grey industrial chains.”
To counter this trend, the government proposes a doctrine based on “combining crackdowns with prevention, prioritizing prevention, ecological governance, and collaborative linkage.” In practice, this reflects a broader governance philosophy within the Chinese Communist Party known as “source governance,” which aims to neutralize perceived threats before they materialize.
Under this framework, the focus shifts from punishing individual cybercrimes to controlling the technological environment itself.
Eliminating Digital Gray Zones
A central pillar of the draft law is the elimination of technologies that enable users to bypass state monitoring systems.
Article 14 prohibits the “illegal production, sale, provision, or use” of tools that could help evade government supervision systems. Importantly, the ban applies to technologies based on their functionality, rather than the intent of the user.
This means privacy-enhancing tools such as virtual private networks (VPNs) or encrypted communication platforms could become illegal if authorities determine that their functions enable circumvention of state monitoring.
The legislation also targets the broader ecosystem supporting digital circumvention. Developers, tutorial writers, and technical facilitators who help others access blocked content could face severe penalties under provisions criminalizing assistance in accessing “illegal information” from abroad.
Additionally, the draft law formalizes censorship operations by requiring network operators to block illicit content originating outside China and by prohibiting the provision of tools that help bypass these restrictions.
Real-Name Internet and the End of Anonymity
The proposed law would expand China’s real-name registration system to the deepest layers of internet infrastructure.
Articles 11 through 13 prohibit any interference with real-name verification mechanisms and specifically outlaw tools such as IP-switching services, proxy networks, or software designed to bypass registration rules.
This would create a direct one-to-one link between a citizen’s real-world identity and their digital footprint, effectively eliminating the possibility of anonymous online activity.
For activists, journalists, and dissidents who rely on anonymity tools for secure communication, the new framework could close the last remaining loopholes used to avoid surveillance.
State Monopoly Over Cybersecurity Vulnerabilities
Another controversial component of the draft law concerns cybersecurity research.
Articles 24 and 25 introduce a strict approval system requiring researchers to obtain authorization before conducting vulnerability scanning or penetration testing on major information systems. Even authorized tests must be reported to public security authorities several days in advance.
The legislation also prohibits the independent discovery, collection, or publication of network vulnerabilities without approval.
Critics warn that this framework would allow the government to monopolize newly discovered vulnerabilities, giving state security agencies first access to potential “zero-day” exploits before they are patched.
Such a system could have significant implications for global cybersecurity, as vulnerabilities discovered within Chinese technology supply chains may remain unreported while being used for surveillance or cyber operations.
Expanding Police Power Through Administrative Penalties
One of the most powerful aspects of the draft law is its reliance on administrative enforcement rather than criminal prosecution.
In China’s legal system, administrative penalties can be imposed directly by public security bureaus without formal court proceedings. The draft legislation dramatically expands this mechanism, enabling police authorities to impose heavy fines and short-term detention for a wide range of digital infractions.
For example:
- Individuals who evade real-name registration could face fines of up to 200,000 yuan (about $29,000).
- Developers or activists providing circumvention tools could be fined up to 500,000 yuan.
- Companies failing to comply with monitoring obligations could face fines reaching 5 million yuan.
In addition to financial penalties, authorities could impose administrative detention of up to 15 days, a form of extrajudicial confinement that does not require court approval.
This structure effectively creates a parallel enforcement system where police authorities can impose severe punishments without the procedural safeguards typically associated with criminal trials.
Corporate Surveillance Obligations
The draft law also expands the responsibility of private companies in enforcing state cyber regulations.
Telecommunications firms, financial institutions, and internet service providers would be required to actively monitor and report suspicious activity. Failure to comply could lead to large fines for both companies and individual executives.
This approach effectively transforms private enterprises into frontline enforcement agents within the government’s cyber governance system.
Given the risk of severe penalties, many companies may adopt overly strict monitoring practices, implementing censorship or surveillance measures even beyond what the law explicitly requires.
Long-Arm Jurisdiction and Global Implications
Perhaps the most controversial aspect of the draft legislation is its extraterritorial reach.
Under Article 54, Chinese authorities could freeze assets, confiscate property, and restrict investments belonging to foreign individuals or companies accused of violating Chinese cyber regulations.
Another provision targets overseas organizations or individuals who publish what Beijing defines as “fake information” that harms China’s sovereignty, security, or development interests.
Because these terms are broadly defined, the clause could potentially be used against foreign media outlets, researchers, or advocacy groups that publish critical reporting on China.
Such provisions effectively create a legal foundation for transnational repression, allowing Beijing to target critics and dissidents beyond its borders.
Border Controls and Exit Bans
The draft law also introduces new border control mechanisms.
Chinese citizens convicted of cyber-related offenses could face exit bans lasting six months to three years after completing their sentences. Meanwhile, foreign individuals accused of violating the law could be denied entry into China.
For members of the Chinese diaspora, this could pose significant risks. Overseas digital activity—including social media posts or research publications—could potentially trigger legal consequences if they later travel to China.
A Digital “Iron Curtain”?
Taken together, the proposed Cybercrime Prevention and Control Law represents a major evolution in China’s digital governance strategy.
Rather than relying primarily on technical censorship systems, Beijing appears intent on constructing a comprehensive legal framework that institutionalizes digital control through administrative enforcement, corporate compliance obligations, and extraterritorial jurisdiction.
If implemented in its current form, the legislation could effectively create a tightly controlled national internet ecosystem with minimal technical anonymity and significant legal risks for those attempting to bypass state controls.
For international businesses, researchers, and journalists, the message is clear: engaging with China’s digital environment may soon carry unprecedented legal, financial, and operational risks.
With the public comment period having closed on March 2, the draft law is expected to move through the legislative process in the coming years. Observers believe it could be formally enacted before the end of the current legislative cycle, potentially by 2027, marking the beginning of a new phase in China’s digital governance model.
