The Biden administration is investigating China Mobile, China Telecom and China Unicom over concerns that the companies are exploiting access to US data through their US cloud computing and communications businesses by providing it to Beijing, three sources familiar with the matter said.
Commerce Department officials are leading the investigation, which has not been previously reported. They have subpoenaed state-backed companies and have completed “risk-based analyses” of China Mobile and China Telecom, but are not far along in their investigation of China Unicom, the people said, declining to comment because the investigation is not public.
The companies still have a small presence in the US, for example providing cloud computing services and carrying US internet traffic in bulk. This allows them to access Americans’ data even after telecommunications regulators banned them from providing retail phone and Internet services in the United States.
The Chinese companies and their US-based lawyers did not respond to requests for comment. The Justice Department declined to comment, and the White House referred questions to the Commerce Department, which declined to comment. The Chinese embassy in Washington said it hoped the United States would “stop suppressing Chinese companies under false pretenses,” adding that China would continue to defend the rights and interests of Chinese companies.
Reuters found no evidence that these companies intentionally provided sensitive U.S. data to the Chinese government or engaged in other wrongdoing.
The investigation is Washington’s latest effort to prevent Beijing from exploiting Chinese companies’ access to US data to harm companies, Americans or national security, amid an escalating technology war between the geopolitical rivals. It shows the administration is trying to close all remaining avenues for Chinese companies already targeted by Washington to obtain American data.
Regulators have not yet made a decision on how to respond to the potential threat, two of these people said. But with the power to investigate Internet services sold in the U.S. by “foreign adversary” companies, regulators could block transactions that allow them to operate in data centers and route data to ISPs, the sources said.
Blocking key transactions could in turn reduce the ability of Chinese companies to offer competitive Internet and cloud computing services to global customers, hampering their remaining U.S. operations, experts and sources said.
“They are our primary global adversary, and they are very sophisticated,” said Doug Madory, an Internet routing expert at Internet analytics firm Kentik. “I think US regulators wouldn’t feel they were doing their job if they didn’t try to eliminate all risks.
DELIVERY THROUGH CHINA
China Telecom, China Mobile and China Unicom have long been in Washington’s crosshairs. The FCC rejected China Mobile’s application to provide phone services in 2019 and revoked China Telecom’s and China Unicom’s licenses for 2021 and 2022, respectively. In April, the FCC went further by banning the companies from providing broadband services. An FCC spokesman said the agency stands by its concerns.
The FCC’s decision was notably prompted by a report published in 2020 by other US government agencies, which recommended revoking China Telecom’s license to provide telephone services in the US. That report cited at least nine cases in which China Telecom botched internet traffic across China, putting it at risk of being intercepted, tampered with or prevented from reaching its intended destination.
“China Telecom’s operations in the United States enable Chinese government-sponsored actors to disrupt and hijack U.S. data and communications traffic,” authorities said at the time.
China Telecom has previously denied the government’s claims, telling US agencies that routing problems were common and occurred across all networks.
The telecom company tried to overturn the FCC’s decision, but a US appeals court rejected its arguments, noting that the agencies had presented “compelling evidence that the Chinese government could use Chinese technology companies for information as vectors for espionage and sabotage.”
ACCESS POINTS, THE CLOUD UNDER ANALYSIS The influence of Chinese telecommunications companies extends deep into America’s Internet infrastructure.
According to its website, China Telecom has eight US Points of Presence (PoPs) located at Internet exchange points that allow large networks to connect to each other and share routing information.
China Telecom did not respond to requests for comment regarding its locations in the United States.
According to the FCC, PoPs pose “serious risks to national security and law enforcement” when operated by companies that pose a risk to national security. In cases where China Telecom’s PoPs are in Internet exchanges, the company “could potentially access and/or manipulate data while in the preferred path of US customer traffic,” the FCC said in April.
Bill Woodcock, executive director of the Packet Clearing House, the intergovernmental organization responsible for the security of critical Internet infrastructure, said traffic passing through these points would be vulnerable to metadata analysis, which captures key information about origin, destination, size and timing of data delivery. They could also enable deep packet inspection, which provides insight into data content and even decryption.
Commerce Department investigators are also looking into the U.S. cloud service offerings of the companies that were the subject of the Justice Department’s 2020 subpoena to China Mobile, China Telecom and Alibaba that triggered the probes. The investigation later expanded to include PoPs and China Unicom, whose cloud businesses were small at the time of the referral, two of the people added. Alibaba did not respond to a request for comment.
Regulators are concerned that the companies could access personal information and intellectual property stored in their clouds and give it to the Chinese government or interfere with Americans’ access to that information, two of the sources said.
Commerce Department officials are particularly concerned about a data center partially owned by China Mobile in California’s Silicon Valley, according to one of the sources.
China Mobile did not respond to requests for comment regarding this data center.
Reuters could not determine the reason for the government’s specific interest in China Mobile’s data center, but owning one provides more opportunities to mishandle customer data, according to Bert Hubert, a Dutch cloud computing expert and former member of a board that regulates Dutch intelligence and security agencies.
He noted that it would be easier to manipulate customers’ servers at night, for example by installing backdoors to allow remote access or to bypass encryption. These actions would be much more difficult in a data center with strict security policies where the company is simply renting space.
“If you have your own data center, you have a unique Chinese territory in the United States,” he said.
