A few months ago, something caught my eye at the CVS near my apartment in Virginia. When I approached the self-checkout counter, I scanned for the options to pay; there was a whole host of options, from Apple Pay to PayPal to credit and debit cards, but the one that jumped out was Alipay—the online payment platform established by China’s Alibaba Group.
Alipay’s availability should not come as a surprise. The platform has over 1.3 billion users globally, including at least four million in the United States. Alipay’s initial U.S. foray was into luxury shops, like those of Lacoste in Las Vegas, to capture the spending of well-off Chinese tourists. But the platform has since expanded into thousands of Walgreens, 7/11, and CVS stores in the United States and Canada—and even into the New York City taxi system. This expansion remains focused on serving Chinese visitors, but Alipay’s presence at the center of ordinary U.S. commerce will expand the platform’s brand awareness among U.S. shoppers, possibly even winning a few adoptees in the process.
Alipay’s expansion seems innocuous enough; why wouldn’t a privately-owned firm, Chinese or otherwise, look to capitalize on the U.S. market? But as Aynne Kokas, a professor at the University Virginia, details in her new book, Trafficking Data: How China is Winning the Battle for Digital Sovereignty, the expansion of Chinese firms like Alipay into the United States presents an opportunity to gather data that can be shared with the Chinese government. In aggregate, such opportunities potentially enable large-scale data trafficking. Specifically, it may facilitate the movement of vast amounts of data from the democratic and less regulated United States into the autocratic and highly regulated China, where the Chinese state can wield that data for geopolitical purposes. The ultimate result, as Kokas writes early in this persuasive book, is a situation that “not only exploits consumers but empowers the Chinese government.”
Kokas’s argument is clear and convincing. The United States’ failure to regulate data gathering by tech firms operating in the United States at the federal level has allowed firms from around the world to gather huge amounts of data on Americans. In the case of Chinese firms, that U.S. failure, coupled with China’s own stringent regulatory approach, potentially allows data from at least certain states to end up in the hands of the Chinese government.
The U.S. government has expressed concern about such possible Chinese access on several occasions. And in September, the Biden White House issued an executive order directing the Committee on Foreign Investments in the United States (CFIUS) to consider whether a pending transaction involves the purchase of a firm accessing Americans’ sensitive data, and whether a foreign entity or government could use that information for exploitative purposes. The executive order did not mention China by name, but the focus is obvious.
These concerns are clearly legitimate. While the United States’ lack of regulation gives U.S. firms access to huge amounts of data needed to produce many of the tech innovations that define our age, China’s requirement that its own firms essentially allow the government access to this same data has intentionally given the Chinese state the ability to utilize this data for future innovations in fields like artificial intelligence. Thus, the mismatch between the United States’ permissive system and China’s closed one, coupled with firms’ interest in doing business in both markets, has created a situation in which the Chinese state can increasingly access Americans’ health, sexual, economic, and other sensitive data.
Trafficking Data helpfully spans several sectors, including agriculture, social media, and gaming to make clear the challenge at hand. Perhaps no case study is more illustrative than Kokas’s examination of Grindr, the LGBTQ dating app. As she points out, Grindr collects a huge amount of personal data from its users, including everything from HIV status to sexual preferences. Yet the United States has at best piecemeal regulation about the storage of this data. So, when the Chinese internet firm Beijing Kunlun Tech Co Ltd. purchased 60 percent of Grindr in 2016, and then acquired all of it in 2018, the firm found itself with troves of LGBTQ Americans’ sensitive information. China’s 2017 Cybersecurity Law, meanwhile, required Chinese firms to store their data in Chinese government-run servers, meaning that the Chinese government was responsible for safeguarding the sensitive sexual data of millions of U.S. users (not to mention those from around the world).
U.S. lawmakers took notice of the risks in Grindr’s Chinese ownership, and—as they are doing today with other Chinese firms—eventually forced Beijing Kunlun to sell Grindr to the German-owned, but California-based, San Vicente Acquisition in 2020. Yet San Vicente, too, had ties to Beijing Kunlun. The sale also had no mechanism to require Chinese state-owned servers to delete Grindr’s existing data; the sale certainly did not prevent China from using that data to generate new artificial intelligence or intelligence tools. The sale might have stemmed the bleeding, but it did not suture the existing wound.
That wound, as Kokas makes clear throughout her book, is the United States’ lack of data regulation coupled with a U.S. tech sector that relies financially both on this open regulatory environment and operations in China. “The flexible US tech regulatory landscape facilities data extraction by Chinese firms,” and thus to the Chinese government, as she points out. “But what is perhaps most challenging is that this regulatory environment drives the United States’ economic growth.”
Her latter point illustrates the trouble Washington will face in completely closing the wound of lacking regulation. Indeed, our open regulatory environment produces innovation and drives massive profit; there is little private sector interest to change the situation absent a push from the government.
To her credit, Kokas grapples with that point. While she expresses hope for more complete data regulation, she concludes the book by noting that she considers “data stabilization” more likely. That approach, she explains, is “not a way out” of the crisis, but a “mechanism for managing an overwhelming challenge.” That is a smart and realistic way for Kokas to frame the issue.
Yet a proposed U.S. federal privacy law is struggling to even reach the House and Senate floors despite bipartisan support, casting doubt on whether the United States can implement the more limited reforms Kokas suggests. She calls for improved corporate governance and reporting, but it is difficult to believe that firms will better their approaches on either front without being pushed by the government. The same goes for suggestions for improved private sector standards-setting; the establishment of data-focused investment indices; digital property rights; and anti-corruption laws, for starters. Her suggestion that the United States create and raise data standards through trade deals is even less realistic at the moment, given the anti-trade sentiment in American politics.
It is troubling to consider that even Kokas’s middle-ground approach seems far from coming to fruition. But that is not Kokas’s fault. In the end, she has triumphed in offering an accessible explanation of a seemingly esoteric problem while also offering clear, if somewhat optimistic, solutions.
Practitioners, scholars, and the public would be wise to read her book. We would be wise also to consider not only how the United States can address this problem on a national scale, but how we can mitigate the risk of our own data being trafficked – because as Trafficking Data demonstrates, solutions will likely lie with us for the foreseeable future.
Charles Dunst is an associate and deputy director of research and analytics at The Asia Group.