ChinaTalk first covered China’s algorithm registry nearly two years ago, back when it was a freshly minted, relatively untested apparatus. How has the system evolved since then? Pseudonymous contributor Bit Wise fills us in.

In July 2023, China issued binding regulations for generative AI services, which, notably, require output generated by chatbots to represent “core socialist values.” These regulations have stirred debate on how tough the Chinese government is on AI: are regulators putting “AI in chains,” or are they giving it a “helping hand”?

These debates have largely focused either on the text of the regulations or on its evolution from a stringent draft to a more lenient final version. What has received less attention is how the regulations are actually being implemented now.

Does China have a genAI licensing system?

In this post, we unpack one key enforcement tool of the Interim Measures: mandatory algorithm registrations 算法备案 and security assessments 安全评估.

Even though the algorithm registry is a central enforcement tool in China’s AI regulations, it is still relatively poorly understood. One big open question is: should we think of it as mere registration, or rather as a de-facto licensing regime?

Two leading scholars on China’s AI policy have come to essentially opposite conclusions (emphasis added):

Angela Huyue Zhang (p. 46): Lawyers have observed that many AI firms are now merely required to register their security assessment filings with local offices of the CAC, instead of obtaining a license before launching public services.

Matt Sheehan (p. 32): [I]n practice regulators began treating the registration process more like a licensing regime than a simple registration process. They did this by withholding their official acceptance of registrations until they felt satisfied with the safety and security of the models.

The two interpretations have widely different implications. A simple registration system would imply a light-touch approach to AI governance. A licensing system, on the other hand, would allow the government to control which models go online — making it a much stronger tool for social control at the moment, but potentially also a more formidable instrument for governing future frontier AI risks.

In this post, we try to get to the bottom of how the genAI registrations actually work.

A note on methodology

We have thoroughly reviewed Chinese-language official policy documents and Chinese legal analysis on the algorithm registry. To triangulate our findings, we have also spoken with several Chinese lawyers with direct experience guiding AI companies through the filing process. These interviews took place from April to June 2024. We are incredibly grateful to every one of them for their willingness to share their insights! We also thank Matt Sheehan for providing valuable feedback on a draft of this post.

Some evidence, though, remains messy, as our sources contradict each other at times. In fact, a common theme recurring throughout our sources and conversations was that the procedures are poorly formalized and constantly changing. This post won’t be the final word on how China’s algorithm registration process works.

Algorithm registry: a short history

The algorithm registry pre-dates the genAI era. It was first introduced in March 2022 with regulations for recommendation algorithms:

Article 24: Providers of algorithmic recommendation services with public opinion properties or having social mobilization capabilities shall, within 10 working days of providing services, report the provider’s name, form of service, domain of application, algorithm type, algorithm self-assessment report, content intended to be publicized, and other such information through the Internet information service algorithm filing system.

第二十四条 具有舆论属性或者社会动员能力的算法推荐服务提供者应当在提供服务之日起十个工作日内通过互联网信息服务算法备案系统填报服务提供者的名称、服务形式、应用领域、算法类型、算法自评估报告、拟公示内容等信息，履行备案手续。

The fact that filings need to be completed within 10 working days of providing services suggests that it was envisioned as a simple post-deployment registration, rather than a pre-deployment license.

The regulation also requires “security assessments” 安全评估:

Article 27: Algorithmic recommendation service providers that have public opinion properties or capacity for social mobilization shall carry out security assessments in accordance with relevant state provisions.

第二十七条 具有舆论属性或者社会动员能力的算法推荐服务提供者应当按照国家有关规定开展安全评估。

In late 2022, regulations on “deep synthesis” algorithms essentially repeated the same requirements; the only minor difference between these regulations was that they defined two separate entities: service providers 服务提供者 and technology support 技术支持者. Slightly different procedures apply to each, but both have to do algorithm registration and security assessments. In practice, one company may file the same model as both a service provider and tech support, if it offers distinct products. For example, Baidu’s ERNIE model 文心一言 has one filing as “service provider” for its consumer-facing mobile app and website, and a separate filing as “technology support” for enterprise-client-facing products.

Note: the definition of “deep synthesis” largely overlaps with that of generative AI. Hence, most generative AI models, such as ERNIE bot, actually undergo model registration under this deep-synthesis regulation.

GenAI regulations: continuity?

So what do the 2023 genAI Interim Measures say? Essentially the same thing!

Article 17: Those providing generative AI services with public opinion properties or the capacity for social mobilization shall carry out security assessments in accordance with relevant state provisions and perform formalities for the filing, modification, or canceling of filings on algorithms in accordance with the “Provisions on the Management of Algorithmic Recommendations in Internet Information Services.”

第十七条 提供具有舆论属性或者社会动员能力的生成式人工智能服务的，应当按照国家有关规定开展安全评估，并按照《互联网信息服务算法推荐管理规定》履行算法备案和变更、注销备案手续。

All of this suggests continuity: we know what this algorithm registry is from previous regulations — now we just apply the same tool for genAI services.

In reality, however, the procedures for genAI models work fundamentally differently from how they worked for other AI systems (such as recommendation algorithms) in the pre-genAI era.

The previous system is still in place, but an additional system just for genAI services has been established in parallel. Chinese lawyers describe a de-facto “dual registration system” 双备案制, consisting of

1. the original “algorithm registration” 算法备案, and

2. a new “genAI large model registration” 生成式人工智能（大语言模型）备案.1

How do the two systems work?

The new system has not replaced the old system. Rather, they co-exist in parallel. Companies typically first undergo the regular “algorithm registration.” For some, the story would end there. For some genAI products, however, authorities would then initiate the more thorough “genAI large model filing” as a next step. The scope of services affected by this additional registration process is somewhat unclear, but it generally applies to all public-facing genAI products (or, in Party speak, models with “public opinion properties or social mobilization capabilities” 具有舆论属性或者社会动员能力). Public-facing genAI includes all typical chatbots or image generators available through chat interfaces and APIs.

Information on how the two systems differ is piecemeal. But many sources confirm the same bottom line:

• The original “algorithm registration” is relatively easy and largely a formality;

• In contrast, the new “genAI large model registration” is much more difficult and actually involves multiple cycles of direct testing of the models by the authorities.

The table below summarizes the key differences.

The term “genAI large model filing” is not actually used by China’s regulators. The CAC gives only one small hint that something has changed: the filing information of genAI models is published not through the regular algorithm registry website, but through provincial-level CACs. The central CAC compiles these announcements into a separate announcement on its website,2 which is distinct from the regular algorithm registry website. This subtly hints at the fact that these are two separate systems.

As one Chinese lawyer aptly put it,

Practice started first, and then formal law-making may follow later.

Foreign AI policy analysts are also not the only ones feeling confused. As the same lawyer noted,

When more than one “security assessment” system exists at the same time, companies will inevitably be confused.

The graph below summarizes the procedure for the new “genAI large model registration”:

A company would typically start with the “regular” algorithm registration. For many models, this would be it! Public-facing products, however, would then be asked to conduct the additional genAI large language model filing. As mentioned above, there is lots of ambiguity on which models are considered “public-facing”. Some anecdotes shared by industry insiders suggest that the scope is interpreted relatively broadly in practice, and may include some products only intended for enterprise users.

Apart from submitting documentation on internal tests (which we will cover in a forthcoming post), the companies need to create test accounts for the provincial cyberspace authorities, granting them access to test the model pre-deployment. Some Chinese lawyers told us that CAC has outsourced these tests to third-party agencies, but we do not have any insight into which institutions these are. The process can involve multiple rounds of renewed fine-tuning until the CAC is satisfied with how the model behaves.

There is no official information on what the CAC (or its endorsed third-party institutions) actually tests in these inspections. All insiders we talked to, however, agreed that content security will be front and center.

Oversight may have evolved beyond a one-time licensing process to a more dynamic approach, similar to how the PRC regulates online content generally. It appears there is ongoing communication between the CAC and AI service providers even after a model went online, mirroring the relationship between regulators and traditional online content platforms.

As mentioned before, some details remain confusing, as different sources contradict each other. For instance, there is conflicting information on whether companies themselves initiate the process, or whether it always starts from a CAC request after the regular model registration. There is also conflicting information on the role of provincial CACs. Some sources claim that they conduct tests on their own, while others claim that they just forward documents to the central CAC. It is possible that both claims are true and that it differs by province, but this is speculation.

Changes in the making?

A running theme throughout all our sources and conversations was that the new processes are still poorly formalized and constantly changing. What happened to one company may be different from what happened to another; what happened three months ago may be different from what happens now.

One Chinese lawyer told us that the CAC struggles to keep up with the large number of filings, so the agency is considering a risk-based categorization, after which only a smaller number of high-risk models would have to undergo the more thorough registration process. This would be a familiar story: in spring 2024, the CAC relaxed data-export security assessments because, among other reasons, the authorities could not keep up with the large number of applications.

There are no official details on when or whether such ideas may become reality for genAI registrations. In August 2024, however, CAC head Zhuang Rongwen 庄荣文 proclaimed that CAC would “adhere to inclusive and prudent yet agile governance, optimize the filing process for large models, reduce compliance costs for enterprises” 坚持包容审慎和敏捷治理，优化大模型备案流程，降低企业合规成本 and “improve the safety standard system in aspects such as classification and grading” 在分类分级、安全测试、应急响应等方面丰富完善安全标准体系. This shows that regulators are still actively exploring ways to tweak the algorithm registration process.

How hard is it to get through this process?

According to CAC, as of August 2024, 190 models have filed successfully. There is no good data on how many models have not passed the filing process; the government releases only successful filings, not failed ones. As one of the lawyers we spoke to pointed out, it is not even really possible to “fail” the process. If you do not pass, you adjust your model and try again. Some companies, though, might get caught up in this circular process for a long time.

In May 2024, China tech news outlet 36kr estimated that there are 305 models in China, of which only around 45% had successfully registered at the time. This rate doesn’t necessarily imply that the other models have failed their applications. For instance, 60 of the 305 models have been developed by academic research institutions; it’s possible that those institutions never intended to put them online in the first place, and thus never tried filing.

Implications

The main goal of this post was simply to provide insight into how algorithm registrations for genAI products in the PRC work right now. But what does it all mean for China’s AI industry? What does it mean for AI safety?

It is clear that Chinese regulators get pre-deployment access to genAI products, and can block them from going online if they are not satisfied with content control or other safety issues. This may mean that,

• The enforcement of China’s genAI regulations is somewhat stricter than that of previous AI regulations, such as those for recommendation algorithms — suggesting the PRC sees a greater threat in genAI compared to previous AI systems;

• Regulatory hurdles for providing public-facing end-user products are significantly higher than for enterprise-facing products. It’s possible that some companies will increasingly focus on B2B rather than B2C, or launch products overseas first while waiting for filing results in China.

Much more to cover

As part of the “genAI large model registration,” AI companies need to submit a number of attachments, such as

• Appendix 1: Security Self-Assessment Report 安全自评估报告

• Appendix 2: Model Service Agreement 模型服务协议

• Appendix 3: Data Annotation Rules 语料标注规则

• Appendix 4: Keyword Blocking List 关键词拦截列表

• Appendix 5: Evaluation Test Question Set 评估测试题集

The state has published detailed technical guidelines for these. In our next post, we will make a deep-dive explainer of the technical AI standard that covers the processes for Appendix 3, 4, and 5. So keep an eye out on your inbox!

2024年大选，不管支持谁还是反对谁，结果都超出很多人的期望，也出乎很多人的意料。共和党不仅赢了总统选举，而且赢得了参众两院多数。

每个人都会有错的时候。只有上帝和骗子才永远对。对于普通人来讲，比出错更有意义的是尊重现实，理解为什么错了。经济学家凯因斯说，事实变了，人的看法会跟着改变。每个人的认知都会产生偏差，正常人会按照现实进展调整认知。

Read more

【和放学以后永不失联】订阅放学以后的Newsletter，每周三收到我们发出的信号：afterschool2021.substack.com 点击链接输入自己的邮箱即可（订阅后如果收不到注意查看垃圾邮箱）。如需查看往期内容，打开任一期你收到的邮件，选择右上角open online，就可以回溯放学以后之前发的所有邮件，或谷歌搜索afterschool2021substack查看。

截至目前，放学以后Newsletter专题系列如下：“在世界游荡的女性”系列、“女性解放指南”系列、“女性浪漫，往复信笺”系列、莫不谷游荡口袋书《做一个蓄意的游荡者》系列、“莫胡说”系列”《创作者手册：从播客开始说起》,播客系列和日常更新等。

写在前面：

本期放学以后信号塔由霸王花木兰轮值。

这是我第一次来到云南大理。9月份回国后便一直在上海办理西班牙签证，中间一度焦躁崩溃，恰好在顺利提交后收到朋友梅朵（不仅是放学以后播客听友，还和瑞士朋友Ruya是共同的朋友，游荡路上神奇机缘让我们相遇相识）来大理游玩的邀请。从上海背包来到大理后，焦躁和抑郁的情绪被灿烂的阳光，苍山洱海的田野风景抚平了不少。在大理居住的两个多礼拜，像是给自己又放了一个悠闲的假期，回看初到大理时写下的这篇文章，惊喜，兴奋和愉悦之情掩盖不住地跃然纸上。现在将这份游荡大理的日常心情分享给阅读文章的各位，文末也附上了详尽可靠的大理游荡攻略，祝大家阅读愉快，游荡愉快。

以下是正文：

10月中旬从上海飞大理的生活出乎意料的惊喜愉悦。从机场打车到达小院住宿一小时的路上和当地司机师傅聊天，讶异于他生于斯长于斯，不会觉得无聊吗？司机师傅对于没有离开这片土地的解释是因为懒，在大理可以慢慢享受生活，因为没有工业，城市最多的污染源就是汽车尾气，所以空气质量好，风景好。请司机师傅帮忙推荐大理特色小吃，师傅说不上来，因为不仅大理古城有美食，大理下辖的州也分别有特色美食。这和我飞机中转的重庆市有些像，重庆市大约不需要美食推荐，因为很少踩雷，下辖的每个区都有特色美食，黔江有鸡杂，万州有烤鱼，沙坪坝有辣子鸡。去到美食聚集的区域，带着好胃口过去就够了。

我在大理小岑村住在朋友梅朵的一个小院里，她10月15日到10月30日刚好不在家，邀请我过去玩耍，顺便照顾隔壁海街日记小院里的猫咪。住在古朴精致的森林系小院，每天推门看山看云看花花草草，听风吹树叶和鸟儿鸣叫，让人忍不住张开双臂拥抱阳光空气和美景。在乡间小路骑车去海街日记小院的路上，两边种着水稻、草莓，空气里扑面而来的柴火香，香气让人回想起小时候偶尔回农村老家抓鱼烧火疯跑玩耍的场景，带来令人安心的亲切感。傍晚院子门口的小灯亮了起来，吸收一整天太阳能后在漫天黑夜里散发点点星光。入夜休息时，只听窗外响起阵阵蝉鸣，天黑得伸手不见五指，夜静得让人心神安宁。作为一名过客的好处是，人在农村田野过着“采菊东篱下，悠然见南山”的田园生活，却因为足够陌生与终究要离开的灵活，不必困于传统的农村社会与人际纠葛中。

好的环境让人禁不住想要好好生活。早上从田园小院醒来，推开门看到风景人的精神就为之一振，总觉得要做些什么来对待这么美丽的风景，于是会想给自己沏个茶，安排下美食探索计划，洗个衣服晒晒太阳，读读书听听音乐，处理下手头的工作，甚至还想活络活络筋骨动一动，毕竟要有个好身体才能多享受一天这样的风景和生活。

为什么会对大理的感受那么好？即便在我入住大理后还能看到网上对于大理游荡的争议与讨论。我想了下，大概是这么几个缘由。

首先是住的田园小院过于美丽。乘坐7点早班机落地大理时因为睡眠不足加上舟车劳顿，头也痛嗓子因为着凉也哑掉了，想着到了住处第一件事就是躺下好好睡个觉。到了小院门口，走进篱笆围栏，看着门前的风景和屋里木质loft小楼细节铺满，处处是色彩搭配宜人的装置，还有暖烘烘的壁炉，客厅还放置了复古风格的自行车，可以自由活动，人就立刻精神了起来。来不及休息就开了小红书“游荡者的日常”直播进行Roomtour，好像在和家人朋友煲电话粥，忍不住分享自己的惊喜感受。此前在播客里曾经说过，好的内容本质上就有被传播的基因，美的东西同样如此。如果来大理游荡，优先选择看得见风景的房间。我们需要在没有天花板的地方多喘几口，呼吸下新鲜空气。

其次是食物丰富好吃又便宜。小院距离大理古城有两三公里，这距离恰到好处，既可以在乡间田野徒步三四十分钟，充分留好肚子去城里大吃一顿，还可以在饱腹之后，一边听着摇滚音乐散步消食一边看日落西山回家，完成Strava软件的运动记录，不必担心吃得太多无法安然入睡；还可以选择骑着自行车，晒着太阳吹着风更快一些赶往美食古城，再买上第二天的食物放在硕大结实的车筐里满载而归。在大理古城可以早上7点多去北门菜市场，看琳琅满目的缤纷水果、新鲜丰富的蘑菇菌子，还有免费试吃的蘑菇酱，我挨个把牛肝菌、鸡油枞菌酱尝了个遍！一大捧鲜花只需10元，玫瑰花瓣茶只要5元一盒，比脸盆还大的破酥粑粑5元一个，还有5元一个甜甜牛奶油脂香的烤乳扇，连点了两天外卖的烧肉加凉拌米线！真是令人好奇，为什么云南人这么会吃，美食如此之多呢？另外一个好奇的问题是，无论是云南还是西藏都很喜欢缤纷强烈的色彩，和南美洲同样处于高原的秘鲁库斯科有异曲同工之处，虽然已经知道南美人和黄种人的渊源不浅，仍然被世界上相隔遥远的两块大陆上，对于缤纷色彩有着相同文化习惯这一现象感到惊奇。后来想了想，在南美我就问过莫不谷：“为什么每一个建筑色彩都如此缤纷美丽？”，莫不谷回答说：“人能够创造出什么颜色，很大程度取决于Ta能看到什么颜色”。生活在彩云之南的人们看到了缤纷色彩，便也创作出这些色彩。

继续回到美食上来。如果下午来逛菜市场，也不必担心不够热闹，还能趁着收摊更低价格买到食物，我就是这样花了10元买了一大袋枇杷，还有满满一大袋阳光玫瑰葡萄。逛菜市有个省钱的小技巧，就是第一遍只逛不买，无论看到多想吃想买的都要忍住，等到全部逛完一圈后，对各个摊位和食物价格有所了解，第二遍就可以直奔心心念的摊位去买了！除了逛菜市场，还有一家瑞士朋友Ruya推荐的包浆豆腐店铺，正宗开远米线。进店后围着一块长方形超大铁板围着坐下来就可以，老板在铁板放上烤物，身后墙上贴着价目表，烤红薯8毛一个，烤臭豆腐8毛一个，烤包浆豆腐1.6一个，烤鸡蛋3元一个，还有凉拌鸡爪4元一个自助盛取。等到食物烤熟，老板就会放在你桌前，一筷子一个，想吃什么吃什么，吃完再结账，包浆豆腐外面烤得像皱皱的腐皮，里面滑滑嫩嫩，蘸着干碟或油碟，一口一个，最令我惊艳的是烤鸡蛋，看起来就是把鸡蛋放在小盘里烤熟，放点调料，加点酱油，普普通通怎么就能这么好吃？！凉拌鸡爪更是击中我口味点的酸辣，一起凉拌的还有不知名的绿色蔬菜，吃起来像是紫苏或是香茅草一样有着刺激又令人上瘾的味道，比鸡爪更加入味好吃！我一个人吃得饱饱胀胀的，结账只花了17块钱。原本和老板说吃了4个包浆豆腐，老板却说给我的豆腐小了，两个算一个收钱才行，也是有些淳朴感人了。说到食物简直有些停不下来，才来两三天，想吃的太多，还没来得及吃得也太多，在这里吃饭的好处是不必担心钱包，也不必担心踩雷（难吃不到哪里去），唯一要担心的是肚子够不够！

除了美食，来了云南哪能不喝咖啡？原本计划来大理学习下咖啡制作，结果光顾着吃吃喝喝逛逛，压根也来不及学咖啡。我住的小院旁边就有一家咖啡馆，解工作咖啡馆，由于距离太近反而没有立马去尝试，看了下评价是三位女性开的咖啡小店，不仅院子里风景好，咖啡也实惠好喝。另外一家咖啡店是朋友推荐给我的，这家咖啡馆只在周三周四营业，老板也是我居住的小院的房东，于是趁着周三天气好我就出门找咖啡馆了。按照地图定位左转右转，前进后退，怎么也找不到这家店，就在要放弃时决定给老板打电话问问，那时我正站在陶渊明的咖啡馆店铺前，感觉在大理开咖啡的老板们心里都种着诗意田园。电话打通后老板出来迎接，才发现如鱼旗袍咖啡馆是一家开在芋头田野里的小店，茂盛的芋头田将咖啡馆遮掩的严严实实，如果没有带路，简直无法发现。看到兼具田野风光和复古精美的咖啡馆，就能理解一周只营业两天也让人心心念想来店里一坐的原因。让我惊讶的不是点的手冲咖啡，而是由于饥饿点的华夫饼，第一层是甜甜的柚子，下面一层是奶油，藏在奶油里的还有坚果，冲淡了奶油的甜度还丰富了口感，最下面是两层华夫饼，佩服老板手艺的时候还惊讶老板的审美。无论是小小的甜品，还是芋头田边的咖啡店，还是村里的田园小院，都透露着老板对于美的设计和想象。朋友还推荐了几家大理古城的咖啡店，还没来得及去。

大理不仅好住好吃，还很好玩。从上海出发时，我一点攻略也没做就过来了。开海街日记小院民宿的朋友不愧相当专业，一落地就立刻给我分享了大理的吃喝玩乐攻略（分享在文末）。小院附近可以步行或骑车去洱海边骑行，坐在草地野餐。天气好时可以去无为寺徒步爬山，一路森林密布，流水潺潺，仿若置身绿野仙踪，如果带上杯子就可以接清冽的山泉水喝，当地人常常来此处打水用来煮茶，如果提前一天电话预约，还可以体验免费的斋饭，不过主持不希望被网络过多传播，每日供应免费斋饭也会是不小的压力，所以吃完的我又去把饭钱交上了。更负盛名的还有寂照庵的斋饭，有个技巧是下午爬山，去寂照庵吃个晚饭，就可以躲避排队的人流。如果时间和体力充足，可以一大早就去苍山玉带路徒步，一路风景宜人，需要注意的是白天就要早早下山，因为苍山连绵十九峰，你以为走在了下山的路线，殊不知还在苍山中，加上入夜天黑，不熟悉路线危险性陡升。

还有关键的一点是错峰出行。听司机师傅说，旺季的时候从机场打车都要排队等半个多小时，而我10月中旬过来时，学生暑期已经结束，国庆假期也已经结束，大理进入了淡季时期，机场门口排了满满的空车，打车1分钟就叫到了车，连大理古城里人也不多，想到大老远计划休闲来到大理结果乌泱泱全是人，时间耗在等等等的场景，就觉得自己真是选对了时间。错峰出行真是提升游荡体验感的重要策略，不仅省钱，还很舒适！错峰出行还有很好的一点是，10月底和11月初大理的气候宜人，每天早晚有些清凉，可一到了白天便是把人晒得暖洋洋的大太阳，天气一暖和人的活力值也会提升。

说了这么多大理的优点，大理真就这么好吗？这里想说一句暴言，越是觉得大理好的时候，我越是在心里想，真希望大理独立，云南独立。毕竟位于边境，山高皇帝远，加上地处云贵高原，地形复杂，多民族分散聚居，对于集中统治有着客观的难度，独立也有着先天的优势条件。在大理居住时看到了一本书《逃避统治的艺术》，翻开几页令我惊奇的是这是一本美国作家研究包括云贵川在内山地居民逃避统治的书籍，引用豆瓣对此书的内容介绍：

为什么想要逃避国家的统治？落地大理后，不可避免的见到各处红旗和标语，这无孔不入的威权宣誓让我已经看够了，看厌了，看烦了。

落地打车和司机师傅聊天，前半段还在分享偏居大理的安逸和舒适，后半段话题深入真实生活便沉重了些，司机师傅原本是上班族，经济形势变差老板也开始变态，想着法地折磨员工，于是他索性辞职开滴滴，做自己的老板，旺季时生意不错，淡季时生意寥寥。司机师傅说，生活不能细想，细想就过不下去，想想油罐车事件每天就吃不了油，想想农药残留就吃不了蔬菜水果，人清醒了却无法逃离比麻木更为痛苦无力。

有天大理举办了户外徒步运动，打车等了半晌司机师傅才来接我，上车后师傅便忍不住吐槽：中国社会就是这样，强制性太强，老百姓没有话语权。好好的一个户外运动霸道地搞交通管制，直接导致交通堵塞，基础设施不行搞啥搞，旺季大理路堵车堵得水泄不通，路窄的连条狗都过不去。办活动也能理解，大理依靠的就是旅游业，需要对外提高知名度，但搞活动是给政府作宣传，给老百姓带来麻烦，好好的一件事搞得民不聊生，管理水平有限就别折腾！再说大的环境不好，带动啥呀，疫情三年到处核酸血本无归，现在财政赤字，城市环卫、协管工资迟迟发不下来，发不下来也没办法，五六十岁的人到哪再找到新工作，还不是得接着干；疫情解封后看着旅客火爆，也只是暂时和表面现象，远远没有恢复到疫情前的水平，人是到处出来玩了，但不消费呀，兜里没钱怎么消费。

原本师傅开的是大巴旅游车，现在经济不行大车换小车转而开滴滴。令我惊讶的是，师傅开旅游大巴，此前光是办车牌就要五六十万，丽江则是要六七十万，因为2016年以前旅游大巴的车牌实施计划管理，车也实行户籍管理，大理的车只能在大理开，不能去丽江，什么东西只要一计划，国家一调控就值钱，一放开就不值钱。师傅接着吐槽说：我是看明白了，咱们这社会就是个金字塔，少数人有钱，大部分老百姓就是个参与者，主要是当个陪衬，啥好事都轮不到。人这活着就像被圈养的一头猪，猪喂饱了肯定得宰杀你。听完师傅一通妙语连珠不说不快的吐槽，师傅是活明白了，快下车要去甜品店的我心情一紧。

大理很好，好住好吃好玩，好到让你快要忘记是待宰杀的牛马，这也是为啥我希望大理独立，云南独立，即便这并不现实，但有这个念头并分享出来的我，是见过自由渴望自由不愿被统治的人。

写在后面：

在大理游荡感受还很好的地方是遇到了很多听友，建立了很多线下连接。即便是在大理，彼此听相同播客有着共同兴趣爱好价值观相同的人们彼此也并不相识，了解，在偌大的威权社会里，无法连接的个体该如何面对孤独呢。在播客《47 女性共居和拼团人生：让Woman住在一起》里，莫不谷分享：女性之间不一定共居，但可以多多gathering，建立一些connection。在大理和听友相约骑摩托车游荡大理，和听友相约法式甜品店聊天，又和偶遇的听友在好事莲莲咖啡店喝咖啡一起尝试素食，还和梅朵一起喝下午茶做饭聊天出门骑行晒太阳，在大理见听友的密集度远胜以往，短时间内的社交也几近饱和，却也同时免于被负面情绪侵蚀，像是《拼团人生》这本书里分享的那样：

“跟其Ta人一起生活，最大的好处就是有了一个很好的转移注意力的对象，这会让自己避免过于专注或被不安吞噬。一边削水果吃，一边闲聊几句，就能在无形中抖落掉抑郁感和不安感”。

最后给想要游荡大理的朋友们一个建议，这也是旅居大理一位听友分享的忠告：“远离男性”，因为在大理的男性只会和你产生两种关系：一是借钱，二是谈恋爱。

附上大理及周边游玩小众攻略

这是朋友梅朵（小红书账号“海街日记小院”）给我分享的大理攻略，已征求本人意见，现分享出来，同时结合我的游荡实地体验有所补充。拿到这份攻略，几乎可以说对大理一网打尽，玩到念念不忘不想走。

一、大理古城的正确打开方式（找不到的可以直接导航）

大理北门菜场上午去逛，很有烟火气。要走菜市场外面的那条路。逛完可以去好事莲蓬咖啡商店喝杯咖啡，就在菜市场附近。（咖啡店旁边有家素食店“食早”，和大理偶遇的两位听友一起在这家吃过饭，价格实惠味道也不错）

1，九孃稀豆粉(在市场内)

2，无矾油条老烧饼

3，喜洲杨记破酥粑粑

4，巍山耙肉饵丝

5，红英小吃

6，普通面包社🍞（店里有两只边牧，其中一只叫“米面包”）

7，唐咖

8，柿子树咖啡☕

9，丽诏记绿豆馅饼店（绿豆饼好吃，最好上午去，下午去了两次都卖完了）

10，大碗岛（大理听友推荐较为隐蔽的一家咖啡店，在这里可以俯瞰大理古城和苍山）

11，舂鸡脚（玉洱路附二楼178号，这是我骑车路边偶遇的一家店，还拍了视频分享在小红书“游荡者的日常”，连买了两次，对酸甜辣没有抵抗力的朋友们不要错过）

大理最好逛的集市

1，大理床单厂集市 ⏰ 每周六周日都有

2，大理三月街集市 ⏰ 每月4天(农历初2，初9，16，23)

最值得逛的3条街道

1，广武路 2，平等路 3，银苍路

二、大理小众攻略和梅朵亲测美食推荐（比上文更全，时间充裕可充分探索）

大理每周有各种丰富多彩的活动，可以关注“大理好在”公众号。

小森林小院子周边可去的地方：

• 下鸡邑洱海廊道（人少景美，走路10多分钟）

• 喜花花农场（小院子背后，可体验各种手工，走路2分钟）

• 吾乡间·林舞鸟鸣咖啡（院子里满是葱郁绿植）

大理比较小众的目的地：

• 无为寺，下山可顺路去苍山自然影像博物馆（很安静，可预约斋饭，提前一天预约）：我去了两次，感受很好！

• 波罗寺（在寂照庵上面，继续爬两三个小时）

• 鸟吊山

• 者摩山

• 云想山

• 寂照庵（20元一份的斋饭特别好吃）：想避开人流可以去吃晚上的斋饭

• 苍山自然影像博物馆（在无为寺山脚，去无为寺可以顺路，经常举办展览）：博物馆免费，里面还有个咖啡馆风景宜人

周边的古镇：

• 凤阳邑（可以顺路先去寂照庵吃斋饭，下午逛）：茶马古道路途中的一个小村落，可以去锹园咖啡坐坐，风景好，咖啡也好喝！

• 喜洲古镇：10月至11月初还有稻田风景，吃饭推荐“麦香炊烟”，当地白族菜好吃便宜，麦香小炒鸡绝了

• 沙溪古镇（先锋书局）：茶马古道上唯一幸存的古集市，瑞士联邦理工大学与剑川县政府联合修复维护的古镇。时间充裕建议沙溪古镇住个两三天甚至一周，古镇自然风光美，小镇美食又多又便宜，咖啡馆风景无敌，适合旅居休闲放松。

• 巍山古城（先锋书局，一定去吃昆师傅饭庄，特别好吃）：适合呆个两三天，在古城喝5元一碗大碗茶各种探索美食小吃，我住的民宿小院还搞了烤鱼烤肉烤火，感受相当愉快！

• 剑川古城：从沙溪古镇坐小车单程20元1小时左右就到，比沙溪更安静的古城，附近5公里有剑湖，风景好的时节看杨树林湿地很美，可以当日往返。

• 诺邓古村

大理特色米线面条：

• 树下小馆·云南经典过桥米线：高颜值的过桥米线，分量十足，一个人吃有些吃力

• 老仓醋米线

• 再回首凉鸡米线：只点8元一碗的凉鸡米线就可以，没想到在古城热闹街区能有这么好吃又便宜的凉鸡米线。

• 蒙自小黄牛米线

• 素乐餐厅（油泼面）

• 正宗开远米线（他家的烤豆腐最好吃）：烤红薯8毛一个，烤臭豆腐8毛一个，烤包浆豆腐1.6一个，烤鸡蛋3元一个，还有凉拌鸡爪4元一个自助盛取。

• 六盘水羊肉米粉

特色小吃：

• 烤乳扇：5元/个，就是烤奶酪的口感，中间夹上玫瑰酱，可以尝试一个，多了会腻

• 杨记饵块

• 杨记喜洲粑粑（北门菜市）：好吃的粑粑是真的好吃，不好吃的破酥粑粑能噎死人

• 九孃稀豆粉（北门菜市）

• 浙江朱记·无矾油条老烧饼（北门菜市）

大理白族菜:

• 挖色菜香园（三塔附近）

• 岛七·白族人家私房菜（古城中和路）：和大理听友一起吃了这家，好吃实惠

• 全月饭店白族私房菜（古城南门）

• 杨飞烧烤（大理很好吃的一家烧烤店，晚上6点之后开门）：和大理听友一起尝了下口感正常，逛三文笔村的时候可以顺便浅尝，不必单独去

• 四季饭店（喜洲）

• 柴米多农场餐厅（古城）

• 野生菌火锅：爱膳菌锅锅（古城店）

• 烤豆腐：正宗开远米线（烤豆腐特别好吃，特别推荐，五颗星）

• 傣味：傣厨·傣族特色手抓饭

• 南五里桥美食街 比较多当地人去吃的美食

• 大理大学周边有很多好吃的，物美价廉

• 私房菜：雅屋（台湾李姐做的菜，需提前预约）

烘焙：

• 普通面包社（广武路）

• 朴石烘焙

• 茶茶的面包

• 美国小馆

• 三内可颂

• 小雨的面包窑（小程序接龙，可送到院子）

• 丽诏记绿豆馅饼店（超好吃的绿豆饼）

• La mure法式甜品面包店：和大理听友约在这家甜品店，甜品小贵，好吃，店里还有女性主义书籍，适合阅读休闲办公，附近是大理左岸区，可以citywalk，时间充裕也可以从这徒步3㎞去爬寂照庵。

素食：

• 素方舟自助素食（中午是素食自助，菜品丰富，晚上自助火锅）

• 無相颂

• 寂照庵斋饭（20元一人）

• 本素食堂

• 一然堂

• 素乐餐厅

• 食早：和大理两位听友一起尝试了这家，实惠味道也不错

• 崇圣寺三塔附近有素食一条街

大理西餐：

• 大意（榴莲披萨好吃）

• 酥虎（性价比很高）

• 向月球飞去

• 广武108披萨小院（环境很美的小院子）

• 朴石烘焙

• 青黄甜品（一家有故事的甜品店）

大理值得一去的咖啡馆:

• 如鱼旗袍咖啡（小岑村，周三、周四开门）：在芋头田野里喝咖啡，很喜欢

• 解咖啡（在小岑村）：在我住的小院旁边，结果直到离开也没来得及尝试

• 六尺咖啡（三文笔村，小路书屋隔壁）：流沙咖啡9元一杯是真的好喝又便宜，奈何男老板女性意识太差，在此不作推荐

• 柿子树咖啡（古城）

• 心邸咖啡（看海景）

• 收获咖啡（咖啡豆品质不错）

• 好事莲莲（逛完北门菜市可以顺路去）

• 唐咖

• 五月家庭咖啡馆（新桥镇小庆洞村）

• 为什么我要开一家咖啡馆（广武路）

• 大青树咖啡（晚上氛围很好）

特别喜欢的两家茶馆：

• 山和茶院（在古城，院子很美）

• 无声茶叙（在S湾附近）

大理值得一逛的书店

• 海豚阿德书店（在床单厂，可以顺路去）：10月去的时候在装修，好像不对外开放

• 小路书屋：在三文笔村里，女性老板开的书屋，二楼有安静阅读的空间，推荐

• 野柚子：大理古城女性老板开的书屋，书品很好，推荐

• 诗酒社：就在野柚子旁边，24小时无人自助书屋，旺季需要预约，淡季walkin阅读休息办公，音响还可以放音乐，推荐！

• 走空书市（很有特色，在森林里的读书地儿）

• 周一闭馆书店：在大理左岸区域，二楼窗景是真的无敌，书品正常。

大理市集：

• 大理古城床单厂艺术区（周六，周日）

• 三月街市集（每月农历的初二，初九，初十六，二十三）

【放学以后文章&书籍&其它】

解锁放学以后《创作者手册：从播客开始说起》：https://afdian.com/item/ffcd59481b9411ee882652540025c377

解锁莫不谷《做一个“蓄意”的游荡者》口袋书：
爱发电：https://afdian.com/item/62244492ae8611ee91185254001e7c00微信公众号：《放学以后After school》（提示安卓用户可下载“爱发电”app，苹果用户可把爱发电主页添加至手机桌面来使用，目前爱发电未上线苹果商店）

Newsletter订阅链接：https://afterschool2021.substack.com/（需科学/上 网）

联系邮箱：afterschool2021@126.com （投稿来信及合作洽谈）

为全球华人游荡者提供解决方案的平台：游荡者（www.youdangzhe.com）

小红书：游荡者的日常

同名YouTube：https://www.youtube.com/@afterschool2021

同名微信公众号：放学以后after school

欢迎并感谢大家在爱发电平台为我们的创作发电：https://afdian.com/a/afterschool

播客收听平台：【国内】苹果播客（请科学/上网）、爱发电、汽水儿、荔枝、网易云、小宇宙、喜马拉雅、、QQ音乐；
【海外】Spotify、Apple podcast、Google podcast、Snipd、Overcast、Castbox、Amazon Music、Pocket Casts、Stitcher、Radio Public、Wordpress

To discuss the Department of Justice’s new proposed rule on data security, we interviewed two brilliant guests from the ChinaTalk Hall of Fame — DOJ National Security Division attorneys Lee Licata and Devin DeBacker.

Before DOJ, Lee was an attorney at DHS and then CBP, while Devin was a partner at Kirkland & Ellis and then worked with the Office of White House Counsel. Today we’ll be discussing the DOJ’s new proposed rule on data security. 

Have a listen on Spotify and Apple Podcasts.

We get into…

• DOJ’s plan to protect your data from foreign adversaries,

• How public comments have shaped the proposed rule since the last time we interviewed Lee and Devin,

• DOJ’s tools for enforcing corporate compliance,

• The differences between data security regulations, privacy laws, and export controls,

• Why some public comments get accepted and some get rejected,

• The DOJ playbook for assembling a dream team of talented bureaucrats.

Shutting the Front Door

Nicholas Welch: Lee and Devin, welcome back to ChinaTalk.

Devin DeBacker: Happy to be back. As repeat guests on ChinaTalk, are we eligible for a plaque or some kind of award? 

Nicholas Welch: You know, I’m not in charge of funding — you’ll have to ask the dictator of ChinaTalk once he’s back from paternity leave. But your request — like the many requests you likely receive in the notice and comment period — is duly noted. 

For those who missed the show back in April, here’s the context — back in February, there was an executive order focused on preventing foreign access to Americans’ bulk sensitive personal data and US Government-related data by countries of concern. This was followed by an advance notice of proposed rulemaking (ANPRM). Now, we are in a period of notice of proposed rulemaking (NPRM), one step closer to the final rule.

Can you give us a 40,000-foot view of this executive order and the proposed rule? What national security risks are they aiming to address?

Devin DeBacker:  The audience might be wondering, “What are these 422 pages of regulatory detritus all about?” 

The primary risk we’re addressing here is the national security threat posed when foreign adversaries or their intelligence agencies access Americans’ sensitive personal data. Such data can be exploited, weaponized, and turned against our national interests in various ways. For instance, adversaries can use geolocation data to track and monitor Americans, or health and financial data to identify vices and vulnerabilities in individuals’ lives, such as behavioral patterns and daily routines. This data can be weaponized to surveil, blackmail, intimidate, or otherwise influence those individuals — whether targeting specific people or analyzing broader population insights. This rule aims to address and mitigate these kinds of threats.

Nicholas Welch: This rule isn’t addressing, say, an intelligence agency hacking in through the back door to steal information. You’re talking about data on the open market that could be purchased by anyone, right?

Devin DeBacker: Exactly. The “front door, back door, and side door” analogy works well here. We’ve got a “barn full of data” on Americans, and we’re trying to close the front door with this rule.

Other mechanisms and tools (especially from DOJ and other agencies) are in place to close the back door.

But we can’t leave any doors open, and the front door has been wide open for a long time. It’s been advertised almost as a free-for-all.

This rule aims to close that front door. Legally speaking, this covers legitimate or lawful commercial transactions where foreign adversaries can access data — either by buying it on the open market or through vendors, employees, or investors who can leverage it through their country’s political or legal systems.

Nicholas Welch: Where does this rule fit in the broader sanctions and export control framework? How does it contribute to the ongoing discussion about the intersection of national security and economic security? Is it similar or different from semiconductor export controls?

Lee Licata: Good question. There are aspects of this rule that resemble the Office of Foreign Assets Control (OFAC) and our export controls regime. This rule seeks to move beyond a case-by-case approach as we see with CFIUS, Team Telecom, or even some of the Commerce ICTS Authority actions, which often look at specific transactions or entities. Instead, it takes a more systemic or holistic approach across holders of this kind of data. The idea is to implement prohibitions and restrictions similar to an OFAC regime. It includes features like advisory opinions and licensing options, which are standard in such regimes. We see this as a foundational step toward a more comprehensive framework.

Devin DeBacker: Zooming out a bit, there are key assets in the US that we want to protect from falling into the wrong hands. Sometimes it’s technology, sometimes capital — we don’t want money flowing to terrorists, for instance. In certain cases, we want to prevent not just capital, but also the know-how that accompanies it from reaching critical sectors of emerging technology. Likewise, we want to protect sensitive American data from misuse. Each of these regimes — export controls, sanctions, outbound investment, and now this data security program — addresses a distinct part of that problem, forming a suite of tools in our national security toolbox.

Restricted Transactions and Covered Persons

Nicholas Welch: Let’s dig into the specifics. The rule says a “US Person” cannot engage in a “restricted transaction” with a “covered person.” What do these terms mean exactly?

Devin DeBacker: The program outlines certain covered data transactions that US Persons either cannot engage in or must engage with restrictions, particularly with countries of concern or covered persons. I’ll let Lee explain the specifics since he’s the architect of this framework.

Lee Licata: Let’s start with the prohibitions. Two types of commercial transactions between a US Person and a “country of concern” or “covered person” are outright prohibited. The first type is data brokerage, and the second type is transfers of genomic data or biospecimens, which is the raw material from which genomic data is derived.

We also impose restrictions in three categories — vendor agreements, employment agreements, and investment agreements that aren’t passive.

For these restricted agreements, we aim to put a box around these transactions to control how they’re conducted. Essentially, certain security measures must be in place to prevent countries of concern or covered persons from accessing sensitive data. These security measures, issued by the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, were published alongside our proposed rule. They include organizational security requirements, such as having a security officer, system-level security measures, and data-level protections like encryption and anonymization techniques.

Regarding who qualifies as a covered person and countries of concern, we’ve designated six countries — China, Russia, North Korea, Cuba, Venezuela, and Iran. Covered persons fall into four main categories — entities headquartered in or owned by a country of concern, entities owned by other covered persons, entities or individuals working for covered persons, and those predominantly residing in a country of concern. There’s also a fifth catch-all category for those acting on behalf of a country of concern — think proxies, cutouts, or shell entities. Essentially, we’re structuring this like an OFAC regime.

Nicholas Welch: Lawyers sure do love catch-all categories at the end of statutes!

Subscribe now

Tools of Enforcement and the Impact of Public Comments

Nicholas Welch: What does this rule’s compliance and enforcement regime look like? I see due diligence obligations, a licensing regime, annual reports, and even requirements to disclose when a US Person rejects a solicitation to transfer restricted data to a covered person. What should companies anticipate as DOJ finalizes this rule?

Lee Licata: First, we encourage companies to consider submitting comments on the docket during this finalization phase. Their input is vital for us to understand how this will be implemented and what impacts might arise.

Devin DeBacker: The more specific, the better. It helps us to understand the exact types of transactions companies engage in and whether their interpretation of the rule aligns with ours so we can clarify as needed.

Lee Licata: The comment period is 30 days and ends on November 29, 2024. Beyond comments, we want companies to start evaluating their risk profiles concerning these rules. Companies need to understand what data they hold, especially sensitive data regulated here, and the nature of commercial relationships that could involve a covered person or country of concern. They should also identify who has access to that data and what security measures they have in place to protect it.

The compliance and enforcement regime includes features common in export controls or OFAC frameworks — recordkeeping requirements, annual reporting, and reporting rejected transactions, similar to OFAC sanctions. We also require audits for restricted transactions to ensure security measures are in place. Entities must have policies governing compliance with these rules. Lastly, this is an IEEPA-based executive order, so DOJ can leverage IEEPA’s enforcement tools, including criminal prosecution and civil penalties. The rule outlines thresholds for civil penalties and allows us to notify entities of violations without financial penalties, though we’ll make sure they’re aware of their transgressions. This entire framework is about orienting entities to understand their risks and ensuring they take action.

Devin DeBacker: To take a broader view, our compliance approach is similar to that of sanctions programs. Most companies will need an in-house compliance program tailored to their specific risk profile — who they do business with, where, and in what sectors. While some restricted transactions can proceed with terms and conditions, generally, we focus on compliance first. DOJ sees corporate compliance, especially in national security, as a priority. Companies are on the front lines — they hold the data, technology, or capital we’re concerned about. We need them as partners to understand and uphold their obligations. But DOJ is also prepared to use its enforcement tools when necessary. At the end of the day, what matters isn’t the 422 pages of the proposed rule but how it works in practice to protect against these risks.

Nicholas Welch: Let’s say I’m Company X. I read this rule and think, “Wow, this will be massively expensive. I don’t want another compliance regime.” How will the DOJ know if I violate the rule? Will the DOJ really find out?

Devin DeBacker: Oh, we’ll find out. Corporate compliance is our bread and butter, especially in the Foreign Investment Review Section, where this program resides.

My team focuses solely on compliance and enforcement every day, around the clock. We also have the FBI, which excels at investigating violations — whether it’s sanctions, export controls, or this program. Additionally, we have public tips, recordkeeping requirements, and reports that help us follow up and investigate. For companies with higher risk profiles, we can inspect their records and ensure compliance interpretations align. The other key point is that one person can’t engage in a transaction alone — there’s always another party, so if one doesn’t report, the other often does.

Nicholas Welch: Industry, you’ve been warned! From what I’ve read, you engaged in a lot of public feedback. I noticed in the notice of proposed rulemaking that the department even discussed the order with stakeholders at public events, including China Talk. So, if other podcasters want good press, they should invite DOJ lawyers on their shows! There were 114 questions in DOJ’s ANPRM. What were the biggest changes to the rule based on comments and engagements?

Lee Licata: As you mentioned, we received about 70 comments during the ANPRM period, along with feedback from over 100 organizations, companies, trade associations, civil society members, academics — the whole spectrum of regulated communities. We didn’t receive any catastrophic warnings about breaking the internet or collapsing the economy, but we did get a lot of valuable, acute policy input to ensure the rule is implementable without unintended economic consequences.

Subscribe now

Some new elements include an analysis of the six countries of concern, bulk data thresholds, and a detailed assessment of data characteristics. We’ve also conducted an economic impact assessment, estimating compliance costs based on studies like GDPR and other due diligence activities. There are specific exemptions for telecommunications, FDA-regulated clinical trials, and data transfers for post-market approval in regulated sectors. We also clarified financial services exemptions to avoid hidden economic decoupling and specified back-office intra-corporate transfers.

Nicholas Welch: How does the industry feel about this rule? Is DOJ expecting millions in lobbying against it, or does industry seem more receptive?

Lee Licata: It’s early, but the industry seems to understand the issue we’re addressing. No one disputes that adversarial nations are actively seeking American data, and this is a legitimate national security threat. Industry representatives are trying to understand compliance obligations and what this means for their transactions. They provided helpful feedback on policy specifics, though we haven’t seen anyone suggesting it would dramatically impact the economy. Stakeholders seem to be grasping that compliance will be necessary and are evaluating their risk exposure. They’ll advocate for their industries, but the input we’ve received has been useful.

Devin DeBacker: We’ve continued public engagements during this comment period, similar to the ANPRM in spring. We’re open to feedback about specific transactions or scenarios where this rule might have unique implications. We’ve already met with over 200 groups in this short comment period, so it’s a broad, cross-sector engagement. We’re here to listen.

Nicholas Welch: Maybe this is a bit technical, but the rule mentions that several commenters suggested incorporating aspects of international or state privacy laws. DOJ decided against that, stating privacy protections and national security measures have different objectives. Can you clarify why?

Lee Licata: Sure, two examples come to mind. First, most state privacy laws define “precise geolocation data” using an 1850-foot distance from the device — a standard not actually supported by device technology. Major operating systems generally use either 1,000 or 10,000 meters to measure precise geolocation data. We chose 1,000 meters to align with how data is collected and to ensure consistency with real technology practices.

Second, state privacy laws cover all “PII” (personally identifiable information), including basic, public information like names and addresses. Our goal isn’t to regulate the phone book but rather to focus on information that adversaries could exploit. We created a narrower category called “covered personal identifiers,” targeting data combinations like a name and Social Security number or IP address and device identifier, as these combinations could uniquely identify someone. This approach focuses on specific national security risks, departing from broader privacy law constructs.

Devin DeBacker: Another example relates to a consent-based exception. Some commentators suggested we allow cross-border data transfers if individuals consent. From a privacy perspective, which emphasizes individual control over data, this makes sense. But in national security, we’re more concerned about the broader externalities created by individual and company choices.

We don’t have a consent-based exception for export controls. We don’t say that sensitive technology can go to Iran or North Korea with a company’s permission.

Privacy and national security laws serve different objectives, so they complement each other but don’t always align.

Nicholas Welch: Data, unlike semiconductors, moves easily and can be routed through various entities. If US Company A sells data to Company B, which eventually passes it to an adversary, how does the rule address the risk of onward data transfers?

Devin DeBacker: There are two parts to this. As Lee said, we designed the program to balance obligations on US companies. We don’t impose “pass-through liability” — US Company A isn’t responsible for tracking data through every layer, down to whether the data eventually reaches a covered person. However, we’ve addressed the resale and re-export risk by requiring US companies to include a contractual restriction with third-party buyers, preventing them from reselling to a country of concern or covered person. This “trusted data flows” concept allows third parties within the trusted framework.

If a third party violates the restriction, US companies must report it to us. If necessary, we can publicly designate those violating entities as “covered persons.” This approach strengthens trust-based data flows by identifying who falls within or outside the trusted framework.

Nicholas Welch:  Before this rule, did any executive branch mechanism address these specific national security risks?

Devin DeBacker: Yes, sort of — this concept emerged from our experience with transaction-specific authorities, like CFIUS and Team Telecom, which assess individual foreign investment risks. However, as data security threats evolved, we noticed we were addressing similar data security risks repeatedly in foreign investment cases, each time creating tailored compliance solutions. Seeing this pattern, we decided to create a comprehensive, systematic program to address these recurring risks. We still have case-specific authorities, and this program complements them by reducing regulatory duplication.

Why DOJ?

Nicholas Welch: On the last show, you mentioned that the DOJ is a natural fit for this role because you’re highly experienced in corporate compliance. You also said you’re expanding the Foreign Investment Review section, hiring more attorneys and non-attorneys. How is that team expansion going? More broadly, what did interagency collaboration look like for this rule? I assume you had extensive interagency support from Team Telecom, Commerce, DOD, and FTC — but ultimately, the DOJ took the byline for this rule. This is hosted on justice.gov, not another agency’s website. Does that impact the rule’s effect or corporate compliance overall?

Lee Licata: Yes, absolutely. First, stepping back, it took us two and a half years to develop this concept for the executive order and then to draft the proposed rule. Throughout that time, we coordinated with around two dozen federal departments and agencies, as well as White House offices, to build this framework and ensure that all relevant interests within the executive branch were represented.

The interagency coordination was extensive, involving entities like CPS, Team Telecom, the ICTS team at Commerce, CFPB, FTC, and SEC — essentially, every regulator overseeing commercial transactions involving the regulated data. We also engaged continuously with OFAC, BIS, and FARA to incorporate similar concepts and ensure compatibility within our program.

The DOJ byline is indeed significant. As Devin mentioned, corporate compliance and enforcement are central to our work — it’s right there in our name, the Department of Justice. So it’s natural for this rule to land here, combining DOJ’s expertise in this risk area with the department’s enforcement mission. In the interim, as we establish this program, we’re building a team within FIRS to finalize the rulemaking and begin implementation. We’ve assembled a team of mostly interagency detailees to bring together the necessary expertise. As of now, we have 11 attorneys plus paralegals, targeters, and other support, and we’re leveraging insights from across the interagency. We have team members from OFAC, FinCEN, BIS, and the Department of Defense, among others, all working under our roof. By the end of the year, we expect to have about 17 people forming the foundation of a full-fledged team.

Subscribe now

Nicholas Welch: Where do you see this rule going in the future? Financial industries, for instance, face multibillion-dollar fines and have strong compliance frameworks, but with newer regulations like chip export controls, we’re only starting to see big penalties, like Seagate’s $300 million fine from BIS [and a $500m fine on GlobalFoundries]. Recently, a TSMC chip was found in Huawei, which journalists quickly identified as a supply chain weak link. Chris Miller suggests chip companies need to spend more on compliance, and governments should impose stricter penalties. So where do you see data security compliance going?

Devin DeBacker: As my boss, Assistant Attorney General Matt Olsen, said back in March, this program needs to have “real teeth.” Our primary approach is through compliance. We want companies to fully understand their obligations, have strong programs in place, protect data, and follow the rule, especially with security requirements for restricted transactions. Our main goal is to educate US companies and individuals on these obligations.

If enforcement becomes necessary, however, penalties need to be meaningful — they must impact a business enough to reinforce compliance obligations. More than the size of the penalties, though, what's critical is for companies to understand that compliance can’t be an afterthought — it has to be integrated into the business itself. Compliance teams need to be part of business decision-making, not separate from it. For example, if a company is considering opening an office in Shanghai, storing geolocation data on servers there, and hiring covered persons, that decision-making process must include compliance with US government rules. This needs to be part of the broader business risk assessment.

As Lee mentioned, companies need to ask questions like: Where are our offices? What data do we hold? Where is it accessible? What safeguards are in place? Who has access, and what kind of system-level access do they have? Compliance isn’t about merely ticking a box — it has to be woven into the business itself.

Nicholas Welch: Sounds comprehensive! You’ve done an extensive job of justifying this rule based on statutory authority, like Article II in the Constitution, Section 301, IEEPA. Do you think Congress would be better suited to address this risk legislatively rather than through an IEEPA-based executive order?

Devin DeBacker: IEEPA is intentionally broad, and this rulemaking is consistent with typical IEEPA-based rulemakings, which regulate commercial transactions and cross-border activities. This program can and should stand independently, without Congressional involvement. That said, we’ve worked well with Congress, discussing ways to clarify aspects of IEEPA, like the Berman Amendment, and ensuring long-term resources for this program. 

What’s promising is that this area — protecting sensitive US data from foreign adversaries — has broad bipartisan recognition across parties, administrations, and Congress. I believe this will remain a priority across the government, and I’m optimistic this program will become a lasting element of our national security framework in the US.

Submit comments here, and enjoy this mood music from Lee and Devin:

不久前我们发起了「顿悟时刻」征稿活动，一共收到68份回复，感谢姐妹们的热情参与！我们从所有来稿中精选了24个闪闪发光的Dear Moment，并将在接下来的三封信中分享给大家。本次推送包含第1～8则来稿，默认匿名，排名不分先后😊

1、

亲戚家请吃饭，算妈妈那边比较私人的聚会。我印象最深的是只有一张桌子，但没有一个女性。不管是女儿也好、媳妇也罢，都只能站在旁边吃。比较小的孩子也站在旁边吃。我看着桌子上人的脸，突然意识到，即使是“男外来人”，即女婿，也是可以上桌吃饭的；年龄较小的男性，长大后也是可以上桌吃饭的。而女性、唯有女性，不管是辈分很高的姥姥、姨妈还是舅妈，都只能站在旁边吃饭。

当时刚好有一名堂姐结婚了，她老公在桌上吃饭，她在旁边。我看着她的脸，再看看姨妈的脸，恍然发觉，姨妈就是以后的她。而如果我不逃离，我也会变成她。

2、

大概是从我被送人未遂，弟弟出生时全家欢欣鼓舞堪比过年的氛围给刺激到吧。从那时开始，重男轻女的概念就深深烙印在我心里。

3、

初中时期我遭受了校园冷暴力，从此我学会绝不在人前软弱。上高中后我成了“不太好惹”的女生。一次大课间我正准备进淋浴间洗澡，舍友抱怨几个男生很烦、老是惹她，我掀开浴帘说：你不要老是顺着他们，骂他们一顿就好了。此时我已经站在淋浴间，窸窸窣窣脱下衣服，外面传来回复：不是每个人都像你那样的。

站在温热水流下，这句话在我脑中盘旋许久，直至今日依旧清晰。

为什么大家不能都像我这样？

4、

初中一次大考考砸了，我妈指着我说，“你爸已经烂了，我唯一的安慰就是你的成绩还比较好，你要是再烂了我要怎么活下去？！”我第一反应是疑惑：我和我爸怎么样跟我妈有什么关系？难道除了丈夫和孩子，一个女人就什么也不是了吗？甚至，当时的我已经隐隐约约感受到一种可悲的命运程序——女人们被所谓的爱情欺骗着走进婚姻，却发现男人是不合格的伴侣。她们无法从男人身上得到任何价值。这时她们转而寻求生育、期望通过孩子获得自我满足，然而从历经苦难怀孕生产到耗尽精力抚养孩子也是女人燃烧自我的过程。当女人发现生育的回报和付出根本不成正比时，她们会彻底绝望，或者又寄希望于子女的婚姻。因此婚姻中的女人永远无法真正得到幸福，只能在空虚中被不断拉扯。

听到妈妈的那句话以后，我的人生好像没有什么改变，又好像有些微小的改变。我依然想让妈妈开心，依然为了妈妈努力学习、渴望取得好成绩。但当妈妈再劝我“擦亮眼睛找个好男人”时，我会闭上耳朵。后面的故事或许大家都熟悉，我开始了解女权主义，为自己的人生寻找解法。我回看当年的自己，那个为妈妈的话感到愤慨但依然试图拯救妈妈、让妈妈满足的女生，才发现她一直扛着妈妈的命运走到现在。在父权制的压迫下，她的妈妈把自己想要的、匮乏的、被许诺会得到却从不曾得到的、因对未来恐惧而强加于人的所有，都放在了她身上。出于对妈妈本能的爱，她选择把妈妈的问题都当成自己的问题，从而时时愧疚、常觉亏欠。

而如今，她终于敢看见这一切。

妈妈，我依然很爱很爱你，可是我要过自己的生活了。我不能再为你解决连你自己都没有勇气去解决的问题。你无法接受我爱女人、无法接受我不生育、无法接受我不愿复刻身边任何一位女性长辈的人生，那我只能剪断我们之间的脐带，去做我自己的母版。如果前方没有路，那就开路，这正是每一代女性在做的事情。

——by除却巫山俱是云

5、

第一次意识到这个世界不对劲是在复杂的家庭关系中。当时的我只是一个小孩子，但我能看见姥姥对不担负赡养责任的儿子看似失望仍百般让利。家产是他们的，还要付赡养费勉强让他们接纳她。然而对精心照料自己的女儿她说着体己话，却没有给予她们一丝一毫利益。我从小就很精明，我觉得那些男人占了属于我的利益。我明明是她最有出息的孙女、她口中“最宠爱”的孩子，为什么我仍能感受到比起我她更偏爱顽劣又蠢笨的表弟呢？为什么我得到的远比那个家伙少呢？

然而当我向妈妈提出我的疑问，问她辛辛苦苦讨不到好处有什么用，她却说着她很乐意，她孝顺。我忽然就感觉，孝道是一座沉重的大山，是父权制的魔咒。

6、

小时候上语文课，老师介绍“他”可以代指男人和所有人，“她”只能代指女人和一群女人，甚至一群女人也可以用“他们”。那是我第一次质疑老师的正确性。

7、

我的家乡是一个不算落后的小村庄，我在家很少感受到重男轻女的思想。可是前段时间跟妈妈在集市买瓜，问好了价格，结账时却突然涨价。摊主见我犹豫，声色俱厉地呵斥：“你不买可以走人，小女孩家家的这么事多。”诸如此类。然而我身旁还有一个买瓜的男人正在挑选，摊主却转头温声细语对他说：“我说的是她，您慢慢挑。”

二十多年来，第一次感受到性别上的区别对待。我脑海中蹦出第一个念头：倘若我是个男生，摊主应该不会这么肆无忌惮地试图用高喊吓退我。

我们总被教育要待人温和有礼，可没人教我们面对基于性别的不礼貌、胡搅蛮缠时该怎么做。在我浅薄的经验中，第一步要敢于对不合理的事说不，哪怕是微乎其微的声音，起码告诉自己要在不公平中力挺自己；其次我们应该有强健的体魄，不必被“好女不过百”、“筷子腿、直角肩、蚂蚁腰”左右。只有怕你好的人才盼你弱。

有人说：千百年来都是这么过来的，你一个人的力量能改变什么？我不认可。正因为反对声音多、沉默者众，我们就更应该坚持自我。女性一直在被选择、被支配、被漠视，这个“被”令我万分讨厌。我即是我，不是他物，不是任由珠网外衣缚束的复制品，我应正视我、更应成为真正的我。

——by执萌萌

8、

生活在这个世界，愤怒和质询根本讲不过来，所以想分享一个生命早期的温暖时刻。

上计算机课，一个女生肚子疼，冲出去找班任请假。下课回班的时候有男生在队伍里乱窜，跟同学说她是装病，但完全没有女生附和他，都是让他闭嘴或滚。大家平时未必玩得到一起去，但到了这一点上是一致的，不能接受那个男同学的污蔑和打压。

就是那时候突然觉得 “哦，我们是一伙的”，都是女人。