Simone Gao: Hello! Welcome to Zooming In China Tea Time, I am Simone Gao.
The disastrous IPO of Didi Global in early July has set off a firestorm for all Chinese companies looking to be listed on U.S. stock exchanges. Following their $80 billion valuation after two days of trading, Didi, China’s equivalent to Uber, looked to be a rising star with the largest IPO of any Chinese company since Alibaba in September 2014. But in going forward with their IPO, they had rejected a request from the Chinese government to postpone that IPO until their public filing documents could be thoroughly reviewed by the Cyberspace Administration of China. The Chinese government quickly responded, placing Didi under a mandated cybersecurity review and removing their apps from all Chinese app stores.
That review took a more extreme turn on July 16th. Chinese regulators from multiple agencies, from multiple government agencies — including the Ministry of Public Security, the Ministry of State Security, the Cyberspace Administration of China, the Ministry of Transport and the Ministry of Natural Resources — raided the corporate offices of Didi. They announced the move in a public statement, likely to make the punitive response to corporations that disregard their requests obvious to the entire international community.
The outcomes of the review may be more serious than the falling valuation of Didi Global stock. Punishments can include financial penalties, suspension of business licenses or even criminal charges. We can expect the punishment to be severe given the very public nature of this dispute. The CCP can be counted on to make a public example of Didi. To show leniency to a company who disregarded the full control of the Chinese Communist Party would be to weaken that control, and that is unthinkable within the current regime.
Not when there is that amount of data at stake. As reported in the Wall Street Journal, Didi’s 377 million annual active users and their 13 million annual active drivers in China turn over their real names, vehicle information, criminal records, and their credit card and bank information to Didi. Those users often choose to share photos, home and office destinations, and identifying information like their age, their gender, their occupation. And even, they may be subject to submitting facial-recognition data.
The CCP’s response might be understandable, given their dedication to tight control, if their punishments had centered on only Didi. But they did not stop there. Just after the announcement of the cybersecurity review for Didi, they announced the same app restrictions and cybersecurity review for Full Truck Alliance, an Uber-like service for freight trucks, and Kanzhun, an online job recruitment service.
Days later, the Chinese government tightened their grip. The Cyberspace Administration of China posted, for public comment, an extensive revision to their Measures for Cybersecurity Review. The most notable change in that revision is one requiring any Chinese company with control of data for more than a million users to seek permission from government regulators before filing for an overseas IPO. That revision, according to Henry Gao, a law professor at Singapore Management University, “would make it very difficult or even impossible for Chinese internet firms to get listed in foreign exchanges. Many of them would probably choose Hong Kong or domestic listing due to the tedious regulatory approval process.”
In addition to the mandated review process, the revision also extends the period of review from 45 working days to 3 months or longer, marking yet another deterrent to Chinese companies listing on foreign exchanges. Most Chinese tech companies have far more than the 1 million user threshold making every one of them subject to a lengthy review that is likely to end in a denial of permission.
But why now? Why Didi?
Didi has a great deal of data on Chinese citizens, but the data collected on its users is not likely to be cause for this level of alarm. It is certain that Alibaba collects similar kinds of data, and they currently have 811 million users, far more than Didi’s 377 million. Yet, Alibaba had a very successful IPO and remains a success in foreign markets with less interference from the Chinese government.
If it’s not the average citizen data, then there is another source of data at stake.
According China observers, High level Chinese Communist Party leaders use the DIDI app to go to places without using official cars or drivers. These trips can give a lot of information out about these officials in terms of where they went and possibly who they dealt with. Many secrets of these officials could be revealed by the DIDI app data. China is afraid somehow these data could fall into the hands of the American government.
After the Holding Foreign Companies Accountable Act passed in 2019, Chinese companies like DIDI is required to submit original accounting records that will reveal who Didi is funded by, who they are partnering with, how the data gathered by Didi is shared among those players, and the Chinese government is afraid these information will also become available for the Americans.
Whether the primary source of their concern is citizen or corporate data may not be known, but we can be sure that the CCP knows exactly what kind of information is at risk, because they have engaged in an international theft of similar data at a scale previously unseen. On July 19th, President Biden revealed that China has either directly ordered or has allowed ongoing theft of data from numerous countries, theft that includes a partnership with cybercriminals who obtained data for the Chinese government while also engaging in cyber ransom activity for their own financial gain.
President Biden was joined by allies from Australia, the United Kingdom, New Zealand, Canada, Japan, the United Nations and NATO in condemning the attacks and calling for an international inquiry into the type and extent of these attacks. While President Biden stopped short of any direct punishment for these actions, he later stated that the investigation is ongoing and that U.S. officials need a full understanding of the scope of the attack prior to making decisions on the consequences for them.
If the United States is to understand the attacks that have taken place by China, including the 2021 attack on the Microsoft Exchange email server software and other attacks on unnamed companies with ransom demands in the millions, we need to take a closer look at Didi. The international community needs to know why the Chinese Communist Party reacted so immediately and so excessively to Didi’s IPO. What data does Didi have that is different from the data of other Chinese tech companies listed on American exchanges? Why is Didi a threat at a level that is much larger and more notable than any other Chinese tech companies? When we find the answer to those questions, we will find part of the answer to how the CCP has carried out the extensive cyberattacks revealed by President Biden and what data they were after with those attacks.
Thanks for watching Zooming In China. Please like, share, and subscribe to our channel if you like our production. Most importantly, please sign up for our membership website at zoomingin.tv. $5 a month, or $50 a year. We have video audio formats of the show, transcript for the show, we will also have in-depth reports for the members in the future, and also Q&A, live Q&A with me on the website. So thanks again. I am Simone Gao and I will see you next time.