Book Review: Trafficking Data. How China is Winning the Battle for Digital Sovereignty (2023)

Kokas, Aynne (2023). Trafficking Data. How China is Winning the Battle for Digital Sovereignty. Oxford: Oxford University Press, 335 pages.

By Matthias Finger

I have rarely struggled so much to review a book as with this one. Still, I persevered because Aynne Kokas’ illustration of China’s data-strategy is an important and relevant book, especially in the current geopolitical context of high political tensions between the US and China. To be clear, the book is not about cyber warfare between the two countries, nor is it about national security. Indeed, the author devotes only two pages (pp. 27-28) to the US Department of Defense (US DoD) (specifically, its role in the development, during the 1970s, of the Internet and its current focus on developing cyber-weapon capabilities), and she makes only a cursory remark about the “military-civil fusion” in the case of China (p. 59).

Rather, the book is about China’s (globally, not just vis-à-vis the US) hegemonic ambitions in digital matters, i.e., the ambition to become a “cyber superpower” (p. 52). The author’s unique and somewhat intriguing proposition in this context is to link China’s hegemonic ambition to their vision and policies of “cyber sovereignty” (China’s terminology) or “digital/data sovereignty” (the terminologies preferred by the author).

Why was it so difficult to review this book? Much has to do with the book’s style and somewhat loose usage of crucial concepts, for example, equating “policy” with “politics”, and “data” with “digital infrastructures”. To be clear, I have few reservations about the substance, which is solidly grounded in primary field research (especially in Chapters 4 to 9). My initial mistake was to read it as an academic book, given that it is written by a professor (of media studies and public affairs). However, as the author writes more like a journalist and in a matter-of-fact style, the book seems to be written for the media, especially the US media. As a journalist’s book, it contains many well informed and convincing stories that are linked together so as to lead to a seemingly coherent picture about China’s (national-political? geo-political? economic? technological? everything?) ambitions. As such, the book is certain to have an impact, especially in Washington.

What is the book about – China-phobia and/or China-envy?

The book is structured into ten easy-to-read chapters: The first one is more of an executive summary, whereas the last one contains recommendations for remedies and is somewhat at odds with the book’s overall content and narrative. I will therefore return to the last chapter separately, at the end of this review. Chapters 2 and 3 present the two main actors (according to the author) on the global digital stage, namely the United States and China, and these chapters focus on their fundamentally different ways of handling “data governance” (another loose concept, see below). As for the United States (Chapter 2), and after having, in my view, a little bit too easily separated the US DoD (and its focus on cyberwarfare) from the rest of the US government, the author’s critique is quite severe: The civilian part of the US government is said to have no effective data governance, especially when it comes to consumer protection and digital sovereignty.

According to her, this weakness – which puts the US at a clear competitive disadvantage vis-à-vis China – is the combined result of (1) fragmented and even contradictory digital policies and regulation (fragmented by sectors and by level of government, federal, state, local), (2) short-term, inconsistent and even erratic policy-making over time, and (3) competing interests and priorities between national security, on the one hand, and profiteering by the US tech firms, on the other.

The following quotes best illustrate the author’s point: “The devolution of US data governance to global corporations (that need Chinese market access) demonstrates the fundamental weakness of relying on US firms to shape long-term data governance in the national interest.” (pp. 41-42). “The US strategy of deferring to Silicon Valley in technology policymaking (…) while limiting regulation spurs domestic innovation in the United States. However, it also leaves both US companies and global consumers vulnerable to the Chinese government’s efforts to control global data …” (p. 48). Tellingly, the title of Chapter 2 is, What happens in Vegas, stays in China.

Although the US government is said to have no data-governance strategy to speak of, the Chinese government does: “The crucial difference is that, in China, the government has a comprehensive vision of what constitutes national data governance” (p. 62). Chapter 3 is about making China’s vision explicit, as well as about identifying the corresponding policies to implement it. According to the author, the vision of the Chinese government is to become a “global cyber sovereign”, by which the author means the “Chinese government’s ability to influence, and even control, digital domains beyond the country’s current national borders” (p. 52).

Still, most of what the author identifies as China’s aspiration to become a global “cyber sovereign” has, it seems to me, a mainly national focus. For example, cyber sovereignty means, according to the author, that “national borders extend to the data gathered within its territorial borders, by its military, and – in an increasing number of circumstances – by corporations headquartered on its land” (p. 53). The author states that the Chinese government seeks “to assert data sovereignty through suites of laws that control how data generated in China can be stored, used and moved” (p. 54).

Kokas refers to the interesting concept of a data corpus and defines it as a “connected system that builds a national digital domain by gathering and integrating consumer, corporate, and government data” (p. 55). Building this data corpus therefore “creates strategic national resources, through corporations with unique access to data, a government empowered to obtain corporate data, and highly trained algorithms for governance and prediction” (p. 55). The currently best illustration of this (national) ambition is China’s experimentation with a social credit system, i.e., “a suite of public and private sector tools that gather user data for domestic governance decisions” (p. 56).

Although I find the arguments for this Orwellian (my word) vision of Chinese cyber sovereignty rather convincing, I also find the author’s extension of this same Orwellian vision to the entire planet to be quite an intellectual leap. This extension is grounded, according to Kokas, in China’s “colossal global influence of Chinese tech firms and the Chinese market” … which “helps China to develop corporate tech tools earlier and more efficiently than other countries, tools that they can then export to other nations” … thus gain “soft power through the next generation of data driven products” (p. 56).

The essence of the author’s argument for the reason the rest of the world should worry about China lies here: “With more access to data, the Chinese government, in conjunction with Chinese firms, can also influence new standards for international organizations in critical technologies such as facial recognition, surveillance, artificial intelligence, telecommunications infrastructure, and network consumer products.” … “Chinese regulators are influencing the standards for the global data trade. These tools will shape how the global technology landscape will look like in the future.” (p. 56) “In much the same way that satellites extend sovereignty by expanding the footprint of access beyond territorial boundaries, the impact of the Chinese market extends to influence over the tech sector through the reach of Chinese corporations” (p. 57).

Kokas does not explicitly say so; nevertheless, the conclusion of Chapter 3 is that, if nothing is done to prevent China from implementing its vision as a global cyber sovereign, the rest of the world – starting with the US that so freely gives its valuable data away – will soon be treated like the people living in China, namely as an integral part of China’s data corpus.

In Chapters 4 to 9, Kokas illustrates how this vision is being implemented step by step and sector by sector, by Chinese firms “trafficking data” from their users to China: for example, in telecommunications infrastructures by Huawei, in agriculture by Syngenta (a Swiss firm acquired in 2017 by ChemChina), in outer space by China Satcom, in smart city technologies by ZTE, Alibaba, Dahua and again by Huawei, in urban mobility by DiDi, in social media by WeChat and TikTok, in the gaming sector by Tencent Games, in the finance sector by WeChat Pay or Alipay, in the health care sector by WuXi AppTec, and so on in the case of home security, home appliances, child care, sex tech, leisure drones, etc.

These six chapters are all worth reading in detail, as they are highly informative and constitute the original empirical contribution of the book. Still, the reader should keep in mind that all this empirical information remains somewhat tainted by the author’s idea that all these data will not only end up in China but will also be used by China so that it will become a global cyber sovereign. And because of failing data governance in the US, the data gathered by the US tech companies will have the same fate.

Loose Ends

Unfortunately, the book contains many “loose ends”, by which I mean concepts used by the author that would warrant a deeper discussion because they are central to the argument but are, unfortunately, not fully thought through. Let me highlight here the four most important such problematic concepts.

  • First, there is the relationship between data and (critical) infrastructure, which would warrant some sharper analysis. Indeed, the author basically equates data to “critical infrastructure”. This is, in my view, because much of the data to be trafficked to China is actually generated by (Chinese or non-Chinese) IoT devices, such as smart meters, smart phones, telecom equipment, but also COVID-19 tests. Data is stored in (Chinese, the author claims) servers and data centers, yet another type of infrastructure. I would welcome a clearer distinction between data, its generation (infrastructure), its transmission (Internet) and its storage (infrastructure). A sharper distinction could make the arguments about data trafficking (from where to where? from whom to whom?), data governance (where and by whom?), and data criticality (for whom? in which situations?) more stringent. I understand that it is attractive to say that data generated in Vegas are critical and end up in Chinese (data) infrastructures. However, the reality is much more complex and could be exposed in a more nuanced way.
  • I am also not sure whether the usage of the word “trafficking” is really helpful. Kokas argues for this word because, like in the case of drug trafficking, it “suggest[s] the erosion of national sovereignty”, because “users enter into an exploitative labor agreement, or bargain, when they share their data” and because the word “traffic” simply means volume (p. 11). The author also states that data trafficking is not the same as data theft. Still, the word somehow implies illegality or at least some sneaky back-door behavior that, in the context of this book, is exclusively attributed to the Chinese government, whereas others (firms, countries) do the same.
  • There is also a problem with the concept of “governance” and especially with the concept of “data governance”, also because data and infrastructures are not clearly distinguished (see above). As a matter of fact, there is not much in the book about governance. In the case of the US, it is mostly the absence of governance that is deplored, by which the author primarily means the deficiencies of corporate governance of the US tech firms. The author does not have a high opinion of data governance in China, as the Chinese government controls the firms or at least the data of the firms operating in China (both Chinese and foreign firms). The author does not believe in multilateral governance either: for example, when she says that China is taking leadership in the (UN) Internet Governance Forum or increasing its influence in the (UN) International Telecommunication Union. Occasionally, there are some nice words about the EU’s efforts to govern data, especially through its General Data Protection Regulation (GDPR). But such regulatory policies do not seem to be an option for remedying the deficient US data governance.
  • Another concept that could have benefitted from a little more attention is the concept of sovereignty, especially when applied to the concepts of cyber, digital, and data, and when combined with global. It would have been worthwhile to discuss whether sovereignty – of nation states, that is – still makes sense and whether aspiring to it – be it by China or by the US – is even realistic in a connected world. I wonder whether China’s vision of becoming a global cyber sovereign is achievable to begin with, considering that the same tension the author observes in the US between the US government (sovereignty) and the US tech firms (profiteering) will inevitably also apply to China and actually already does, as in the case of Chinese financial platforms (as the author observes herself). What if amassing data in China were simply a temporary yet unstable compromise between the Chinese government (that uses these data to control its people including its dissidents abroad) and the tech firms (based in China) that will use as much data as they possibly can get in order to train their algorithms for profit-making purposes?

Stabilizing Cross-Border (US –> China) Data Flows

Kokas’ quite radical and uncompromising diagnosis is in stark contrast to her recommendations. Recognizing that the US approach to data governance (or lack thereof) favors economic growth and that US data sovereignty à la China is not an option, the author proposes a series of strategies (which she calls “wedges”) to “stabilize data flows”. Although I do not think that these wedges are unreasonable, they do not fully address the complexities at hand and would benefit from further refinement to achieve proper effectiveness if one takes the nine preceding chapters seriously.

My criticism is not particularly of the proposed policy measures that are mainstream and should and could have been implemented a long time ago, if only the US tech firms were willing. Rather, it is triggered by the intellectual justification used by the author to justify and to foster the “stabilization of data flows” to China, as it is explicitly based on a flawed analogy with climate change. Kokas proposes that, just as we stabilize (CO2- ?) emissions, we should also stabilize data flows. I find this to be truly an intellectual stretch. Apparently, the author does not realize that the stabilization of emissions is no longer the recipe of the day; now, “net zero” is a must. And from this flawed climate-stabilization analogy follow the flawed remedies (policies, wedges), such as socially responsible behavior of firms, good corporate governance, corporate reporting, private-sector standard setting, responsible investment and the like. But all these remedies have already failed, at least in the case of climate change.

This edition of the Digital Governance Book Review was authored by: Matthias Finger, C4DT

Image credit: Cover of Trafficking Data. How China is Winning the Battle for Digital Sovereignty by Aynne Kokas, published by OUP.