CAC Issues Landmark Rule to Rein in Deepfake Misuse
In January 2022, the Cyberspace Administration of China (the “CAC”) published the Administrative Provisions on Deep Synthesis of Internet Information Services (Draft for Comments), aiming to strengthen the administration of deep synthesis of Internet information services, maintain a healthy ecology of cyberspace, as well as regulate the development of deep synthesis services. On November 3, 2022, the Administrative Provisions on Deep Synthesis of Internet Information Services (the “Provisions”) was officially adopted, and it will come into force on January 10, 2023.
Deep synthesis technology refers to the technology using deep learning, virtual reality and other generative synthesis algorithms to produce network information such as text, images, audio, video, and virtual scenes, including but not limited to text content generation, voice content generation, music or scene sound generation, face or posture generation, image generation, digital characters and virtual scene generation.
It can be seen that the Provisions are drafted in an open-ended form, providing enumerated coverage of existing as well as future categories that may be incorporated into deep synthesis technologies. Overall, enterprises utilizing AI, algorithms and similar technologies under either a B2C or a B2B model may fall into the scope of the Provisions.
The essential regulatory idea embedded in the Provisions is the vertical regulatory model with three types of targeted entities: deep synthesis services provider (“services provider”), technology supporter for deep synthesis services (“technology supporter”), and deep synthesis services user (“services user”).
For an enterprise, to identify whether it falls into the regulation, a “three-step method” may be adopted:
• Step 1: Whether it uses deep synthesis technology in the business operations or not;
• Step 2: Which type of regulated entity it belongs to;
• Step 3: What are the corresponding obligations.
Identifying the type of targeted enterprise and its corresponding obligations is crucial among the three steps. In the following, we sort out the different responsibilities and obligations to different kinds of entities prescribed by the Provisions, aiming to help them better understand the critical compliance issue during the business operation.
1. Services Provider
Services provider refers to the organization or individual who provides deep synthesis services. The Provisions make comprehensive and detailed regulations on the obligations of the services provider, which can be divided into general and special obligations based on their application scope.
General obligations include:
(1) Identity authentication: Identity authentication is a highlight of the Provisions. The services provider may authenticate the real identity of a services user by means of a mobile phone number, ID number, Unified Social Credit Identifier, or national network identity authentication public service. Services provider shall not provide information release services where the identity authentication is not carried out;
(2) Content control: The Provisions set the following obligations for the services provider according to the process of deep synthesis services:
- Before the services, the services provider should establish a feature database used to identify and prohibit illegal and unhealthy content, and keep the database updated;
- During the services, the services provider shall review input data and synthesized results by technical or manual means and keep relevant records. Where there is illegal or unhealthy information, the services provider shall report it to the authorities and take such measures as a warning, restricting functions, suspending services and closing the account to restrict the release of such information.
- After the services/post-release of information, the services provider shall ensure the running of an anti-rumor mechanism and a complaint mechanism. The complaint mechanism shall also apply to the public who are unregistered. In addition, if it is found that deep synthesis services are used to produce, copy, publish or disseminate false information, the services provider is obligated to report to the Cyberspace Administration Authorities and relevant regulatory departments without any delay.
(3) Mark of deep synthesis: The services provider shall place a non-disturbing mark of deep synthesis on the content generated or edited through deep synthesis services, and save the log information by law; meanwhile, the services provider shall provide a prominent marking function to the services user, enabling it to make the prominent mark of deep synthesis on the generated content;
(4) System development: The Provisions require several administrative systems for services provider, including management rules, algorithm mechanism review system, science and technology ethical review system, information releasing review system, anti-telecom and network fraud system, and data security and personal information protection system, etc.;
(5) Technical measures: Services provider shall deploy technical measures based on the principle of safety and controllability. Particular attention should be paid to algorithm training management, and necessary measures should be taken to ensure the training data security.
In addition to the above general obligations, services provider may undertake special compliance obligations in the following scenarios:
- Explicit consent: The provision of deep synthesis services involving biometric information like faces and voices is premised on the explicit consent of the personal information subject. Although the Provisions only require the services provider to prompt the services user to obtain such consent, it does relieve the services provider of its responsibility to verify whether the obligation of the services user has been performed.
- Security assessment: Where the tools provided by the services provider can generate or edit biometric information such as faces and voices, or may involve state security, state reputation, state interests and public social interests, a security assessment shall be carried out in advance;
- Prominent Mark: In the following cases, if the deep synthesis services may cause any confusion or misrecognition to the public, the services provider shall disclose the employment of deep synthesis to the public by prominent mark: (1) text generation or editing services through intelligent dialogue, intelligent writing of virtual human or other human simulation activity; (2) human voice synthetic, imitated voice generation, and editing services that can significantly change personal identity feature; (3) face synthesis, face replacement, face control, posture control and other character images generation and video generation, and editing services that can significantly change personal identity feature; (4) synthesis of immersive virtual scenes or editing services; (5) other services with the function of generating or significantly changing information content.
- Algorithm record-filing and security assessment: services providers with public opinion attributes or social mobilization capabilities shall perform the record-filing procedures in accordance with the Administrative Provisions on Recommendation Algorithms in Internet Information Services and make it public. Security assessment shall also be carried out when the services provider launches new products, applications and functions with public opinion attributes or social mobilization capabilities. This security assessment is perhaps the same one for new technologies and applications stipulated in the Provisions on the Safety Assessment for Internet Information Services Capable of Creating Public Opinions or Social Mobilization.
2. Technology supporter
According to the Provisions, technology supporter refers to the organization or individual that provides technical support for deep synthesis services. The definition does not use the terms “technology providers” or “technology suppliers.” Literally speaking, the range of entities seems broader, including enterprises that only provide technical assistance with limited contribution.
Compared with services providers, the Provisions set relatively fewer compliance obligations for technology supporter, namely training data management, prompt of “explicit consent” obligation, security assessment, and algorithm record-filing. The specific requirements are consistent with the corresponding obligations of the services provider. Please refer to the section of Services Provider for details.
It is worth noting that the Provisions require technology supporter to perform the obligation of algorithm record-filing, which expands the application scope of algorithm record-filing obligation stipulated in the Administrative Provisions on Recommendation Algorithms in Internet Information Services[1]. Foreseeably, algorithm record-filing may become a prerequisite for technical solution enterprises when bidding for vendor pool.
3. Services User
The Provisions impose even fewer obligations on the services user than on the technology provider, including:
- Cooperation with services provider to complete identity authentication; and
- Explicit consent from the personal information subject when editing biometric information (e.g., faces and voices). Actually, the “explicit consent” obligation is also underlined by the Personal Information Protection Law for personal information processors.
However, this does not mean that the services user undertakes fewer compliance obligations in general. Services users have the greatest autonomy over how to use deep synthesis services, and they are the party that deals directly with the personal information subject. They constitute the terminal of the deep synthesis services industry chain, and their compliance risks are higher.
In addition, the Provisions also address two special entities involving deep synthesis services:
- News Publisher: When reposting news created and released by deep synthesis services, it shall repost news released by the news source party.
- Distribution platforms for APP, Mini Program, etc.: Internet application stores and other distribution platforms shall deploy security management such as shelf review, daily management, and emergency response, and verify the compliance of security assessment and record-filing of deep synthesis applications.
Based on the above, we summarize the compliance obligations of three types of entities below for your reference:
Conclusion
The Provisions formulate systematic and specialized rules on the deep synthesis of Internet information services, clarify the information security obligations of different entities, and realize the organic connection with the rules on Internet content, algorithms and others, so as to provide a solid rule-of-law guarantee for the development of deep synthesis services. We would like to suggest that enterprises of different types prudently identify their obligations per the “three-step method”, dig out non-compliance issues and take effective countermeasures before the effective date of the Provisions.
[Note]