By: David Brown

Vietnam’s legislature is expected to vote on a national cybersecurity law by May 12. If enacted, the new law won’t be good for the economy or for people who vent dissident opinions online.

The country’s attractiveness as a manufacturing base and digital services provider depends importantly on its – so far – relatively liberal internet regime, but the legislation in view will substantially tighten surveillance. It will renege on commitments Vietnam has made to the World Trade Organization, to the European Union and to its partners in the 11-nation Comprehensive and Progressive Trans-Pacific Partnership.

The planned law could prevent Vietnam’s fast-growing IT sector from linking into global supply chains that create digital content. Well aware of these downsides, Vietnamese enterprises and their foreign partners have lobbied and testified vigorously, hoping to derail burdensome regulation of their collaboration. Some legislators and government officials agree.

The Ministry of Public Security (MPS) shrugs. National security requires a firmer grip on internet traffic, it says. Vietnam needs to know who is posting defamatory, even traitorous, messages on social media. It’s a tough job, a job for the Ministry’s Department of Internet Security, we gather, and not for the namby-pamby Ministry of Information and Communications.

Skulking behind MPS, out of public view, the Propaganda Commission of the Communist Party nods vigorously. It’s riding high now, serving new leadership that thinks its way.

Before the CPV’s 12th Party Congress convened early in 2016, Vietnam’s government refrained from digital management initiatives that might disturb prospective foreign investors. The prime minister at the time said that instead of stewing over criticism posted to the internet, ministries should make sure that their own version of truth was posted promptly and persuasively. That prime minister has been forced into retirement. The current prime minister doesn’t seem to object when colleagues on the CPV’s Politburo insist that dissident voices must be silenced.

On the streets and online, bad times for dissenters

For citizen activists who’ve agitated for an end to Vietnam’s one-party regime, the two years since the CPV’s 12th Congress have been nightmarish. According to the 88 Project’s database, 42 activists were arrested in 2017, up from 14 in 2016 and 8 in 2015. Significantly longer jail terms are being meted out. In the coffee houses favored by non-party intellectuals, the CPV’s current intolerance of even reasoned proposals for reform has chilled free form debate.

Until very recently, the internet has been a safe place where Vietnamese could vent dissatisfaction with the regime. Ever since Yahoo 360° hooked Vietnamese on social media a decade ago, Hanoi has struggled to prevent citizens from accessing subversive ideas on the Web. In 2013, in Decree 72, it leaned on social media platforms – including Facebook, Google et al. — to locate at least one server in Vietnam and provide data on Vietnamese users on request. Then, international internet service providers (ISPs), united as the Asia Internet Coalition, politely but firmly refused.

Coalition members asserted a duty to guard the privacy of their clients, at least vis-à-vis governmental actors. In 2013, they may have judged that they had little to lose by standing firm. Their business in Vietnam was a rather modest contributor to global revenues. The international ISPs may have reasoned, moreover. that Vietnam’s prosperity depends on easy access to foreign customers. Hanoi couldn’t afford the expense of an impregnable firewall.  It couldn’t prevent its citizens from tweaking their computers’ DNS settings to access offshore websites. Google, Facebook and their allies stood fast and Hanoi yielded.

Now, after years of ineffectual effort, the regime has found ways to disrupt online discourse. What’s changed? For starters, the profit motive that gives Hanoi leverage over the social media giants. It can order Vietnamese firms not to buy advertising on non-cooperating platforms. Vietnam’s a fast-growing market; selling access to its 55 million connected citizens generates considerable revenue for social media providers.

Further, the ideologically driven regime elevated to power by the 12th Party Congress is far less tolerant of dissent than its predecessor. Within months of taking power, it extracted Facebook and Google agreements to take down “toxic” posts identified by Hanoi.

Social media giants back down

And so, scarcely four years after they stared down Vietnam’s would-be censors, the social media giants yielded to Vietnam’s new leaders. Google and Facebook saved face by asserting that they’d decide whether to take down a post based on their own ”community standards.” In practice, however, they’ve been quick to oblige, and often agree also to suspend or cancel the accounts of dissidents who persist in posting content that the regime alleges is obnoxious or defamatory.

Vietnam has put thousands of trolls to work sifting web content. They are members of a cyberwarfare unit the government calls ‘Force 47.’ In the first half of 2017, says Google, Vietnamese agencies asked it to “remove over 3,000 YouTube videos that mainly criticized the Communist Party and government officials.” As 2017 ended, the Minister of Information boasted that Google had “removed 45,00 videos containing bad or toxic content from YouTube” out of 5000 deletions requested by Vietnam. Facebook, he added, had removed 159 “anti-government accounts” at the authorities’ request.

Force 47 cyberwarriors

It appears that neither Google nor Facebook wishes to replay the scenario that led to their expulsion from the Chinese market. The social media giants are feeling pressure in dozens of countries from governments that want to tighten controls on internet content in, their leaders say, the public interest. The Hanoi regime gambled that Vietnam in 2018 is now too big an e-commerce market to lose. Vis-a-vis Facebook and Google, it seems to have won its bet.

Cyberspies emerge

In May 2017, meanwhile, evidence surfaced of Hanoi’s investment in world-class cyberespionage capabilities. Analysts at FireEye, an American cybersecurity services firm, reported the existence of a shadowy group code-named OceanLotus that ”is aligned with Vietnamese government interests” and which targets “companies doing business in, or preparing to invest in” Vietnam, and also “journalists and members of the Vietnam diaspora.”

Six months later, another cybersecurity provider, Volexity, confirmed that “a slew of organizations, many tied to human and civil rights, have fallen victim to a new campaign carried out by the advanced persistent threat group OceanLotus.”

Typically, OceanLotus uses sophisticated phishing schemes to gain access to data, unknown to the target. And sometimes just brute force is enough to take down a site.

“It’s been hell,” says the editor of a popular site that serves up a mix of news and commentary concerning Vietnam. Her publication, resident on a server outside Vietnam, features stories that the national media are forbidden to publish.

Targeting from cybersleuths

“We launched our site in July, 2017. The next month, we registered hits from 575,000 unique IP addresses,” she explained. “Of course we were targeted by the cyberpolice. We got e-mails from readers who said our site had become more difficult to access and stay logged onto. And then, in November, we had to fight off two very big denial of service attacks. We’re fortunate that some NGOs have given us expert help armoring our website and repairing vulnerabilities that these attacks revealed.”

“And what about Facebook?” I asked the web-based newspaper’s editor. “It’s hugely important to us,” she said. “I post some of our stories there to encourage Facebookers to check out our home site. Now the Hanoi trolls keep persuading Facebook to block our account, alleging that we post fake news. Of course that’s a lie.”

In pushing forward its projected Cybersecurity Law, Vietnam’s Ministry of Public Security (MPS) is betting that the global social media giants can be rolled once again. Pending review of a final draft by the CPV Central Committee and its second reading by Vietnam’s normally tame legislature later this month, the draft has been amended sixteen times. It’s thick with detail and in many respects can fairly be called a Vietnamese government collaboration with domestic and foreign industry.

MPS Department of Internet Security chief Hoang Phuoc Thuan, answers questions at a workshop.  From Dan Tri.

However, there’s still one huge problem: ‘data localization’ is made mandatory for all providers with more than 10,000 Vietnamese subscribers. Article 27 requires internet service providers to collect detailed information on Vietnamese users and store that data safely in Vietnam. The draft text doesn’t exactly say providers must render up user data to the national police on demand, but here’s Article 27.4.(dd): “Foreign enterprises, when providing telecommunication and/or internet services in Vietnam, shall…implement requirements from the competent authorities of Vietnam in preventing or removing any information contents that are prejudicial to national security, social order and safety…;provide Vietnamese users’ data and sanction violations of legislation on cybersecurity.”

It’s ours

Such data is Vietnam’s property, Public Security Minister To Lam told the national legislature in October.

”Information contents that are prejudicial to national security” are exhaustively detailed in Article 8 of the draft law, and include “the use of cyberspace to propagate, link or induce other persons to join any organizations, societies or groups against the Party or the State; . . . [and, in Article 16], “information contents in cyberspace that instigate violent disturbances, disrupt security or disturb public order; are embarrassing or slanderous; or are for propaganda against [Vietnam].”

Earlier drafts of the proposed law required foreign providers to locate a server in Vietnam to handle local business. In January, after hard lobbying by the foreign business community, MPS conceded that as long as foreign internet service providers would open a local office and provide data of Vietnamese users on request, they don’t actually have to set up servers on Vietnamese soil.

A freelance expert who advises NGOs and independent media working in hostile information environments on ‘net security issues judges that there’s little likelihood that Vietnam will abandon the pending legislation. Both Russia and China have already enacted similar laws, he said. Though Google and Facebook pulled out of China rather than open their data on Chinese users to inspection, Apple caved. Apple earns nearly half of its worldwide revenues in China, the expert explained. In return, Beijing can demand access to data on Chinese Apple users.

The expert added that the new law, if passed, won’t be fatal to Vietnam’s feisty dissident publishing community. The internet giants (Microsoft, Apple and Amazon, in addition to Facebook and Google) ought to be able to tie up the laws implementation in lots of red tape, he said. To frustrate detailed access, for example, they could insist that Vietnamese requests be submitted through government to government channels, require a proper, detailed subpoena, or require showing of probable cause.

Not completely certain yet?

Nor is it certain that the Hanoi regime is yet resolved to enact the draft internet security law.

An American well-established in the Hanoi business community, commenting on the draft law in January, said it wasn’t yet clear that the Ministry of Public Security had lined up solid government and party support for its project. Some interpret it, he said, as a police grab for control of an issue heretofore managed by the Ministry of Information and Communications.

Occasional reports in Vietnam’s national media since then reinforce speculation that, as the business source suggests, the proposed internet security law is not a done deal. Senior Ministry of Defense officials are said to argue that the role envisioned for MPS encroaches on their responsibilities. Accounts of discussion by committees of the national legislature have highlighted concern that the scope of the draft law is too wide, overlaps parts of existing laws, and is bound to cause confusion.

Other sources point to a growing rift between the CPV’s General Secretary, Nguyen Phu Trong, and Vietnam’s president, Tran Quang Vinh, a lieutenant general of police who has voiced strong support for the cybersecurity draft. Notably, neither Trong nor the head of government, Prime Minister Nguyen Xuan Phuc, seem yet to have endorsed the project, while the chairman of the national legislature, Nguyen Thi Kim Ngan, has been openly skeptical of the law’s workability.

Party leaders may also be mindful that just as in Moscow late in April, efforts to restrict the Vietnamese public’s access to social media could trigger substantial backlash by internet-savvy youth. It’s the sort of issue that could bring tens of thousands of otherwise apolitical young Vietnamese onto the streets.

The CPV’s 200-member Central Committee is meeting now to consider the CPV’s course for the next six months. The cybersecurity project will be one item on a crowded agenda. The Central Committee could postpone its decision pending further interministry negotiation of the draft, or it could shelve the project altogether. In the more likely case that it gives the green light to the cybersecurity project, it’s almost certain that the legislature will then vote it into law.

David Brown is a former US diplomat and a regular contributor to Asia Sentinel.