The Chinese government is following the US lead and is now telling US tech companies operating in China to sign a PRISM-like cyber-loyalty pact:

Much of the pledge document is focused on user privacy rights, outlining policies that would give users the right to know where their data was stored, to control how much of their personal data was collected, to opt out of the collection of personal data, and to “choose to install, or uninstall non-essential components [and] to not restrict user selection of other products and services.” The pledge also asks companies to “guarantee product safety and trustworthiness” by taking measures to build security into products, rapidly patch vulnerabilities, and “not install any hidden functionalities or operations the user is unaware of in the product.”

As part of the requirements for “security of user information,” the pledge would require tech companies to “employ effective measures to guarantee that any user information collected isn’t illegally altered, leaked or used.” All data collected from Chinese customers would have to be stored in Chinese facilities and not be moved outside the country “without expressed permission of the user or approval from relevant authorities”—meaning the government would have oversight over what data could be exported for corporate use (and potentially accessed by foreign intelligence organizations).

Finally, the pledge would also require companies to agree to “accept the supervision of all parts of society”—including third-party evaluation of all products to determine they are “secure and controllable…to prove compliance with these commitments.” It is this clause that the Times’ industry sources suggested could be used by the Cyberspace Administration of China to demand access to encrypted data stored in cloud computing services and to provide source code for review.