Regulations on Internet Security Protection Technology Measures

Published

December 13, 2005



NOTE: This translation was originally published on the China Copyright and Media blog, a project of DigiChina’s Prof. Rogier Creemers of the University of Leiden. It has not been edited, double-checked, or standardized with DigiChina’s original content.

Ministry of Public Security Decree

No. 82

The “Regulations on Internet Security Protection Technology Measures” were passed at the Ministerial Business Meeting of the Ministry of Public Security on 23 November 2005, are hereby promulgated, and take effect on 1 March 2006.

13 December 2005

Regulations on Internet Security Protection Technology Measures

Article 1: In order to strengthen and standardize Internet security technology precaution work, guarantee Internet network security and information security, stimulate the healthy and orderly development of the Internet, safeguard national security, social order and the public interest, on the basis of the “Computer Information Network International Interconnection Security Protection Management Rules”, these Regulations are formulated.

Article 2: Internet security protection technology measures, as named in these Regulations, refer to technological installations and technological methods to guarantee Internet network security and information security, and prevent violations of law and crimes.

Article 3: Internet service providers and work units using the network are responsible for implementing Internet security protection technology measures, and for guaranteeing that the functions of Internet security protection technology measures operate normally.

Article 4: Internet service providers and work units using the network shall establish corresponding management systems. Without agreement from users, they may not make public or divulge users’ registration information, except where laws or administrative regulations provide otherwise.

Internet service providers and work units using the network shall use Internet security protection technology measures according to the law, and may not use internet security technology protection measures to infringe users’ freedom of communication and confidentiality of communication.

Article 5: Public security organs’ public information network security supervision departments are responsible for implementing supervision and management of the implementation situation of Internet security protection technology measures.

Article 6: Internet security protection technology measures shall conform to state standards. Where there are no State standards, they shall conform to technological standards in the public security sector.

Article 7: Internet service providers and work units using the network shall implement the following Internet security protection technology measures:

(1) technology measures to prevent computer viruses, network invasion, attacks, destruction and other matters or acts harming network security;

(2) disaster-robust backup measures for important databases and main system facilities;

(3) technological measures to record and preserve user login and logout times, caller numbers, account numbers, Internet addresses or domain names, and system defence records;

(4) Other security protection technology measures that shall be implemented under laws, regulations and rules.

Article 8: Work units providing Internet access services shall, apart from implementing the Internet security protection technology measures provided in Article 7 of these Regulations, also implement security protection technology measures having the following functions:

(1) recording and preserving user registration information;

(2) where internal network addresses and Internet network address transformation methods are used to provide access services for users, being able to record and preserve the Internet network addresses and corresponding internal network address relationships used by users;

(3) recording and tracking the network operation status, monitoring and recording network security incidents and other security auditing functions.

Article 9: Work units providing Internet information services shall, apart from implementing the Internet security protection technology measures provided in Article 7 of these Regulations, also implement security protection technology measures having the following functions:

(1) discovering and ceasing the transmission of unlawful information in public information services, and preserving corresponding records;

(2) where news, publishing as well as electronic announcement services, etc., are provided, being able to record and preserve the published information content and the time of publication;

(3) where portal websites, news websites or electronic commerce websites are run, being able to prevent the website or webpages being distorted, and after distortion, being able to resume them automatically;

(4) where electronic announcement services are run, having the function of auditing user registration information and published information;

(5) where e-mail or online text message services are run, being able to prevent and eliminate the transmission of e-mails or text messages that are transmitted en masse and in which the real indication of the information sender is forged or concealed.

Article 10: Work units providing Internet data centre services and work units using the network shall, apart from implementing the Internet security protection technology measures provided in Article 7 of these Regulations, also implement security protection technology measures having the following functions:

(1) recording and preserving user registration information;

(2) discovering and ceasing the transmission of unlawful information in public information services, and preserving corresponding records;

(3) where work units using the network use internal network addresses to provide access services to users through Internet network address transformation, being able to record and preserve the Internet network addresses and corresponding internal network address relationships used by users.

Article 11: Work units providing Internet surfing services shall, apart from implementing the Internet security protection technology measures provided in Article 7 of these Regulations, also install and operationalize Internet public surfing service venue security management systems.

Article 12: The Internet security protection technology measures adopted by Internet service providers according to these Regulations shall have connection gateways that conform to public security sector technology standards.

Article 13: The recording and preservation technology measures implemented by Internet service providers and work units using the network according to these Regulations shall have a record backup function of at least 60 days of preservation.

Article 14: Internet service providers and work units using the network may not carry out the following acts destroying Internet security technology protection measures:

(1) unauthorized cessation or partial cessation of the operation of security protection technology measures or technology means;

(2) wilful destruction of security protection technology measures;

(3) unauthorized deletion or distortion of operational procedures and records of security protection technology measures or technology means;

(4) unauthorized alteration of the use and scope of security protection technology measures;

(5) other acts of wilful destruction of security protection technology measures or the hampering of the regular implementation of their functions.

Article 15: Those violating the provisions of Articles 7 to 14 of these Regulations are punished by public security organs according to the provisions of Article 21 of the “Computer Information Network International Interconnection Security Protection Management Rules”.

Article 16: Public security organs shall implement guidance for, supervision and inspection of the implementation situation of security protection technology measures of Internet service providers and work units using the Internet in their jurisdictions.

When public security organs are conducting supervision or inspection according to the law, Internet service providers and work units using the network shall send staff to assist. Public security organs shall put forward opinions for improvement concerning problems discovered in supervision and inspection, and notify the Internet service provider or work unit using the network to correct them in a timely manner.

When public security organs are conducting supervision or inspection, there may not be fewer than two supervision or inspection officers, and they shall show their law enforcement identity certification.

Article 17: Where public security organs and their work personnel abuse their position and engage in irregularities and favouritism in violation of these Regulations, the directly responsible controlling personnel and other directly responsible persons are subject to administrative punishment according to the law; where it constitutes a crime, criminal liability is prosecuted according to the law.

Article 18: Internet service providers, as named in these Regulations, refer to work units providing Internet access services, Internet data centre services, Internet information services and Internet surfing services to users.

Work units using the network, as named in these Regulations, refer to work units that need to connect to and use the Internet for applications within that work unit.

Work units providing Internet data centre services, as named in these Regulations, refer to work units providing hosting, renting and virtual space renting services, etc.

Article 19: These Regulations take effect on 1 March 2006.

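Regulations on Internet Security Protection Technology Measures (Ministry of Public Security Decree No. 82), Decree No. 82 of the Ministry of Public Security of the People's Republic of China

The “Regulations on Internet Security Protection Technology Measures” were passed at the Ministerial Business Meeting of the Ministry of Public Security on 23 November 2005, are hereby promulgated, and take effect on 1 March 2006. Minister of Public Security: Zhou Yongkang, 13 December 2005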
