On Christmas Eve in 2014, the government of the Xinjiang Uyghur Autonomous Region (‘XUAR’) released this Notice on Strengthening the Management of Internet Information Security. The Notice requires Internet information service providers who serve users in the XUAR to give the government their encryption technology, to require information regarding real identity as a condition of providing services to their users, and to maintain their servers within the territory of the XUAR. The notice also requires service providers to manage, stop, and record the flow of a very broad variety of content and information including that which ”undermines national religious policies,” “disturbs social order,” or “harms national honor and interests,” amongst other things. These requirements needed to have been complied with by March 24, 2015.
The Notice is an important step in China’s continued approach of combining broad-based definitions of “terrorism” and what it styles as “religious extremism” with highly restrictive internet regulation under the banner of “internet sovereignty.” This approach to counterterrorism is evident in both the framework of the Shanghai Cooperation Organization, and in China’s draft Counter-Terrorism Law (Chinese) released on November 3, 2014, and as amended in February 2015. The draft Counter-Terrorism Law continues to be deliberated upon by the Standing Committee of the National People’s Congress.
Xinjiang Uyghur Autonomous Region People’s Government
Notice on Strengthening the Management of
Internet Information Security
December 24, 2014
[Translation by Human Rights in China]
(1) In order to safeguard national security and social stability, and in accordance with the NPC Standing Committee "Decision Concerning the Strengthening of Network Information Protection," the State Council's "Measures for the Management of Internet Information Services" relevant national, and autonomous region regulations, as well as in accordance with the realities of the autonomous region, this notice is hereby issued in order to crack down hard on, and prevent use of the Internet to copy, distribute, disseminate and store violent and terrorist related information and other criminal activities.
(2) Internet information service providers who provide users with instant messaging, cloud storage, online storage, audio and video sharing and other social networking service platforms, must implement permit or filing procedures, as well as comply with this Notice.
(3) For those [Internet information service providers] registered within the administrative area of the autonomous region, and engaged in Internet service provision activities set out in article (2) of this Notice, or for those registered outside of the administrative area of the autonomous region, but who provide Internet service provision activities set out in article (2) of this Notice to new Xinjiang users, all must maintain servers within the administrative area of the autonomous region; and those who use encryption technology must inform the relevant authorities of their facilities and digital information.
(4) For Internet information service providers who provide services for the distribution of information, their users must provide information regarding their true identity. For users who are individuals, they must provide their resident's identification card or other valid proof of personal identity upon registration. For users who are units, they must register by using the code allocated to their organization [aka their Organization Code Certification] or their business permit.
(5) Internet information service providers have the responsibility to keep registered users' identity information secret. Unless as stipulated by legal process, it cannot be given to others, nor can registration information be applied to other uses; information content cannot be leaked, tampered with or damaged, and the information regarding real identity must not be used for the purpose of making profit.
(6) It is forbidden for Internet information service providers and users to make, copy, disseminate, and store any information which:
(i) opposes the basic principles fixed in the Constitution, or slanders [any of] the Constitution, the laws or regulations;
(ii) harms national honor and interests, endangers state security, divulges state secrets, subverts state power or harms national unity;
(iii) promotes 'jihad' and ethnic splittism, incites ethnic hatred or ethnic discrimination, or harms ethnic solidarity;
(iv) spreads religious extremist thought, undermines national religious policies, or promotes cults and feudal superstitions;
(v) creates or disseminates rumors, disturbs social order, or harms social stability;
(vi) disseminates violent terrorist ideology, or violent terrorist audio-visual materials; or spreads, makes, or uses explosives, explosive devices, firearms, control equipment, hazardous materials and other violent terrorist criminal methods and skills;
(vii) incites violence to endanger the lives of others as well as public and private property;
(viii) spreads [information] that is obscene, pornographic, or related to gambling or instigates the commission of a crime;
(ix) insults or slanders others, or harms the legitimate rights or interests of others;
(x) [involves] other content that is prohibited by [any] laws or regulations.
(7) With regard to actions violating article 6 of this Notice, Internet information service providers must immediately stop their release and dissemination or take other measures for addressing, such as by deleting [such information] and temporarily stopping updates up until the account is closed, as well as to preserve relevant records and report them in a timely manner to the relevant authorities.
Any unit or individual has the right and the obligation to report actions in violation of Article (6) of this Notice to the relevant authority.
Relevant authorities must carry out their duties within the scope of their authority and adopt technological measures or other compulsory measures to stop or investigate activities that violate the provisions of Article (6) of this notice.
(8) Concerning violations of Article (3) of this Notice, relevant authorities must, within the scope of their authority, and according to law, put forward Decisions that prohibit or terminate Internet information service providers' providing services within the administrative area of the autonomous region.
As for other actions that violate the terms of this Notice, they should be handled according to relevant laws and regulations.
(9) Those already engaged in Internet information service activities prior to the promulgation of this Notice, shall, within 90 days of the date of promulgation of this Notice, set up servers in accordance with Article (3) of this Notice, and inform relevant authorities of their facilities and digital information.
(10) This notice shall come into force from the date of publication.
December 24, 2014
 Codes are allocated to organizations in China by the National Administration for Code Allocation to Organizations: http://www.nacao.org.cn/