Provisions on the Administration of Deep Synthesis of Internet Information Services

Scope and obligations

China's Deep Synthesis Provisions are an administrative regulation jointly issued by the CAC, MIIT, and MPS (CAC Order No. 12), promulgated 25 November 2022 and effective 10 January 2023. They govern the use of "deep synthesis" technology — defined in Art. 23 (附则) as the use of deep-learning, virtual-reality, and other generative/synthetic algorithms to produce text, images, audio, video, virtual scenes, or other network information — in internet information services within mainland China (territorial scope set by Art. 2). Core obligations: a baseline requirement that providers add technical identifiers (implicit/embedded markers, i.e. watermark-type tagging) to all generated/edited content and retain logs (Art. 16); a conspicuous/explicit labelling requirement for synthesis services that could confuse or mislead the public, enumerating intelligent dialogue/writing, synthetic/imitation voice, face generation/swap/manipulation/pose control, and immersive simulated scenes (Art. 17); a prohibition on deleting, altering, or concealing those identifiers (Art. 18); real-identity verification of service users (Art. 9); strengthened training-data management plus a requirement to obtain the separate consent of an individual whose biometric (face/voice) information is edited (Art. 14); a rumor-refuting mechanism (Art. 11) and a user-appeal/public-complaint-and-report portal (Art. 12); algorithm-style filing/registration for services with public-opinion or social-mobilization attributes (Art. 19); and a security assessment for products/functions with such attributes (Art. 20). The Provisions are the principal cross-referenced predecessor to the 2023 Interim Measures for Generative AI Services (Art. 12 of the GenAI Measures defers labelling to these Provisions) and to the 2025 Measures/standard on labelling of AI-generated synthetic content. Article numbers cited reflect the FINAL effective text as published on cac.gov.cn (numbering differs from the January 2022 draft for comment). Classifications grounded only in the verified primary source; confidence is capped at medium per §7.11 reduced-confidence rule. AUDIT NOTE: foundation_models, biometric_id, and development_rights_framing citations corrected against the official text (definition is Art. 23 not Art. 2; the encourage-self-discipline language is Art. 5 not Art. 1/4); biometric_id excerpt restored to verbatim.

Provisions on the Administration of Deep Synthesis of Internet Information Services addresses 6 contested AI-governance topics explicitly, 1 via general principles,.

Topics governed

• governs
  Biometric Identification— Art. 14

  §Art. 14

  “深度合成服务提供者和技术支持者提供人脸、人声等生物识别信息编辑功能的，应当提示深度合成服务使用者依法告知被编辑的个人，并取得其单独同意。”

  source ↗
• governs
  Deepfakes / Synthetic Content— Art. 17

  §Art. 17

  “对人脸生成、人脸替换、人脸操控、姿态操控等人物图像、视频生成或者显著改变个人身份特征的编辑服务……应当进行显著标识，向公众提示深度合成情况”

  source ↗
• governs
  Transparency Obligations— Art. 16 & Art. 17

  §Art. 16

  “Art. 16: 对使用其服务生成或者编辑的信息内容，应当采取技术措施添加不影响用户使用的标识；Art. 17: 应当……进行显著标识，向公众提示深度合成情况”

  source ↗
• governs
  Individual Redress— Art. 12

  §Art. 12

  “设置便捷的用户申诉和公众投诉、举报入口，公布处理流程和反馈时限，及时受理、处理和反馈”

  source ↗
• governs
  Training-Data Rights— Art. 14

  §Art. 14

  “深度合成服务提供者……应当加强训练数据管理，采取必要措施保障训练数据安全；训练数据包含个人信息的，应当遵守个人信息保护的有关规定”

  source ↗
• governs
  Synthetic Content Provenance— Art. 16 & Art. 18

  §Art. 16

  “Art. 16: 采取技术措施添加……标识，并依照法律、行政法规和国家有关规定保存日志信息；Art. 18: 任何组织和个人不得采用技术手段删除、篡改、隐匿……深度合成标识”

  source ↗
• implicit
  National Security Carveouts in AI Regulation— Art. 6, Art. 19 & Art. 20

  §Art. 6paraphrase

  Content prohibitions tied to national security/social order (Art. 6), filing (Art. 19), and security assessment (Art. 20) reflect a state-security orientation, but these are obligations imposed on pro

  source ↗

How to cite this article

Does this instrument’s approach work? — the social-science evidence

Aggregated over the 7 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.

Of the 7 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 3, and absent for 4 — for most, no replicated study yet shows this instrument's approach works (the "second silence").

• Biometric Identification

  • Is the harm real?evidence: established

    Demographic accuracy disparities in facial recognition are robust and replicated. NIST's Face Recognition Vendor Test (189 algorithms, 18.27M images) found one-to-one false-positive rates for Asian and African-American faces elevated 10-100x over white males, with the highest one-to-many false positives for African-American women; Buolamwini & Gebru's Gender Shades found commercial gender-classification error up to 34.7% for darker-skinned women vs 0.8% for lighter-skinned men. Documented downstream harm includes at least 8-15 US wrongful arrests, nearly all of Black people. Honest caveat: magnitude is highly algorithm-dependent — the most accurate algorithms show small or statistically undetectable differentials — so the harm is real but not uniform across systems.

    Sources: Grother, Ngan & Hanaoka 2019 (NISTIR 8280, FRVT Part 3: Demographic Effects); Buolamwini & Gebru 2018 (Gender Shades, PMLR 81); Hill 2020 / Williams v. City of Detroit (ACLU 2021)

  • Does governance work?evidence: thin

    Rigorous evidence that GOVERNANCE of biometric ID reduces the documented harms is sparse. The one quantitative impact evaluation of police facial-recognition policy (Johnson et al. 2024, difference-in-differences across 268 US cities) studies effects on violent crime — a crime-control outcome, not misidentification harm — from a single research group, and does not establish that any safeguard regime curbs wrongful identification. Direct evidence on procedural safeguards points the other way: in the known wrongful-arrest cases police are reported to have bypassed required corroboration/probable-cause standards, and the strongest documented enforcement levers are private-sector biometric-privacy laws — Illinois BIPA (e.g. Meta's $650M settlement) and the separate Texas CUBI law (a $1.4B Meta settlement) — which govern private actors, not the law-enforcement context where the arrests occur. No replicated study shows a specific regulatory regime measurably reduces demographic misidentification harm.

    Sources: Johnson et al. 2024 (Cities, 'Police facial recognition applications and violent crime control in U.S. cities'); Harwell & Schaffer 2025 (Washington Post, 'Arrested by AI'); Illinois BIPA (Rosenbach v. Six Flags 2019; Meta $650M settlement 2021); Texas CUBI (Meta $1.4B settlement 2024)

• Deepfakes / Synthetic Content

  • Is the harm real?evidence: established

    The flagship harm — non-consensual sexual deepfakes — is empirically real and sharply gendered: content audits find ~96-98% of deepfake videos online are non-consensual pornography overwhelmingly depicting women, and a pre-registered 10-country survey (>16,000 people) found 2.2% reporting victimization and 1.8% perpetration of synthetic intimate imagery, with documented mental-health, career, and participation harms. By contrast, the parallel claim that political/informational deepfakes UNIQUELY deceive is contested-to-refuted: experiments find deepfakes about as (not more) credible than equivalent text/audio fakes, and a 56-paper meta-analysis (k=137, N=86,155) puts unaided human detection near chance — implying a detection problem more than an exceptional-persuasion one.

    Sources: Umbach, Henry, Beard & Berryessa 2024 (CHI '24, 'Non-Consensual Synthetic Intimate Imagery ... in 10 Countries'); Diel et al. 2024 (Computers in Human Behavior Reports 16:100538, deepfake-detection meta-analysis of 56 papers); Barari, Lucas & Munger 2025 (Journal of Politics 87(2), 'Political Deepfakes Are as Credible as Other Fake Media'); Flynn et al. 2022 (British Journal of Criminology, multi-country image-based sexual abuse study)

  • Does governance work?evidence: thin

    Direct impact evidence that deepfake governance reduces the targeted harm is sparse and, where it exists, discouraging: the one quasi-experimental evaluation (Cuevas & Horta Ribeiro 2025, synthetic-control across three platforms) found the U.S. TAKE IT DOWN Act's passage plus the MrDeepfakes shutdown did NOT suppress synthetic non-consensual imagery — posting rose above counterfactual baselines and displaced elsewhere. Technical enforcement is likewise unreliable: detectors fail to generalize to unseen generators (notably diffusion models) and are vulnerable to adversarial evasion, with in-the-wild accuracy well below benchmark figures. No rigorous evaluation yet shows a deepfake-specific law, takedown mandate, or watermarking scheme producing a sustained reduction in prevalence or harm.

    Sources: Cuevas & Horta Ribeiro 2025 ('Deepfake Pornography is Resilient to Regulatory and Platform Shocks', arXiv:2602.02754); 'Adversarial Reality for Evading Deepfake Image Detectors' (ICCVW 2025); TAKE IT DOWN Act, S.146 / Pub. L. 119-12 (2025); CRS Legal Sidebar LSB11314

• National Security Carveouts in AI Regulation

  • Is the harm real?evidence: thin

    That civilian AI-governance instruments carve out national-security uses is black-letter and undisputed (EU AIA Art. 2(3); CoE Framework Convention Art. 3(2) on national-security activities, distinct from Art. 3(4) on national defence; US NSM-25 (Oct. 2024) as the national-security-track instrument fulfilling §4.8 of EO 14110); civil-society legal analysis argues a blanket exclusion is harder to square with a necessity-and-proportionality approach than a qualified one (Korff/ECNL 2022; Vogiatzoglou 2024). But whether the carveout itself produces concrete unredressed harm is empirically under-observed almost by construction — the secrecy it confers suppresses the very evidence needed to measure it. The closest analogue, national-security deference in the courts, shows the mechanism is real (the FISC granted all but eleven of 33,900 applications 1979-2012, a 99.97% approval rate; Sinnar 2022 documents downstream harms to securitized communities), yet Clarke (2014) shows that lopsided ex parte approval rates alone do not prove rubber-stamping, because rational case selection and pre-vetting produce similar rates in ordinary Title III wiretaps (99.93%) and delayed-notice warrants (99.6-99.8%) — so the magnitude of harm attributable to the carveout, as opposed to the legitimate secrecy of the domain, remains genuinely contested.

    Sources: Korff 2022 (ECNL Opinion on the implications of the exclusion of national security from AI legislation, Oct. 2022); Sinnar 2022 (Harvard Law Review Forum 136:59, 'A Label Covering a "Multitude of Sins": The Harm of National Security Deference'); Clarke 2014 (Stanford Law Review Online 66:125, 'Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?'); EPIC FISC statistics 1979-2012

  • Does governance work?evidence: absent

    There is no impact evaluation showing that any specific design of the national-security carveout — categorical exclusion versus parallel governance track versus civilian-compliance-with-override — measurably improves oversight or reduces harm relative to the alternatives; the question is argued doctrinally (Vogiatzoglou 2024; Korff/ECNL 2022) but has never been tested empirically. The closest analogue evaluation literature is on the parallel-track model already in use for intelligence surveillance (the FISC / FISA oversight regime), and even there the evidence that the mechanism delivers effective scrutiny is itself contested rather than established (Clarke 2014; Sinnar 2022). No direct evaluation exists because the carveouts are recent (EU AIA 2024, CoE Framework Convention 2024, US NSM-25 2024), enforcement actions are by design non-public, and private parties typically lack standing to challenge a specific exempt deployment — the structural features that make the harm hard to observe also make the governance impossible to evaluate.

    Sources: Vogiatzoglou 2024 (Verfassungsblog, 'The AI Act National Security Exception: room for manoeuvres?', 9 Dec. 2024); Korff 2022 (ECNL Opinion, exclusion of national security from AI legislation); Clarke 2014 (Stanford Law Review Online 66:125); Sinnar 2022 (Harvard Law Review Forum 136:59)

• Individual Redress

  • Is the harm real?evidence: established

    The premise behind redress — that affected people lack meaningful recourse against automated decisions — is real, but the flagship instrument is weaker than commonly assumed. Wachter, Mittelstadt & Floridi (2017) show GDPR creates only a limited 'right to be informed,' not a binding 'right to explanation' of specific decisions; and controlled work finds the explanations actually delivered do not measurably improve lay decision accuracy over showing the bare AI prediction (Alufaisan et al. 2021; and a 2022 meta-analysis by Schemmer et al. — screening 393 articles down to 9 in the final analysis — reports 'no effect of explanations on users' performance compared to sole AI predictions,' even though XAI overall had a positive effect). Honest caveat: the legitimacy/dignity value of being heard is empirically well established in the procedural-justice tradition even where outcome accuracy is unchanged, so 'redress fails' depends on which aim is measured.

    Sources: Wachter, Mittelstadt & Floridi 2017 (International Data Privacy Law 7(2):76); Alufaisan, Marusich, Bakdash, Zhou & Kantarcioglu 2021 (Proceedings of the AAAI Conference on AI 35(8):6618); Schemmer, Hemmer, Nitsche, Kühl & Vössing 2022 (AAAI/ACM AIES '22, meta-analysis)

  • Does governance work?evidence: absent

    There is no rigorous impact evaluation showing that mandated redress mechanisms (right-to-explanation, appeal, human-in-the-loop review) actually reduce erroneous or unfair automated decisions — the evidence that the rule works is itself missing. The closest experimental analogues are discouraging: explanations increase humans' acceptance of AI recommendations regardless of correctness (Bansal et al. 2021), and algorithm-in-the-loop oversight can introduce racial disparities and exhibit automation bias rather than reliably catching model errors (Green & Chen 2019). The procedural-justice literature (Tyler 1990; Lind & Tyler 1988) robustly supports a legitimacy and compliance benefit of fair process, but it measures perceived fairness, not reduction of the substantive decision harm redress is meant to cure.

    Sources: Bansal, Wu, Zhou, Fok, Nushi, Kamar, Ribeiro & Weld 2021 (CHI '21); Green & Chen 2019 (Disparate Interactions, ACM FAT* '19); Tyler 1990 (Why People Obey the Law, Yale Univ. Press); Lind & Tyler 1988 (The Social Psychology of Procedural Justice, Plenum Press)

• Synthetic Content Provenance

  • Is the harm real?evidence: contested

    The harm provenance targets is real but concentrated, and the technical premise that the mandated signal survives is itself empirically shaky. Synthetic-media harm is well documented in two domains: non-consensual intimate imagery (Ajder et al.'s 2019 Deeptrace audit found 96% of deepfake videos were pornographic and effectively 100% targeted women) and impersonation fraud (the Arup case, ~US$25.6M / HK$200M lost via a deepfake video call). The honest caveat is twofold: a feared broad political-misinformation harm is not yet demonstrated at scale, and CS work shows invisible watermarks are removable in practice (Jiang, Zhang & Gong 2023, WEvade, evade detection via adversarial perturbation; Zhao et al. 2024 prove pixel-level watermarks are provably removable via regeneration attacks), so the provenance signal a rule would mandate is itself contested.

    Sources: Ajder, Patrini, Cavalli & Cullen 2019 (Deeptrace, 'The State of Deepfakes: Landscape, Threats, and Impact'); Jiang, Zhang & Gong 2023 ('Evading Watermark based Detection of AI-Generated Content', ACM CCS 2023); Zhao et al. 2024 (NeurIPS, 'Invisible Image Watermarks Are Provably Removable Using Generative AI'); Arup deepfake fraud (CNN Business, 2024-05-16, US$25.6M)

  • Does governance work?evidence: thin

    There is no impact evaluation showing that mandated provenance/labeling reduces synthetic-media harm; the major mandates (China's GenAI labeling Measures, effective 2025-09-01; EU AIA Art. 50, machine-readable marking) are too new and unevaluated, and the delivery layer is leaky: the C2PA spec's own Security Considerations document the strip-and-repost threat, and platform audits report C2PA/Content-Credentials metadata is stripped by essentially all major social platforms on upload (consistent with Imatag's 2018 finding that ~80% of uploaded images lose metadata, only ~15% retaining it). The closest analogue evaluation literature — Pennycook, Bear, Collins & Rand (2020), the 'implied truth effect' — gives reason for caution rather than confidence: labeling only some content can make unlabeled false content seem more credible, so a partial-coverage provenance regime could backfire.

    Sources: Pennycook, Bear, Collins & Rand 2020 (Management Science 66(11):4944-4957, 'The Implied Truth Effect'); China Measures for Labeling AI-Generated Synthetic Content (eff. 2025-09-01); EU AI Act Art. 50; Imatag 2018 metadata-stripping study (~80%); C2PA Security Considerations (spec.c2pa.org) on manifest removal

• Training-Data Rights

  • Is the harm real?evidence: contested

    That foundation models ingest copyrighted and personal works without consent is undisputed; whether that ingestion produces legally cognizable reproduction harm is genuinely contested. The CS evidence that models can memorize and emit verbatim training text is robust and replicated — Carlini et al. (2021) extracted hundreds of verbatim sequences (including PII) from GPT-2, and follow-up work (Carlini et al., Quantifying Memorization, ICLR 2023) showed extraction scales log-linearly with model size and with example duplication. Honest caveat: verbatim reproduction is the exception, not the norm — the UK High Court held that Stable Diffusion's model weights never stored copies of the training images (defeating the secondary-infringement theory), and Getty abandoned its primary training-infringement claim at trial for lack of evidence, so whether the empirical phenomenon amounts to actionable harm (rather than transient, non-expressive use) remains the open question driving NYT v. OpenAI and parallel regimes.

    Sources: Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea & Raffel 2021 (Extracting Training Data from Large Language Models, 30th USENIX Security Symposium); Carlini, Ippolito, Jagielski, Lee, Tramèr & Zhang 2023 (Quantifying Memorization Across Neural Language Models, ICLR 2023; arXiv:2202.07646); Getty Images (US) Inc & ors v Stability AI Ltd [2025] EWHC 2863 (Ch) (UK High Court, 4 Nov 2025 — no secondary infringement; primary training claim abandoned at trial); The New York Times Co. v. Microsoft Corp. & OpenAI (S.D.N.Y., No. 1:23-cv-11195; consolidated In re OpenAI Copyright Infringement Litigation, Apr. 2025; ongoing 2025-2026)

  • Does governance work?evidence: absent

    There is no impact evaluation showing that the CDSM Directive Article 4 TDM exception plus its Article 4(3) opt-out reservation regime actually reduces unlicensed ingestion or channels compensation to rightsholders — the evidence that the rule works as designed is itself missing. The only available evidence is early case law and doctrinal scholarship, which document the mechanism's contested operation rather than its success: in Kneschke v. LAION the Hamburg Higher Regional Court (on appeal, 10 Dec 2025) held that a rights reservation in natural language did NOT satisfy Article 4(3)'s machine-readability requirement, invalidating the opt-out (note: the first-instance Regional Court had left the Article 4 question largely open and the case ultimately turned on the Article 3 scientific-research exception, so this machine-readability holding is appellate and not yet settled — a further appeal to the Federal Court of Justice was permitted). Legal scholars characterize the Article 4 opt-out as practically difficult and unharmonized, with no observed market in TDM licences or systematic enforcement to evaluate.

    Sources: Kneschke v. LAION (Hamburg Regional Court, 27 Sept 2024, 310 O 227/23; on appeal Hamburg Higher Regional Court, 10 Dec 2025, 5 U 104/24 — opt-out held not machine-readable; further appeal to BGH permitted); Margoni & Kretschmer 2022 (A Deeper Look into the EU Text and Data Mining Exceptions, GRUR International 71(8):685-701); Quintais 2025 (Generative AI, Copyright and the AI Act, Computer Law & Security Review 56:106107)

• Transparency Obligations

  • Is the harm real?evidence: contested

    Documentation artifacts (model cards, datasheets) are well-specified as proposals and are genuinely adopted, but the empirical premise that mandated disclosure produces meaningful transparency is contested. Selbst & Barocas (2018) argue inscrutability and non-intuitiveness are distinct problems and that disclosing rules does not resolve the latter, and large-scale audits find documentation is sparsely and unevenly completed: a systematic analysis of 32,111 Hugging Face model cards (Liang et al. 2024) found environmental-impact, limitations and evaluation sections least often filled, and Bhat et al. (2023, 45 practitioners) found a substantial gap between the documentation proposal and actual practice. Honest caveat: the documentation frameworks themselves are real and adopted, so the dispute is about whether disclosure conveys decision-relevant information, not whether the artifacts exist.

    Sources: Selbst & Barocas 2018 (Fordham Law Review 87:1085-1139); Liang et al. 2024 (Nature Machine Intelligence, s42256-024-00857-z, 'Systematic analysis of 32,111 AI model cards'); Bhat et al. 2023 (CHI '23, 'Aspirations and Practice of ML Model Documentation', DOI 10.1145/3544548.3581518); Mitchell et al. 2019 (FAccT, Model Cards for Model Reporting); Gebru et al. 2021 (CACM 64(12):86-92, Datasheets for Datasets)

  • Does governance work?evidence: absent

    There is no rigorous impact evaluation showing that AI transparency mandates (model cards, training-data summaries) measurably reduce bias, misuse or accidents — the central regulatory assumption is empirically untested, partly because flagship mandates like EU AI Act Art. 53(1)(d) GPAI training-data summaries are only subject to AI Office enforcement/verification from 2 August 2026 (the obligation itself began 2 August 2025 for new models). The closest analogue, mandated consumer disclosure, shows small and context-dependent effects: Bollinger, Leslie & Sorensen (2011) found mandatory calorie posting cut average calories per transaction by about 6%, while Loewenstein, Sunstein & Golman (2014) review evidence that disclosure effects are frequently diminished or even reversed by limited attention and often change provider rather than recipient behavior. These are analogues, not AI studies; no study demonstrates that AI transparency disclosure achieves its stated downstream safety aims.

    Sources: Bollinger, Leslie & Sorensen 2011 (AEJ: Economic Policy 3(1):91-128); Loewenstein, Sunstein & Golman 2014 (Annual Review of Economics 6:391-419, 'Disclosure: Psychology Changes Everything'); EU AI Act Art. 53(1)(d) GPAI training-data summary (obligation from 2 Aug 2025; AI Office enforcement from 2 Aug 2026)

References

1. 互联网信息服务深度合成管理规定 (Provisions on the Administration of Deep Synthesis of Internet Information Services), jointly issued by the Cyberspace Administration of China (国家互联网信息办公室), the Ministry of Industry and Information Technology (工业和信息化部), and the Ministry of Public Security (公安部), CAC Order No. 12, promulgated 25 Nov 2022, effective 10 Jan 2023 (25 articles, 5 chapters).
2. Art. 14
3. Art. 17
4. Art. 16 & Art. 17
5. Art. 12
6. Art. 16 & Art. 18
7. Art. 6, Art. 19 & Art. 20