We’re excited to welcome Yiwen Lu onto the team as a staff writer on China and AI with her inaugural piece! She joins us after a year at The New York Times as a 2023-2024 Reporting Fellow.

Late last month, developers in China lost API access to OpenAI’s services, according to screenshots of emails circulating on social media. OpenAI said that it was part of the steps it was taking “to block API traffic from regions that are not on our supported countries and territories list,” which does not include mainland China, Hong Kong, Russia, Iran, and North Korea.

Through APIs, developers can integrate OpenAI’s machine learning models into their own applications. This change will mostly affect developers building ChatGPT wrappers, apps that are powered by ChatGPT, as well as local LLM developers who train their models with OpenAI outputs. It’s also a sign of the US extending the scope of export controls from hardware to software.

In this article, we will explore:

• Why OpenAI made this decision;

• How Microsoft Azure and Chinese AI providers are fighting to fill the void to OpenAI’s exit;

• How OpenAI’s API was available to Chinese developers in the first place, whether they were surprised at all by the change, and how they’re coping.

OpenAI’s worry: can China hack AI systems, too?

API access is one of the less-discussed vectors of export control. While OpenAI did not indicate why it chose to send the warning email, it is a possible sign of companies complying with incoming national security regulations.

Early last year, a hacker gained access to OpenAI’s internal forum and stole secrets about employees’ discussions of the company’s technology, according to The New York Times. The story broke on July 4, a date indicating a tactical news dump over a holiday weekend. OpenAI executives did not promptly share the incident publicly, nor did they inform law enforcement, because they believed that the hacker was a private individual with no ties to a foreign government.

Taking them at their word: if a random “lone wolf” hacker can get into OpenAI’s slack channels, it’s safe to assume that state adversaries probably can, too. Both Dario Amodei and Sam Altman understand that state adversaries will come for their firms’ secrets sooner rather than later:

• “Recently, we saw that some fairly high officials of the US government had their email accounts hacked via Microsoft,” Amodei said on the Dwarkesh podcast. “Presumably that relayed information that was of great interest to foreign adversaries. It seems to me at least that the evidence is more consistent with, when something is really high enough value, then someone acts and it’s stolen.”

• And Altman said on the Lex Fridman podcast in March 2024 that as capabilities ramped up, he expected “state actors [to try] to steal the model.”

Leopold Aschenbrenner, formerly on OpenAI’s superalignment team and the author of a 50,000-word essay on AI’s long-term future, sent a memo to OpenAI’s board after the security breach, accusing the company of not doing enough to prevent China from hacking it, the NYT article said.

Weeks after Leopold dropped his essay, OpenAI appointed former NSA chief Gen. Paul Nakasone to its board’s Safety and Security Committee, citing the need to protect proprietary data from cybersecurity threats. In February, OpenAI also terminated the accounts of five cyberattack actors affiliated with China, Iran, Russia, and North Korea. These state-affiliated groups used OpenAI services in malicious acts, such as building malware and creating phishing campaigns, OpenAI found.

It is possible that OpenAI decided to more explicitly withdraw from the Chinese market to signal its displeasure with Chinese hackers — just as Google was spurred to withdraw its search engine from China back in 2010 by a cyberattack from within China that compromised the accounts of several human-rights activists. OpenAI might also be concerned with Chinese actors using its API not just to build applications, but also to use outputs to level up domestic models:

• Some researchers raised concerns over a form of attack known as model extraction, where a bad actor tries to replicate a machine learning model by querying it using API and analyzing its outputs, with the eventual goal of developing a similar model. This process can actually be very cheap: DeepMind researcher Nicholas Carlini, for example, extracted “the entire projection matrix of OpenAI’s Ada and Babbage language models” for less than $20.

• Model inversion is another type of attack that involves using a model’s outputs to infer sensitive information about the model’s training data. Facial recognition tools are more vulnerable to those attacks: research has shown that attackers could produce a recognizable image of a person with only API access.

That said, there is little evidence that foreign adversaries have been hacking AI systems using these attacks — and as Kevin Xu points out in his explanation of model extraction, a lot of research on these kinds of attacks is supported by OpenAI and Google. So the companies are likely aware of the risks and have incorporated measures to preempt these attacks in the models.

API Access: A new frontier for export control

Regardless of why OpenAI warned developers of their unauthorized API uses, it may have just seen the writing on the wall as lawmakers tapped into a previously untouched sphere in AI export control: cloud.

For two years, Washington has been preventing China from accessing advanced semiconductors. Now, lawmakers are becoming increasingly uncomfortable with foreign adversaries having free access to the rapidly developing technologies themselves, delivered through cloud platforms. That gave rise to a sequence of events, including:

• Know-Your-Customer (KYC) Rules for cloud providers: the Commerce Department proposed in January that cloud service providers would be required to verify foreign users’ identities, so as to prevent malicious actors from using US cloud to train AI models. See more ChinaTalk coverage of that here.

• Reuters reported on May 8 that Commerce plans to impose export controls on closed-source AI models.

• The ENFORCE Act, proposed by a bipartisan group of lawmakers in early May, would allow the Biden administration to control the export of AI models which they worry has allowed China to advance its military capabilities. The Commerce Department will have the power to regulate Americans who work with foreigners to develop AI under this bill.

Did OpenAI ever really allow API access in the first place?

In February 2023, Nikkei Asia reported that Chinese regulators told tech companies, including Tencent and Ant Group, to not offer ChatGPT services to the public. This attempt, alongside state media calling ChatGPT misinformation on Weibo, is usually seen as the official sign that China is breaking up with OpenAI.

But in fact, OpenAI was the first to put up barriers.

OpenAI geo-blocked China from the beginning, as mainland China and Hong Kong were not among the supported countries upon ChatGPT’s release. But Chinese users have found ways to get around it, including using VPNs to set up accounts and, in turn, get API keys.

The ability to call an API to access OpenAI services from within China, on the other hand, has been hit and miss. (It is unclear why API access was not previously blocked in China.) Over the past year, developers have reported that, while the ChatGPT browser interface was blocked for Chinese IPs, they could still call the API without using a VPN. But this could fail from time to time, indicating that OpenAI may have been aware it was receiving API calls from blocked IP addresses. In any case, until now, OpenAI had not explicitly said it would ban such uses.

Developers I spoke to said that OpenAI’s latest barrier was nothing new, except that this time OpenAI made it official. Many developers don’t call API directly from their local IP address anyway, and there are a few ways to go around this restriction:

1. Use a VPN while making API calls, in the same way that an individual user would access OpenAI services.

2. Use a third-party LLM router/aggregator. Simply put, these services reroute the data requests so that API calls won’t be traced back to your own IP address. Generally, it’s cheaper to use such services than to purchase a VPN and create your own OpenAI account.

But one particularly interesting business case is Microsoft, OpenAI’s largest backer. Enterprise users in China could in fact use OpenAI services through Microsoft Azure, which provides REST API access to OpenAI.

Where OpenAI sees risk, Microsoft sees market share

On June 25, the day many Chinese developers learned about OpenAI’s new policy, Microsoft’s official WeChat account published a step-by-step guide for users on how to migrate their OpenAI workload to Azure OpenAI.

Azure is Microsoft’s public cloud-computing platform, and Azure China is a joint venture between Microsoft and 21Vianet 世纪互联, one of the largest data center providers in China. It is physically separate and operated by local cloud providers.

To access the OpenAI service through Azure China, customers need to apply with their company’s information or a work email. So far, it has been a fairly easy process: customers reported that they were able to use OpenAI models without hassle, including using it to train their own models. (In a statement to Z Finance, Microsoft said that training violated their terms of service.)

Why does OpenAI ban China, while Microsoft takes advantage of its partner’s exit to attract more Chinese customers? It has a lot to do with the different incentives of both businesses. While there are some portions of revenue sharing (Microsoft gets 75% of OpenAI’s profits until it repays the former’s $10 billion investment), they operate independently from each other — and even compete with each other, since OpenAI is free to sell its technology to any of Microsoft’s rivals.

In this case, OpenAI, a startup with no sales quota, is more comfortable leaving a market for non-revenue reasons, including national security as mentioned earlier. Microsoft, which currently has five Azure regions in China, can hardly do the same. Here’s Kevin Xu:

As a massive global organization where every region carries an ambitious sales quota, Microsoft’s Azure team saw OpenAI’s exit in China as not a signal to do the same, but an opportunity (at least in the short term) to gain revenue and fill that quota.

In some ways, this is probably the puzzle for all big enterprises: despite all the heartache, it still doesn’t make sense to give up on China. Apple, which just had a grand unveiling of its partnership with ChatGPT to develop Apple Intelligence for its products in the US, reportedly held preliminary talks with Baidu about using the latter’s AI technology in its devices in China — precisely because its flagship global partner ChatGPT is not available in China. Similarly, Samsung uses Baidu’s ERNIE 文心一言 within its latest smartphone model in China, and Google’s Gemini outside of China.

Are local LLMs having a Baidu vs. Google moment?

OpenAI’s competitors in China are, indeed, wooing customers. Immediately following the company’s announcement, a handful of LLM developers started to offer developers “moving packages” for free, helping customers transfer their services from OpenAI to other models. These include major cloud players like Alibaba, Baidu, Tencent, and SenseTime, as well as startups like 01.AI 零一万物, Moonshot AI 月之暗面, Zhipu AI 智谱AI, and Baichuan AI 百川智能. (Doesn’t that remind you of Baidu, when Google left China? Baidu’s market share in mid-2010 jumped to over 70 percent from less than 60% in early 2009.)

This could be a win-win scenario for both Chinese LLM developers and their customers.

Previously, the main obstacle was cost: it’s expensive for developers to transfer from one foundation model to another. But a recent article by popular AI-focused media channel leitech 雷科技 estimated that Chinese LLMs could replace GPT by 80% of common use cases (It was unclear how this number was calculated, but Zhipu AI said during the January release of its GLM-4 model that it could reach 90% of GPT-4’s capability.)

So now, the LLM providers are offering attractive deals:

• Zhipu AI said that it would offer 150 million tokens (50 million GLM-4 and 100 million GLM-4-Air) for free, while Qwen 通义千问 would offer 22 million tokens.

• Baidu went as far as to brand its service “the hometown cloud” 故乡的云, offering ERNIE’s flagship model for free for the first time, as well as an ERNIE 3.5 flagship model token package.

I haven’t heard very many responses from customers. On June 26, though, DingTalk 钉钉, the professional communication tool, said that its platform would be made compatible with all LLMs, and that seven local models have already been integrated into the platform.

Are developers similarly hyped? At least on social media, developers don’t seem entirely convinced that local LLMs can replace OpenAI models right away. After all, the fact that firms have been willing to deal with VPNs, pay for third-party routers, and bear with an unstable connection to OpenAI models in the first place is a pretty strong revealed preference indicating the gap between OpenAI and its Chinese alternatives.

Social media reactions

Most of the initial social-media chatter I’ve seen after the new policy was about the fate of startups building on top of OpenAI platforms. But the discourse on Weibo, however, quickly shifted to a discussion comparing domestic AI developments with OpenAI. On June 25, Hongyi Zhou 周鸿祎, the chairman of Qihoo 奇虎 360, a Beijing-based internet security and software company, said that this would be an opportunity for companies to shift to Chinese LLMs.

Then on June 27, a few state-owned media accounts started to use the hashtag “China’s LLM became the best open source model in the world,” referring to Alibaba’s Qwen-2 (according to Hugging Face’s new LLM leaderboard).

That seems to be the internet’s main reaction: OpenAI’s official break-up with the Chinese market is a massive opportunity for local developers. The same story was told with semiconductors, as netizens lauded Huawei’s domestically fabricated Kirin 麒麟 9000s chips and HarmonyOS system.