Surveillance, Privacy and the Right to Know: A Delicate Imbalance in Hong Kong

Hong Kong police’ s cybersecurity center. Hong Kong Government photo via HKFP.

This story was written by Nancy Mak, Grace Liyang, Rammie Chui and originally published on Varsity, a magazine run by students from the School of Journalism and Communication at the Chinese University of Hong Kong on March 31 2017.

Joshua Wong Chi-fung made numerous headlines in 2014 as the youngest of the pro-democracy activists who led Hong Kong's so-called Umbrella Revolution, in which tens of thousands demonstrated in an effort to demand voting rights for Hong Kong citizens.

But this was not Wong's first foray into high-profile activism, or the scrutiny that can come with it. When was just a 15 year-old, Wong led the student group Scholarism in a campaign against compulsory patriotic education in Hong Kong’s schools in 2012. This was the first time that he suspected his phone calls were being intercepted:

I heard strong echoes in my phone, I thought it could be wiretapping. I could hear my own voice and there was a lot hissing noise.

Wiretapping, data theft and seizure of communication devices

It was not just Wong’s phone. Scholarism was disbanded last year, but while it was still operating, there were constant concerns about hacking and theft. One documented incident took place in 2015, when the group noticed documents had been downloaded from its Google account. Scholarism confirmed that an unknown account from Nanjing called “Eastern hunting hawk” had broken into the account and downloaded personal data relating to Scholarism’s members and volunteers over the years.

Wong suspects there may have been other thefts too:

That is why during the Umbrella Movement, all the members of Scholarism, ranging from the most well-known to the least-known, were all on a blacklist and couldn’t enter the Mainland. We think that the blacklist came from the stolen Scholarism membership list.

At the time of the hack, experts suggested it may have been state-sponsored given the political sensitivity of the group.

Wong, who is now the secretary general of the political party Demosisto, believes there are insufficient safeguards to protect citizens’ privacy, particularly from law enforcement agencies.

The Hong Kong police made arrest appointment with four members of student activist group Scholarism, including Wong, on 16 January 2015. Photo from inmediahk.net's Facebook page.

For instance, police can carry out a house search without a court warrant if they have reason to suspect that a person to be arrested is inside the premises. People arrested for political actions may also have their personal communication devices seized. After Wong was arrested at Civic Square on September 26, 2014, his phone and computer were taken away and only returned after half a year.

During this half year, no one knows what they did with my computer and phone. As to whether they could get into my devices, I think it’s not hard to hack into a computer.

Police surveillance of Internet communication

In a bid to protect the personal privacy of Hong Kong citizens, the government has enacted several ordinances, including the Personal Data (Privacy) Ordinance in 1995 and the Interception of Communications and Surveillance Ordinance (ICSO) in 2006. But Wong’s examples show how citizens can have their privacy compromised and their communications intercepted, especially when they happen online. Despite the relatively strong protections for telephone and postal mail communication privacy, neither of these laws covers Internet-based communication at all.

The objective of the Privacy Ordinance is to protect a person's right to keep their data private. According to the ordinance, every Hong Kong citizen should follow six data protecting principles when handling personal data. The principles require that entities collecting data notify clients/citizens about the purpose of the data collection; use the collected data only for the purposes stated at the time of its collection; provide public disclosures about what types of personal data they hold and how the data is used.

In certain circumstances, such as for the protection of Hong Kong security and in the prevention and detection of crimes, exemptions are allowed. The Office of the Privacy Commissioner for Personal Data is an independent statutory body which oversees the enforcement of the Privacy Ordinance.

The Interception of Communications and Surveillance Ordinance was implemented to regulate the communications interception and surveillance conducted by law enforcement agencies, such as the police and customs. The Secretariat for the Commissioner on Interception of Communications and Surveillance (SCIOCS) is an independent oversight authority appointed by the Chief Executive on the recommendation of the Chief Justice.

Under the ordinance, law enforcement must obtain judicial authorisation to carry out any covert surveillance in cases where there is a high level of intrusion, for instance when an officer enters a person's home or private property and installs a covert surveillance device. In other cases, law enforcement must obtain approval from an authorising officer in their department prior to beginning their investigation.

Although acts of interception and surveillance require authorisation, Lokman Tsui, an assistant professor at the School of Journalism and Communication in the Chinese University of Hong Kong, says the authorising bodies are often just a rubber stamp. According to the SCIOCS annual report to the Chief Executive in 2015, a total of 1,481 authorisations (including fresh and renewed authorisations) were issued. Only two applications for interceptions were refused. “The office basically approved all requests,” says Tsui.

Michael Mo Kwan-tai, a campaigner in digital communication at Amnesty International of Hong Kong, says oversight of the ordinance is too weak and can lead to misuse:

There are guidelines, but in practice, how much they comply, you know, is another question.

Mo adds that violations of the ordinance constitute civil rather than criminal offences and the penalties have no deterrent effect while the SCIOCS lacks the authority to take follow-up action:

SCIOCS is a commission but not a department, it is very hard for us to expect them to have such huge capacity like a department to carry out investigations.

The Chinese University of Hong Kong's Lokman Tsui points out another glaring shortcoming of the Interception of Communications Surveillance Ordinance, which is that it does not cover data requests from law enforcement to telecommunication companies and internet service providers (ISPs). The ordinance only regulates wiretapping, and the interception and surveillance of communications made through postal mail and the telephone. But as previously mentioned, it does not cover online communication at all. This leaves citizens with no protection in regard to interception and surveillance via Internet-based communication platforms like email and mobile messaging apps.

User data requests with no court oversight

Internet-based and digital communications are not only unprotected by Hong Kong's laws — they also introduce many relatively new ways to track a person's behavior and activities. Telecommunication companies have access to users’ personal data such as their browser history, their IP addresses and geographical locations. Law enforcement agencies are not required to get court warrants before requesting that telecommunication companies hand over their users’ personal data, and it is up to the companies to decide whether to do so.

According to statistics released by the Innovation and Technology Bureau, the police filed 3,448 requests to ISPs for user information in 2016. This is the highest number of requests among all government departments and the main reason given for the requests was crime prevention and detection.

Cartoon by Doaa Eladl.

Information on how the government requests user data can also be found in the Hong Kong Transparency Report, published annually by the Journalism and Media Centre at the University of Hong Kong. The report tracks government requests to information communication technology (ICT) companies for their users’ data and for removal of online content, as well as how overseas ICT companies respond to such requests. The 2016 report shows a declining number of data requests to ICTs, from 6,008 in 2013 to 4,637 in 2015. However, the government has sent more requests to social media companies, especially to Facebook which has seen a more than two-fold increase in 2015 compared to 2014. There were 184 requests made in 2015, compared to 59 in 2014 and the number of accounts involved increased from 89 to 415 between the two years.

The report found that overseas ICT companies rejected 40 per cent of the data requests from the Hong Kong government. Benjamin Zhou Suibin, the Hong Kong Transparency Report Project Manager, says law enforcement are not legally obliged to provide a court warrant when requesting users’ data. It is wholly up to the company to decide whether to comply. Zhou says overseas companies will release transparency reports annually to disclose how they responded to government requests, but local ISPs do not. He thinks smaller local companies usually just hand over users’ data because they do not have teams of lawyers to evaluate the requests.

The Keyboard Frontline, an internet freedom advocacy group, conducted a project called “Who’s on your side?” in 2015 which reviewed Hong Kong local online service providers’ levels of transparency and respect for user data privacy. Glacier Kwong, the spokesperson for Keyboard Frontline, says “the findings imply that many Hong Kong local ISPs don’t have the awareness to protect users’ personal data.”

Kwong says local ISPs collect excessive data when users register for an account. For instance, to register for an online discussion forum, users are asked for details such as their occupation and income as well as their email. Kwong says ISPs have no clear and comprehensive legal guidelines on how to handle data requests from the government:

If ISPs give users’ data to LEAs [law enforcement agencies] upon request every time, LEAs may form a habit of abusing the procedure.

Kwong adds that because local ISPs do not release transparency reports on how they handle the government’s data requests, customers are unable to ascertain when and whether their personal data has been disclosed.

This can have serious consequences for users. For instance, several netizens were arrested for posting comments on Hong Kong Golden Forum encouraging people to take certain actions, such as charging police cordons during the Occupy Movement protests in 2014. Kwong says officers would not have been able to identify the posters unless Hong Kong Golden Forum passed their relevant data to the police. She points out the definition of “public security” in the ICSO is unclear:

This is very scary. Is it that any form of social activities can be intercepted with this excuse? This will lead to a white terror; it may even affect the Hong Kong’s freedom of speech and assembly.

Craig Choy Ki, the convenor of the Progressive Lawyers Group, says the government has abused existing statutes to arrest social activists on laws that were intended for other purposes. For instance, activists have been charged with “access to computer with criminal or dishonest intent” which was originally implemented to handle hacking and computer fraud. Using this law, police can take away activists’ personal computers and mobile phones.

Mobile phones are held aloft during a pro-democracy protest on September 30, 2014 in Hong Kong. Photo by Flickr user Pasu Au Yeung. CC BY 2.0

Raphael Wong Ho-ming, vice-chairman of the League of Social Democrats, says there should be laws regulating the confiscation of mobile phones by the police. Wong’s phone was seized while he was filming a policeman who tried to snatch his protest banner during the visit of Zhang Dejiang, the National People’s Congress chairman, last year. He was arrested and his phone confiscated – which he says was an intrusion of his privacy. Wong fears that the police may not have only looked at relevant information but also have wanted “to search for new information to add new charges on me.”

Government confidentiality trumps public right to know

Wong demands that every citizen’s privacy should be protected but he also insists that the government should disclose its information to the public because the public has the right to know.

Indeed, there are two sides to the argument for privacy protection. While privacy advocates argue there is not enough regulatory protection of citizens’ privacy, the government cites the need to protect its own “privacy” when it does not want to disclose government officials‘ or corporate activities.

Commenting on government privacy policy, Mak Yin-ting, a member of the Press Freedom Subcommittee of the Hong Kong Journalists Association, said:

Privacy and the freedom of the press is very unbalanced now, obviously it tends to protect privacy more.

Mak says the government always uses privacy protection as a reason for not disclosing information to the public.

Mak also argues that the ordinance regulating interception and surveillance, the ICSO, should include professional privileges for journalistic work. Mak points to a case revealed in the Surveillance Commissioner’s 2009 annual report, in which the judge allowed law enforcement agents to continue intercepting communications even though they had told the judge that journalistic materials were included in the interception.

If interviewees know they are being intercepted, then no one dares to tell the truth in the conversation. If there is no freedom of communication, will there still be freedom of expression?

Originally published in Global Voices.