Big technology companies may already be complying with secret Chinese requests for user information held in Hong Kong. They ought to “come clean” about the vulnerability of the data they hold there, a senior US state department official has said.
Hong Kong can demand data from tech companies, and some are complying
The allegation of possible secret cooperation between major companies and Hong Kong authorities follows the implementation of a sweeping and controversial new national security law. The law allows Hong Kong authorities to demand sensitive user data from companies if it is deemed to threaten national security.
Some tech and social media companies, like Facebook, Google, and Microsoft, said in the immediate aftermath of the law being implemented in June that they would put a “pause” on complying with any Hong Kong data requests. However, interviews with activists, legal experts, and a current and former US government official have raised doubts about their ability to fend off such legal demands and their right to disclose if they have received them.
The state department official said, “There is a possibility that things are happening but because of the restrictions put on by the Hong Kong authorities, they [companies] would not be able to divulge this.” The official added that if the request was “detoured” into the mainland legal system it would fall into a “black hole”. “The company would be told by mainland authorities ‘you will be breaking the [law] if you reveal the fact that I’m asking for this information,’” the official said.
Facebook and Google did not respond to requests for comment.
Microsoft said: “As we would with any new legislation, we are reviewing the new law to understand its implications. In the past, we’ve typically received only a relatively small number of requests from Hong Kong authorities, but we are pausing our responses to these requests as we conduct our review.” Microsoft declined to comment on the remarks by the state department official.
It’s happened before, and it ended badly
For Hong Kong activists like Glacier Kwong, who is living outside Hong Kong at the moment but is a vocal pro-democracy advocate, the threat of having her information turned over to Beijing is reminiscent of the 2004 incident in which Yahoo complied with a Chinese request for identifying information about the journalist Shi Tao after he used a Yahoo account to send information about how China was restricting coverage of the anniversary of the Tiananmen Square massacre to a human rights forum in the US.
Shi was arrested and spent nearly 10 years in prison as a result of Yahoo’s disclosure, an act that was later described by a US congressman as akin to corporate collaboration with Nazi Germany. Yahoo had also shared information about the dissident Wang Xiaoning, who had been posting his writings on Yahoo forums anonymously. The activist was sentenced to a decade in prison after he was identified. He was released in 2012 and Yahoo publicly apologized for the disclosures.
Kwong says it would create “huge problems” for her and fellow activists if their most “highly sensitive and intimate” data – collected over many years of using Facebook and Google – was handed to Beijing. She said: “I don’t want to put it that way but I will. If Google or other technology companies comply with this national security law, it is actually helping indirectly the Hong Kong government, the Chinese government, to oppress or crackdown on the civil society.”
Activists like Kwong are not calling for the companies to abandon Hong Kong, but said all companies ought to minimize the data they collect or store, and end to end encrypt the data that gives even the companies limited access to the information.
Another dissident, Yaxue Cao, who is based in Washington, said companies ought to remember the 2004 Yahoo case and the reputational damage and lawsuit that Yahoo eventually had to settle with Chinese dissidents, as they navigate the new Hong Kong security law. But there was one major difference between then and now: neither Hong Kong nor China would likely now acknowledge in court, as China did in the Yahoo case, that it had obtained sensitive data from a major technology company.
“It will therefore be that much more important for the tech companies to be honest and to have integrity,” she said.
But one former US government official, who has discussed the issue with affected groups, said it would be problematic to rely on companies with a vested interest in expanding their business in China to essentially act as whistleblowers and reveal if they have been asked to turn over information.
“Within companies [the issue] is pretty well understood but companies want to keep it quiet, they want to keep it hush-hush, they want to make their own decisions about what is best for their business,” the person, who asked not to be identified because of possible repercussions, said. “To have data that is from south-east Asia, regional data, or data from Europe or the US, in Hong Kong, at this point, is just nuts. Or, at least, if you have it and don’t have a plan in the next year to get it out … then you’re either naive or you just don’t care.”