Alex Lo
SCMP Columnist
My Take
by Alex Lo

How a US influence operation undermines Hong Kong’s Covid efforts

  • With no expertise in public health or pandemic control, the irresponsible operation behind the US-sponsored expose of ‘Leave Home Safe’ security flaws may well cost local lives

In 2008, researchers at Radboud University in the Netherlands discovered a serious security vulnerability in a smart card, which was being rolled out for the Dutch transit system. The chip has already been used in the transport systems of several major international cities, including Hong Kong.

The researchers informed the chip maker, the Dutch ministry of the interior, and the transit agency about the problem and gave them six months to fix it before going public at an academic conference.

The chip maker then tried to impose a restraining order to prevent disclosure, but the court rejected it. The ruling has become a landmark not only for the Dutch, but also for many European countries.

Since then, the industry standard or best practice has become known as “coordinated vulnerability disclosure” (CVD), which enables the discoverer of flaws or vulnerabilities to disclose such information in a responsible way and in the public interest.


Giving previous warnings and lead time to those entities or agencies responsible before going public is standard practice. After all, if you sound your “warning” out of the blue, you are not just alerting stakeholders, but potential malicious actors or criminals too.

In light of CVD, it’s highly relevant to consider how a group of US government-affiliated agencies and hired guns suddenly publicised the alleged vulnerabilities of “Leave Home Safe”, the Hong Kong government’s Covid-19 risk-exposure app for contact-tracing and disease control, whose mass usage can save lives.

The Hong Kong Democracy Council, which has close ties with the US Congress-funded National Endowment for Democracy, hired Polish computer firm 7ASecurity to carry out the analysis. It also provides “project coordination, support and assistance, both before and during this assignment”.

The Open Technology Fund (OTF) is named as the sponsor of the 7ASecurity project. The OTF is directly funded by the United States Agency for Global Media, which oversees news groups such as Voice of America and Radio Free Asia (RFA). 7ASecurity released its report on Wednesday, while RFA carried the story at almost the same time. An exclusive, no doubt!

The firm’s analysis may or may not be technically valid, but neither the company nor any of the US-affiliated entities have any expertise in public health or pandemic control. The Leave Home Safe app already has a low take-up rate; the merry-go-round of US-assisted news generation and manipulation may well cost lives.