Hong Kong national security law (NSL)
Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
The harsh potential penalties under the new national security law have spooked many internet and smartphone users in Hong Kong. Photo: Shutterstock

Hongkongers, spooked by Beijing’s new national security law, are scrubbing their digital footprints

  • Hong Kong officially adopted a new national security law imposed by Beijing on July 1
  • Internet users worried of falling afoul of the new law are using encrypted messaging apps, scrubbing their social media posts and installing VPN software

Sam Wong remembers exactly when he deleted his Facebook account.

An hour before the clock struck midnight on July 1, Hong Kong officially adopted a new national security law imposed by Beijing. Like many others living in the city, Wong only learned about the full details of the sweeping legislation after it was signed into law. By the time it came into force, he decided that the moment had come for him to quit the social media platform.

The social service manager in his early 30s, who spoke under a pseudonym for fear of jeopardising his job, joins other Hongkongers who are scrambling to protect their online privacy in the face of the new legislation.


What you should know about China's new national security law for Hong Kong

What you should know about China's new national security law for Hong Kong

Under the law, offences of secession, subversion, terrorism and collusion with foreign forces carry maximum penalties of life imprisonment.

Furthermore, the rules authorise the police to search electronic devices believed to contain criminal evidence, and require social media platforms and internet service providers to assist law enforcement without a warrant, according to industry experts.

Hong Kong national security law puts Facebook, Twitter under pressure

TikTok, the short video app that has in the past denied censoring users’ content or sharing data with its Beijing-based parent company ByteDance, said that it had decided to exit the Hong Kong market “in light of recent events”.
WhatsApp owner Facebook, Google, Twitter and Zoom also said this week that they have suspended requests for user data from Hong Kong authorities as they monitor developments and assess the effect of the new law.

Legal experts the Post spoke to said the national security law impacts anyone in the city from active dissidents to ordinary citizens discussing politics privately.

“Any remark that may lead to secession or the subversion of state power – for example, if you proclaim to overthrow the government of the People’s Republic of China – may run afoul of the national security law,” said barrister Anson Wong Yu-yat.

Adding to the uncertainty, it remains unclear whether common law will apply since the power to interpret the new legislation rests in the Standing Committee of the National People’s Congress, China’s pinnacle of power, he said.

The harsh potential penalties under the new law have spooked many internet and smartphone users in the city. Some are turning to encrypted messaging apps to protect their privacy and have conversations that they fear may run afoul of the new law, while others are scrubbing their social media posts and installing virtual private network (VPN) software to elude scrutiny.

Chief executive’s power to pick judges does not undermine judiciary

One app that has caught sudden attention is Signal, an encrypted messaging app. Since July 1, it has become the most downloaded app on Google’s Play Store in Hong Kong, according to analytics company App Annie. It is also the top social networking app in Apple’s iOS App Store.

Just like WhatsApp, Signal adopts end-to-end encryption, which means no one other than the sender and the recipient can read the content of the messages. Neither the government, phone companies nor Signal itself can snoop while conversations are transmitted between devices.

But Signal also goes one step further to enhance security. “Disappearing messages” allow a user to automatically delete messages on both ends of a chat after a certain time, from five seconds up to a week.

Pazu Kong, a travel blogger who describes himself as a “gadget freak”, recently encouraged his 63,000-plus Facebook followers to use Signal. Disappearing messages add an extra layer of protection, he wrote. “Say the person you’re in contact with does not adopt proper security measures, and their phone is being taken away – then it does not matter whether you’re using encryption on your end.”

In the past few days, he has seen a sudden surge in Signal installs among his connections, including both government supporters and dissenters, he told the Post.

From social media to encrypted messaging: tech’s changing role in protests

“Since last year I’ve been asking my friends to install Signal and use VPN, but a lot of them would say, ‘But I have no sensitive information to hide,’” he told the Post. “Recently, though, at least my close friends have all downloaded VPN and Signal. To be honest, I’m quite surprised.”

Even people who have not been particularly vocal about politics say they are paying more attention to their digital footprints. Wong, the man who deleted his Facebook account last week, is one of them. He said he is worried not for himself, but for his more outspoken friends.

If my account is compromised, or if my phone is hacked, or if I am kidnapped and someone else sees what’s on my phone, then it’s not just the stuff that I wrote that is being exposed but also my friends’.
Sam Wong (not his real name), social service manager

“I haven’t really written anything that can’t go public or will get me arrested by the police,” he explained. “But on Facebook, if you’re someone’s friend, you can see what that person has posted. That means if my account is compromised, or if my phone is hacked, or if I am kidnapped and someone else sees what’s on my phone, then it’s not just the stuff that I wrote that is being exposed but also my friends’.”

“With the implementation of the new law, I think the risks for my friends are higher, especially those friends who have a reason to fear.”

Hong Kong police granted sweeping new powers under national security law

People have a legitimate reason to worry about comments they made in private online since there is nothing in the law stopping authorities from surveilling users’ emails and text messages, according to barrister Craig Choy.

“The offences are wide and vaguely defined,” he said. “The chilling effect is already apparent and enough to scare people off from discussing politics with others.”

The chilling effect is already apparent and enough to scare people off from discussing politics with others.
Craig Choy, barrister
Beijing officials have said that the new law is “ not retroactive”. But past comments could still be used against people, according to barrister Wong.

“If you display any new conduct or make any new comment, there is a possibility that the court can infer your current intention based on your past conduct,” he said.

One 30-year-old researcher in a Hong Kong university who wishes to remain anonymous said that she has noticed older Facebook posts vanishing from the platform.

Hongkongers rush to download VPNs as Beijing pushes for security law

“I found that many news [articles] which I’ve shared on Facebook are no longer available as the original posts may have been deleted,” she said.

The researcher herself has also been personally changing the status of some of her older posts on Facebook from “public” to “hide from my timeline” to avoid getting into trouble, she said.

“But I do plan to keep on sharing reasonable analyses and reports on the current situation in Hong Kong on social media, especially those which analyse and critique the national security law,” she added.

Protesters hold flags that read 'Hong Kong Independence' during a protest in Causeway Bay district, in Hong Kong, China, on Wednesday, July 1, 2020. Photo: Bloomberg

Speaking under a pseudonym, Giselle Ng, a freelance artist in her 20s who has collaborated with anti-government protesters, said she has becoming more vigilant after the passing of the national security law.

“Some of my previous works involved talking to different participants of the movement, so I saved all the information on ProtonMail,” she said, referring to the secure email service. “I also encrypt the app itself with a separate password on my phone.”

To hide her IP address – a string of numbers that identify an internet-connected device – she recently also subscribed to a VPN service. “I leave it on almost at all times. It’s easy to do. I turn it off only when I have to shop online because the credit card verification procedure requires a local IP address.”

Man arrested for selling VPN to hop the Great Firewall

Michael Gazeley, managing director of security firm Network Box, said he has seen more questions about how people can protect their privacy with technology like encryption.

“There are a lot of people who are asking not because they are directly or would be directly impacted by the law. But they asked more because maybe, due to the law, there is going to be more scrutiny or examination of data,” he said.

Interest in VPNs, which allow users to mask the origin of their internet traffic by re-routing and encrypting it, skyrocketed in the city soon after Beijing announced its intention to draw up the national security law for Hong Kong in May. On June 30, the day the legislation passed, review site Top10VPN said it saw demand for VPN rise by over four times compared to the month’s daily average.

Ng said a fellow artist she knows who creates protest-related work has switched her Instagram account to private. She now enforces strict rules on who can follow her account, demanding that her more than 2,800 followers conceal their identities by hiding their faces, real names and dates of birth, as well as remove any protest slogans from their bios.


Hong Kong needs Beijing approval to handle national security law cases in three situations

Hong Kong needs Beijing approval to handle national security law cases in three situations

But more than such elaborate measures, cybersecurity experts the Post spoke to emphasised the importance of basic cyber hygiene to protect users’ digital safety.

“Many times, [hackers] need a bug to be able to unlock a smartphone,” said a Hong Kong-based cybersecurity researcher who declined to be named because he was not authorised by his employer to speak. “So if you install the latest software and operating system updates as soon as they arrive, the possibility that anyone can hack into your phone will be far smaller.”

He also recommended that people avoid making phone calls outside of end-to-end encrypted apps. Before sending a phone away for repair, it is important to do a factory reset, which restores the phone’s original setting and wipes out all data, including sensitive ones like passwords and personal messages, he added.

“As long as you adopt good cyber hygiene, it would take a vast amount of resources for someone to crack your phone,” he said.