Hongkongers, spooked by Beijing’s new national security law, are scrubbing their digital footprints
- Hong Kong officially adopted a new national security law imposed by Beijing on July 1
- Internet users worried of falling afoul of the new law are using encrypted messaging apps, scrubbing their social media posts and installing VPN software
Sam Wong remembers exactly when he deleted his Facebook account.
The social service manager in his early 30s, who spoke under a pseudonym for fear of jeopardising his job, joins other Hongkongers who are scrambling to protect their online privacy in the face of the new legislation.
What you should know about China's new national security law for Hong Kong
Under the law, offences of secession, subversion, terrorism and collusion with foreign forces carry maximum penalties of life imprisonment.
Legal experts the Post spoke to said the national security law impacts anyone in the city from active dissidents to ordinary citizens discussing politics privately.
“Any remark that may lead to secession or the subversion of state power – for example, if you proclaim to overthrow the government of the People’s Republic of China – may run afoul of the national security law,” said barrister Anson Wong Yu-yat.
Adding to the uncertainty, it remains unclear whether common law will apply since the power to interpret the new legislation rests in the Standing Committee of the National People’s Congress, China’s pinnacle of power, he said.
The harsh potential penalties under the new law have spooked many internet and smartphone users in the city. Some are turning to encrypted messaging apps to protect their privacy and have conversations that they fear may run afoul of the new law, while others are scrubbing their social media posts and installing virtual private network (VPN) software to elude scrutiny.
One app that has caught sudden attention is Signal, an encrypted messaging app. Since July 1, it has become the most downloaded app on Google’s Play Store in Hong Kong, according to analytics company App Annie. It is also the top social networking app in Apple’s iOS App Store.
Just like WhatsApp, Signal adopts end-to-end encryption, which means no one other than the sender and the recipient can read the content of the messages. Neither the government, phone companies nor Signal itself can snoop while conversations are transmitted between devices.
But Signal also goes one step further to enhance security. “Disappearing messages” allow a user to automatically delete messages on both ends of a chat after a certain time, from five seconds up to a week.
Pazu Kong, a travel blogger who describes himself as a “gadget freak”, recently encouraged his 63,000-plus Facebook followers to use Signal. Disappearing messages add an extra layer of protection, he wrote. “Say the person you’re in contact with does not adopt proper security measures, and their phone is being taken away – then it does not matter whether you’re using encryption on your end.”
In the past few days, he has seen a sudden surge in Signal installs among his connections, including both government supporters and dissenters, he told the Post.
“Since last year I’ve been asking my friends to install Signal and use VPN, but a lot of them would say, ‘But I have no sensitive information to hide,’” he told the Post. “Recently, though, at least my close friends have all downloaded VPN and Signal. To be honest, I’m quite surprised.”
Even people who have not been particularly vocal about politics say they are paying more attention to their digital footprints. Wong, the man who deleted his Facebook account last week, is one of them. He said he is worried not for himself, but for his more outspoken friends.
“I haven’t really written anything that can’t go public or will get me arrested by the police,” he explained. “But on Facebook, if you’re someone’s friend, you can see what that person has posted. That means if my account is compromised, or if my phone is hacked, or if I am kidnapped and someone else sees what’s on my phone, then it’s not just the stuff that I wrote that is being exposed but also my friends’.”
“With the implementation of the new law, I think the risks for my friends are higher, especially those friends who have a reason to fear.”
People have a legitimate reason to worry about comments they made in private online since there is nothing in the law stopping authorities from surveilling users’ emails and text messages, according to barrister Craig Choy.
“The offences are wide and vaguely defined,” he said. “The chilling effect is already apparent and enough to scare people off from discussing politics with others.”
“If you display any new conduct or make any new comment, there is a possibility that the court can infer your current intention based on your past conduct,” he said.
One 30-year-old researcher in a Hong Kong university who wishes to remain anonymous said that she has noticed older Facebook posts vanishing from the platform.
“I found that many news [articles] which I’ve shared on Facebook are no longer available as the original posts may have been deleted,” she said.
The researcher herself has also been personally changing the status of some of her older posts on Facebook from “public” to “hide from my timeline” to avoid getting into trouble, she said.
“But I do plan to keep on sharing reasonable analyses and reports on the current situation in Hong Kong on social media, especially those which analyse and critique the national security law,” she added.
Speaking under a pseudonym, Giselle Ng, a freelance artist in her 20s who has collaborated with anti-government protesters, said she has becoming more vigilant after the passing of the national security law.
“Some of my previous works involved talking to different participants of the movement, so I saved all the information on ProtonMail,” she said, referring to the secure email service. “I also encrypt the app itself with a separate password on my phone.”
To hide her IP address – a string of numbers that identify an internet-connected device – she recently also subscribed to a VPN service. “I leave it on almost at all times. It’s easy to do. I turn it off only when I have to shop online because the credit card verification procedure requires a local IP address.”
Michael Gazeley, managing director of security firm Network Box, said he has seen more questions about how people can protect their privacy with technology like encryption.
“There are a lot of people who are asking not because they are directly or would be directly impacted by the law. But they asked more because maybe, due to the law, there is going to be more scrutiny or examination of data,” he said.
Ng said a fellow artist she knows who creates protest-related work has switched her Instagram account to private. She now enforces strict rules on who can follow her account, demanding that her more than 2,800 followers conceal their identities by hiding their faces, real names and dates of birth, as well as remove any protest slogans from their bios.
Hong Kong needs Beijing approval to handle national security law cases in three situations
But more than such elaborate measures, cybersecurity experts the Post spoke to emphasised the importance of basic cyber hygiene to protect users’ digital safety.
“Many times, [hackers] need a bug to be able to unlock a smartphone,” said a Hong Kong-based cybersecurity researcher who declined to be named because he was not authorised by his employer to speak. “So if you install the latest software and operating system updates as soon as they arrive, the possibility that anyone can hack into your phone will be far smaller.”
He also recommended that people avoid making phone calls outside of end-to-end encrypted apps. Before sending a phone away for repair, it is important to do a factory reset, which restores the phone’s original setting and wipes out all data, including sensitive ones like passwords and personal messages, he added.
“As long as you adopt good cyber hygiene, it would take a vast amount of resources for someone to crack your phone,” he said.