Like an immature teenager, the Government is not likely to be granted more power to collect personal data from Internet providers until it acts responsibly with it. Saying it is so isn’t good enough for LegCo and the Hong Kong Transparency Report (HKTR).
With privacy scandals happening weekly here in Hong Kong and at a global level, the HKTR has found our government wanting. A cavalier attitude to a lack of protocols pertaining to personal data sourcing, protecting and destroying, after use, puts Hong Kongers at risk.
HKTR, a project run by Journalism and Media Studies Centre (JMSC) of HKU, released their 2014 Hong Kong Transparency Report on Friday (September 26th). The report tracks the user data collection and content removal requests that Government departments make to various online service providers. HKTR criticised the “lack of transparency in Government disclosure and the absence of an independent oversight body” which raises “a serious concern as to what is keeping the Government power in check when it is attempting to access or remove user information online.” Very little, it seems.
Data seekers
In 2013, a total of 5,511 requests were filed from 5 departments to collect user data, such as contact information and IP address. The departments include the Company Registry, Customs and Excise Department, Police Force, Inland Revenue Department and Office of the Communications Authority. 3,846 of the requests were fulfilled by the service providers. The Police Force and Customs and Excise Department, each accounted for 83% and 16% of the requests, explaining requests were targeted at crime prevention and detection, and also law enforcement.
Content removal requests are filed when exiting protocols are breached. Last year, 1,956 cases were filed by 5 departments: the Customs and Excise Department, Department of Health, Police Force, Office of the Communications Authority and Post Office. Almost all the requests were fulfilled. 78% of the requests were from the Department of Health and 20% from the Customs and Excise Department. Requests from the Department of Health were due to suspected auction or sales of unregistered products. And those from the Customs and Excise Department and the Police Force were for copyright infringement offences and crime prevention.
No checks on police power
Currently, there is no clear law or regulation to govern the Government requests. HKTR stated that almost none of the 5,511 user data requests were issued under a court order and they questioned if the Government power was left unchecked. “The Government may abuse its power, even unintentionally, by issuing unnecessary or inappropriate requests to service providers which will encroach on users’ right of privacy,” says Jennifer Zhang, project manager of HKTR. Without protocols, there is not standard for individual investigators to follow. In effect, anything goes.
No power to compel
HKTR also believed the absence of proper regulation means the Government may face a low compliance rate with its requests. “Since their [Government] requests have no legal binding power, such low compliance rate will hinder their crime detection or law enforcement efforts,“ Ms Zhang explains and suggests the Government to make public the current internal guidelines and monitoring mechanisms, and set up an independent oversight body of its actions.
Compliance dalliance
Service providers can, in many cases, choose to comply or not to comply with governmental requests, mostly at their whim. “The Police told us [HKTR] the reason why it did not have an exact compliance rate from service providers was that many of them simply did not respond to the Police’s requests, even though such requests were made for the purpose of crime detection and prevention,” Ms Zhang says.
A known problem ignored
Suggestions have been made to the Government before on this issue but the Administration hasn’t felt compelled to act. IT sector lawmaker Charles Mok asked twice about the details of the internal guidelines and monitoring mechanisms of the Government in 2013 and 2014.
However, in a written reply to Mr Mok in February 2014, then Acting Secretary for Commerce and Economic Development Godfrey Leung wrote: “The Government departments and law enforcement agencies concerned will ensure that these requests are made only when necessary for the purpose of performing duties. Since the existing mechanism functions effectively, we do not think it is necessary to review the relevant procedures/guidelines.” In response, HKTR said that “Mr Leung’s self-reassuring answer was far from informative and convincing from the public standpoint.”
The rampant abuse of collection of data in other jurisdictions, such as that revealed by Edward Snowden regarding the American NSA, has made people in free countries wary of government collecting and retaining their personal data. Government and corporate data leakage in Hong Kong has been the stuff of scandal.
Creating a clear and transparent regime for acquiring personal data from Internet service providers could save themselves huge problems in the future. Apart from reining in the Government, laying down a proper set of guidelines and regulations can help them justify their requests, increasing compliance. It is unlikely LegCo would grant government departments more power to enforce data requests when they seem to lack proper controls to protect the people’s data.
The Government’s weak assurance that they will, without guidelines, act appropriately when collecting personal data from Internet providers does little to inspire confidence in legislators and the public that they deserve more power to do so.
