by Benjamin Zhou
The Hong Kong government said on March 1 that it had sent 3,593 user information disclosure requests to communication technology (ICT) companies in 2016, a 17 per cent drop compared with the 4,233 requests in 2015.
This is the third year in a row that user data requests had decreased, a positive change for privacy protection in cyberspace. However, details of the procedures continue to be withheld by the largest requester – the police force – even though better transparency would diminish concern about digital rights.
The information was released in a reply to a question raised by LegCo member Charles Mok, an annual practice starting from 2013 aimed at improving protection of citizens’ privacy and freedom of expression on the internet by increasing transparency.
The questions mainly required the government to provide user data statistics (referred to as “information disclosure” in the LegCo document), content removal requests to ICT companies, due process and the government’s plan to improve the request-making procedures.
The numbers have been decreasing in recent years: user data requests decreased by 15 per cent (to 4574) in 2014, 7 per cent (to 4233) in 2015 and 15 per cent (to 3593) in 2016. Content removal requests recorded the same trend: a drop by 17 per cent (to 543) in 2014, 38 per cent (to 336) in 2015 and 40 per cent (to 202) in 2016.
This indicates that the government has been increasingly cautious when it sends out such requests, which may relieve public concern over mass intrusion into our privacy and speech freedom in cyberspace. Although reasons for the decreases are still unclear, challenges from overseas ICT companies might be a driving force for the government’s prudence.
Thanks to statistics revealed by the seven companies including Google, Yahoo, Microsoft, Apple, Facebook, Twitter and Verizon, it is known that 44 per cent of the HK government’s user data requests were sent to the seven firms, while they rejected an average of 40 per cent of the requests up to 2015.
A case in 2012 revealed by Google exemplified the resistance from the tech firms: the Customs and Excise Department was frustrated by Google as the tech firm rejected a request to remove 370 YouTube videos for copyright infringement, due to incomplete notices from the government.
In contrast with the efforts to increase transparency by the international tech firms, the HK government acted passively by only releasing data in response to the legislator’s questions, with some information still withheld.
The police force, which made 88 per cent of all user data requests in the past, has never revealed how many requests were sent with court orders, but has continued to issue a statement saying that “relevant statistics are not available” for the past four years. The police also failed to reveal how many of their requests were complied with by companies.
This information matters because the public concern over citizens’ privacy and free speech rose due to arrests for comments made online, in particular after the Occupy movement in 2014.
Those arrested were charged under Section 161 of the Crimes Ordinance—“access to a computer with criminal or dishonest intent,” which stirred up a public debate over whether this provision should be applied to online comments. This controversy has already jeopardised the government’s authority.
In the meantime, Facebook recorded continuing increases of user data requests from the HK government since 2014, with the amount in the first half of 2016 reaching 190, an increase of 168 per cent compared with the same period in 2015. The rise in requests to the social media platform and controversial arrests makes it more important that the public be informed of the number of court orders and the compliance rate, so that they can see to what extent the government’s practices are scrutinised.
In addition to some figures, another key element that the government has been hiding is its request-making procedure, the disclosure of which is especially important given the fact that Hong Kong does not have a specific law regulating user data and content removal requests from the government.
The law that protects online user privacy, the Personal Data (Privacy) Ordinance, sets forth a list of exemptions, where service providers can hand over user data to the government for “the prevention or detection of crime” or “the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice.”
This wording is too vague and gives the government agencies broad discretion in the request-making procedure.
There should be detailed guidelines on how government departments should handle our personal information in cyberspace. In his question Charles Mok required officials to “set out the ordinances, internal guidelines and codes of practice concerned.”
However, Nicholas Yang, Secretary for Innovation and Technology, dismissed this requirement in his written reply: “They will make the requests in accordance with duty-related laws, established procedures or guidelines, including the Personal Data (Privacy) Ordinance and the relevant code of practice/guidelines,” adding: “we do not have plans to make any change.”
This is not the way to improve governance, if the authorities have such an intent. The continuing decrease in government requests concerning people’s privacy and free speech is substantial progress, but it is far from being enough to win the public trust.
What citizens need to know is whether there is a mechanism in place to protect their rights from being abused. Hence, increasing transparency by setting out the mechanism and making it publicly available should be on the government’s agenda.
Benjamin Zhou is a researcher at the Hong Kong Transparency Report, a project under the Journalism and Media Studies Centre, University of Hong Kong.