Hong Kong authorities asked Apple, Google, Facebook and Twitter for information on 1,399 users between July 2019-June 2020 and hundreds of requests were granted until the advent of the national security law caused the tech giants to stop cooperating, according to the companies’ transparency reports for the period.
It was not clear from the reports what kind of data Hong Kong authorities requested. Months of pro-democracy protests and unrest – organised and fuelled partly by social media and messaging apps – began in June 2019. Some requests may have been made as part of investigations into crimes unrelated to the protests, such as credit card fraud or stolen devices.
After Beijing imposed the sweeping national security law on Hong Kong last June 30, US technology and social media giants including Apple, Google, Facebook, Twitter and Telegram announced they would halt the processing all data requests from the city authorities.
In response to an HKFP enquiry on their transparency data and their latest approach to Hong Kong government requests, Apple and Google said they had no additional comment, though a Facebook spokesperson said its policy on such requests remained unchanged.
Twitter’s transparency report indicates it received 13 requests from Hong Kong for user information during this period but has never complied with the requests. It did not respond to HKFP’s enquiries on its latest approach to Hong Kong government requests.
Telegram has no published transparency data available for any country. A spokesperson said: “We have not shared any data with the Hong Kong government,” but did not indicate its approach regarding future requests made under the security law.
In their transparency reports, Apple and Facebook differentiate between supplying “content” and “non-content” data, with requests for the two types of information handled differently. In general, content data covers emails and other messages, lists of contacts, photos and what is said in social media posts.
Non-content data is metadata such as login time, IP addresses, registration information, or even the number of characters contained in a message – but not what the message says.
After the security law came into force, Apple told news media – including Bloomberg and TechCrunch – that requests for user content data must be submitted through the Mutual Legal Assistance Treaty between the US and Hong Kong.
Apple said it stored iCloud data for Hong Kong users in the US. Requests to access user content must be approved by the US Department of Justice and supported by a warrant issued by a US federal judge, before the data could be handed to Hong Kong. It was also “assessing” the new security law, the company said.
Its statement at the time made no mention of data it had given to authorities that did not involve “user content.”
Apple received three types of requests from Hong Kong authorities between July 2019 and June 2020, according to its transparency reports for the period.
|Request types||What it means||Example of the data supplied|
|Device requests||Data from specific iPhones, Macbook computers or other Apple devices.||Such as customers associated with devices, device connections to Apple services, purchase, customer service, or repair information.|
|Account requests||Date from specific Apple iCloud or iTunes account identifiers, such as Apple ID or email address.||Non content data such as subscriber, account connections or transactional information.|
Content data such as stored photos, email, iOS device backups, contacts or calendars.
|Financial identifier requests||Data from specific financial identifiers, such as credit card or gift card number.||Such as transaction details.|
The Hong Kong government made 16 requests for data for 25 Apple accounts in that period. The company rejected five of these requests in part or in full, but complied with seven – although it supplied only non-content data. It was not clear what happened in the other four cases. Apple did not provide “content data” in response to requests from Hong Kong during the period, the report said.
Non-content data may include “subscriber, account connections or transactional information,” the transparency reports say, while content data refers to material “such as stored photos, email, iOS device backups, contacts or calendars.”
Separately, Apple also received 294 requests from Hong Kong for information on 355 devices during this period. Data was provided in response to 169 of these requests.
The company also provided data in 128 out of 293 requests for information related to financial identifiers, such as credit card numbers registered on the Apple app store. These involved 765 financial identifiers.
In its transparency reports, Apple said it only responds to valid legal requests from governments, and will “challenge or reject” them if they are invalid, unclear, or overly broad. The requests may be related to investigations on stolen devices or credit card fraud, and are responded to through a “centralised and standardised process” by a legal team.
The company would also notify its customers of such government requests unless explicitly legally banned from doing so, or if notification would risk causing injury or death to an identifiable person, or if it would endanger children, the reports said.
Apple did not respond to HKFP’s question over whether its Hong Kong users had been notified of government data requests.
Wong Ho-wa, a data scientist and current Election Committee representative for the IT industry, said customer data is typically understood to include both content and non-content data. “It is not quite fair” to users if companies have policies which differentiate between the two categories of information, he told HKFP.
Both content and non-content data are “part of personal privacy and should be handled under the same policies, so I don’t see why it should be different,” Wong said.
Facebook received a total of 503 requests for user data from Hong Kong authorities from July 2019 to June 2020. Data was provided in response to 174 of these requests.
Some 262 of these requests, relating to 285 user accounts, were made between January and June 2020, its transparency report showed. It responded to 24 per cent of these requests and rejected the rest, “our lowest compliance rate” since 2015, a spokesperson said in response to HKFP’s enquiry.
Facebook said it does not provide content data such as “contents of communications (e.g., message headers and IP addresses)” in response to requests from various governments. But it may provide “basic subscriber information” including “name, length of service, email address(es), and a recent login/logout IP addresses and other transactional information.”
But the company’s position on Hong Kong requests has remained unchanged since last July. “We have paused the review of government requests for user data from Hong Kong,” the spokesperson said.
In the case of other places, “[w]e scrutinise each government request we receive for user data to make sure it is a valid legal request, and we push back on requests that appear over-broad or vague,” a spokesperson said in a statement. “Where appropriate, we will legally challenge deficient requests. “
“As a member of the Global Network Initiative, we are committed to evaluating any legal requests from governments against international human rights standards, not only local law.”
The Global Network Initiative is a coalition of companies, non-profits and universities which pledged to safeguard against internet censorship and safeguard personal privacy against government restrictions.
Google received 183 requests from the Hong government to disclose user information between July 2019-June 2020, involving a total of 393 accounts. Some data were provided in almost 80 per cent — or 146 — of these requests, the company’s transparency report said.
The report does not indicate what such data might consist of, or whether they include content data or metadata.
“We carefully review each request to make sure it satisfies applicable laws. If a request asks for too much information, we try to narrow it, and in some cases we object to producing any information at all,” Google’s transparency report stated.
The company will review the requests based on US law, the laws of the requesting country, and international norms set by the Global Network Initiative’s “Principles on Freedom of Expression and Privacy“, its privacy terms read. These state that participating companies pledge to protect personal privacy consistent with international human rights laws or standards.
Google stopped responding directly to data requests from the Hong Kong authorities after the national security law was enacted, the Washington Post reported last August. The requests would be treated in the same way as those from China, through the US Department of Justice under a Mutual Legal Assistance Treaty.
“As always, authorities outside the U.S. may seek data needed for criminal investigations through diplomatic procedures,” a Google spokesperson said at the time.
Google did not respond to HKFP’s enquiry on whether its approach to Hong Kong requests remains the same almost a year after the national security law came into force.
A ‘responsibility’ to educate
Wong said social media and tech companies could do more to educate users about the data they disclose to authorities. “Tech giants have the responsibility to educate ordinary people on how their data are stored,” Wong said. “They may seem to have done their jobs by making disclosures in reports, but ethically speaking they should make it clear that they have different policies on customer data.”
Non-content data would also be useful in law enforcement investigations. “Suppose that the content of an email was removed apart from the email [address] and IP address. In fact, it would still provide more information for investigation to see if [someone] committed something,” Wong said.
“Even though we may not have seen the data presented in court as evidence, it doesn’t mean it was never used to find evidence about a person.”