In an exclusive interview given to Technical Politics, Charles Peter Mok JP a sitting member of the Hong Kong Legislative Council and the founder of HKNet, an early Hong Kong internet service provider, recounted how recent court cases revealed details of a ‘fishing’ expedition against the devices of those arrested in the 2019 Hong Kong Extradition Bill protests, and discussed the prospects for electronic privacy at home and abroad in the digital age.

Charles Mok was first elected to the Legislative Council in 2012 following a tumultuous battle for the Information Technology functional constituency with Tam Wai-Ho in 2008, which resulted in Mr Mok initiating legal action against Tam in relation to alleged campaign misconduct. As Council member, he has been an outspoken for privacy, freedom of speech and communication rights, where his computer engineering background, business experience and longstanding concern for civil liberties have left him well-placed to comment on issues surrounding electronic privacy protection.

Mr Mok started by describing his journey into politics, a perhaps unusual destination for a successful internet entrepreneur.

“I was educated at electrical and computer engineering in the US, and I started my career as a programmer with computer manufacturers like Digital Equipment and Sun Microsystems. I spent a few years in the US, and came back to Hong Kong and started an internet service provider in the mid-nineties.

“At the time, there was beginning to be a lot of policy issues and questions, for example, how would the government deal with spam or even pornographic content and so on, so I gradually got drafted into some of the government advisory bodies, because they needed somebody who might be familiar with the internet. So, I wandered into politics in a way because of that, but of course also because over the years I have been very concerned, and have been a proponent for human rights and freedom of information all throughout my career.”

Numerous commentators have pointed to the extraordinary loss of privacy which has already occurred over the past thirty years with the infrastructure of surveillance – be it purposeful or passive, intentional or unintentional – today assuming an almost totalistic quality. With literally tens of billions of sensors or points of data input, digital communication networks empower their keyholders with an astonishingly hyaline view of the private lives of others.

“Engineers or programmers never really started to think about that in my generation. We were just creating a product that was suitable for purpose, office automation or whatever, making it easier for people to do their work. … But information technology becomes more about information than technology. At the same time, it has become a tool for communication. First the internet, then the mobile phone, and there’s all these data on your mobile phone, then social media. So, in fact, I think for most of the engineers of the previous generation, we never even thought about it. That was part of the problem.

“One of the biggest problems with technology development or product development before was that these concerns about information security and privacy were an afterthought, and were not made at an earlier stage of development. So that’s part of the problem.

“In this day and age, of course, I think that things are very different, because we would say that this generation of developers … grew up … with the technology, so their perception of the issues and concerns are very different. So, I hope that they would be more perceptive of the issues about privacy and surveillance and security.

“So, I hope that in future it will be better.

“Unfortunately, I still see these problems coming up all the time. I do hope that that will be something that the industry will be more aware of in the future.”

Frequently, in public discussion, privacy advocates will encounter the objection that if you have done nothing wrong, you have nothing to hide. Giving short shrift to the objection, Mr Mok explained that everyone has the right to a private life and the legitimate expectation that details of their private life be kept private.

“This kind of thought, ‘If you have done nothing wrong, you have nothing to fear’, capitalises on the good nature of most people. They think, ‘I’ve done nothing wrong. I’m a good person’, but in reality, there are so many things that people would feel are sensitive about themselves, and that they would like to keep private. That would be why, in many jurisdictions, there are very specific laws, increasingly more laws, regulating sensitive personal data.

“I mean, do you really want to tell me how much money you make? Do you want to tell me how much money you have in the bank? Do you want to tell me all about your personal sexual life or whatever?

“You can think of hundreds of things, such as your full medical history, and so on. So, where do you draw the line?

“If you give the people in power too much power, they will be able to know everything about you.

“Of course, the Chinese Government or the Party will be saying ‘We are benevolent, and we are trying to protect you, and we know everything about you, so we can predict the future and we can make everything safer for you.’ But I think that history has told us that … they would become a dictator and a monster, before they are able to become a benevolent dictator.

“So, I think if you look at many of these legal developments around the world, especially for example in Europe, if you look at all these examples in recent years about GDPR, it is clear that it is the expectation of a lot of citizens that they need more protection for their privacy and their data.

“Even for jurisdictions like the United States where in the past they really didn’t have any laws or clear regulations at all about protecting privacy, … they are beginning to do it, because … they’re realising that they are probably giving up too much control to Google, Facebook and so on. So, California and some other states are beginning to do it. In the not too distant future, there might be Federal regulations and so on.

“In many ways, I don’t think that there needs to be a distinction drawn between the West and the East in this matter. It’s all about whether the authorities at the moment are receptive to people’s demands, or whether they’re still acting more in an authoritarian manner. I do not believe that the average people – of whichever background, or race, or wherever they’re from – would have a different expectation about these basic rights.”

The 1966 International Covenant on Civil and Political Rights states that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation” and that “Everyone has the right to the protection of the law against such interference or attacks.” While important legal protections exist to protect nationals from spying by their own government, few protections exist to guard them from the two hundred plus governments around the globe, not to mention private companies and individual hackers. We asked, therefore, what protection in law citizens should enjoy from extraterritorial infringements of their right to privacy. Is unlawful surveillance conducted from overseas a crime here or there, and what remedies in national or international law would protect against such harms?

“Some months ago, I was reading Edward Snowdon’s book, and that’s an example of some of the laws and accountability for government agencies to report to Senate or whatever, or ask for permission from the courts and so on. Many of these are applicable only to their own citizens, and even at that the agencies seem to be violating their own laws. But the laws themselves are only protecting their own people.

“That’s a very interesting point that you raise. I think that for most people, at the moment, they are probably too busy guarding themselves against surveillance from their own government. They haven’t thought about surveillance from other governments. … To be honest, I haven’t thought about that too much.

“We all understand that one of the problems with the internet that for many matters, extraterritorial jurisdiction, or the lack of it, is actually a huge issue. Whether it is purely about law enforcement or … hacking or whatever, it’s so difficult to catch the real criminals, let alone these foreign governments.”

In 2019, Hong Kong witnessed extraordinary protests against the Hong Kong Extradition Bill, which would allow those arrested in Hong Kong to be extradited to mainland China.

During the protests, some of those arrested had their devices search by law enforcement without their knowledge, with information from their devices later submitted in evidence against them during their trials.

How did Hong Kong get to this point?

“In our situation, some activists and Joshua Wong in particular, were arrested. To him, it was like ‘I thought the police had my phone and put it in a plastic bag, and sealed it. … They didn’t tell me they opened it.’ Within 48 hours, he was released and he was given back his phone. Nobody even told him that it was opened.

“When the time came and he was arraigned in court, there he found among the evidence some of the communications from his phone. So that opened up the question, how did that happen?

“Then I asked in our legislature an official question to the government, and the government answered saying that in the five months that they counted from June to November, they counted that they had opened up 3700 cellphones.

On 8 January 2020, Mr Mok asked the Government (i) how many number of cases there had been since June of last year in which the Police seized and unlocked the mobile phones of arrestees, accessing the information on it, and for how many of such cases a warrant had been obtained; (ii) since when the Police had been using hacking software to unlock mobile phones in order to access the instant messaging contents or other information therein; and (iii) whether the Government will tighten the legislative framework regulating law enforcement’s collection of electronic communications.

In its response, the Government replied that (i) Police processed 1429 involving mobile phones as evidence, and that 3721 mobiles phones belonging to arrested persons or suspects were involved, (ii) that no information on the technologies involved would be released, and (iii) that the “Government considers the existing regime and practice suitable for the situation in Hong Kong and should continue to operate”. Anticipating the latter objection, Mr Mok had written, “The existing Interception of Communications and Surveillance Ordinance merely requires law enforcement agencies to seek authorisation from a panel judge before conducting postal interceptions and telecommunications interceptions, but it does not impose any regulation on the information (including communications content, metadata and personal data) in network communications (such as mobile phones and web servers).”

Reflecting on the scale of police evidence collection, and the manner in which a warrant was obtained and phones were searched, Mok is in no doubt that it amounted to a ‘fishing’ operation, and that failure of legal protection in this instance may well point to broader abuse of existing legal protections.

“To me, three thousand out of five-six thousand people that were arrested was a huge number. So, to me, it is fishing.

“If you understand a little bit about how these people got arrested. You know, so many of them were just in the wrong place at the wrong time. They were arrested, but they were not prosecuted. Some people were said to be badly beaten up, but that was the minority. But in this case, where we’re talking about two out of three phones being opened up and looked at, this is fishing.

“A few days ago, there was a judicial review that was launched in the courts of Hong Kong by one person, one of the affected, one of the persons who were arrested and charged. He went to court with his lawyers for judicial review, and some how he found out that the court didn’t get 3700 court orders to look at all these phones. The police actually went to the court to get one warrant to search a particular office or floor in the police headquarters. This happened to be the computer crime unit’s headquarters. What happened was every time they got a phone, they moved it over to that room to open it.

“It’s ridiculous. I don’t think it takes a lawyer or judge or whatever to think that that is in the spirit or purpose of having a court warrant.

“I don’t want to criticise the court. We’re very cautious about it. We want to maintain and respect judicial independence, but in a way, the police actually put them in a difficult position, and maybe the court wasn’t really vigilant enough in all cases. How could they give a court order like that without really drilling into what the police were actually trying to do?

“So anyway, we hope that there would be something positive, or something more that would be revealed by this particular case. But it shows us that there really might be a lot of abuse, in the sense of how the police is dealing with the technology, not to mention that they are totally non-transparent.

“They are not telling us anything about what they are doing with the phones in terms of how to open it, because you might remember that it was only after the revelation of the Joshua Wong situation that some agency revealed that some of our agencies were actually using software from some Russian hacking company to open up these phones.

“The we found out that that might not actually be the exception among law enforcement around the world. Maybe most of the law enforcement around the world are able to open up these iOS and these Android phones anyway, but they haven’t been very forthcoming about it and people. … There’s a lot of lack of understanding by the public about what they are doing, not to mention the way they were using or misusing the court system and warrant system baffles our mind.

“Over the past several months, I and others of my colleagues have been trying to drill down and get some answers.

“If we didn’t ask, they wouldn’t even have told us that three thousand phones had been opened.

“I actually thought that there were few very high-profile cases like Joshua Wong or maybe three hundred phones, but no it was three thousand phones.”

The judicial review application filed on 13 January 2020 challenges the police decision to search so many devices, and charges that subjects were not personally served with the warrants. According to a Quartz article on the issue, the allegations “have serious implications for citizens’ right to privacy, which is enshrined in Hong Kong’s Basic Law”.

The Hong Kong cases highlight how vulnerable personal data are to exploitation, often without those affected being aware of how they are being harmed until after the fact. It may well be that the erosion of fundamental rights and freedoms, particularly the right to privacy and freedom of speech, is an intractable feature of the digital age, and to the extent that this is the case, the debate as to whether legal and technical remedies are feasible, or whether we need a digital detox, will rage on.

Author: David McHutchon

Article Licence: CC BY-ND 4.0

Picture of Charles Mok: Iris Tong. Public domain.