Saturday, July 23, 2022

[Diplomat] Hong Kong’s New Cybercrime Law Consultation

Hong Kong’s New Cybercrime Law Consultation

The first in a series of post-NSL cyber laws may ironically weaken the tech sector and make Hong Kong’s internet less secure.

This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes and related jurisdictional issues, setting in motion what will likely be a series of legislations of new laws and amendments in the reformed “patriots-ruled” territory under the People’s Republic of China.

The move should come as no surprise. After all, many other jurisdictions around the world have legislated cybercrime in various shapes and forms in recent years. As technology advances, news laws try to catch up. The LRC’s Cybercrime Subcommittee actually commenced work back in January 2019, a full three-and-a-half years ago, to review Hong Kong’s relevant laws, long considered to be grossly outdated.

Indeed, for decades, Hong Kong law enforcement relied on a controversial law under the territory’s Crime Ordinance, known as section 161, for the offense of “access to a computer with criminal or dishonest intent,” and section 27A of the Telecommunications Ordinance, forbidding “unauthorized access to any program or data held in a computer,” to prosecute cybercriminals. However, with a complacency induced by easy convictions, the police and the prosecution in Hong Kong continued to apply the outdated section 161 to computer-related cases way beyond its original legislative intent. The ordinance, after all, was passed back in 1993, long before the advent of the internet, smartphones, and social media.

Then, in a landmark decision by the Court of Final Appeals (CFA), Hong Kong’s top court, in April 2019, certain applications of section 161 were overturned. In particular, as the original law was intended to prohibit someone from accessing another’s computer, before networking was commonplace, the CFA ruled that the law could not apply to someone using his or her own computer to launch or commit the alleged criminal act. The solution was of course to update the antiquated law, and that was largely why the LRC set up a subcommittee to look into this.

While many in the public rightly saw the court’s decision as a victory against police and prosecution abuse, it was also inevitable that a new law would have to be established. The question then should be whether the new bespoke cybercrime law would be reasonable, proportional, and sufficient for deterrence against and punishment for committing cybercrimes.

So, do the current recommendations meet those criteria? I would point out four main areas of concern: proof of intent (or the lack thereof), making available or possessing devices or data for committing a crime, jurisdictional issues, and, finally, sentencing.

No Need for Proof of Intent

Under the category of illegal access to program or data, the subcommittee recommended that “mere unauthorized access should be criminalized as a summary offense, which does not require malice to be an element of the offense, subject to the statutory defense of reasonable excuse.” Similarly, under the section for illegal interception of computer data, the subcommittee “concluded against insisting on proof of an intent to commit a specific offense as this may cause excessive difficulty in law enforcement.”

But more convenience for law enforcement to prosecute may result in higher uncertainty and risk for programmers or companies uncertain of how to comply. The consultation paper did cite certain examples, such as “a search engine normally does not obtain consent from a website before scanning the internet protocol address concerned,” suggesting that such “customary practices” should “continue to be tolerated.”  But the subcommittee only further suggests “a generic defense based on reasonable excuse.” But what if such a generic defense cannot prevent the prosecution from pressing charges? That would cause serious chilling effects among, for instance, white-hat hackers and information security firms, local and overseas, that need to routinely access servers on the internet in order to discover vulnerabilities.

In this regard, the consultation asks, should such a defense or exemption be provided to only accredited cybersecurity professionals, and if such accreditations doesn’t exist, should they be established locally? If not, what should be the requirements for someone to prove his or her qualifications to invoke such a defense? Obviously the subcommittee has no idea how the industry operates, or how difficult, time-consuming, and costly it would be to set up such an accreditation system (which would not work well anyway).

One subcommittee member even made the remark that in order for information security companies to qualify for statutory defense or exemption, a registration system to regulate such firms may have to be set up. If that happens, local and overseas information security professionals and companies may choose to skip the troubles of registration and potential infringements of the law altogether by simply not doing business in Hong Kong anymore, and also suspending any remote surveying of Hong Kong targets for threats and vulnerabilities, leaving Hong Kong’s cyberspace less protected, less safe, and less secure.

Finally, the consultation recommends that “unauthorized disclosure or use of the intercepted data should be prohibited.” This adds great uncertainties for journalists or researchers who often have to rely on data and information from undisclosed sources. Without a whistleblower protection clause in this new law, and of course also without general whistleblower protection in Hong Kong, the public’s right to know will definitely suffer.

Making Available or Possessing Devices or Data for Committing a Crime

This whole topic should make anyone in charge of a IT platform, a cloud provider, even a university providing information services to its students and staff, cringe. The consultation paper justifies the idea by comparing it with section 62 of the Crime Ordinance, which states that “a person who has custody or control of anything, and intends without lawful excuse to use it (or cause or permit another to use it) to destroy or damage property, shall be guilty of an offense.” This may sound perfectly reasonable if that “anything” is a gun or a knife, but extending this to the cyberworld of servers and clouds would be problematic.

Although the subcommittee considers that for this offense, the accused must have “acted with knowledge,” it still casts immense uncertainty on the part of any IT service providers that have little knowledge on what their customers do. The subcommittee further recommends that the ultimate offense committed through such device or data provided need not be limited to cybercrimes, but can be any offense. So, not only would researchers, educators, or information security professionals have good reasons to worry that by sharing codes and information they may be liable for a cybercrime offense, but even email providers may worry if their services are used to organize unauthorized protests by some users that the providers may be liable for a cybercrime offense, even though the ultimate offense committed (such as an unauthorized protest) is not cyber in nature.

Jurisdictional Issues

One of the biggest problems in tackling cyber criminals globally is the issue of jurisdictional constraints. Hackers usually launch their attacks remotely, and they are difficult to locate, let alone identify, arrest, and charge. As a result, although traditionally common law criminal jurisdiction is territorially restricted, many common law jurisdictions are beginning to adopt more flexible approaches. So, the subcommittee recommends that for cases that involve illegal access, interception, or interference of computer data or systems, Hong Kong court jurisdiction can apply as long as any “essential element” of the offense has occurred in Hong Kong; the victim is a “Hong Kong person”; the target computer, program, or data is in Hong Kong; the perpetrator’s act has caused or may cause serious damage to Hong Kong’s infrastructure or public authority; or has threatened or may threaten Hong Kong’s security. But, what constitutes “threatening Hong Kong’s security” or “serious damage to Hong Kong’s public authority”?

For cases involving intermediaries making available or possessing a device or data for committing a crime, any company “carrying on business in Hong Kong” can be liable, including companies without a Hong Kong-registered presence. This can include numerous platforms from overseas or mainland China without a Hong Kong office but that may be accepting subscribers or advertisers or otherwise doing business with Hong Kong entities.


Most of the recommended sentences for these new offenses range from imprisonment for up to two years for a summary or basic offense, to up to 14 years’ imprisonment for an aggravated offense. Comparing with sentencing under similar laws in other common law jurisdictions, these recommendations are relatively harsh. In addition, the maximum sentence for the aggravated offense for illegal interference with computer data and a computer system is recommended to be life imprisonment. This is exceptionally excessive, and may leave the door open for judicial abuse and political repression.

The NSL Factor: What’s Next?

Although the LRC review and the establishment of the bespoke cybercrime law have been a long time coming, Hong Kong is very different today, after the imposition of the National Security Law (NSL), compared to when the review began over three years ago. Indeed, the consultation paper acknowledges the NSL’s enactment by noting: “The duty of Hong Kong to safeguard national security reaffirmed the need for reform of cybercrime laws in Hong Kong and the sub-committee has taken this into consideration in its pursuit of the cybercrime project.” Where was the NSL taken into consideration in the proposal, and what was done differently as a result? The answer may never be known.

In recent years, as jurisdictions around the world rushed to legislate their own cybersecurity laws in the name of combating online crimes, many governments have been criticized for trampling civil rights, using such laws as political tools of surveillance and censorship. While the Hong Kong government has insisted and will continue to insist that Hong Kong’s legal changes will be commensurate with leading Western democracies, we cannot just look at what is written in the law. We must also consider the realities and perceptions of the rule of law and judicial independence. Needless to say, local and international trust in Hong Kong’s legal system has taken a big beating since the NSL enactment.

But this cybercrime law proposal will not be the last. Already Hong Kong has made it clear that a long list of cyber-related legal changes will be carried out under Chief Executive John Lee’s new administration, with a new disinformation law, revision to local rules under the NSL, Basic Law Article 23 local legislation for national security to target foreign interference, and amendments to the privacy law all in the pipeline. After the LRC consultation is completed, the final proposal will be handed to the administration, which will no doubt waste no time in drafting and submitting it to the very cooperative legislature for speedy passage.

All this does not bode well for Hong Kong’s embattled IT industry and its professionals, especially those in cybersecurity, which will bear the brunt of the uncertainties and potential liabilities. Ironically the result may be a further weakened IT sector, and a less secure internet for Hong Kong.

Published: The Diplomat, July 22 2022

Wednesday, June 15, 2022

[FNF] Geopolitics Reshaping the Internet in East Asia

Geopolitics Reshaping the Internet in East Asia

How digital trade agreements and cyber infrastructure resiliency will hold the key to regional competition between the U.S. and China

U.S. President Biden’s recent official visit to Asia highlighted his administration’s emphasis on the U.S.’s Indo-Pacific strategy and the importance of the security of the region. With an increasingly belligerent Chinese regime, engaged in a supply-chain tug of war with the US while supporting Russia’s invasion of Ukraine, the threats of a similar Chinese invasion of Taiwan appear closer than ever before. East Asia is the most delicate flashpoint in today’s world, militarily, for both conventional as well as cyber warfare, and also the key battleground for trade and economic competition.

The growth of Internet commerce and digital economy in East Asia has been phenomenal over the past several decades, making it one of the most important regions in the world for opportunities in digital growth. Led by China’s huge Internet population, which at 765 million stands more than three times that of the U.S., and also other countries in the region, including developed economies such as Japan, South Korea and Singapore, as well as other developing markets with huge potentials such as Indonesia and Vietnam, demands for more advanced infrastructure to serve the region with better connectivity and higher performance, speed and resiliency have been insatiable.

However, after decades of growth in investment and improvements in connectivity, geopolitical realities have taken center stage. In particular, U.S.-China tensions have had the effect of limiting China’s connectivity to the rest of the world, as the U.S. has severely limited China’s ability to attain additional external bandwidth growth, while it has been actively building a new generation of digital economy and data exchange trade alliances. However, some of these efforts may be hampered by the trend of data sovereignty and digital protectionism in many nations in the region. The U.S. and its allies must realise these concurrent forces at play in order to overcome these obstacles and achieve the best outcomes for their pursuits.

U.S. ban on new undersea cables to Hong Kong has long-term effects for China

At the core infrastructure level of the Internet’s global connectivity lies the vast network of undersea submarine cables connecting the continents, and the trans-Pacific linkages between East Asia and North America are undoubtedly among the most critical connections in the world with among the highest demand. For decades, increasing investment in making more direct linkages between two of the biggest Internet markets of the world, China and the U.S., had been most intuitive and without question.

That changed around 2020, when various branches of the U.S. government raised concerns about the Pacific Link Cable Network (PLCN), which was then touted as the first direct submarine cable connecting Los Angeles, California, and Hong Kong, with high-profile investors like Google and Facebook (now Meta). There were two major factors of concerns: first, the landing of the cable in Hong Kong which was perceived to be a jurisdiction that no longer enjoyed enough autonomy from Mainland China, and second, the presence of a Chinese-owned partner among the investors of the cable.

Since then, at least four major submarine cables to Hong Kong with American investment and connecting to American landings have been canceled or rerouted to other locations, including PLCN itself:

PLCN: after the divestment of its Chinese investor, Google and Meta received U.S. approval in December 2021 to operate PLCN between the U.S., Taiwan and the Philippines, and to “pursue diversification of interconnection points in Asia including but not limited to Indonesia, Philippines, Thailand, Singapore and Vietnam.“ The connection to Hong Kong was dropped.

Hong Kong-Americas (HKA): The HKA consortium, which included HKA consortium comprising Meta, China Telecom, China Unicom, RTI Express, Tata Communication and Telstra, abandoned the project and withdrew its application to the U.S. Federal Communications Commission (FCC) in early 2021.

Bay to Bay Express (BtoBE): The BtoBE cable system, with Meta, Amazon, China Mobile as partners, was to connect California directly to Hong Kong, and then Singapore and Malaysia. It has been reconfigured to land in the Philippines, as the CAP-1 cable system, and once again Hong Kong was dropped as a final destination.

Hong Kong-Guam (HKG): The HKG cable system, owned by RTI and Google and their subsidiaries, was to connect Guam with Hong Kong, but its FCC application was withdrew in late 2020, with its future uncertain.

The consequences of the cancellations and rerouting of these important and high-capacity cables are severe for Hong Kong, making the growth of incoming and outgoing bandwidth capacity highly questionable for the immediate to medium term future, undermining its current role as a major telecommunications and datacenter hub of Asia. Indirectly, and more importantly, bandwidth connectivity growth for China will also be limited, as Hong Kong used to play an important transit role for the mainland. 

As a result, China may double down on its strategy to invest in alternative cables to connect to China, through state support or its state-owned telecom enterprises, such as its previous state-backed financial support with “low up-front costs and fast delivery” for developing economies and smaller nations such as East Micronesia and Papua New Guinea, but the scale and impact of these efforts remain limited.

Indeed, in China’s latest central planning documents of its five-year plans, including the one on digital economy development, Beijing has placed significant emphasis on upgrading its domestic and international digital infrastructure, including setting up datacenters in its western inland region to “compute the data from the east,”as well as using the Greater Bay Area (GBA)in the south to create a “international data free trade port,” which will be “powered by a global network of undersea cables planned for the district.” The chosen hub for the GBA, however, is the city of Nansha, in Guangdong Province, not Hong Kong. Given current global geopolitical tensions, such development, even if they are to progress, will likely not involve much or any foreign investment or participation, which, for undersea cable networks, may spell doom for its effectiveness and success. As undersea cables typically take years to decade to plan and build, and have a lifecycle of several more decades, the current slowing down of China’s future capacity improvement will carry long-term effects for China.

China’s aggression in the South China Sea creates regional Internet chokepoint

The South China Sea is a heavily traversed water on the surface, and at its seabed there are “at least 15 submarine cables, each owned by up to 60 international entities,” with China claiming vast water in the region with its infamous “nine-dash-lines." Many of the cables in the region, with consortium partners covering many of the major telecom operators in the region and around the world, as well as others like Internet content providers such as Meta, are said to have been delayed or forced to rerouted to bypass certain areas.

In the not too distant past, datacenter investments in the region were centered around the three main hubs of East Asia, being Japan, Hong Kong and Singapore. Just as operators may be forced to bypass Hong Kong in favor of Taiwan or the Philippines, now if they need to mitigate the additional risks of the South China Sea, it will be natural to reroute their submarine cables as well as datacenters to around the eastern edge of the Sea, through the Philippines, Indonesia and Brunei, or Vietnam and Thailand around the western edge.

With such geopolitical factors, along with demands driven by domestic and regional digital demands from smart cities, cloud adoption, digital commerce, 5G and so on, these economies are experiencing a tremendous boom in datacenter constructions. According to its own government, the Philippines ranks second in Southeast Asia in datacenter market growth, with Manila having a CAGR of 14.2 percent, just below Vietnam’s 14.5 percent. The datacenter market of the country as a whole will reach 11.4 percent by 2026, with investments of over USD535 million.Telstra, Australia’s incumbent telecom operator, even flatly states that “Asian connectivity has traditionally focused on the hubs of Hong Kong, Singapore and Japan but now is increasingly moving to Taiwan, the Philippines, Korea and Australia."

As for Taiwan, which has already been very successful in recent years attracting OTT (over-the-top, that is, content or application service providers) players to invest in large-scale datacenter on the island, such as Google, Meta and Microsoft, will continue to see rapid growth in its datacenter market, estimated to grow at 23.6 percent over the next five years, reaching USD4.47 billion.

Data trade and digital economy agreements can align geopolitical and economic interests

In April, Canada, Japan, South Korea, the Philippines, Singapore, Taiwan (Chinese Taipei) and the U.S. jointly established the Global Cross-Border Privacy Rules (CBPR) Forum, pledging to promote interoperability and bridge regulatory differences on data and privacy protection, and to establish an international certification system to support free flow of data across borders.While some of these countries or economies may have individual bilateral agreements among themselves and with others in, for example, Europe, the clear trend is for these agreements to be more multilateral and cover more jurisdictions in order for potentially more uniform rules to be established.

On a broader level, the Indo-Pacific Economic Framework (IPEF), proposed by U.S. President Biden during his recent trip to Asia, also put digital trade at a high priority, being mentioned first in the first of four pillars in the proposal. Indeed, the White House cited in its declaration that the partners “will pursue high-standard rules of the road in the digital economy, including standards on cross-border data flows and data localisation,” pledging to “benefit from the region’s rapidly growing e-commerce sector, while addressing issues such as online privacy and discriminatory and unethical use of artificial intelligence.” The thirteen initial members are the U.S., Japan, India, South Korea, Australia, Indonesia, Thailand, Singapore, Malaysia, the Philippines, Vietnam, New Zealand and Brunei — comprising of the countries around the South China Sea. Taiwan, which is not included in the IPEF, most likely will be involved in some other ways, as the U.S. and Taiwan have just stepped up its bilateral trade talks, in parallel of the IPEF efforts.

However, the obstacles facing the IPEF partners in concluding final digital trade and data exchange agreements should not be under-estimated. Data sovereignty laws and regulations, taking the shapes and forms of cybersecurity laws, data and privacy laws, or even national security laws, have been established across many jurisdictions in the region. Some countries, like India and Vietnam, similar to China, has established data sovereignty laws requiring data and servers to be stored locally. Vietnam and India also require any foreign online service providers to set up a local branch or representative to be legally accountable and able to respond to government orders and requests.

On the other hand, some other countries in IPEF are more interested in setting up the baseline, framework and rules for data flows and exchanges with other countries. For instance, Singapore has taken the approach of proactively establishing bilateral or multilateral digital trade agreements and data exchanges rules with other countries, such as an agreement with Chile and New Zealand together, and other bilateral agreements with Australia, the U.K., and South Korea, respectively. The country takes the position, similar to the U.S., that data localisation is detrimental to economic growth, financial transparency and cybersecurity.

Protectionism in the region threatens to undermine the reaching of trade agreements

In addition to the trend of data sovereignty in individual countries in the region, there are also legislations in some of these countries that may be deemed as protectionist, and they may become a factor that undermines the final trade agreement to be reached. For instance, a number of recent legislations in Japan and South Korea were established to “level the playing fields” between domestic and foreign telecom or OTT players, with the rationale that foreign service providers such as video, content, cloud or social media platforms should be regulated in the same ways a domestic company would be. For the foreign platform company, they may see the rules as protectionist and made in favor of the domestic incumbent telecom and Internet players.

The Telecommunications Business Act of Japan in 2021 extended regulations over data breaches or communications failures to cover even companies that did not have an office presence or did not host any telecom equipment in Japan, as long as their services were deemed to be provided for the Japanese markets, such as being marketed in Japan, using the Japanese language, or using the Japanese Yen for payment.

Also, South Korea’s amendments to the Telecommunications Business Act (TBA) of 2021 forced the mobile app platform companies to open up their app payment monopolies. The primary target is of course Apple. In addition, the country’s recently proposed amendments to the TBA establishes new interconnection rules for Internet service providers and value-added telecom service providers, such as content providers, that operate in South Korea, requiring them to pay a “sender pays” interconnection fees to the incumbent domestic telecom companies.The primary target appears to be Netflix.

The way forward

Clearly, the Internet, e-commerce and digital economy in the East Asia region are of critical economic and strategic importance to the U.S. and its allies. On the other hand, in today’s digital era, the security and resiliency of the cyber infrastructure and the electronic transactions must also be safeguarded against threats from all adversaries.

Hence, the U.S. and its allies must take proactive steps to strengthen its cyber resiliency in the East Asia region. Indeed, this should be one of the most important key policy objectives for the U.S. in its Indo-Pacific initiatives. The IPEF and CBPR efforts are just the first steps and they will be of critical strategic importance in achieving these goals, and countering China’s “Digital Silk Road” efforts with its Belt and Road partners.

Specifically, the U.S. and its allies must:

1. Establish data flow and technical security standards and rules for undersea cable infrastructure, from construction to operation, and take concrete measures to support and encourage submarine cable investments with partners as part of the IPEF negotiation and final arrangements. To facilitate the consortiums of investors making long-term and large-scale investments for such infrastructure, the U.S. should take the lead to improve the speed and transparency of its licensing and permitting process for these cables investments.

2. Work together to redesign, upgrade and factor in all necessary safeguards for the region’s cable infrastructure, and work around the South China Sea and other chokepoints, to achieve higher degrees of resiliency, security and redundancy.

3. Endeavor to achieve wider multilateral agreements on standards and certifications for data flow and exchange, starting with CBPR, and expanding the coverage to more countries in the region and globally, and in the process emphasising the values of trust,  openness, fairness, security and privacy, in order to maintain global leadership in digital trade against the China-Russian model of digital authoritarianism.

*Charles Mok is a visiting scholar with the Global Digital Policy Incubator of the Cyber Policy Center at Stanford University. He represented Information Technology in Hong Kong's Legislative Council as a Member of Parliament from 2012 to 2020.

Sunday, May 22, 2022

[天下] Can Hong Kong block Telegram? | 香港政府能封鎖Telegram嗎?

Can Hong Kong block Telegram?

In a committee meeting of the legislature of Hong Kong, the territory’s Privacy Commissioner made a comment on her dissatisfaction with “certain overseas platform” in its handling of requests to remove doxxing information. With these cases numbering “sometimes over 200 a week,” the commissioner said she would consider further actions to escalate. 

And then, a local media leaked the platform in question to be Telegram, a popular messaging application. Right away, the Hong Kong public were asking, will the authorities block and ban Telegram? A whole host of pro-government legislators jumped at the opportunity to call for a blockage. And international media such as Bloomberg reported the news to the world as another example of Hong Kong’s recent draconian measures against freedom of expression. 

To block or not to block? Blocking Telegram is easier said than done. Those in the tech sector will remind others of Russia’s attempt to do exactly that, and it failed. Can Hong Kong achieve what Russia couldn’t? In 2018, the Russian government demanded Telegram, which actually was founded originally as a Russian company, to provide its encryption key to officials, so that the government could try to monitor content on the platform. Telegram refused, and then the Russian government blocked the IP addresses used by Telegram. 

There was just a problem — Telegram is not a website, but an Internet based application service. When Russia blocked those IP addresses used by Telegram on a dynamic basis, those other services or websites sharing the same common cloud platforms used were also affected. We are talking about popular global cloud platforms such as AWS, Microsoft Azure and Cloudflare. Those “accidental victims” that were blocked even allegedly included some of Russia’s government’s own websites. 

Four years have passed, are there any new ways to block? Apparently not. The whole Internet today may actually be even more reliant on such cloud services. Indeed, in June, 2020, Russia actually “unblocked” Telegram. Most ironically, the Russian government was found to be using more and more of this messaging platform over the years, including official and legitimate services to citizens, as well as using it to spread disinformation. 

Some people may ask, well, then, why can China do it? And not only Telegram, but a wide range of other websites and services. If they can, why can’t Russia and Hong Kong? The simple answer is that the Great Firewall of China — its notorious censorship mechanism — is based on a series of infrastructure and policy elements that most notably depended on having government agencies and state-owned telecom enterprises keeping absolute control over its Internet gateways to outside of the country, beginning from decades ago when the Internet infrastructure was built for China. 

That was, and is, not the way in Russia or Hong Kong, and probably any other country in the world save a few like North Korea. It’s not as simple as passing a new law, or setting up a new piece of censorship software, to “become like China.” So, the other countries most likely will have to undertake a series of targeted means — technical, administrative and legal — to “handle” the content undesirable to their autocratic rulers. 

So, all we can say is that, if Hong Kong wants to find a way to block Telegram, it probably won’t be easy, but no one can stop them from trying. 

One may recall that back in 2019, during the season of anti-extradition bill protests, there were also news leaks from the Hong Kong government about how it was “seriously considering blocking Telegram.” Presumably because of the technical difficulties, that did not happen. However, late in that year, the government applied for, and was granted, a court injunction to prohibit anyone from “wilfully disseminating, circulating, publishing or re-publishing on any Internet-based platform or medium (including but not limited to LIHKG and Telegram) any materials or information for the purpose of promoting, encouraging or inciting the use or threat of violence, intended or likely to cause bodily injury or property damage unlawfully in Hong Kong.” Telegram, along with a local bulletin-board style platform LIHKG, were indeed singled out since two and a half years ago. 

Since then, numerous Telegram group administrators have been arrested, charged and sentenced for a variety of charges of crimes. So if the authorities are still feeling that is not enough, and a technical blockage of Telegram may be difficult, then what can they do? The first possibility is to find an “excuse” to apply to the court for the two main mobile operating system platforms of Apple and Google to remove the Telegram app from their online stores. That way mobile phone users registered in Hong Kong will not be able to directly download and install the app, but users registered from other locations, as well as local users who already had the app on their phones or PCs, will still be able to use it. 

But if the Hong Kong authorities do that, international reaction must be one of immediate and inevitable indignation, and almost guaranteed to draw the attention of western governments, with little practically meaningful effect to block. Is that worth it? In today’s Hong Kong, nobody can bet against the authorities’ irrationalities. 

Some may suggest, why can’t Hong Kong legislate to ban Telegram altogether, so if anyone is found to have it on their phones or PCs, they can be fined or prosecuted. Possibly, in today’s completely submissive and obedient Hong Kong legislature formed after a “perfected” electoral reform, passage of such a law may not be a difficult task at all. 

However, blocking certain applications, websites or even companies by naming them in the law is still somewhat unprecedented, and it may not be as easy as it sounds to define the scope of the blockage. I would rather point out that for authoritarian regimes, rather than banning a given list of services, they may prefer to set out a set of vague and broad criteria of what would be illegal, for highest flexibility and maximum reach, that is, similar to the injunction of 2019. 

In the past week, conflicting news emerged such that, on the one hand, some media outlets reported that the authorities would seek guidance from China in order to adopt “the most vehement ways” to block Telegram, while other sources revealed that the authorities privately acknowledged the technical difficulties and were only raising the rhetoric to pressure Telegram to improve its compliance. 

Well, no one can predict the future action of an irrational regime, but the fact remains that personal data protection and privacy protection by law in Hong Kong has been cornered into “anti-doxxing” alone, a rather disproportionate way of handling a matter of huge importance to citizens’ protection as well as a territory’s economic development. 

Certainly doxxing is not to be condoned, but any attempt, legal or otherwise, to mitigate this issue may be done in balance of other important factors including freedoms of information and the media. Of course, in reality, such expectations are increasingly impractical and untimely for today’s Hong Kong.

What I found most “interesting” about the two sides of this discussion — the pro-Beijing faction calling for strict blockage of such foreign platforms, or the citizens concerned about losing yet another service for their day-to-day use — few seem to remember that even if Telegram is “successfully” blocked in Hong Kong, doxxing of these same targets will continue to carry on outside of Hong Kong. The “extraterritorial jurisdiction” put into Hong Kong’s privacy laws, including the doxxing related amendments passed in Hong Kong last September, are still very hard to enforce. Simply pushing doxxing out of sight in Hong Kong hardly solved the problem.

So the current controversy is also about the impracticality of extraterritorial jurisdiction of the law. The government and the legislature like to put this in all the digital-related laws, almost as a manifest of “digital sovereignty,” even though it is harder and harder to receive recognition for such jurisdiction right from regimes overseas, as Hong Kong becomes more and more isolated diplomatically and internationally. Will Hong Kong’s next step be to legislate to be able to forcibly hold foreign companies accountable for everything that happens outside of Hong Kong, resulting in a de facto eviction of more global companies from Hong Kong?

So, if we are to ask the question, what a Telegram block will mean for Hong Kong’s free flow of information and its role as a regional information center and commercial hub? I can only say that these past descriptions of Hong Kong’s role as a center and hub have been slipping farther and farther away in these two years. Hong Kong’s sharp decline indeed is a huge contrast to Taiwan’s digital economy development. 

May Hong Kong also serve as a reminder for vigilance and a caution to how delicate and easy that freedoms can be stripped from a previously vibrant society.

Published: CommonWealth Insight on May 25 2022










不過,沒有人能說他們不會嘗試。回想2019年也曾有消息傳出,香港政府曾經認真考慮禁止Telegram和連登討論區,不過當時可能因為技術限制,最後沒有發生。反而在當年10月底,當局採取了以律政司向法庭申請禁制令的方法,禁止任何人「故意在任何基於互聯網的平台或媒介上傳布、傳播、發布或重新發布任何目的在於促進、鼓勵或煽動使用或威脅使用暴力的材料或信息」,禁制令中更指明「包括但不限於LIHKG 連登和Telegram」。










Published: 獨立評論 @天下 on May 21 2022

Tuesday, May 10, 2022

[FNF | 天下] Taiwan can be East Asia’s New Internet and Data Hub | 亞洲最新的網際網路及數據樞紐?台灣能!

Taiwan can be East Asia’s New Internet and Data Hub

In the second half of April, Taiwan scored two major wins in consolidating its regional and global positions in digital future and data trade within a week’s time, with relatively little fanfare or local attention. Is Taiwan on the verge of a golden opportunity to transform its economy, yet without its broader business, industrial and political communities knowing its own full potential?

On April 28, 2022, the United States and “sixty partners around the world” together launched the Declaration for the Future of the Internet. Taiwan was among these partners, which included the European Commission and governments from all over the world, and the U.S. itself. As the signatories of the declaration were in effect all governments, the diplomatic choice to use the word “partners” instead of “countries” was clearly made for including Taiwan.

As a matter of background information, the concept for an Alliance for the Future of the Internet was floated by the U.S. White House shortly before the end of 2021, and was intended to be announced at the Summit for Democracy in early December. However, the plan faced pushback from the digital rights as well as technology business communities and was criticised for being merely an extension of the Trump administration’s “Clean Network” initiative, for alliance member countries to pledge to “use only trustworthy providers” in core Internet infrastructure, which makes the alliance a “no-China” club but lacks focus for the global Internet to adhere to democratic, human rights and accessibility values. Civil societies and Internet companies also felt left out of the process and without a seat at the table.

Taiwan has a place in the future of the Internet

As a result, days before the Summit for Democracy was to commence, the announcement of the alliance was delayed, until now. The April 28 announcement of the declaration takes on somewhat of a looser form compared to an alliance of national and territorial governments. The declaration itself also adjusted its focus to a more principles-driven vision for the Internet based on human rights and fundamental freedoms including expression and pluralism, increased access and affordability, safety and privacy, fair competition, and a trusted and secure infrastructure. Also, likely as a response to the more recent “splinternet” controversy that arose out of the Russian invasion of Ukraine, the declaration emphasised a global Internet and the need to refrain from shutdowns, blocking lawful content and services, and free data flows.

But the declaration is still significant in many ways, and may represent the prelude to a series of international lobbying in preparation for the important election of the next secretary general of the International Telecommunication Union (ITU), the technical body under the United Nations (U.N.) in charge of the world’s telecom standards and regulations, where a Russian candidate and and a U.S. candidate will face off later this year. With China and Russia “fully cooperating” to try not only to dominate the ITU but also to wrestle away global Internet governance from the multistakeholder ICANN to the ITU — and hence the hands of national governments — the signatories may represent one of the most visible actions to date to counter the efforts of China and Russia.

Even though Taiwan is not a member of the U.N. nor the ITU, the inclusion of Taiwan among the democratic allies and their effort to “reclaim the promise of the Internet,” as described in the declaration, is symbolic and significant. It is also important to note that, despite the U.S.’s emphasis on the Indo-Pacific region in recent years, the declaration was endorsed by relatively few Asia Pacific partners, with only Australia, Japan, New Zealand and Taiwan, and Pacific islands such as Marshall Islands, Micronesia and Palau, with major Asian countries and technology leaders such as India, South Korea and Singapore notably missing. That makes Taiwan stand out even more.

However, the news of Taiwan’s inclusion in the U.S.-led declaration apparently only received relatively limited press coverage in Taiwan, with the attention placed on digital minister Audrey Tang representing the government in the online signing ceremony with other global partners, repeating the rather plainly worded Ministry of Foreign Affairs press release and with little commentary or analysis on any of its importance.

A seat at the table in setting global data rules

Similarly, a week before the announcement of the Declaration for the Future of the Internet, Taiwan became a member of the Global Cross-Border Privacy Rules (CBPR) Forum, on April 21, 2022, along with Canada, Japan, the Philippines, Singapore, South Korea and the U.S., this time under the name of “Chinese Taipei.” In the statement from U.S. Commerce Secretary Gina Raimondo, the Forum “intends to establish the Global Cross Border Privacy Rules and Privacy Recognition Processors (PRP) Systems, first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognised data privacy standards.” The “APEC CBPR” System will facilitate and establishment the framework for and promote mutual recognition and trusted international data flows.

Again, Taiwan’s Ministry of Foreign Affairs put out a press release, stating that its inclusion on the Forum will have a positive impact on “international cooperation on privacy protection and cross-border digital trade development.” Indeed, the potentials for Taiwan can go way beyond this general description.

In recent years, the U.S. and the E.U. have been embroiled in a longstanding dispute about data transfers, not the least because the E.U. has led by setting up very comprehensive privacy and data protection laws, while the U.S. has not. Recently in March 2022, however, the U.S. and E.U. finally entered into a data transfer agreement. Meanwhile, earlier in June, 2021, China’s Data Security Law also came into effect, enabling a comprehensive regulatory regime for its data and security governance, including data sovereignty and requirements for local storage, with a focus on national security. Data may be the new oil, but without the pipelines and the agreements on how to transfer and exchange these data, the full economic potentials will not be realised.

In Asia, there is no comprehensive region-wise data and privacy framework, like the E.U.’s General Data Protection Regulation (GDPR), and the regulatory regimes in countries and territories can vary greatly, if they exist. The U.S.’s CBPR initiative is obviously an attempt to counter China’s influence and to take leadership to emphasise on data transfers and related business opportunities, while the Chinese regulations tends to focus more on forcing companies to keep data within China. As such, Taiwan can play a critical role.

Taiwan can fill the void left by Hong Kong

In recent years, Taiwan has made headways in its Internet infrastructure and established a respectable regional presence. Major U.S. technology giants such as Google and Meta have chosen Taiwan to host their regional datacenters, along with Singapore, but instead of Hong Kong. When Google and Meta jointly invested to build what would have been the first direct trans-Pacific undersea cable — the Pacific Light Cable Network (PLCN) — between California and Hong Kong, and the U.S. government eventually refused to allow the PCLN to reach Hong Kong, Google and Meta had to revise their proposal to have the PCLN terminate in Taiwan instead in order to receive the license approval from the U.S. In the PLCN “national security agreement” between Google and Meta with the U.S. government, the investors agreed to “pursue diversification of interconnection points in Asia, including but not limited to Indonesia, Philippines, Thailand, Singapore and Vietnam.” That could very well mean connecting to these countries from Taiwan.

In other words, Taiwan is poised to take over at least part of the role of the region’s telecommunications and Internet hub vacated by Hong Kong, as the latter’s position has been compromised since the implementation of the National Security Law from Beijing in 2020, and the subsequent political crackdowns, followed by various U.S. sanctions. While Taiwan will not be able to displace Hong Kong interconnection role into the mainland and the Greater Bay Area, it has a good chance of taking over some of the regional and international traffic and data flows in East and Southeast Asia, especially new growth in demands, because the non-China international capacity of Hong Kong will grow much more slowly than before, if at all, in the foreseeable future.

This may be a perfect opportunity for Taiwan to set its goal to become the regional Internet, data and technology service hub for East Asia, like Singapore for Southeast Asia. For years, Taiwan has been trying to diversify its industrial base and its reliance on the semiconductor, electronics and manufacturing sectors. Even though Taiwan’s prospects for its semiconductor industry still look great, it is always smarter to spread the eggs in more baskets during good times.

Next Steps for Taiwan - What should Taiwan do ?

I humbly suggest the following for Taiwan to upgrade its grand vision, soft infrastructure and skills base:

1. Establish Taiwan’s digital economy strategy, covering all aspects of government and industry digital transformation, attracting foreign investment and supporting research and development, as well as education and manpower development, and let the world know Taiwan is more than about semiconductor and electronics.

2. Update its legal and regulatory regimes on data and privacy protection as well as  telecommunications with a view to liberalise and attract international investment and more data and services exchange with other Asia Pacific economies, and also to catch up  with data and privacy regulations in Europe and other leading countries.

3. Double down on the effort to develop the telecommunications and Internet sector, leveraging on inroads already made in datacenters and infrastructure, attract more investment and expand regional connectivity and capacity with its East Asian neighbours such as Japan and South Korea, as well as the U.S.

4. Learn from the Singapore playbook and negotiate bilateral agreements on digital trade and data transfers with other countries, similar to Singapore’s proposed pact with the U.K. Again, as it is unlikely for Hong Kong to enter into data trade agreements with leading western economies in the near future, Taiwan is well placed to take over.

There is no need to abandon what Taiwan has been doing well, but this is the best chance for it to expand and diversify into new areas of economic growth, that would not only greatly benefit Taiwan but also offer the opportunities for its allies to help, support and bolster its regional strategic and economic importance. That can truly be a win-win situation.

Published: Friedrich Naumann Foundation, May 3 2022



Also published on CommonWealth Magazine, May 5 2022 (English)




早於半年多前,當美國總統拜登政府還在籌備12月的線上民主峰會時,已計劃在峰會上宣布成立「未來網際網路聯盟」。然而消息一出,卻遭受各方質疑和批評。無論是數位人權組織或科技企業,都察覺到這個聯盟似乎只局限於川普總統時期的「乾淨網路計畫」(Clean Network),要求盟友保證在其網路基礎建設內只會使用可信的技術供應商。換句話說,除了籠統地承諾不使用來自中國的產品,這個聯盟並未聚焦網際網路發展的重要價值觀,包括民主、人權等;加上公民社會團體和網路企業都未能直接參與,私底下都表示不滿。







在宣言發布前七天,台灣以創始會員身分加入由美國領導、美國商務部長Gina Raimondo宣布成立的「全球跨境隱私規則論壇」(Global Cross-Border Privacy Rules Forum,GCPR),成員包括加拿大、日本、菲律賓、新加坡、南韓、美國及台灣;而論壇的目的包括建立首個數據私隱認可機制,讓企業能藉以顯示自己已遵從國際數據私隱要求,便利各地互認機制,容許國際數據交換及轉移。














Published: 獨立評論 @天下 on May 9 2022

Wednesday, April 13, 2022

[OPTF] Teardown of Hong Kong’s internet freedom

Dialogues on digital rights: Teardown of Hong Kong’s internet freedom

April 12, 2022 / Digital rights / By Charles Mok

This article is a part of a series of essays commissioned by the OPTF, written by people from all around the world. Charles Mok is an internet entrepreneur and IT advocate. He was formerly a member of the Hong Kong Legislative Council and founded the Hong Kong chapter of the Internet Society. He is currently a Visiting Scholar at the Global Digital Policy Incubator at Stanford University.

For decades, Hong Kong has maintained one of Asia’s freest Internet environments, despite being a part of China. As a special administrative region, reverted to Chinese sovereignty since July 1, 1997, Article 30 of Hong Kong’s Basic Law(1) guarantees the freedom and privacy of communication of residents. 

But such freedom has not come without challenges. Over the years, Hong Kong’s government has made some attempts to curtail such freedom. In 2012, it launched a consultation of the Control of Obscene and Indecent Articles Ordinance (COIAO) (2), the territory’s pornography regulation, in which the authority initially proposed the implementation of a mandatory “operator-level content filtering,” that was fortunately abandoned after opposition from the public and the Internet community(3). 

Then, in 2016, after years of consultation and legislative attempts by the government to update its digital copyright protection regime, an amendment bill was shelved following weeks of filibustering by opposition lawmakers, reflecting widespread public mistrusts of the government’s intention, as it tried to criminalise online derivative works of copyrighted materials, despite the promise of exemptions for parody(4). 

Defending Internet freedom, before National Security Law

To be fair, these legislative attempts were not dissimilar to actions taken by many western governments to regulate the Internet for reasons of public security, illegal content or intellectual property protection. Yet, the fact that they failed stood as a testament of Hong Kong’s former vibrancy and pluralism of its civil society and legislature, even if the political system was far from truly democratic.

Nevertheless, a question always stands on many people’s mind — will China’s Great Firewall be extended to Hong Kong? Fortunately, Hong Kong’s telecommunications environment has been completely liberalised for more than two decades, allowing investment and licenses for international operators, compared to China’s external Internet gateways, which are still strictly controlled by state-owned enterprises. Furthermore, Hong Kong being a hub of telecommunications, underseas fibre optics and datacenter facilities, as well as an international financial centre, has made it more difficult for China to impose the same mainland-style restrictions, at least until more recently. 

With few legal or operational mandates to censor the Internet, for more than twenty years Hong Kong’s Internet was indeed among the freest in Asia. But such advantages were hardly guaranteed without a democratic system of government. Over the years, as the political situation in Hong Kong turned more oppressive, local netizens were becoming more worried of looming crackdowns on the online freedom of expression they enjoyed. 

For example, in 2014, during the Umbrella Movement, when a large part of the Central business district was occupied by protestors for months, there were rumours abound that the government would shut down the area’s cellular wireless coverage. Although such a shutdown did not materialise, countless citizens downloaded an app called FireChat, which would enable them to communicate with one another over Bluetooth, even if all mobile or Wi-Fi networks were disabled in an affected area(5). As there was no shutdown after all, most people never got to use the app. 

Fast forward to the territory-wide protests in 2019, ignited by the unpopular “extradition bill” proposed by the government. Protesters relied heavily on the use of Internet tools and messaging platforms, most notably Facebook and Telegram, to share information, as well as to organise and mobilise. More controversially, some protestors posted personal information of police officers and government officials on the Internet, followed by government supporters retaliating by doing the same, only on a much bigger scale, resulting in a proliferation of doxxing by both camps. The government resorted to accusing protesters of causing harms to the police, government officials and their families, and sharing “fake news.” 

On October 31, 2019, the government applied for and was granted an injunction from the High Court, prohibiting anyone from communicating through “any Internet-based platform” any materials that “promotes, encourages or incites the use or threat of violence, intended or likely to cause” bodily injury or property damage. Besides the injunction being too broad and too vague, the use of such legal manoeuvre to obtain a court injunction effectively enabled the government and law enforcement to easily and conveniently bypass the legislature to impose online censorship unseen in Hong Kong before. 

The Internet Society Hong Kong(6), concerned(7) about establishing the precedence for arbitrary content deletion and prosecution, the chilling effect on netizens, and the detrimental impact on the territory’s Internet freedom, applied to the court for discharge or restrict the injunction(8). Unfortunately, on November 15, the High Court ruled to continue the injunction, with minor amendments to its terms to emphasise the wilfulness of the act(9). The injunction remains active, as part of the growing arsenal of censorship tools that law enforcement can use in Hong Kong. 

NSL: the next chapter, but not the last

Next came, of course, the National Security Law (NSL). With the implementation rules of the NSL (10) taking effect on July 7, 2020, the NSL, in effect from July 1 -- not passed in Hong Kong but imposed from the central government in Beijing -- allowed simply an authorised “designated police officer” to order the takedown of messages or content on any electronic platform that was deemed “likely to constitute an offence endangering national security or is likely to cause the occurrence of an offence endangering national security,” by the relevant platform, hosting or network service providers. Failing to comply, the service provider could face the seizure of their electronic device, plus fines and prison terms of up to six months. Moreover, Hong Kong’s chief executive could authorise the police to intercept communications and conduct surveillance to “prevent and detect offences endangering national security.”

The gross lack of transparency and oversight of the NSL, and the vague and arbitrary scope for what it is meant by “likely to constitute an offence” are obviously problematic, to say the least. And such concerns have since been manifested in the blocking of politically sensitive websites such as HKChronicles (a wiki-like website with details of police officers and pro-Beijing individuals), June 4th Online Museum, a number of Taiwanese websites, and most recently, Hong Kong Watch (a human rights group based in the U.K.)(11). As a matter of routine, the police would not even comment or acknowledge whether the blocking of such websites was made based on the application of the NSL. 

In addition, the government also amended the Personal Data (Privacy) Ordinance in September, 2021, to empower the regulator to investigate and prosecute acts of doxxing, but without strengthening the overall protection for data and privacy of all citizens, leading to concerns of selective enforcement and political weaponisation of privacy protection(12). Furthermore, there were also a number of cases where administrators of various Telegram channels or groups were belatedly arrested, charged and sentenced to hefty jail time for “inciting riots” during the 2019 protests(13). All these have added to the silencing of critics in Hong Kong, as a mood of self-censorship has settled in. 

The future is grim

So, what next? With the secretive national security police apparatus estimated to number  4,000 local officers, not even including any agents or officers from the mainland, clearly they must find ways to keep themselves busy. Expect more expansive application of the NSL, offline and online, local and abroad — as the law asserts jurisdiction over anyone, anyhow, anywhere, even if such persons have never been to Hong Kong. For instance, it is now legally possible for the Hong Kong authority to demand social media companies to remove content it deemed undesirable even if such companies’ servers or offices are not even located in Hong Kong(14). 

Moreover, the interpretation for what constitutes national security will also look to be wildly expanded as the regime sees fit. Already, Stand News, a leading pro-democracy online news outlet, was closed down, after its editors were arrested for “inciting hatred toward the Hong Kong government.” Recently, two storeowners were also arrested by national security police on charges of sedition because of their anti-vaccination posts on social media(15). 

But Beijing and Hong Kong authorities will not stop with just the NSL. The government and local pro-Beijing politicians who now completely dominate the rubber-stamp legislature are calling for the establishment of a “fake news law,”(16) which is likely to happen in 2022, even though the territory’s corps of pro-democracy media have all but been totally eliminated. In addition to further stifling any shred of independent journalism and press freedom remaining in Hong Kong, such law may finally completely silence the users on social media platforms, such as Facebook and Twitter, as well as messaging platforms, like WhatsApp and Telegram, while putting those platform companies in the untenable position of having to carry out government censorship. 

To conclude, in the immediate to intermediate term, short of implementing a full-scale Great Firewall of Hong Kong, China seems to be borrowing a page from the Russian playbook. After all, Russia, similar to Hong Kong, has previously allowed the presence of foreign platforms, and not all its Internet traffic were filtered or censored. But Russia recently enacted a law to ban “false information,” such as calling its Ukraine invasion a “war,” with a punishment of up to 15 years in prison. This is similar to Beijing’s strategy in Hong Kong. In the long run, sadly, Hong Kong is undoubtedly treading toward the model of outright China-styled censorship and surveillance. 


1. : “The freedom and privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences.”

2. Consultation document: 

3. Internet Society Hong Kong responses to the second round consultation of the COIAO:

4. Hong Kong government’s shelving of controversial copyright bill: what went wrong?

5. FireChat – the messaging app that’s powering the Hong Kong protests

6. The author was the founding chair of Internet Society Hong Kong, in 2006.

7. Internet Society Deeply Concerned about Interim Injunction Ordered by Hong Kong High Court

8. Internet Society Hong Kong’s Legal Challenge Against Govt’s Injunction of Blocking Free Speech Online

9. Interim Injunction Order of the High Court (HCA 2007/2019) – Promotion, Encouragement and Incitement of the Use or Threat of Violence via Internet-based Platform or Medium

10. Implementation Rules for Article 43 of the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region gazetted

11. Internet censorship in Hong Kong

12. “The Downfall of Hong Kong’s Privacy Law” by the author

13. Hefty jail term for Hong Kong Telegram channel admin convicted of inciting riot, arson and violence during 2019 protestsAlleged Telegram channel administrator charged with inciting arson against police facilities, denied bail 

Student arrested for being admin of social media group supporting Hong Kong protests

14. Hong Kong’s national security law: 10 things you need to know

15. Covid-19: Hong Kong national security police arrest 2 for sedition over anti-vaxx posts

16. Hong Kong’s call for ‘fake news’ law raises media crackdown fears 

【假新聞法】研究上半年完成或將立法 記協質疑定義模糊難執法兼限制資訊流通

Published by Oxen Privacy Tech Foundation, April 12, 2022

Saturday, April 09, 2022

[Diplomat] China’s Choice for Hong Kong’s Chief Executive Reveals Its Own Insecurity

China’s Choice for Hong Kong’s Chief Executive Reveals Its Own Insecurity

John Lee’s background is heavy on security, showing Beijing values that over Hong Kong’s economic prosperity.

John Lee, chief secretary of Hong Kong and its second-highest ranking official, resigned on April 6 to prepare to stand for the chief executive election in the territory. Lee, a career police officer and former deputy police commissioner, only began his civilian government service in 2012, when he was appointed the undersecretary for security. He became the secretary for security in 2017, in the cabinet of the current Chief Executive Carrie Lam. When he was promoted to the chief secretary role last year, it was the highest government position held by a former police officer in Hong Kong. Should he become Hong Kong’s next chief executive, it will be yet another first.

In all likelihood, Lee will be the next chief executive. After all, under the new and “improved” electoral system of Hong Kong enacted in May 2021, the 1,500-member Election Committee is now completely controlled by “patriots” handpicked by Beijing. Unlike previous chief executive elections, when token competition was permitted by Beijing to give the appearance of an open election process, reports from Hong Kong have suggested that Beijing would back only a single candidate this time: Lee.

The central government’s selection of Lee clearly indicates that it puts a higher priority on security issues over Hong Kong citizens’ livelihood matters, as well as the city’s economy and its status as a global financial center. The message is clear – even though Carrie Lam demonstrated staunch loyalty by following Beijing’s orders in her tumultuous five-year term, that was still not enough. Of course, her chaotic handling of the Omicron outbreak in Hong Kong in recent months has completely ruled her out of the race.

Earlier, Paul Chan, Hong Kong’s financial secretary, was also seen as a potential candidate for chief executive. Chan is perceived to be equally loyal to Beijing, but with a more professional and somewhat more moderate image compared to Lee. Even former Chief Executive Chun-ying Leung, perennially rumored to be eyeing a return to the position as the special administration region’s leader, has more experience in domestic policies and has commented frequently on the economic integration of Hong Kong with the Greater Bay Area, in addition to his hardline rhetoric.

The tacit rejection of these contenders means that either Beijing does not care about Lee’s policy deficiency, or it indeed believes that his being a “blank piece of paper” will mean more malleability, and, hence, is preferred. Neither thought is a comfort for Hong Kong’s citizens or its business community.

With the National Security Law firmly in place after almost two years, it is hard to fathom the possibility of any domestic political unrest or protest being reignited. While Beijing would be concerned about further Western pressure and sanctions involving Hong Kong, any loyal chief executive can equally talk tough in retaliation, and there is precious little more that he or she can do. It would be up to Beijing to handle foreign policy anyway. Installing a figure like Lee at Hong Kong’s top leader would only exacerbate the already tense relations with the West.

On the other hand, in a recent meeting with the National People’s Congress delegates from Hong Kong, Han Zheng, senior vice premier of the State Council and a member of the Chinese Communist Party’s Politburo Standing Committee, as well as the leader of the Central Leading Group on Hong Kong and Macau Affairs, emphasized Hong Kong’s role as a financial center and its development as an innovation and technology center. Han also expressed his concerns about housing issues. It is hard to reconcile such practical priorities for Hong Kong with Lee’s appointment, however, as he simply does not have any policy exposure in any of these areas.

Indeed, the selection of Hong Kong’s chief executive may just be the latest in a series of policy decisions by Beijing leading to self-inflicted hardship. Beijing appears driven by paranoia over security and absolute state control, with a high dose of insecurity, leading it to ignore all the side effects of its extreme and draconian measures. Of course, this insecurity is hidden under an outward appearance of confidence, much like the often-quoted Mao Zedong thought that “man can conquer nature.”

Outside of Hong Kong policy, China has shown a similarly stubborn adherence to its zero COVID strategy, including the lockdown of Shanghai, and to the crackdown on its technology, education and property sectors, despite an ensuing economic slowdown and growing unemployment. China may have convinced itself that such policies can support its “dual circulation” goal.

However, when the goal becomes the means, China may have backed itself into a corner, forcing the rest of the world to expedite decoupling from China. That precisely defeats the purpose of one half of the dual circulation strategy: external circulation, or economic interactions with the world. Moreover, China’s standing with Russia in the invasion of Ukraine has expedited an outflow of funds in an “unprecedented scale,” further challenging the notion of the mutual dependency between China and the rest of the world.

If the world’s dependence on China decreases, so would China’s leverage on the rest of the world. China’s obsession with its regime security may have been caused by its sense of insecurity. Its regime may end up becoming less secure, and our world more unstable.

Published: The Diplomat, Apr 8 2022

Wednesday, February 23, 2022

[Diplomat] China and Russia Want to Rule the Global Internet

China and Russia Want to Rule the Global Internet

Their model of surveillance and censorship threatens a free, open, and secure future internet.

As the Winter Olympics kicked off in Beijing, the Chinese and Russian presidents, Xi Jinping and Vladimir Putin, stood in unity to offer mutual support and to challenge the dominance of the U.S. and Europe. There is more at stake in their renewed close partnership than NATO expansion and the crisis in Ukraine, or the supply of natural gas to China from Russia.

The joint statement that the two countries issued in Beijing proclaimed their support for the “internationalization of Internet governance” and “equal rights of countries to regulate the world-wide web.” They pledged to “deepen bilateral cooperation in international information security,” declared support for an “international convention on countering the use of information technologies for criminal purposes,” and advocated greater participation in the International Telecommunications Union, the United Nations specialized agency for information and telecommunications technologies, in addressing these issues.

The world should be alarmed by such resolutions from two nations known for censoring the internet, banning social media and messaging platforms, putting dissidents in jail over comments posted online, and launching misinformation campaigns to meddle in elections in other countries, including the U.S.

At the Beijing Winter Olympics, athletes and journalists had to make use of officially provided wi-fi at designated hotels and venues in order to access the “unobstructed” internet, including services like Twitter, YouTube or Facebook, all banned in China. The mobile app provided by Beijing authorities to all participants – My2022 – was found by independent researchers to be a Trojan horse that could secretly harvest users’ data, which, under Chinese laws, can be passed on to the state.

In Russia, Russian authorities successfully demanded the removal of a voting app created by prominent dissident Alexei Navalny from the app stores of both Apple and Google, alleging that it contained “illegal content.” The country also furthered its censorship efforts to block the use of encryption technology through the Tor browser and several other virtual private network services in 2021, a year that Human Rights Watch called the “year of doubling down on Internet censorship.”

These acts of censorship and surveillance speak clearly about what kind of vision of internet governance China and Russia have in mind. Their interpretation of internet information security is about the security of their regimes, not of the security and privacy of users inside or outside of their countries. An internet governance framework with such toxic underlying values of censorship and surveillance should be extremely horrifying to anyone.

Particularly for China, however, such attempts to influence and indeed dominate global technology standards and governance are nothing new. Over the last few decades, China has invested heavily to participate in and influence global technology standard bodies. In November 2021, the Communist Party Central Committee and the State Council published the National Standardization Development Outline, spelling out goals and actions for “China Standards 2035.” These “China standards” are by all means meant to be made global.

The European Union has been on high alert about China’s ambition, and recently outlined a “more aggressive approach” to setting global standards, in order to ensure its leadership in development areas such as internet technologies, artificial intelligence and green technologies. To the Europeans, it was clear that China’s standard-setting exercises at the international level were meant to provide a competitive edge to China and its companies.

International technological standards-setting and internet governance frameworks are complex and diverse. It is also important to remember that traditionally standard settings are led by the private sector and research communities, not by state actors, for good reasons. Chinese and Russian representatives should have their seats at the table, but the world must be extremely cautious about such standard-setting processes being taken over by companies controlled by autocratic regimes, tasked with their governments’ political agenda. It would be even worse if such autocratic governments are to directly steer and dominate such processes.

The EU has disclosed that they would seek to cooperate with U.S. authorities to monitor emerging standards and to unify the positions from both sides of the Atlantic through regular meetings at the Trade and Technology Council. Clearly, the urgency of autocratic competition means that the two sides must coordinate at a much higher administrative level. However, the present animosity between the Western “big tech” firms and their governments may threaten to divert the Western governments’ attention from the need to cooperate on the global stage of standards and governance – between the private and public sectors, and across nations.

Moreover, just bringing Europe and the U.S. together may not be enough, as players from Asia, Africa, and the rest of the world must be involved, as well as the private sector and civil societies, in setting the standards and governance that will shape the future internet and its next-generation enabling technologies. Only than can the world build a dam against the tides of censorship and surveillance from the emerging alliance of autocratic states.

We must do so to defend and ensure a free, open, secure, and trusted future internet that supports the principles of democracy and human rights by being more open and inclusive, and differentiate that vision against the governance model promoted by China and Russia, one that is designed to censor and surveil in the pretense of security.

Published: The Diplomat