Friday, January 06, 2023

[Diplomat] Hong Kong’s Crowdfunding Regulations Could Have Global Ramifications

Hong Kong’s Crowdfunding Regulations Could Have Global Ramifications

Regulating crowdfunding in Hong Kong is all about political vetting – extended around the world.

The Financial Services and the Treasury Bureau of the Hong Kong government initiated a three-month consultation on the regulation of crowdfunding activities in mid-December and proposed to establish a dedicated Crowdfunding Affairs Office to oversee these activities. This could have far-reaching effects on the future of the territory as a financial hub and innovation center.

Over the last decade, aided by the internet, social media, and other technology platforms, the concept of crowdfunding has empowered millions to raise capital for their concepts, projects, or products, typically at the early stage of development, all while overcoming obstacles erected by financial intermediaries, such as banks, and other forms of bureaucracy. It has also enabled individuals to support innovative product development, niche cultural activities, as well as popular (or not so popular) social causes.

The borderless nature of the internet and the activities carried out on it indeed present new challenges to regulations previously designed for more traditional forms of solicitations for donations, investments, loans, or product sales. But that does not mean that crowdfunding activities are unregulated. Indeed, the consultation paper pointed out various existing laws and regulations in Hong Kong, such as the Securities and Futures Ordinance and the Money Lenders Ordinance, that would provide jurisdiction over such activities, particularly crowdfunding for equity, debt, or peer-to-peer lending.

The paper even states that, in general, anyone engaging in any online or offline fundraising to “engage in unlawful acts (such as money laundering, fraud, theft, acts and activities endangering national security, or inciting, aiding, abetting or providing pecuniary or other financial assistance or property for other persons to commit offenses that endanger national security)” is already subject to prosecution under criminal laws in Hong Kong. So why is there such an urgent need for erecting further safeguards?

That obviously has to do with the flurry of crowdfunding initiatives in Hong Kong during the 2019 protests, with the most notable case being the 612 Humanitarian Relief Fund. The fund was originally set up to provide financial support for those injured or arrested during the unrest. Cardinal Joseph Zen and ex-lawmakers Margaret Ng and Cyd Ho were among the high-profile fund trustees who were later arrested, prosecuted, and recently convicted. Indeed, the consultation makes reference to individuals who claimed “they would use the funds raised to help people in need, but they turned out to be using the funds for purposes which were unlawful and jeopardized public interests, public safety, as well as national security.”

Political Vetting, Extended Globally 

The proposed Crowdfunding Affairs Office (CAO) will require prior applications for any crowdfunding activity that “raises funds from individuals or entities of Hong Kong, or individuals or entities located in Hong Kong.” That condition is further explained in the paper to include not only those located or registered in Hong Kong: “the location of publicizing such activities can be any places, including Hong Kong and other places, and with declared purposes that are related to Hong Kong or not.” In other words, the regulation applies to anyone, anywhere, for anything, as solely determined by the CAO. The government also proposes to further specify the police’s power to request financial information; enter, search, and detain properties including financial assets; and cut off or halt electronic messages.

While the paper acknowledges that “crowdfunding activities are already subject to the regulation of various authorities and existing legislation,” and so, duplication of efforts should be avoided, that may be exactly what the CAO ends up being. The new office is not about enforcing new legislation, but only serves to ensure that there is a centralized mechanism to vet against certain undesirable political activities that are practically non-existent since the imposition of the National Security Law in July 2020. Indeed, the paper made repeated mentions of “public interests, public safety, and national security” as the justification for the proposed regulations.

On the other hand, ironically, it actually states clearly that the CAO’s decision to approve any activity or not has nothing to do with its outcome or success, and contributors to even an approved fundraising activity must themselves “carefully examine the credibility and success rate of the activity to be supported to avoid unnecessary losses” — a disclaimer by the government that what the CAO does is not about donor or investor rights protection. It’s just political vetting, extended globally.

Everyone Will Have Something to Lose

So what should crowdfunding platforms, financial institutions, internet platforms, those seeking funding support, and potential donors or contributors to projects be worried about? A lot.

The paper proposes the introduction of a “real name” system for donors, and fundraisers will have to keep that register of donors along with other details of their activities for auditing as well as inspection by the CAO and other law enforcement agencies. The additional bureaucracy and potential liabilities will turn off fundraisers, and the required disclosure of identities will cause a chilling effect, deterring donors and contributors from giving.

It is also still unclear whether income-generating creator activities by so-called key opinion leaders, journalists, or former political figures on platforms such as YouTube and Patreon will fall under the definition of “crowdfunding” in the proposed regulation. The paper cites “commercial activities on online media and the like that involve income from subscriptions or online rewards” as among some activities that will be exempted from the regulation. But it may still depend on whether the CAO in the end subjectively classifies such activities as purely “commercial” or not. Even though many of these creators are no longer in Hong Kong, the borderless nature of the proposed regulation means pressure can still be applied first to the Hong Kong offices of the platforms, such as Google for YouTube, followed by contacting those companies without a Hong Kong presence.

For the first time, the paper also proposes targeted regulations for “online platforms specifically designed for crowdfunding purpose” to register with the CAO, including providing “at least one person with a physical address in Hong Kong” as the designated representative of the platform. This would be the first instance of such “local designated representative” requirements for internet-related regulations in Hong Kong, and it bears a disturbing resemblance to the provision under India’s controversial IT Rules 2021, the so-called “hostage-taking law” that mandates platforms to register local representatives in India to be held liable if the platforms do not perform according to the government’s censorship requests. Sadly, this first for Hong Kong may not be the last.

This pressure may be felt not just by the crowdfunding platforms often used by Hong Kong individuals, organizations, or entrepreneurs, such as GoFundMe, Indiegogo, and Kickstarter, but also by subscription- or advertising-based content platforms such as Patreon, Medium, and YouTube, as well as payment platforms like PayPal and Square. Social media platforms such as Facebook, Instagram, or Twitter will also face more enforcement notices to remove content or links. Fundraisers and platforms alike will have to re-evaluate the growing liabilities of their presence in Hong Kong.

For those services without a Hong Kong presence, it is unlikely that they will register with the CAO: They may simply choose not to provide services to Hong Kong-related entities and causes. This would be similar to what happened when the National Security Law was enacted in 2020; shortly afterwards some virtual private network (VPN) providers simply chose to shut down their Hong Kong servers.

Unlike other consultation papers in the past, this one provides no comparison with similar practices in other jurisdictions, especially common law ones. Very likely there are none. By disregarding the need to balance ease of access, openness, convenience, and the rights of the fundraisers, contributors, and platforms in favor of the so-called “public interests, public safety and national security,” all in the subjective eyes of the authority, Hong Kong is again making itself a harder place to do business for firms local and overseas. This proposal from its financial services policy bureau doesn’t bode well for all the areas that Hong Kong says it strives to succeed in: innovation, technology, and even financial services itself.

Published: The Diplomat, January 5, 2023

https://thediplomat.com/2023/01/hong-kongs-crowdfunding-regulations-could-have-global-ramifications/

Saturday, November 19, 2022

[Directions/EU Cyber Direct] Multi-stakeholder Governance of the Cyberspace -- Merely a Myth?

Multi-stakeholder Governance of the Cyberspace -- Merely a Myth?

Blocking non-state stakeholders' participation in discussions about the information and communication technology environment may set a dangerous precedent for the future

By Anna-Maria Osula and Charles Mok 

Different approaches to governing the internet and engaging stakeholders in agreeing on what is responsible behaviour in cyberspace have been a source of disagreement since the beginning of the wider spread of information and communication technologies (ICTs). John Perry Barlow famously called for keeping governments (‘weary giants of flesh and steel’) away from controlling cyberspace. Yet, today, states have assumed a central role in governing the development, implementation and employment of ICTs worldwide.

While non-state stakeholders’ role in running the internet (such as providing infrastructure, storing data, designing apps and services) is largely uncontested, fierce discussions over the engagement of these stakeholders in governing ICTs, or cyberspace in general, are ongoing. In addition to heated debates over the rights and obligations of these stakeholders (see, e.g. measures aimed at curbing the increasing power of some stakeholders, such as Big Tech companies), there is much broader disagreement on the substantial engagement of stakeholders in multilateral discussions. Should deliberations on governing ICTs be narrowly state-to-state and closed to other interested parties, or should they follow a truly multi-stakeholder approach and be based on openness and diversity?

Revisiting past discussions

There are plenty of examples of international consultations adopting ‘multi-stakeholderism’ as the most appropriate way forward. Importantly, in 2005, as part of the World Summit on the Information Society, the Working Group on Internet Governance established the core role of the multi-stakeholder approach in governing the internet by defining internet governance as ‘development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programs that shape the evolution and use of the Internet’. This reflects a general agreement that the involvement of relevant stakeholders in collectively shaping the development and use of ICTs has multiple benefits. These stakeholders’ diverse views and expertise make discussions better informed. Taking into account the opinions of various interest groups also adds to the legitimacy and quality of agreements and enhances their implementation.

Ideally, a multi-stakeholder governance framework should consist of an open-ended and innovative infrastructure, a decentralised governance institution and open, inclusive and bottom-up processes involving all participants. Participants should represent the private and public sector; industry and government; technical, academic and civil society; and users. It is the antithesis of a top-down policymaking model dictated by governments and others in positions of authority.

However, trends are emerging suggesting that the multi-stakeholder approach to governing ICTs is weakening. Two recent examples related to internet governance and peace and security in cyberspace merit further analysis.

Internet governance

One of the principal commitments of the high-profile Declaration for the Future of the Internet adopted by the U.S. and more than 60 partners, including the European Commission, in April 2022 was ‘multistakeholder Internet Governance’. That means protecting and strengthening ‘the multistakeholder approach to governance that keeps the Internet running for the benefit of all’, including the management of the internet’s technical standards and protocols, and refraining from undermining its technical infrastructure.

Indeed, the internet has almost always been run and governed by a multi-stakeholder policymaking model. The most notable example is the Internet Corporation for Assigned Names and Numbers (ICANN), the global organisation responsible for coordinating and maintaining the names and numbering assignments and databases critical to the running of the single, unified internet. 

Other key internet organisations or processes formed and run under the multi-stakeholder model include the Internet Engineering Task Force (IETF), the internet’s main standards-setting body, and the Internet Governance Forum (IGF), a global platform to facilitate the discussion of internet public policies convened by the UN. These bodies face increasing pressure from nations and authorities trying to usurp their mandates or assert greater government control and influence. 

For instance, the Chinese government, working through Chinese companies such as Huawei, is seeking to establish an alternative to current multi-stakeholder standards-setting procedures by proposing its ‘New IP’ standards through the UN’s International Telecommunication Union (ITU) rather than the IETF. This approach also seeks to avoid criticism of the new standards’ flawed technical foundation, surveillance-by-design capabilities and incompatibility with the existing internet.

Even the UN’s own multi-stakeholder IGF recently appointed a 12-member ‘Leadership Panel’ in a process lacking transparency and provoking significant concern from civil society. Efforts by governments and intergovernmental organisations to embrace multi-stakeholderism are often held back by worries over inefficiency and the misplaced bureaucratic belief that categories of stakeholders can simply be represented by a few ‘leading figures’. Multi-stakeholderism is all about direct participation and not just a representative system. When such representations are chosen by authorities through an opaque process, the imitation pales further. 

But that is not all. In response to the U.S.-led Declaration for the Future of the Internet, China ‘transformed’ an annual event it has held since 2014, the World Internet Conference, into an ‘international organisation’ made up of an undisclosed list of ‘founding members including “institutions, organisations, businesses and individuals” from nearly 20 countries’. China has long used this forum to establish its vision for an alternative internet governance model, arguing for ‘respect for cyber sovereignty’ and that a new ‘international cyberspace governance’ should not be ‘unilateral’ or have ‘one party calling all the shots’. 

Stakeholders’ role in the discussions on norms of state behaviour in cyberspace

The UN Open-Ended Working Group (OEWG) was proposed as an inclusive setting for discussing international peace and security in cyberspace where ‘effective international cooperation would benefit from identifying mechanisms for the participation, as appropriate, of the private sector, academia and civil society organisations’. Yet, despite stakeholders being widely believed to enrich the discussion on international peace and security in a rapidly changing ICT environment, debates over how these stakeholders should participate in formal meetings have been fierce. At the first meetings, all eighteen stakeholders that applied for the OEWG 2019-2021 were vetoed from formally joining the discussions. Such a ‘broad and categorical denial of access’ was seen as a dangerous precedent and viewed as extremely rare in UN disarmament and arms control fora.

States have faced challenges in agreeing on the involvement of multi-stakeholders ever since, despite numerous calls during OEWG discussions to deepen multi-stakeholder engagement (e.g. High Representative for Disarmament Affairs Izumi Nakamitsu’s speech and the December 2021 letter to the Chair).

On one side are voices supporting the continuation of the previous OEWG practice allowing substantial input from stakeholders with official UN observer status or existing ECOSOC accreditation, as well as those invited to participate based on no-objection from other Member States. The issue was widely discussed during the UN OEWG first and second substantive sessions (for great overviews, see here and here). Some states believed that attending informal consultations held by the Chair and accessing the formal discussions via online broadcasting provided the stakeholders with enough time and opportunity to express their views. Several countries argued that the OEWG sessions should retain the intergovernmental nature of the formal sessions, allowing all the UN Member States to interact, and that further engagement with stakeholders should not tilt this balance. Furthermore, some states expressed concern that spending too much time arguing about the modalities of stakeholder participation was distracting the OEWG from its mandate and blocking its work.

The opposing viewpoint argued for:

extended stakeholder participation which would also allow for non-accredited participation (with references to the long and cumbersome process for ECOSOC accreditation),
a transparent process for objections regarding stakeholder participation (especially for those already officially recognised by the UN in other contexts, and referring to other UN processes),
sufficient time to review documents and prepare input,
a hybrid format (allowing for more flexible use of resources by non-state stakeholders),
and ways for stakeholders who couldn’t formally join the discussions to express their views (see the letter here).

Stakeholders have expressed on several occasions that they want to be involved and heard in the process and are not arguing for the ability to vote during decision-making. Further, it was pointed out that the informal consultations implemented during the last OEWG are not a substitute for formal participation of stakeholders in the OEWG, which is crucial for the transparency, credibility and effectiveness of the process. Several countries supported giving stakeholders the opportunity to present views and contributions in the official meetings and substantive sessions, as well as during the intersession periods. 

After long discussions, and based on the Chair’s April 2022 proposal, countries finally managed to agree upon the modalities for non-state stakeholder engagement (involving a transparent non-objection mechanism) and to move on with formal discussions. However, despite the Chair’s encouragement that Member States ‘utilize the non-objection mechanism judiciously, bearing in mind the spirit of inclusivity’, over 30 non-state stakeholders were still vetoed from joining the OEWG formal discussions. They included the 150 technology companies represented by the Cybersecurity Tech Accord and the incident responders and security professionals represented by the Forum of Incident Response and Security Teams (FIRST).

The OEWG illustrates how an opportunity to benefit from the multi-layered expertise and experience of stakeholders interested in contributing to the discussions was turned into a political contest between states. It could be argued that this contest was fuelled by geopolitical complexities including Russia’s aggression in Ukraine. However, it should be acknowledged that efforts to limit the participation of non-state stakeholders may affect these stakeholders’ future investment in the implementation of the agreements put forward by the OEWG. It is clear that the private sector, academia, and NGOs are crucial for following through with the agreements and their implementation on the national, regional and international levels. Extended disagreements on engaging these stakeholders will also contribute to the substance of the OEWG discussions, eventually decreasing the relevance of the discussions in the global arena.

Muddy future ahead

That is why this is both the best of times and the worst of times for multi-stakeholderism. The enhanced levels of support and attention it receives from national governments may allow for its further adoption in various aspects of ICTs, cybersecurity and technical standards processes and policymaking systems. Yet, in an increasingly polarised global political environment, what some governments label multi-stakeholderism may not be the genuine item at all, but something else that suits their own political agenda.

As can be seen from the OEWG example, compromises between states are often made at the expense of the non-state stakeholders. Even though the stakeholder engagement modalities included a step towards greater transparency by sharing which states objected to the participation of which stakeholders, such objections may still be employed as the basis for eliminating selected stakeholders based on political decisions. Yet, the efforts of some states to keep certain stakeholders from formally engaging with the OEWG have not decreased civil society’s appetite to partake in these discussions. On the contrary, despite their different views on some topics, their motivation to contribute has stayed strong and they stand unified in believing in the importance of diplomacy and of ensuring that member states benefit from relevant perspectives in their deliberations. Calls for robust civil society participation have also been made on other occasions, such as in the format of the UN Ad Hoc Committee on Cybercrime.

Multi-stakeholderism is not perfect and many aspects of its functioning need refinement. It can be inefficient, expensive and slow. In some countries, true multi-stakeholderism may not even be possible because autonomous stakeholders such as civil society may not be allowed to exist. But it is still by far the most open and participatory model that allows for accommodation and consensus building for the widest possible range of views and perspectives. It would be a mistake to criticise its shortcomings and then move in the opposite direction, towards less participation and more top-down power for the authorities. 

Therefore, avoiding the devaluation of the concept of multi-stakeholderism should be seen as a priority. Instead of it becoming an empty buzzword thrown around in official documents, states should find ways to meaningfully engage with stakeholders on international fora. In addition to increasing engagement in multilateral platforms, states should work on substantiating multi-stakeholderism on national and regional levels by encouraging discussions between domestic actors and drawing on their input in states’ official statements.

The civil society, research, technical and industry stakeholder groups must guard against political influence from state actors to revise or reject multi-stakeholderism. This would only lead to the splinternet, where the open, globally connected internet is divided into fragmented networks controlled by governments or, to a lesser extent, major corporations. If that happens, everyone will get less of what the internet has promised, and what each of us deserves.

Any views or opinions expressed in this blog are personal and do not represent those of institutions or organisations that the authors are associated with in their professional capacity.

Published: Directions, an initiative by the EU Cyber Direct project coordinated by the EU Institute for Security Studies, November 18, 2022

https://directionsblog.eu/multi-stakeholder-governance-of-cyberspace-merely-a-myth/

Thursday, November 10, 2022

[Diplomat] Why Elon Musk’s Twitter Purchase Is a National Security Concern

Why Elon Musk’s Twitter Purchase Is a National Security Concern

Elon Musk’s Twitter deal reveals loopholes in U.S. national security oversight.

Two days before Elon Musk closed the deal to acquire Twitter on the court-mandated deadline of October 28, he posted a short video clip of himself cheerfully carrying a sink into the company’s headquarters in San Francisco, saying, “let that sink in.” He certainly did not waste any time making sure his presence sank in to the company, its staff, its advertisers, and its users.

Besides quickly laying off roughly half of Twitter’s global staff within a week of the takeover, Musk also changed his Twitter bio twice in recent weeks, first declaring himself as the “Chief Twit,” then Twitter’s “Complaint Hotline Operator.” These are hardly just random playful titles he lavishes on himself. Musk dissolved the company’s board and named himself sole director of Twitter just before the acquisition was completed, as disclosed in a securities filing on October 31, and fired the company’s executive team, including its chief executive officer and chief financial officer. In effect, Musk is not only the Chief Twit, but the Only Twit. The company will also be delisted from the New York Stock Exchange on November 8, according to its filing with the U.S. Securities and Exchange Commission, leaving Musk with total control over the privately-held company afterward.

Regarding Twitter’s content moderation policies, Musk said in his tweets on takeover day that he had “not yet made any changes to Twitter’s content moderation policies.” He added that the company would be “forming a content moderation council with widely diverse viewpoints,” and “no major content decisions or account reinstatements will happen before that council convenes.” But with Musk as the sole director and only person in charge of Twitter, he might as well also be the sole “complaint hotline operator” cum content decision-maker, with or without advice from people he will select later. Musk already fired the company’s entire human rights team, the entire “ethical AI” team, and almost the entire communications team.

National Security Implications

Yet, such chaos at Twitter after the Musk takeover pales in comparison to the serious national security alarms that were sounded in the weeks prior to the closing of the deal. In a Financial Times interview published in early October, Musk disclosed that Chinese authorities made clear their disapproval of his Starlink rollout in Ukraine and sought assurances that he would not sell Starlink in China (read Taiwan).

Indeed, Musk has maintained a close relationship with senior Chinese government officials, having invited the Chinese ambassador to the U.S. to a test drive in an auto-piloted Tesla vehicle with him. Meanwhile, his Shanghai “Gigafactory” aims to churn out 1 million electric vehicles a year for Tesla, and last year already made up half of the company’s total global output. Moreover, China is already Tesla’s second largest market in the world, after the United States.

China can use its importance to Tesla to leverage influence on Musk’s other businesses, exemplified by the request made to Musk about Starlink, a system supported by SpaceX, another company with Musk as its chairman and CEO. The national security implications of SpaceX and its Starlink platform are obvious, direct, and significant, on top of its deployment in Ukraine and other countries such as Iran, in support of U.S. military or Internet freedom policy goals. But what about Twitter?

Although it is blocked by China’s Great Firewall and is not accessible inside the country, Twitter remains a major target for Beijing’s apparatus of online propaganda and coercion. As recently as December 2021, Twitter removed 2,048 accounts that were said to have “amplified Chinese Communist Party narratives related to the treatment of the Uyghur population.” Since the Musk takeover of Twitter and his decision to fire the company’s human rights team, users and civil society organizations have voiced many concerns, including over the possibility of Twitter turning over users’ personal details to China. Chinese authorities already have a track record of detaining people over things they tweeted, including while living overseas.

All these issues combined with a downsized workforce may result in weaker cybersecurity, much higher risk levels and potentially disastrous outcomes for Twitter and all its users.

And there is more to worry about than China. Also in early October, Ian Bremmer, head of political risk consultancy Eurasia Group, wrote to his clients that Musk informed him about a recent conversation he had with Russia’s president Vladimir Putin, just before Musk tweeted to urge Ukrainians to accept a negotiated solution with Russia by ceding Crimea to its enemy. Musk denied Bremmer’s allegation but Bremmer stood by his “honest” reporting.

Despite all these potentially explosive self-disclosures, and others’ allegations, over Musk’s connections and possible vulnerabilities to foreign powers, no action was taken by Washington to scrutinize any national security concerns associated with the Twitter deal. On the contrary, the White House actually came out to emphatically deny any security review. The silence was deafening.

Not Enough Tools for Timely Actions

After Musk completed his deal and released his list of equity co-investors, Senator Chris Murphy called on the government’s Committee on Foreign Investment in the U.S. (CFIUS) to conduct an investigation into the “national security implications” of the involvement of Saudi Arabian investors, who will become the second largest owner of Twitter behind Musk.

However, the scope of CFIUS is limited to foreign investments that may result in the control of U.S. businesses, with evidence that the transaction may threaten national security. Although its investigative power is not time-limited, in the case of Twitter, it may be limited only to the scrutiny of interests from countries such as Saudi Arabia and Qatar, rather than the more critical risks posed by Musk himself – his own possible conflicts stemming from his business empire, with potential vulnerabilities exposed to China and Russia.

If the Biden administration can be so resolute on U.S. technological competitiveness in areas such as semiconductors and artificial intelligence, to the extent of restricting sales and investments to China for not only U.S. firms but also those from allies such as South Korea, Japan, Taiwan, and Europe, the way it treats Musk’s growing technology empire is grossly inadequate and inconsistent. Consider this: one man, who openly admits his close ties to Chinese government officials, now owns the largest electric vehicle maker in the world, with huge leverage in technologies such as AI, autonomous driving, batteries, robotics, and advanced manufacturing, all areas where China strives to excel; the largest low Earth orbit satellite company in the world, with leading space and communications technologies for both military and civilian use; and one of the largest and most influential global social media platforms in the world. The national security implications here should be clear to see — standalone or combined.

Maybe too much effort has been spent and wasted in Washington on regulating social media and enforcing content moderation by mistakenly focusing on reforming provisions such as Section 230 of the Communications Decency Act. There are obvious loopholes in the U.S. regulatory regimes as far as technology and national security oversight is concerned. In this case, multiple companies in different sectors, with interlocking interests in a global market, are involved, yet there is simply no avenue to demand timely actions. As the Twitter deal demonstrates, national security matters must be looked at in a more holistic way. Changes are urgently needed.

Published: The Diplomat, November 9, 2022

https://thediplomat.com/2022/11/why-elon-musks-twitter-purchase-is-a-national-security-concern/

Friday, October 21, 2022

[OPTF] The Next Chapter for Hong Kong’s digital repression: Total judicial cooperation

The Next Chapter for Hong Kong’s digital repression: Total judicial cooperation

In a bizarre case of government censorship aided by the court in Hong Kong, five speech therapists were sentenced to 19 months in jail for “conspiracy to print, publish, distribute, display and/or reproduce seditious publications.” The evidence? A set of illustrated print children’s storybooks depicting a village of sheep resisting wolves invading their village. The judge found that the books were part of “a brainwashing exercise with a view to guiding the very young children to accept their views and values,” and the authors intended to “bring into hatred or contempt or to excite disaffection” against the local and central government.

The case did not involve online content, but it clearly showed that the red line for the freedom of expression in Hong Kong has been lowered to an extremely perilous level, with full corroboration of the court in censoring expression, and indeed, thought, in Hong Kong. Regardless of what they say and how it is said, no expression is truly safe for residents of Hong Kong. The court seems determined to guarantee that government prosecution will score a perfect record of convictions. Yet some activists appear determined to keep going: one of the defendants in the children’s storybook case said in court that her “only regret was that she had not published more picture books before her arrest.”

Such will and resolve from civil defenders may be one reason why the Hong Kong government is still planning for a further series of legislative proposals, to be nominally consulted and then most likely speedily passed in what is currently a rubber-stamp legislature, designed to rein in online expression in Hong Kong.

A case in point is the recent consultation for a new cyber-crime law, which has sparked much concern from both the Internet sector and users. For instance, under the category of illegal access to program or data, Hong Kong’s law reform commission recommended that “mere unauthorized access should be criminalized as a summary offense, which does not require malice to be an element of the offense, subject to the statutory defense of reasonable excuse.” The commission also recommended raising sentencing for many offenses from two years to fourteen years. The maximum sentence for the aggravated offense for illegal interference with computer data and a computer system may even be life imprisonment. In short, these proposed changes are about easier prosecution and harsher punishment.

A series of other new laws is slated to be proposed, too: a new cybersecurity law “to protect critical infrastructure,” a new anti-misinformation law, a new law to regulate online and offline crowdfunding activities, an amendment to the local rules for the national security law imposed by the central government, and the preparatory work for yet another new local version of national security law. There are several reasons for the rush for new laws. Such laws targeting cybersecurity, misinformation and also cyber and data sovereignty have already been established in many other parts of the world. In Asia alone, similar laws have appeared in Vietnam, Singapore, Indonesia, India and, of course, China itself, and are becoming the norm, putting pressure on freedom of expression for both users and social media or messaging platforms. Even western democracies are doing the same, and it has become very easy for autocratic regimes to justify their digital repression by claiming, first, to be targeting cyber-crimes and protecting cybersecurity and, second, to be only following the examples of western democracies.

The laws can be similar, but it is the level of democratic oversight, judicial independence and the rule of law that will make the difference. In the self-proclaimed “perfected” political system in Hong Kong, with “full cooperation” of the executive, legislative and judicial branches of government, these laws will be passed quickly by the legislature, and once enacted, the court will also likely cooperate with the administration by way of its judgments.

Under such an atmosphere, those who still choose not to self-censor will face increasingly perilous situations. Another recent case saw the administrators of the Facebook group “Civil Servants Secrets” – who were themselves government workers – arrested by national security police on possible charges relating to “acts with seditious intention.” What made some of these postings in the group — mostly gossip or grievances about the government as a workplace — seditious? Some messages were said to “promote feelings of ill-will and enmity between different classes of the population of Hong Kong.”

One of the hallmarks of political arrests in Hong Kong is that these cases almost invariably involve the police confiscating the suspects’ mobile phones and personal computers, sometimes both personal and work, to “search for evidence.” In the “Civil Servants Secrets” case, national security police actually raided the government office of the suspect, taking away all their personal and work phones and computers. While the public often asks whether the social media platform, such as Facebook in this case, may have provided information and data to the police, the reality is that the police may not bother with getting such data from social media platforms. Everything is already sitting on the phones and computers of those arrested for the police to harvest. In this regard, the users’ devices remain the weakest link when it comes to law enforcement abuse. Meanwhile, a number of other Facebook “secrets” pages were “voluntarily” removed to avoid getting their administrators into trouble.

Are these laws, arrests, charges and court convictions silencing activists, civil defenders and journalists? Yes, particularly when the courts are no longer seen to be independent and to respect the rule of law. Unfortunately, what happens in Hong Kong is not unique, as digital authoritarian trends are rapidly expanding in Asia and many other parts of the world. What stands out for Hong Kong is only how far it has fallen in such a short period of time, from a relatively free society with a vibrant press and civil society, to a highly repressive regime. May this be a reminder for the rest of the world of the fragility of online freedom of expression, and how easily it can be lost.

Charles Mok is an internet entrepreneur and IT advocate. He was formerly a member of the Hong Kong Legislative Council and founded the Hong Kong chapter of the Internet Society. He is currently a Visiting Scholar at the Global Digital Policy Incubator at Stanford University. 

Published: OPTF, October 20, 2022

https://optf.ngo/the-next-chapter-for-hong-kongs-digital-repression-total-judicial-cooperation/

Thursday, October 13, 2022

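[CommonWealth Magazine] Musk’s “Taiwan Special Zone” Remarks: Taiwanese Should See the Warning Signs Behind Them

Musk’s “Taiwan Special Zone” Remarks: Taiwanese Should See the Warning Signs Behind Them

Tesla CEO Elon Musk recently suggested in an interview that a “Taiwan special zone” be set up in response to the conflict across the Taiwan Strait, drawing almost uniformly negative criticism. But the focus should not be on this unrealistic remark. What matters instead is his close relationship with the Chinese regime, and China’s influence over the technologies he owns today as well as over Twitter, the opinion platform he is currently trying to acquire.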

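Musk’s “Taiwan Special Zone” Proposal

There are many words that can describe Musk, the American entrepreneur: innovative, full of character, charismatic, visionary, and also “never content until his words have shocked people.” The technology companies he has founded over the years, from Tesla to SpaceX, truly span the heavens and the earth. Yet besides managing these giant enterprises, he still has enough time to post on Twitter and speak on other platforms, and he is increasingly fond of jumping into the world’s most contentious geopolitical debates. The latest instance was his interview with the Financial Times, in which he proposed resolving the unavoidable conflict across the Taiwan Strait by establishing a “Taiwan special zone,” which should even be able to be more lenient than Hong Kong; even if it could not satisfy everyone, the arrangement would be more “palatable.”

The interview was conducted as part of the Financial Times’ “Lunch with the FT” series. Perhaps Musk had a few too many margaritas that evening (the interview actually took place over dinner) and had not thought through what he said? However, the interviewer, Roula Khalaf, who is also the editor of the Financial Times, made clear that although Musk was at times jovial during the interview, when it came to China and Tesla’s mega-factory in Shanghai he answered only after “the longest silence.” So his answers about China were probably not casual talk.

However, Musk’s suggestion for the Taiwan Strait conflict is neither innovative nor practical. It is nothing new that public opinion in Taiwan generally rejects mainland China’s “One Country, Two Systems” formula, all the more so since the implementation of the Hong Kong national security law. At the same time, Musk also disregarded how China has, over the past decades, reneged on its promises to Hong Kong of democracy, freedom, and a high degree of autonomy.

In the interview, Musk’s thinking about Taiwan’s future was based entirely on the economic consequences of this “inevitable conflict.” He said that if conflict broke out, although he believed his Shanghai factory should still be able to produce cars for the mainland Chinese market (an answer the interviewer found somewhat “curious”), companies such as Apple would certainly be in great trouble, and the global economy would even fall by 30 percent. Yet the solution Musk offered for his economic worries is a one hundred percent political one that affects the lives of the people of Taiwan. What the Taiwanese think is evidently not Musk’s concern. Has he discussed this question with Tesla’s employees in Taiwan, or even in Hong Kong? I believe that what his employees there care about most is surely not selling a few more cars for their boss.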

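What Musk Said Reveals His Close Relationship With China
As expected, reactions across Taiwan to Musk’s remarks were overwhelmingly negative. With Taiwan’s special municipality mayoral and county and city elections to be held at the end of November, candidates from all sides naturally felt duty-bound to come out and criticize Musk’s remarks, stressing Taiwan’s insistence on autonomy, democracy, human rights, and freedom. Former President Ma Ying-jeou said Musk’s proposal “is One Country, Two Systems, and we cannot accept it.” Taiwan’s Mainland Affairs Council also immediately rejected the proposal, saying Taiwan “is not the product of any commercial transaction or acquisition,” but that it welcomed him and other international business figures to visit Taiwan for exchanges, to see for themselves how Taiwan’s democracy, freedom, and innovative development differ from a communist authoritarian market system and malicious coercion and suppression.

If Musk’s earlier suggestion that Ukraine cede the Crimean peninsula to Russia angered Ukrainians, at least the Russian side did not object. But his suggestion for Taiwan did not sit well even with mainland China. The foreign ministry spokesperson promptly responded that “the Taiwan question is China’s internal affair,” implying that Musk’s interference was not welcome; a CCTV news report went further and stated bluntly that “Musk made presumptuous comments on China’s Taiwan question.” A day later, however, the mainland’s attitude appeared to soften, with the foreign ministry spokesperson saying instead that China “hopes and is glad to see more and more people understand and support ‘peaceful reunification and One Country, Two Systems.’”

China may at first have been provoked by Musk’s unsolicited remarks, but the reason for its displeasure can hardly have been the “Taiwan special administrative region” proposal itself. After all, is that not the very plan Beijing has put forward? Rather, the key point may be what Musk recounted in the interview: that Beijing made clear to him its objection to his providing the Starlink satellite network system to Ukraine to break through Russia’s cut-off and blockade of Ukraine’s internet, and that Beijing sought assurances from him that he would not sell the Starlink system within China. Whether intentionally or not, Musk may have made public discussions that the Chinese side regards as confidential or even a “state secret,” and this is very likely the real reason for its displeasure.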

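Starlink Is Not a Cure-All Against Dictatorship
If China wanted to ban Starlink sales in the mainland, or even in Hong Kong, it would need no assurance whatsoever from Musk; it could simply impose the ban itself. What this statement actually targets is Taiwan, which China regards as part of its territory. As it happens, Taiwan is allocating NT$550 million to build a trial satellite network to strengthen its central command systems against the possibility that the mainland cuts off conventional network infrastructure, and the technologies under consideration include the low Earth orbit (LEO) satellites that Starlink uses. After Musk’s remarks, however, can Taiwan still judge Starlink to be a safe and reliable system for itself? Perhaps no longer.

In fact, Starlink’s practical usefulness in breaking through internet censorship systems is sometimes overestimated. It would be naive to think that with the flick of a Starlink switch, internet users in totalitarian countries could magically go online freely. Starlink’s biggest limitation is that enough satellite signal receiving equipment must be installed locally. This hardware is not small, and it all has to be imported or even smuggled into the country. For people in totalitarian countries, that is easier said than done.

Take Starlink’s recent announcement that it was “activating” service for Iran. What has happened so far is instead that the company’s own website has been blocked by the Iranian government, and that some hackers, possibly state-directed, have lured Iranian users into downloading spyware under the guise of offering Starlink software.

Undoubtedly, Starlink is better suited to a situation like Ukraine’s: a free country is invaded and an outside force tries to cut off its network connections. Even so, given the system’s cost and the complexity of deployment, it is probably still better suited to military and government command use than to providing internet access to large numbers of ordinary people.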

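If a Foreign Regime Interferes With Starlink, What Will the U.S. Government Do?
When Musk announced earlier this year that he would use Starlink to support Ukraine, the response was favorable all round, and quite a few of my friends excitedly wondered whether he would provide the same support to mainland China, Hong Kong, or even Taiwan when the need arose. I could only say coolly: don’t read too much into it. Think of his mega-factory in Shanghai, how many Tesla cars he sells in China, and his friends in the Chinese government. How many U.S. corporate executives or tech tycoons can take the Chinese ambassador to the United States for a drive (or a self-driving ride)? Musk did just that in California in March this year. His conversation with the ambassador afterward was even published on the website of China’s Ministry of Foreign Affairs. Imagine if the protagonist had been Facebook’s Mark Zuckerberg or Google’s Sundar Pichai: they would surely have been summoned at once to a congressional hearing in Washington and given a fierce grilling by lawmakers. Is Musk the only one nobody can touch?

Now, however, what Musk has revealed is that the Chinese government asked him not to sell the Starlink system in China, Taiwan included. In that case the U.S. government really ought to question him: what exactly was his answer to the Chinese side? To sell, or not to sell? Imagine again if there were reports that Zuckerberg, or Apple’s Tim Cook, had been asked by China to stop providing social media or cloud services in Taiwan, or to censor or remove certain content. What would members of the U.S. Congress do?

Frankly, the U.S. and European governments have all along put money and effort into the Starlink systems sold by SpaceX, including the terminals shipped to Ukraine, which for a time made Musk a hero to Ukrainians. When a wave of anti-government protest recently emerged in Iran, U.S. Secretary of State Antony John Blinken announced on Twitter a relaxation of exports to Iran of technology related to internet freedom and the free flow of information, and the U.S. Treasury immediately updated the exemptions to the relevant sanctions, giving Starlink the green light. If the U.S. government now discovers that this company, which it has supported and worked with all along, is in fact the target of a foreign regime’s attempts at influence, aimed at stopping it from providing solutions that help internet freedom in certain places, U.S. authorities will have to get to the bottom of what exactly has happened between Musk, his companies, and these governments.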

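Musk’s Close Relationship With China Makes the Twitter Acquisition a National Security Concern
These questions and answers concern not only Musk and the companies he currently owns, such as Tesla and SpaceX, but also Twitter, which he is in the process of acquiring. Musk’s acquisition of Twitter has wavered between buying and not buying, and recently he has said he will buy after all. A U.S. court judge has granted Musk a special grace period, requiring him to complete the acquisition by October 28. But now that Musk’s relationship with China has come to light, should the U.S. authorities require a review and assessment of this acquisition’s impact on U.S. national security? After all, Twitter really is the social media opinion platform with the greatest influence in the United States and even worldwide, especially in politics.

Musk’s relationship with China caught some people’s attention long ago. For example, his rival in the space exploration business, Amazon founder Jeff Bezos, posted on Twitter in April this year, asking: “Did the Chinese government just gain a bit of leverage over the town square?” The “town square,” the place in a town where people speak out, refers to the Twitter platform. Bezos at the time also reposted another message that mentioned three things: China is Tesla’s second-largest market in the world, after the United States; Chinese battery makers are its major suppliers; and since 2009 China has banned Twitter and has been unable to influence Twitter’s content policy, but this is about to change, a reference to Musk taking over Twitter. In addition, a commentator for Nikkei Asia put it even more directly: “Beijing may feel that it is able to pressure Musk to take down content that it does not like, as the Chinese government has always done. If Musk refuses, Beijing could start squeezing Tesla’s operations in China.”

Therefore, taking Musk’s Taiwan remarks too seriously would probably be focusing on the wrong thing. Rather, what he revealed is the influence China exerts over him, which reflects his vulnerability in the face of the Chinese regime, and that is the crux of the problem. What is at stake is not only how and to whom he provides the Starlink network. More important is his acquisition of Twitter, which could endanger the freedom of expression of internet users worldwide on the world’s largest and most open opinion platform, and would very likely place that freedom in the hands of the world’s largest censor, China.

(The author formerly served as the Legislative Council member for Hong Kong’s Information Technology constituency and is currently a Visiting Scholar at the Global Digital Policy Incubator at Stanford University. Disclosure: the author owns a Tesla Model 3 in Hong Kong that he no longer drives.)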

https://opinion.cw.com.tw/blog/profile/52/article/12844

Wednesday, October 12, 2022

[Diplomat] Influencing the Influencer: China and Elon Musk

Influencing the Influencer: China and Elon Musk

Elon Musk’s latest comments on Taiwan should draw our attention to the security implications of his close relationship with – and potential influence from – China.

Elon Musk, the businessman behind Tesla, SpaceX, and many other innovative and successful ventures, is equally well known for his controversial comments, whether posted on Twitter or other channels. The most recent example is his recommendation to “figure out” a special administrative zone for Taiwan, one that is “reasonably palatable” and, he thinks “possibl[y]” or even “probably” could be “more lenient than Hong Kong.”

Given that his comment was featured in a “Lunch with the FT” interview with the Financial Times, a more casual and wide-ranging discussion over the course of a meal, one might first suspect that his remark could have been an off-the-cuff, throwaway comment. However, the editor of the Financial Times, Roula Khalaf, who conducted and wrote up the interview, reported that her question about China and the risks to Tesla’s Shanghai mega-factory was met with “the longest silence” before he answered, suggesting that Musk’s comments relating to China might have been more deliberate than others.

The naïveté of Musk’s recommendation is easy to see. Public opinion in Taiwan has consistently been against Beijing’s “One Country, Two Systems” formula in recent decades, and increasingly so since the crackdowns in Hong Kong. At the same time, Musk chose to overlook the way that China reneged on its promises of democracy, freedom, and a high degree of autonomy for Hong Kong over the course of the last three decades.

From FT’s report, Musk’s proposal for Taiwan was based on his worries about the fallout of the region’s “inevitable” conflict. Though Musk assumed he would still be able to produce cars in Shanghai for Chinese customers – a belief which the interviewer noted as “curious” – he warned that other companies like Apple would be “in deep trouble” and further estimated that the global economy would take a “30 per cent hit.” In other words, his concerns are purely economic, although his proposed solution is definitively political.

Predictably, reactions from Taiwan were lopsidedly negative. As the 2022 mayoral elections across Taiwan are to take place in late November, numerous incumbents and challengers from both sides of the island’s political spectrum jumped at the opportunity to lash out at Musk, while reiterating Taiwan’s insistence on its autonomy, democracy, human rights, and freedom. Even former President Ma Ying-jeou, famous for his outreach to China during his tenure, said that Musk’s proposal was based on “One Country, Two Systems” and so must be unacceptable.

The Mainland Affairs Council of the Taiwan government also flatly rejected Musk’s idea by saying that Taiwan is not a target of a commercial transaction or a merger and acquisition. Instead, the MAC said it would “welcome” Musk and other global business figures to visit Taiwan to find out for themselves the difference between its innovative economy based on freedom and democracy, compared with communist market control based on coercion and repression.

Even China’s reaction was not entirely positive. The Ministry of Foreign Affairs responded by emphasizing that the Taiwan issue is a matter of internal affairs, implying that Musk’s meddling was not welcomed, while the state-owned CCTV’s news broadcast plainly accused Musk of making “inappropriate comments.” However, a day later, China’s attitude seemed to have softened. The MFA spokesman said he was “glad” to see more people understand and support “peaceful reunification” and “One Country, Two Systems.”

Meanwhile, Qin Gang, China’s ambassador to the United States, went on Twitter to “thank” Musk “for his call for peace across the Taiwan Strait,” and took pains to highlight how similar Musk’s proposal was to China’s own “basic principles for resolving the Taiwan question.”

Musk’s More Troubling Disclosure Is China’s Influence on Musk Himself

There is more to this story than Musk’s ill-advised proposal for Taiwan, however. In the FT interview, Musk was also quoted as saying that “Beijing has made clear its disapproval of his recent rollout of Starlink in Ukraine to help the military circumvent Russia’s cut-off of the Internet,” and that “Beijing sought assurances that he would not sell Starlink in China.” Inadvertently or not, Musk may have leaked information about his communications with Chinese officials that Beijing would consider confidential or even a “state secret.” This may well be what initially irked Beijing.

If China were to ban SpaceX’s Starlink sales in the mainland, or even Hong Kong, for that matter, it has all the power to do so, and does not need Musk’s assurances that he would not sell it. What this comment must mean is that Musk committed not to sell Starlink in Taiwan, which Beijing considers to be a sovereign part of China.

Coincidentally, Taiwan’s government is set to initiate a $17 million (NT$550 million) trial satellite program for network resiliency to keep the island’s central command systems running if conventional connections are cut. While the program is only at its funding stage, authorities are believed to be considering various satellite options, including low Earth orbit (LEO) satellites that Starlink is based on. After Musk’s disclosure, should Taiwan still consider Starlink a viable, safe, and secure option? Probably not.

When Musk first announced his Starlink deployment to support Ukraine, many of my friends were hopeful that he could do the same one day for Taiwan in the event of a cyber cutoff by China, or for Hong Kong facing more looming threats of censorship. I would caution them and say, “It’s not so easy.”

Think of Musk’s Tesla Shanghai mega-factory, the volume of cars he sells in China, and the friends he has made in the Chinese government. How many U.S. executives or Big Tech tycoons can take the Chinese ambassador for a drive, or an auto-drive, as Musk did in Fremont, California, in March this year, and then be featured by China’s Ministry of Foreign Affairs website for his “dialogue” with the ambassador? Imagine if Mark Zuckerberg of Meta or Sundar Pichai of Google tried that – they would have been summoned for a few congressional roastings right away. Somehow, only Musk can get away with it all.

But now, Musk has publicly confirmed that China is seeking assurance that he would not sell Starlink in China, meant obviously to target Taiwan. The U.S. government should start to ask him questions, including what Musk’s answer to Beijing was.

After all, the U.S. and European governments contributed financially to support Musk’s SpaceX to deliver thousands of Starlink terminals to Ukraine, making Musk at first a hero to Ukrainians. Also, after U.S. Secretary of State Antony Blinken tweeted that the U.S. would take action “to advance Internet freedom and the free flow of information” to Iranians, the U.S. Treasury updated its license guidelines to clear Starlink to obtain a sanctions exception to operate in Iran. With all the facilitation and support provided to SpaceX from the U.S. government, if it is disclosed that a foreign power has been influencing the company’s deployment in certain parts of the world with the intention to hinder internet freedom, the U.S. must find out what has happened between Musk, his companies, and this foreign power.

And the potential for Chinese influence to negatively impact U.S. national security goes beyond SpaceX and Tesla. Musk is again seeking to buy all of Twitter, after being sued by the social media company for reneging on his original proposed deal. Shouldn’t Musk’s connection with China warrant intervention by U.S. authorities to examine the national security implications of such a transaction?

Indeed, Musk’s Twitter aspiration combined with his close China connection has attracted attention from no less than fellow billionaire and space exploration rival, Jeff Bezos of Amazon and Blue Origin. In an April 2022 tweet, Bezos asked, “Did the Chinese government just gain a bit of leverage over the town square?” Bezos also retweeted a message stating a few objective facts – that Tesla’s second biggest market after the U.S. in 2021 was China, and Chinese battery makers are major suppliers for Tesla. Since 2009 when China censored and banned Twitter, its government had almost no leverage over the platform, but that may be about to change.

A commentator for Nikkei Asia, putting it even more directly, wrote, “Beijing may feel that it is able to pressure Musk to take down content that it does not like, as the Chinese government has always done. If Musk refuses, Beijing could start squeezing Tesla’s operations in China.”

This is why it is misguided to simply focus on Musk’s comment on Taiwan. His disclosure about Chinese influence – at least the attempt at it, thereby revealing his own vulnerability – should be taken seriously, in light of not only his present control of the censorship-circumventing Starlink network, but even more importantly, his attempt to take over Twitter. The deal could potentially jeopardize the freedom of expression of all Twitter users by placing the world’s biggest open opinion platform under the indirect domination of the world’s biggest censor, China.

Disclaimer: The author is the owner of a 2020 Model 3 in Hong Kong that he does not drive anymore.

Published: The Diplomat, October 11, 2022

https://thediplomat.com/2022/10/influencing-the-influencer-china-and-elon-musk/

Saturday, July 23, 2022

[Diplomat] Hong Kong’s New Cybercrime Law Consultation

Hong Kong’s New Cybercrime Law Consultation

The first in a series of post-NSL cyber laws may ironically weaken the tech sector and make Hong Kong’s internet less secure.

This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes and related jurisdictional issues, setting in motion what will likely be a series of new laws and amendments in the reformed “patriots-ruled” territory under the People’s Republic of China.

The move should come as no surprise. After all, many other jurisdictions around the world have legislated cybercrime in various shapes and forms in recent years. As technology advances, new laws try to catch up. The LRC’s Cybercrime Subcommittee actually commenced work back in January 2019, a full three-and-a-half years ago, to review Hong Kong’s relevant laws, long considered to be grossly outdated.

Indeed, for decades, Hong Kong law enforcement relied on a controversial law under the territory’s Crimes Ordinance, known as section 161, for the offense of “access to a computer with criminal or dishonest intent,” and section 27A of the Telecommunications Ordinance, forbidding “unauthorized access to any program or data held in a computer,” to prosecute cybercriminals. However, with a complacency induced by easy convictions, the police and the prosecution in Hong Kong continued to apply the outdated section 161 to computer-related cases way beyond its original legislative intent. The ordinance, after all, was passed back in 1993, long before the advent of the internet, smartphones, and social media.

Then, in a landmark decision by the Court of Final Appeal (CFA), Hong Kong’s top court, in April 2019, certain applications of section 161 were overturned. In particular, as the original law was intended to prohibit someone from accessing another’s computer, before networking was commonplace, the CFA ruled that the law could not apply to someone using his or her own computer to launch or commit the alleged criminal act. The solution was of course to update the antiquated law, and that was largely why the LRC set up a subcommittee to look into this.

While many in the public rightly saw the court’s decision as a victory against police and prosecution abuse, it was also inevitable that a new law would have to be established. The question then should be whether the new bespoke cybercrime law would be reasonable, proportional, and sufficient for deterrence against and punishment for committing cybercrimes.

So, do the current recommendations meet those criteria? I would point out four main areas of concern: proof of intent (or the lack thereof), making available or possessing devices or data for committing a crime, jurisdictional issues, and, finally, sentencing.

No Need for Proof of Intent

Under the category of illegal access to program or data, the subcommittee recommended that “mere unauthorized access should be criminalized as a summary offense, which does not require malice to be an element of the offense, subject to the statutory defense of reasonable excuse.” Similarly, under the section for illegal interception of computer data, the subcommittee “concluded against insisting on proof of an intent to commit a specific offense as this may cause excessive difficulty in law enforcement.”

But more convenience for law enforcement to prosecute may result in higher uncertainty and risk for programmers or companies unsure of how to comply. The consultation paper did cite certain examples, such as “a search engine normally does not obtain consent from a website before scanning the internet protocol address concerned,” suggesting that such “customary practices” should “continue to be tolerated.” Yet the subcommittee only goes on to suggest “a generic defense based on reasonable excuse.” What if such a generic defense cannot prevent the prosecution from pressing charges? That would cause serious chilling effects among, for instance, white-hat hackers and information security firms, local and overseas, that need to routinely access servers on the internet in order to discover vulnerabilities.

In this regard, the consultation asks, should such a defense or exemption be provided to only accredited cybersecurity professionals, and if such accreditation doesn’t exist, should it be established locally? If not, what should be the requirements for someone to prove his or her qualifications to invoke such a defense? Obviously the subcommittee has no idea how the industry operates, or how difficult, time-consuming, and costly it would be to set up such an accreditation system (which would not work well anyway).

One subcommittee member even made the remark that in order for information security companies to qualify for statutory defense or exemption, a registration system to regulate such firms may have to be set up. If that happens, local and overseas information security professionals and companies may choose to skip the troubles of registration and potential infringements of the law altogether by simply not doing business in Hong Kong anymore, and also suspending any remote surveying of Hong Kong targets for threats and vulnerabilities, leaving Hong Kong’s cyberspace less protected, less safe, and less secure.

Finally, the consultation recommends that “unauthorized disclosure or use of the intercepted data should be prohibited.” This adds great uncertainties for journalists or researchers who often have to rely on data and information from undisclosed sources. Without a whistleblower protection clause in this new law, and of course also without general whistleblower protection in Hong Kong, the public’s right to know will definitely suffer.

Making Available or Possessing Devices or Data for Committing a Crime

This whole topic should make anyone in charge of an IT platform, a cloud provider, even a university providing information services to its students and staff, cringe. The consultation paper justifies the idea by comparing it with section 62 of the Crimes Ordinance, which states that “a person who has custody or control of anything, and intends without lawful excuse to use it (or cause or permit another to use it) to destroy or damage property, shall be guilty of an offense.” This may sound perfectly reasonable if that “anything” is a gun or a knife, but extending this to the cyberworld of servers and clouds would be problematic.

Although the subcommittee considers that for this offense, the accused must have “acted with knowledge,” it still casts immense uncertainty on the part of any IT service providers that have little knowledge of what their customers do. The subcommittee further recommends that the ultimate offense committed through such device or data provided need not be limited to cybercrimes, but can be any offense. So, not only would researchers, educators, or information security professionals have good reasons to worry that by sharing code and information they may be liable for a cybercrime offense, but even email providers may worry that, if their services are used by some users to organize unauthorized protests, the providers may be liable for a cybercrime offense, even though the ultimate offense committed (such as an unauthorized protest) is not cyber in nature.

Jurisdictional Issues

One of the biggest problems in tackling cyber criminals globally is the issue of jurisdictional constraints. Hackers usually launch their attacks remotely, and they are difficult to locate, let alone identify, arrest, and charge. As a result, although traditionally common law criminal jurisdiction is territorially restricted, many common law jurisdictions are beginning to adopt more flexible approaches. So, the subcommittee recommends that for cases that involve illegal access, interception, or interference of computer data or systems, Hong Kong court jurisdiction can apply as long as any “essential element” of the offense has occurred in Hong Kong; the victim is a “Hong Kong person”; the target computer, program, or data is in Hong Kong; the perpetrator’s act has caused or may cause serious damage to Hong Kong’s infrastructure or public authority; or has threatened or may threaten Hong Kong’s security. But, what constitutes “threatening Hong Kong’s security” or “serious damage to Hong Kong’s public authority”?

For cases involving intermediaries making available or possessing a device or data for committing a crime, any company “carrying on business in Hong Kong” can be liable, including companies without a Hong Kong-registered presence. This can include numerous platforms from overseas or mainland China without a Hong Kong office but that may be accepting subscribers or advertisers or otherwise doing business with Hong Kong entities.

Sentencing

Most of the recommended sentences for these new offenses range from imprisonment for up to two years for a summary or basic offense, to up to 14 years’ imprisonment for an aggravated offense. Compared with sentencing under similar laws in other common law jurisdictions, these recommendations are relatively harsh. In addition, the maximum sentence for the aggravated offense for illegal interference with computer data and a computer system is recommended to be life imprisonment. This is exceptionally excessive, and may leave the door open for judicial abuse and political repression.

The NSL Factor: What’s Next?

Although the LRC review and the establishment of the bespoke cybercrime law have been a long time coming, Hong Kong is very different today, after the imposition of the National Security Law (NSL), compared to when the review began over three years ago. Indeed, the consultation paper acknowledges the NSL’s enactment by noting: “The duty of Hong Kong to safeguard national security reaffirmed the need for reform of cybercrime laws in Hong Kong and the sub-committee has taken this into consideration in its pursuit of the cybercrime project.” Where was the NSL taken into consideration in the proposal, and what was done differently as a result? The answer may never be known.

In recent years, as jurisdictions around the world rushed to legislate their own cybersecurity laws in the name of combating online crimes, many governments have been criticized for trampling civil rights, using such laws as political tools of surveillance and censorship. While the Hong Kong government has insisted and will continue to insist that Hong Kong’s legal changes will be commensurate with leading Western democracies, we cannot just look at what is written in the law. We must also consider the realities and perceptions of the rule of law and judicial independence. Needless to say, local and international trust in Hong Kong’s legal system has taken a big beating since the NSL enactment.

But this cybercrime law proposal will not be the last. Already Hong Kong has made it clear that a long list of cyber-related legal changes will be carried out under Chief Executive John Lee’s new administration, with a new disinformation law, revision to local rules under the NSL, Basic Law Article 23 local legislation for national security to target foreign interference, and amendments to the privacy law all in the pipeline. After the LRC consultation is completed, the final proposal will be handed to the administration, which will no doubt waste no time in drafting and submitting it to the very cooperative legislature for speedy passage.

All this does not bode well for Hong Kong’s embattled IT industry and its professionals, especially those in cybersecurity, which will bear the brunt of the uncertainties and potential liabilities. Ironically the result may be a further weakened IT sector, and a less secure internet for Hong Kong.


Published: The Diplomat, July 22, 2022

https://thediplomat.com/2022/07/hong-kongs-new-cybercrime-law-consultation/
