Hong Kong Citizens Want Legal Protections for Their Metadata

Data privacy protest, Unter den Linden, Germany. Photo from Flickr User: Lindsay Eyink (CC: AT)

Data privacy protest, Unter den Linden, Germany. Photo from Flickr User: Lindsay Eyink (CC: AT)

Hong Kong’s top security official finally clarified the legal procedure governing law enforcement’s requests for user data information from Internet service providers. Now we know for certain that there is no legal procedure regulating user data requests in Hong Kong. This begs the question: Should government agencies really be able to look at our metadata without any oversight from the courts?

Lai Tung-Kwok, Hong Kong's Secretary for Security, said at a Legislative Council meeting on 29 April that law enforcement agencies may request necessary user information (such as account names, IP addresses and log records) from service providers for locating witnesses, evidence or suspects when investigating criminal cases. Warrants are only required for seizure of communications content and documents, and no warrants are required for requests for metadata. That means there is no judicial scrutiny for the 23,946 user information requests the Hong Kong Police Force and the Customs and Excise Department have issued in the past five years.

Law enforcement officials appear to believe that metadata, or “non-content” data, is not sensitive. But in the modern technology age, metadata can reveal a lot about a person. Website logs of usage information and IP addresses, for instance, can tell the police when you login to a local forum and how long you stay at the forum. With the assistance of Internet service providers, police can also ascertain your physical location when you access the forum.

The development of big data and targeted advertising proves metadata is not “non-sensitive” at all. If you consider how much companies can learn about you just by having access to your metadata, it is not hard to see how governments might do the same.

Chiang Yam Wang, Hong Kong’s privacy commissioner, raised concern over the lack of protection of Internet users’ metadata in a recent blog post. Chiang believes our metadata can be more revealing than the actual content of the communication.

Metadata portrays a detailed, comprehensive and time-stamped picture of who is communicating with whom, when, how often, and for how long; where the senders and recipients are located, who else is connected to whom, and so forth. It thus reveals the details of our personal, political, social, financial, and working lives.

Hong Kong’s legal framework for regulating law enforcement’s access to personal identification information has lagged behind other jurisdictions — even those thought of to be weak on privacy protections. For example, the United States’ Electronic Communications Privacy Act, despite being under constant attack for its weak protections for metadata, sets out rules for law enforcement officers to follow when they compel service providers to release users’ metadata. Even the much-maligned Section 215 of the USA PATRIOT Act, passed in response to the attacks of September 11, requires court approval for bulk phone metadata collection. Legal experts have little faith in the particular court that oversees this provisions — in fact, a federal court ruled last week that the practice violated existing provisions. Yet even this standard exceeds what is provided in Hong Kong.

Hong Kong also lacks clear guidelines on data retention, an issue that has recently developed in other parts of the world. This March, a judge in the Netherlands struck down the Dutch data retention law that requires telecom companies to store customers’ data for one year and Internet providers for six months. The judge said that while the law helps fight crime it also breaches the privacy of telephone and Internet users. In contrast, also in March, Australia passed a controversial security law that will force telecom and Internet service providers to store customers’ personal data for two years to help law enforcement combat domestic terrorism.

When it comes to the “individual privacy versus public safety” debate, it is worth revisiting the notion proposed by legal theorist Robert Post: Privacy isn’t the trumpeting of individual against society’s interests, but the protection of the individual based on society’s own norms and values. Privacy issues involve balancing societal interests on both sides of the scale.

It is upsetting to see Hong Kong, which prides itself on its rule of law, moving ahead without any laws or regulations to regulate and oversee police access to users’ metadata. And it is especially alarming when we think about its implications on the free flow of information and free speech. The loss of online privacy is certainly not the price Hong Kong citizens want to pay to stay away from those who are actually committing crimes.

Jennifer Zhang is a researcher at Hong Kong Transparency Report, Journalism and Media Studies Centre, The University of Hong Kong.

Start the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.