Prior to Beijing's new National Security Law, Hong Kong Gov't made 1,400 requests for user data from Apple, Google & others
A report from Hong Kong today states that Hong Kong authorities asked Apple, Google, Facebook and Twitter for information on 1,399 users between July 2019-June 2020 and hundreds of requests were granted until the advent of the national security law caused the tech giants to stop cooperating, according to the companies’ transparency reports for the period.
It was not clear from the reports what kind of data Hong Kong authorities requested. Months of pro-democracy protests and unrest – organized and fueled partly by social media and messaging apps – began in June 2019. Some requests may have been made as part of investigations into crimes unrelated to the protests, such as credit card fraud or stolen devices.
After Beijing imposed the sweeping national security law on Hong Kong last June 30, US technology and social media giants including Apple, Google, Facebook, Twitter and Telegram announced they would halt the processing all data requests from the city authorities.
In response to a Hong Kong Free Press (HKFP) enquiry on their transparency data and their latest approach to Hong Kong government requests, Apple and Google said they had no additional comment.
In their transparency reports, Apple and Facebook differentiate between supplying “content” and “non-content” data, with requests for the two types of information handled differently. In general, content data covers emails and other messages, lists of contacts, photos and what is said in social media posts.
Non-content data is metadata such as login time, IP addresses, registration information, or even the number of characters contained in a message – but not what the message says.
After the security law came into force, Apple told TechCrunch – that requests for user content data must be submitted through the Mutual Legal Assistance Treaty between the US and Hong Kong.
Apple said it stored iCloud data for Hong Kong users in the US. Requests to access user content must be approved by the US Department of Justice and supported by a warrant issued by a US federal judge, before the data could be handed to Hong Kong. It was also “assessing” the new security law, the company said.
Its statement at the time made no mention of data it had given to authorities that did not involve "user content."
Apple received three types of requests from Hong Kong authorities between July 2019 and June 2020, according to its transparency reports for the period.
The Hong Kong government made 16 requests for data for 25 Apple accounts in that period. The company rejected five of these requests in part or in full, but complied with seven – although it supplied only non-content data. It was not clear what happened in the other four cases. Apple did not provide "content data" in response to requests from Hong Kong during the period, the report said.
Non-content data may include "subscriber, account connections or transactional information," the transparency reports say, while content data refers to material "such as stored photos, email, iOS device backups, contacts or calendars."
Separately, Apple also received 294 requests from Hong Kong for information on 355 devices during this period. Data was provided in response to 169 of these requests.
Apple also provided data in 128 out of 293 requests for information related to financial identifiers, such as credit card numbers registered on the Apple app store. These involved 765 financial identifiers.
In its transparency reports, Apple said it only responds to valid legal requests from governments, and will "challenge or reject" them if they are invalid, unclear, or overly broad. The requests may be related to investigations on stolen devices or credit card fraud, and are responded to through a "centralized and standardized process" by a legal team.
The company would also notify its customers of such government requests unless explicitly legally banned from doing so, or if notification would risk causing injury or death to an identifiable person, or if it would endanger children, the reports said.
Apple did not respond to HKFP’s question over whether its Hong Kong users had been notified of government data requests.
Wong Ho-wa, a data scientist and current Election Committee representative for the IT industry, said customer data is typically understood to include both content and non-content data. "It is not quite fair" to users if companies like Apple have policies which differentiate between the two categories of information, he told HKFP.
Both content and non-content data are “part of personal privacy and should be handled under the same policies, so I don’t see why it should be different,” Wong said.
A Responsibility to Educate
Wong said social media and tech companies could do more to educate users about the data they disclose to authorities. "Tech giants have the responsibility to educate ordinary people on how their data are stored," Wong said. "They may seem to have done their jobs by making disclosures in reports, but ethically speaking they should make it clear that they have different policies on customer data."
Non-content data would also be useful in law enforcement investigations. "Suppose that the content of an email was removed apart from the email [address] and IP address. In fact, it would still provide more information for investigation to see if [someone] committed something," Wong said.
"Even though we may not have seen the data presented in court as evidence, it doesn’t mean it was never used to find evidence about a person." For on this regarding Facebook and Google, read the full Hong Kong Free Press report.