Tony Chung, a Hong Kong pro–independence activist, was forced to unlock his device for authorities on August 25th. Not by threat or at gunpoint, but by pinning his head against the wall in a Hong Kong shopping mall’s stairwell while holding his phone to his face – attempting to trigger its facial recognition to unlock it. Shung shut his eyes and scrunched his face in resistance. So they forced his finger onto another phone’s fingerprint sensor, also to unlock it, but he had long disabled the fingerprint sensor on his phone. They then proceeded to demand passwords, that he claimed to forget.
Why? Because he was accused of writing a pro-independence Facebook post and asked to delete it. “Do you know, with the national security law, we have all the rights to unlock your phones and get your passwords?” they said to him. The chilling part is, they’re right.
Chung’s case was the first instance of a coordinated sting in response to an “internet crime” in Hong Kong – an offense previously only common in China. Agnes Chow, pro-democracy activist and politician, was also arrested this month after releasing a YouTube video teaching Hong Kongers cybersecurity basics to protect themselves online, like how to use two-factor authentication (2FA) and installing untrusted (read: Chinese) apps only on a separate phone.
2FA, in this context, is helpful because even if a third party does successfully obtain account credentials by some means or even resets them, they cannot actually access the account without a secondary means of verifying the person’s identity. Usually, 2FA uses SMS text messages as a second factor, but this is increasingly being phased out as a less secure 2FA method due to sim swapping attacks. Instead, the more secure practice is using an authenticator app to generate expiring TOTP (Time-based One-time Password) codes that must be entered before access is granted.
The day before Chow’s arrest, she posted on Facebook that strange men appeared around her house, watching and filming her in shifts. An infrared camera also appeared to have been installed at her doorstep weeks ahead of her arrest. Jimmy Lai, the pro-democracy media mogul whose arrest made headlines was the target of a phishing scam when an employee at his company received a message from “tech support” asking for Mr. Lai’s Twitter login to “set up a new iPhone”.
These tactics are also commonly used by Chinese secret police against dissidents. Hong Kong authorities have clearly been emboldened by the new legislation. Internet giants like Google, Facebook, Twitter, and Yahoo have all allegedly stopped data sharing with Hong Kong authorities, due to the increased reaching of the Chinese government since said legislation was enacted.
On June 30th 2020, Hong Kong’s national security law was passed. American readers likely know where this is going, since they’ve seen first hand how “national security” is often little more than fancy good-sounding legalese for “government security measures taken against their own population”. Kind of like “The Patriot Act”, or “Stop Enabling Sex Traffickers Act”. Basically wording that no decent human being could ever oppose – unless they read the fine print.
So what does the fine print say in this case? For starters, it criminalizes any act of “secession”, “subversion”, “terrorism”, and “collusion” with external forces. Let’s break that down. Secession, in this context, refers to Hong Kong achieving independence and establishment as a democratic nation – which is what protesters have been risking their lives to fight for on a daily basis since March 2019. Subversion refers to the mere act of undermining Chinese authority. Typical authoritarian stuff. Collusion makes it illegal for protesters to receive any kind of foreign support, presumably including food or medical supplies.
Well, at least terrorism makes sense, right? Until you find out that damaging public property can be considered terrorism. Then again, the US recently went through the same thing when Trump branded Antifa a terrorist organization – meaning anyone can be labeled a terrorist at whim and stripped of their rights, both as a US citizen and also as a human.
Punishment for any of these crimes comes with a maximum sentence of life in prison. Regardless of the sentence, those found guilty cannot hold public office. The national security law also expands China’s powers over Hong Kong. Beijing will establish a new security office in Hong Kong with a Beijing-appointed adviser. Cases can also be extradited to China to ensure the harshest punishments. Beijing will also have power over how the law should be interpreted. Of course, Beijing law overrides Hong Kong laws.
Further provisions include surveillance and warrant-less wire-tapping of “suspects”, and trials can be heard behind closed doors. The law also applies to non-residents of Hong Kong. Meaning tourists or anyone traveling to Hong Kong for work is also subject to the draconian legislation.
Also on-brand for “good-sounding” legislation with terrifying fine print is the fact that very few people had actually seen the full text before it was enacted. Hong Kong’s Chief Executive Carrie Lam was not one of those people, even though she was defending the legislation mere hours before it came into force. Promising it would not undermine Hong Kong’s autonomy or its independent judiciary, nor would it be retroactive. So far, two of those three claims have turned out to be false.
Facebook has been surprisingly helpful – disabling the accounts of activists that get arrested to protect their privacy and prevent police access. While both iOS and Android offer a “Lockdown” feature that disables biometric authentication for precisely these reasons, someone getting ambushed in a coordinated sting like Tony Chung wouldn’t have the time to activate it.
Cybersecurity experts always advise that the appropriate measures depend on the individual’s threat model. For most normal people, the lockdown feature is probably good enough – in combination with an encrypted chat app with 2FA enabled. Whereas hunted pro-democracy activists and journalists like Tony Chung need to permanently disable biometric authentication and only communicate using timed self-destructing messages.