A sweeping new law from Beijing that aims to bring Hong Kong’s internet under its control has left Silicon Valley scrambling, with at least one Big Tech company considering a total retreat from the territory.
The national security law passed last week effectively moves Hong Kong’s internet within China’s Great Firewall, giving police the power to censor the web and potentially arrest the managers of tech companies who refuse to hand over data on users.
In response, Facebook, Twitter, Google, Zoom and Microsoft’s LinkedIn have all said they will “pause” any requests for data from law enforcement while they review their legal positions. Apple, which has the largest mainland China business of its US peers, has only said it is “assessing” the situation. Amazon Web Services said it was “reviewing the details” of the law.
But Western companies now must judge how much leeway they will have, whether they can comply with the new regime, or whether they will ultimately have to abandon Hong Kong. One tech executive said his company was considering “all options”.
What could the tech companies be forced to do under the new law?
The Hong Kong government can now compel companies to take down online posts or accounts, and to share private user data.
If, for example, a company refuses to remove a social media post, police are able to seize and confiscate the Hong Kong-based servers that store the messages.
If the posts are stored on overseas servers, the police can ask internet service providers (ISPs), which control the internet connections between Hong Kong and the rest of the world, to block access to offending websites.
As Hong Kong businesses, ISPs will find it harder than foreign tech companies to reject requests, said Paul Haswell, a Hong Kong-based partner at law firm Pinsent Masons.
Mr Haswell predicted that while big tech companies will probably move servers out of Hong Kong, in the end their websites are likely to be blocked.
“Hong Kong authorities can now move up every link in the chain of how information goes from a server to your phone or laptop,” he said.
Tech companies already receive requests from Hong Kong police to share data to solve crimes. Some disclose the number of requests they get. Facebook, for example, received 384 requests in 2019 across all its services, and complied with just under half of the requests.
But under the new law, investigations into national security crimes can be deemed state secrets and any trials may be heard in closed court. Tech companies may be forbidden from disclosing what the police ask them for.
Messaging apps, including Apple’s iMessage, Signal and WhatsApp, use end-to-end encryption, meaning that only the end users can read messages. But these services can be asked to share metadata, such as the time a message was sent and the number it was sent to, or who is in the same group conversation. WhatsApp also collects contact lists and GPS locations from users with their consent.
Google Maps also collects GPS data from users and is a prime resource for US law enforcement, which often request the identities of users within a certain radius of a crime.
“Companies will collaborate with metadata gladly. Twitter is the only one who has put up some resistance,” said Nathan Freitas, director at Guardian Project, a developer of mobile privacy tools.
Mr Freitas added that he was concerned about the development of automatic surveillance and tracking for tech companies in Hong Kong.
For instance, mobile carriers could message everyone within a certain distance of a protest to tell them to go home.
ISPs and app stores, such as Google Play, could be asked to provide information on who is using or downloading VPNs and cut their service if they continue to do so.
How much is Hong Kong worth to Silicon Valley?
For LinkedIn, Twitter and Facebook, the Hong Kong market — with a population of just over 7m people — makes up less than 0.3 per cent of their global user base, based on figures by marketing agency We Are Social.
None of the major internet companies use Hong Kong as their regional headquarters although they all have offices in the city.
Facebook, for example, opened a large four-story office in Quarry Bay last year where teams are working on policy and communications, legal and finance, sales and marketing, and augmented and virtual reality.
According to its annual report, Facebook generates “meaningful revenue” from advertisers in China, listing the region among its top five sources of income outside the US. Much of that business is handled from Hong Kong.
Facebook’s Hong Kong office is advertising for a new associate general council for Greater China, who would report to the vice-president and head of legal for Asia-Pacific in Singapore. One requirement listed is a “keen understanding of Greater China’s legal framework, experience engaging with regulators is a plus”, as well as in areas of internet, data protection, privacy and cyber security laws and user-generated content.
Twitter opened an office in Hong Kong in 2015 but moved most of its China sales force to Singapore the following year, according to reports at the time. Twitter would not confirm this week whether or not it still had any employees in Hong Kong, but the location is still listed on its careers site and the company’s LinkedIn page.
Microsoft has been in the region longer than its Silicon Valley peers — its first Hong Kong office opened in 1991 and its 80,000 sq ft base in the Cyberport business district houses some 300 staff. Microsoft and LinkedIn already operate in mainland China, where LinkedIn has some 50m users. In the past, it has been criticised for censoring sensitive content.
Google, Amazon Web Services and Microsoft all have data centres in Hong Kong, while Twitter and Facebook do not have local data centres.
Mr Haswell said in theory cloud providers could be asked to hand over client data but in practice “logistically it might not be possible” because they cannot easily identify which data belongs to whom.
What happens next?
As they digest the implications of the new law, none of the tech companies was prepared to discuss their future in Hong Kong. If necessary, they all have offices elsewhere in Asia, with Singapore emerging as a popular tech hub, though it is unclear whether Hong Kong citizens would wish to move.
Meanwhile, the decision by the companies to “pause” their response to data requests does not absolve them of complying with the law, said Anson Wong Yu Yat, a barrister in Hong Kong.
“It doesn’t give any shield to liability because it is not a lawful excuse, it is just a policy that is adopted by a foreign company,” he said.
Carolyn Bigg, a technology partner at DLA Piper in Hong Kong, said it was important that the companies immediately formulate plans for how everyone from their front desk to their IT department would respond to a request from the authorities.
“It’s making sure your ‘dawn raid’ plans . . . are updated to take into account this might happen,” Ms Bigg said.
Reporting by Yuan Yang and Nian Liu in Beijing, Primrose Riordan in Hong Kong, Mercedes Ruehl in Singapore, Tim Bradshaw in London, Dave Lee and Patrick McGee in San Francisco