Joshua Wong’s black iPhone sat in a room on the 22nd floor of the Hong Kong Police Headquarters in the heart of the city’s business district, where over a total of 21 hours between late September and early November, its data were examined by officers, and hundreds of chat messages exported.
The 23-year-old pro-democracy activist only learned months later that his locked phone had been cracked into when authorities presented him with a search warrant in February. His phone had been confiscated following his arrest the previous summer on charges of inciting others to take part in an unlawful assembly at the height of Hong Kong’s mass protests against a controversial extradition law.
These details were documented in a judicial review filed last month by Wong and Agnes Chow, an activist and fellow founding member of political party Demosisto who was arrested alongside Wong and also had her phone confiscated. While the police managed to crack into Wong’s iPhone, which was locked with a four-digit passcode, they did not manage to access the contents of Chow’s Google Pixel phone using the force’s existing digital forensics tools, according to the court filing. Chow says her phone is still in police possession.
A rigged game of ping-pong
Wong’s phone was just one of nearly 4,000 of devices belonging to detainees and suspects that police cracked into between June and November last year, according to Hong Kong’s security secretary. Two judicial reviews filed in January detailed the use of vaguely worded search warrants—basically identical to those served to Wong and Chow—granting police extensive and effectively unlimited access to digital devices confiscated from people arrested in connection to the protests. Like the warrants for Wong and Chow’s phones, they gave police access not to specific devices, but for “all digital contents in all digital devices” that police brought to a room in the force’s headquarters—essentially, the police obtained warrants to search the 22nd floor of those premises, where the confiscated phones were conveniently located. In other words, the police got a warrant to ostensibly search police property.
A Hong Kong lawyer with knowledge of the cases said that after the filing of those applications, other lawyers involved in similar cases have reviewed their own documents to discover that the peculiarity of a warrant to search police headquarters is commonly used.
Some legal experts see the vague Hong Kong police warrants as legally unsound at best, and an abuse of justice and the law at worst. “It’s obvious that in jurisdictions that I know—the US, Switzerland, Germany, or under the Europe Convention on Human Rights—that this wouldn’t hold water,” said Nathan Kaiser, a lawyer and a fellow at the Berkman Klein Center for Internet & Society at Harvard University.
Kaiser explained that there are typically two parties involved in a warrant—the searching party, and the party being searched. “But here, the search warrant is for the police headquarters. That doesn’t even make sense. They’re not a party,” he said. He compared the scenario to a rigged game of ping-pong: “The same party is playing both sides of the ping-pong table, and the party whose phone is at stake is not even at the ping-pong table.”
The use of such vague search warrants potentially threatens Hong Kong citizens’ rights to privacy on a much larger scale, particularly in light of the police’s increasingly frequent practice of mass arrests, including bystanders who just happened to walk by a protest site but who still risk having their digital devices examined using broad warrants. As of early January, police have arrested around 7,000 people since protests erupted last June. Less than one-sixth of those have been charged.
Chat groups at risk
A Hong Kong-based cybersecurity expert who has provided training to the police force’s cybersecurity and technology crime bureau, and who wished to remain unnamed because the issue was “too politically sensitive,” said he’s not surprised the police have the capabilities to crack into locked phones. Even if the evidence collected is not ultimately admissible in court because the legality of the vague warrants are challenged, he said, extracting data from a phone can still help the police in their investigatory work.
He gave the example of Telegram chat groups, which are widely used by Hong Kong protesters. Even if the police do not extract specific messages to use as evidence, the expert said, they can find out who the administrator and other members of the chat group are, and use that information to further their investigations. “No one would ever know how they got that information unless they need to present it in court as evidence,” he said.
The practice of gathering information on connections between activists is not unique to Hong Kong. Law enforcement agencies elsewhere, including the US, use a similar approach.
“Particularly looking at activists, what the government is really interested in is connections, is contacts,” said Michael German, a fellow at the Brennan Center for Justice at New York University, adding that information gleaned from link analysis often gives a more complete story than the actual contents of the phone. And when that intelligence has to be presented in court as evidence, investigators reconstruct the information via legal avenues in a process known as “parallel construction.”
In court filings from the government’s prosecution team, the Hong Kong police force revealed that it had extracted data from locked phones using software from Israeli mobile forensics company Cellebrite—which is widely used by US police departments and the FBI—and Swedish mobile forensics firm MSAB. The government previously refused to publicly disclose what technology it was using to crack into locked phones, saying it was “confidential information” that could be exploited by criminals.
A spokesperson for Cellebrite said the company’s technology is “used by thousands of law enforcement and government organizations globally to help create a safer world,” but that it doesn’t comment on the specific applications of its technology. Neither MSAB nor the Hong Kong police responded to requests for comment.
The weak link in digital security
Wong believes that the Hong Kong police are also specifically targeting their arrests at high-profile and internationally recognized opposition figures in part to gain access to their phones and gather intelligence, as evidenced by last month’s arrest of 15 veterans of the city’s pro-democracy movement including media tycoon Jimmy Lai, lawyers Margaret Ng and Martin Lee, and former legislator Albert Ho.
Lai’s phone was confiscated, according to Mark Simon, a senior executive at Lai’s media company, though he did not specify whether a search warrant was served. Ho, a lawyer, said his phone was also confiscated, but he has “no particular worries at this stage” that police would crack into his phone because he invoked legal professional privilege.
“Martin Lee and Jimmy Lai, they connect with people abroad, like the White House national security council, Mike Pence, and Mike Pompeo,” Wong said, referring to the US vice president and secretary of state. “If you take their phone you can take all their communication logs.” Wong himself also has regular communications with politicians and officials in the US and other countries.
A spokesperson for the US state department said that it is “deeply concerned by Hong Kong authorities’ selective use of law enforcement for political purposes.” The office of the vice president did not respond to a request for comment.
Demosisto’s Chow is worried that more elderly protesters could be the weak link in digital security. “The older generation may be less aware. They might use WhatsApp for everything, might use fingerprints or Face ID,” she said. The police have tried on at least one occasion to forcibly unlock an iPhone by prying open a suspect’s eyes, according to an interview by the New York Times with a Hong Kong arrestee in July. “So if your family has older members going out to protests, you have to remind them.”
Figo Chan, a 24-year-old protest organizer and one of the 15 high-profile figures arrested last month, was served with a warrant that gave police liberty to search all his digital devices for one month. He said he’s not too concerned, however, about data being extracted from his device because he has been careful to keep sensitive communications off his phone, but does worry about the right to privacy being increasingly threatened in Hong Kong. “Will our data, my communications with friends, fall into the hands of the police? No one is supervising this.”