The rise of smartphones means it is easier than ever for governments to tap local telecom carriers to learn where we spend our time, what websites we visit, who we’re calling and texting, and other personal information. In Hong Kong, a group of researchers and activists is telling residents it’s time to find out how much of their data is being collected.
Access My Info Hong Kong is a new web app built by the Chinese University of Hong Kong, Keyboard Frontline, and In Media, two local NGOs, to spur more city residents to learn about what carriers know about them. It follows in the footsteps of a similar project in Canada and a pilot study in Australia, by taking advantage of local laws to force telecom providers to tell you what they’re tracking. As fears of increasing influence from Beijing grows in Hong Kong, finding out what local companies are actually tracking is more important than ever, they say.
Hong Kong residents can use the website to create a personal data request that is sent to their carrier. It requests:
- call logs
- mobile app data
- geolocation data
- IP address logs
- disclosures to third parties
- text message information
- basic subscriber information
Since it was started in mid-April, 700 requests have been sent to Hong Kong’s telcos, Lokman Tsui, a professor at City University of Hong Kong who co-founded the app said. He spoke with Quartz last week after a panel on privacy held at the university. The following is an edited transcript of the conversation.
What made you want to start this project?
When we first started this project I asked around to see if anyone had ever done this before in Hong Kong, and everyone said no, which I thought was interesting. We have the right to ask the telco what do you know about me, and no one has done that before.
There’s a law in Hong Kong called the Personal Data (Privacy) Ordinance. One of its key principles is about access and about correction, meaning not only can you access your own information but you can rectify it too. This law has been around for years. There is a form you can send to request access for your data but it’s is fairly complicated, it’s a couple of pages long.
Our website tries to simplify that process as much as possible. We auto-generate letters to the major telco guys and send a very detailed letter requesting different types of data. Our goal was to understand what data they have, how long they keep it for, and if we can’t get it then we want to know why not.
How have some of the telcos responded?
The law has been around for so long, but it doesn’t seem that Hong Kong telcos have a mature process in place to handle these types of requests.
The law stipulates that telcos have to respond to requests for data within 40 days. I’m happy to report that all of the telcos have given responses within 40 days. Even if it’s not a satisfactory response, at least [they have responded] and that’s good.
What has been less good about it is that almost all the telcos started calling our volunteers asking, “Why do you want to know this?” or saying, “We don’t have to tell you this.” I suspect it’s because they’ve just never handled these types of requests before.
We’ve yet to receive a complete response with all of the data that is requested. Many telcos will give call logs that show who you’ve called, but they can’t give us a list of the websites you’ve visited or geolocation, even though they track them. That’s another example of immaturity.
It’s time to bring this analog law into the digital world, which is not just about phone calls, but where I am and what websites I’ve visited.
Has any telco ever outright rejected a request?
One of them outright rejected a request. Their reasoning was that people are required to use the form that the commissioner’s offices uses in order to obtain information about their data. The interesting thing is that the law does indeed say that telcos can choose not to comply with the request is if it’s not using the official form. But the privacy commissioner is also on the record saying that if you refuse to comply just because it’s not through the form, than that’s just a technical argument.
Which one was it?
What makes advocating for privacy different in Hong Kong than elsewhere?
What’s different about Hong Kong, or why I wanted to do it in Hong Kong specifically, is because of the social context Hong Kong is in right now. You could argue that Hong Kong people more sensitive towards privacy these days thanks to two incidents in its recent history.
In 2010, six years ago, we had the so-called “Octopus Incident.” This is a case where the smart card we use to pay for everything from public transportation to bills to candy—it turned out that the company was selling data to other companies, including survey companies and insurance companies.
There was good money—the money they were making was about a third of their annual revenue. This caused a big controversy and it’s why the personal privacy data ordinance was amended in 2012. It’s still fairly fresh in people’s memories here.
In addition to that, people started worrying about the security of their personal data during the Umbrella Movement. The Umbrella Movement was running on Facebook and WhatsApp and WhatsApp back then wasn’t encrypted. There was sensitivity around this data.People were wondering if they were at risk and what the risk might be. So this seemed like a good moment to roll this out project out.
You mention the Umbrella Movement, which is undeniably driven by fears about Beijing’s increasing influence in Hong Kong. Are you worried about this influence and its effect on privacy?
I see Beijing politics and privacy in Hong Kong as two separate issues. We have a separate system of law here, as is well known.
At the same time, one thing I am concerned about is maintaining a good legal protection system in Hong Kong. Just because we have a right to privacy or other right now doesn’t mean we’ll have them forever.
The rights we have are like muscles, if we don’t use them they will atrophy. We need to use it and exercise it in order to become strong and healthy.