MTR Corporation union leader Tam Kin-chiu remembers how upset and threatened he felt after someone posted his photograph, workplace details and mobile phone number online in August 2019.
In the midst of escalating anti-government protests, Hong Kong’s train stations had become a target of serious vandalism.
The 55-year-old Tam, a train driver and vice-chairman of the pro-Beijing Hong Kong Federation of Railway Trade Unions, said being doxxed
left him feeling intimidated.
Online users attacked him for supporting the government. He received numerous anonymous phone calls, some after midnight. One caller told him threateningly: “I’ll remember your face.”
He started to worry for his family when the protests became more intense, and “was afraid somebody would do something to harm” them.
When he reported the matter to police, an officer told him not much could be done.
“There was no law to regulate doxxing, and the police couldn’t trace the person who posted my information online or the anonymous callers,” he said.
He was not alone in being harassed after his personal details were exposed. Also targeted during the social unrest of 2019 were numerous police officers, their family members, those who supported police, as well as some protesters and journalists.
Now Hong Kong is preparing to outlaw doxxing and cyber harassment, with a bill expected to go before the Legislative Council by October that will outline severe penalties not only for offenders, but also the tech platforms that enable them to leak private information.
The Constitutional and Mainland Affairs Bureau has proposed amending the Personal Data Privacy Ordinance to give the Office of the Privacy Commissioner for Personal Data power to carry out criminal investigations to curb doxxing.
Those who leak personal information to threaten, harass or cause psychological harm to individuals or their family members will face five years in jail and a maximum fine of HK$1 million (US$129,000).
The proposed law also seeks to penalise companies that provide platforms for offenders to post the personal details of their targets, with penalties for the staff of those companies as well.
The strongest objections to the bill came early this month from the Singapore-based Asia Internet Coalition, an alliance that includes such American tech giants as Facebook, Google, Yahoo, Twitter and LinkedIn.
Among other things, the group said the proposed law was too expansive and excessive, likely to curtail free expression, and would discourage tech companies from investing and offering services in Hong Kong.
It objects to wording in the proposed law which effectively suggests that any intermediaries and local subsidiaries of offending companies will be liable to investigation and prosecution.
This would be “a completely disproportionate and unnecessary response to doxxing,” it said, because intermediaries were neutral platforms with no editorial control of posts and were not the ones maliciously publishing personal data.
Other observers have questioned how the government will strike a balance between ensuring freedom of expression and the right to privacy, and whether Hong Kong will be able to retain its status as an innovation and technology hub with a free and open internet.
‘Proposed law is unusually stringent’
In acting to criminalise doxxing, Hong Kong is following similar action by Singapore, the European Union, Australia, New Zealand and Canada.
But the city’s proposed law was “far more stringent and appears to be a response to events of the 2019 protests”, said Paul Haswell, a partner with global law firm Pinsent Masons.
“This is not to say that doxxing should not be outlawed – it should – but care must be taken that only the actual perpetrators are ultimately subject to the greatest sanctions,” he added.
Haswell points out that Hong Kong’s proposed law is unusually stringent, as the staff of the tech companies’ web platforms where doxxed materials are posted could face fines and imprisonment unlike in other jurisdictions that commonly punish the culprits who post the personal information.
“The employee of a platform holder in Hong Kong may have no responsibility for, or power or authority to remove content deemed to be doxxing,” he said. “It is therefore unfair for such staff to face criminal liability for something they have no power or control over.”
The Privacy Commissioner will also be empowered to issue a rectification notice to anyone providing services in Hong Kong to its residents, directing the platforms hosting doxxing materials to remove them.
Failure to comply will result in a fine up to HK$50,000 and two years in prison, rising to HK$100,000 and two years behind bars for subsequent offences.
“This is the penalty that could impact staff of a platform holder based in Hong Kong, and is a subject of concern,” Haswell said.
Many doxxing cases, few arrests
Hong Kong leader Carrie Lam Cheng Yuet-ngor acknowledged the concerns of the tech coalition, but said on July 6 the anti-doxxing regime would address the problem of people being traumatised in this manner.
Police said about 3,800 officers and their family members had become victims of doxxing since the anti-government protests erupted in June 2019, and they were subjected to cyber bullying and harassment.
Only 61 people aged between 16 and 60 were arrested for offences such as disclosing personal data obtained without consent, criminal damage, fraud and incitement to commit public nuisance.
A police spokesman said some used the officers’ personal details to apply for personal loans and, distressingly, to donate organs.
As an interim arrangement, police turned to the courts for anonymity orders to conceal the identity of officers involved in protest-related cases. The High Court granted an injunction in October 2019 banning the doxxing of officers and their families.
So far, only eight cases have proceeded to the courts.
Last November, Hong Kong’s first doxxing offender was jailed for two years. Former telecoms worker Chan King-hei, 33, was found guilty of gaining illegal access to the personal data of three public figures, 20 police officers and six of their family members between July and August 2019.
He exposed the name, identity card and telephone numbers of a police inspector’s father on a channel of the popular messaging app Telegram.
The officer’s father told the court of the psychological distress he suffered, including feeling helpless and fragile, and worrying about his safety and that of his family.
Chan was prosecuted on three counts of obtaining access to a computer with a view to dishonest gain, and one count of disclosing personal data obtained without consent.
While everyone agrees that doxxing is detestable, should be stopped and the culprits punished, some observers question whether the proposed law goes too far.
Charles Low, chairman of cyber industry organisation Internet Society Hong Kong, noted that the proposed law was not only stiffer than elsewhere, but also aimed to cover online messaging systems such as Telegram, Signal and WhatsApp in addition to social media platforms.
He said he would not be surprised if tech companies relocated to avoid the risks once the tough new law was in place.
“Hong Kong’s position as an internet hub will be weakened,” he said. “The new law adds more woes to internet development in the city after the national security law took effect last year.”
However, Lento Yip Yuk-fai, chairman of the Hong Kong Internet Service Providers Association, failed to see anything unreasonable in the proposed law or how it could affect the city’s tech sector adversely.
He pointed out that the law would provide a degree of protection to service providers, who could appeal when ordered by the authorities to remove offending content.
“Even if service providers are unable to take down the doxxing content, they are still allowed to put up a defence. I don’t think they would run afoul of the law easily,” he said.
Yip added that ultimately, the tech companies were only concerned about being able to do business in the city.
“Hong Kong is a free market, and service providers just want to make money here. They are free to come and go,” he said.
‘Concerns are unfounded’
Hong Kong’s privacy regulator refuted the suggestion that the proposed law could hit foreign investment.
“Anti-doxxing laws exist in many other jurisdictions, and we believe that the amendments will have no bearing on the business-friendly environment,” a spokesman said.
He said representatives of the office met the coalition via video conference on July 9 and that the tech group’s members were committed to Hong Kong and agreed with the need to combat doxxing.
The office handled 5,700 doxxing cases over the two years through May, leading to the removal of 70 per cent of related hyperlinks. It said the remaining weblinks were managed by overseas companies in places such as Dubai, Pakistan and Mali, and the office could only seek help from these jurisdictions.
Koh Chia Ling, managing director of law firm Osborne Clarke in Singapore, pointed out that the city state’s Protection from Harassment Act did not set out criminal liability for internet intermediaries such as social media platforms.
Singapore’s practice allows victims of cyber harassment to seek a court order to get internet intermediaries to disable access by users of their services to the posts causing distress.
Only when the intermediaries failed to comply would they be liable for a contempt of court charge, he said, something that had not yet happened.
In New Zealand, a doxxing charge has a relatively high threshold, as there is a need to prove intent, objective harm and subjective harm. Harm is narrowly defined as serious emotional distress.
Online content hosts are exempt from legal liability for any harmful content posted on their platforms by a third party if they follow the “safe harbour” provisions that provide a complaint process.
Lokman Tsui, assistant professor of Chinese University’s school of journalism and communication, said the definition of doxxing as an offence was too vague in the proposed law, while the penalties and liability were “very questionable”.
Much will depend on how the law is interpreted and enforced.
“Under the current definition, Hong Kong police can claim that anti-police messages on the so-called Lennon Walls caused them psychological harm,” he said.
Tsui said the tech giants’ concerns were valid, as the government had given the impression that it would use any law as a weapon to crush dissent in Hong Kong.
“The problem is, we don’t know where the line should be drawn,” he said. “Now that even journalists and educators are arrested and harassed, the tech firms are naturally afraid they might be the next target.”
However, lawmaker and barrister Priscilla Leung Mei-fun said the tech coalition’s concerns were “unfounded”.
“I don’t think the law will inflict serious consequences on them,” she said.
Instead, she added, the companies needed to understand the serious threat posed by doxxing in Hong Kong, when “even judges are not exempt”.
She did not think the proposed law was particularly harsh, and emphasised it was needed to safeguard residents’ personal safety.
However, she said authorities could consider introducing a “safe harbour” clause to exempt hosts of online content from legal liability if they could prove they took due care to address complaints.
Simon Lee Siu-po, co-director of the international business and Chinese enterprise programme at Chinese University, said there was still time for the privacy commissioner to exercise caution in finalising details of the law before it was passed.
“The definition of legal terms must be clear to give confidence of enforcement,” he said. “Take the lessons on the enforcement of the national security law, which has shown a huge discrepancy between the way the law is written and the series of arrests that followed.
“Investors come to Hong Kong because of the freedom of the economy and freedom of speech. A balance is needed.”