Last November, a severe fire occurred at Wang Fuk Court in Tai Po, claiming 168 lives and leaving nearly two thousand families displaced. Four months later, affected units have been repeatedly burgled, yet owners have not even had the chance to return home to collect their belongings, let alone receive arrangements for permanent housing. On the other hand, the humble wish of residents to hold an owners’ meeting has been delayed time and again. Basic facts—such as the distribution of the deceased and the status of the fire safety system at the time of the accident—were only first made public during a recent hearing. That hearing, however, lacked enough space for residents to attend, curiously lacked a live stream, and had no power to summon the contractors.
Despite this, Hong Kong citizens should perhaps be understanding. After all, the overall efficiency of the SAR government remains high. For instance, in safeguarding national security, nearly six years after the enactment of the Hong Kong National Security Law, the government again gazetted amendments to its implementation rules on Monday. These grant law enforcement agencies more power: if a designated person refuses to provide the password or decryption method for a seized electronic device, it constitutes a crime punishable by up to one year in prison and a fine of HK$100,000. For provisions with such deep impact on civil privacy, the government can issue them suddenly with immediate effect, bypassing Legislative Council scrutiny. This demonstrates a level of executive power that deserves commendation from national leaders.
As a Hong Kong citizen, I have no way to oppose such legislation other than “voting with my feet,” as hundreds of thousands who moved to other countries have done. But as a believer in and practitioner of the Cypherpunk spirit, I feel a minimal responsibility to raise public awareness. Since these provisions were announced and implemented so suddenly, citizens may not realize they are now in a jurisdiction where they can be ordered to unlock their phones at any time—where refusal is a crime facing a HK$100,000 fine and a year in prison.
In the digital world, to see is to possess
Some might think I am overreacting or even fearmongering. Yet as I write this, it has been only two weeks since Book Punch, prosecuted for the third time, was raided by law enforcement again. The founder, Pong Yat-ming, and three other staff members were taken away, this time accused of selling “seditious publications” such as the Biography of Jimmy Lai. Just one day after the new law was enacted, if law enforcement were to exercise its power to seize Yat-ming’s phone and demand it be unlocked, all his chat records, including his conversations with me, would be instantly exposed. This example, happening right before our eyes, clearly illustrates that privacy is a local and personal issue for everyone.
Some people like to say, “If you have done nothing wrong, you need not fear a knock at the door at midnight” (perhaps because a knock at dawn is more terrifying?). They say, “If you’re honorable and upright, why fear being seen?” I wonder if the gates of their homes are transparent, or if they walk around naked in the summer. These “upright” people don’t seem to understand that wearing pants doesn’t mean you’re afraid of someone seeing a gang tattoo on your buttocks. I am upright, and I don’t even plan to delete my chats with Book Punch, but I do not want people reading my records—simply because privacy is a fundamental human right.
Furthermore, the argument that the “upright have nothing to fear” completely ignores the difference between the physical and digital worlds. In the physical world, “seeing” and “possessing” are separated. A jewelry store allows you to see gold ornaments while maintaining security; unless you pay, you cannot possess them. But with data in the digital world, to see is to possess. Saying “why fear being seen” is like saying “why fear letting people enter your home and take whatever they want”—it is utterly absurd.
Imagine if I said: “Even if I see your creations, your reports, your messages, your photos, or your videos, I won’t take them, and I promise not to back them up.” That would be a rogue’s promise, because firstly, seeing the data is largely the same as possessing it, and secondly, you have no way of knowing if I’ve made a backup. Moreover, the new implementation rules for the National Security Law apply when the phone or electronic device has already been seized and is no longer in the owner’s hands.
If this is true for general data, privacy is even more critical for asset management. If a password is leaked, data can be copied; if you get your device back or log in from another device, you still have a copy. But digital assets are like physical objects; once stolen, the owner loses them permanently. Users of digital banking, centralized exchanges, and other custodial services already know the consequences of a password leak. The government itself frequently advises citizens to be alert to scams and never leak their passwords.
Providing a password = giving up all data and assets
I should add what disclosing a password means for self-custodied cryptocurrencies.
Last month, the South Korean government accidentally published the private keys of seized cold wallets online. Cryptocurrencies worth 6.4 billion won (about US$5 million) were stolen instantly. If you think this is just a one-off blunder, you are wrong; similar incidents have happened three times this year alone, involving amounts up to US$20 million. Ultimately, this isn’t just about being careful; it involves the workflow of law enforcement agencies and the core design of cryptocurrency and cryptography.
For most people today, a phone is not just for communication; it is a device that stores all passwords, 2FA, and passkeys used to verify identity. Having the phone and the password means being able to use all services, read all data, and move all assets as the owner. If “e-money” in a bank is stolen, at least there is a trail and the possibility of a freeze. Once self-custodied cryptocurrency is stolen, however, it will likely be sent to untraceable wallets, making it difficult to even identify the thief. The victim is left with no recourse.
I absolutely agree with the importance of protecting national security, but at the same time, private property is the cornerstone of society. Article 6 of the Basic Law states: “The Hong Kong Special Administrative Region shall protect the right of private ownership of property in accordance with law.” I do not intend to question the loyalty or bravery of the Hong Kong Police Force, but there are always “rotten apples.” For example, in February 2025, a male officer was involved in 12 counts of unauthorized access to police investigation systems (ESCC 553/2026); in early 2018, an exhibits officer allegedly stole approximately HK$860,000 from an exhibit room (FLCC 2551/2018); in May 2018, an officer stole HK$3,000 from a citizen’s wallet (ESCC 1273/2018; the list goes on). During an investigation, if just one person acts on greed, the owner’s property will vanish.
Even if a citizen is lucky enough not to encounter a dishonest officer, a simple mistake by an administrator, or even just following an outdated standard operating procedure such as photographing evidence for records, is enough to cause a citizen who surrendered their password to lose their property. It is like the situation at Wang Fuk Court: the government prohibits residents from returning home to collect belongings “for their safety,” while allowing law enforcement and workers to enter, resulting in the theft of residents’ property.
The new rules of the Hong Kong National Security Law require citizens to provide passwords to law enforcement, but I see no accompanying measures to protect the property of affected citizens—specifically to ensure that self-custodied cryptocurrency does not vanish into thin air during the investigation.
I am not a legal professional; I can barely even parse the difficult, pieced-together Chinese sentences in the implementation rules. However, based on common sense and logic, if someone refuses to hand over a password to prevent their data and assets from being stolen, I believe that is perfectly reasonable.
If Hong Kong still had a normally functioning Legislative Council with representatives speaking for the people, they could at least voice these concerns. If there had been a public consultation as in a democratic society before the new rules were released, Cypherpunks—or even tech enthusiasts like me who know just a little—could have in good faith pointed out these potential loopholes.
Unfortunately, the new National Security Law rules are like the mandatory seatbelt law from months ago—rushed through without public consultation. Who can say for sure that there won’t be a department that accidentally gets something wrong, just like what happened with the seatbelt law? If a citizen hands over a password and their life savings are stolen, who will be held responsible?
POLL: The new implementation rules for the National Security Law require designated persons to provide passwords or decryption methods to police…
- I don’t know the first thing about politics.
- I have thoughts, but the risk of expressing them is too high…
- National security is paramount; the new law is reasonable, I support it!
- It fails to protect citizens’ right to privacy and may cause property loss.
- You don’t know what you’re talking about; let me, a member of the “rebuttal team,” tell you in the comments.
p.s. While the new rules have drawn attention and many citizens seem to care about privacy, Meta’s announcement that it would terminate end-to-end encryption for Instagram DMs starting in May didn’t even cause a ripple. When there’s a chance, let’s discuss how Mark Zuckerberg ate his words and, more fundamentally, why end-to-end encryption is so vital.

