A. EXECUTIVE SUMMARY
B. EVALUATION CRITERIA
C. OVERVIEW OF RESULTS
D. RESULTS OF ONLINE SERVICE PROVIDERS
BABY KINGDOM
DISCUSS.COM.HK
HKEPC
HKGALDEN
HKGOLDEN
HK IN-MEDIA
MEMEHK
MY SINA BLOG
UWANTS
E. CONCLUSION
DISCLAIMER
SPECIAL THANKS
ABOUT KEYBOARD FRONTLINE
Who’s On Your Side? Protecting Your Information
First Annual Report on Online Service Providers’ Privacy and Transparency Practices
by Keyboard Frontline
September 2015
A. EXECUTIVE SUMMARY
1. This is Hong Kong’s first ever review of online service providers’ level of transparency and respect for user data privacy.
2. Hong Kong is a new frontier of Internet transparency. The government’s controversial use of computer crimes law to arrest online forum users during the Occupy movement suggests that privacy, security and free expression are not only issues that activists should be concerned about, but can potentially affect every internet user in Hong Kong. Also increasingly important is the role internet platforms play in this process: how they work with law enforcement, when they hand over our user data and how they protect our privacy are all becoming pertinent questions. It is in this context that Keyboard Frontline, in collaboration with Hong Kong Transparency Report and the research team of the IT Legislator Charles Mok, conducted the first “Who’s On Your Side?” survey. We selected 9 local online service providers (“OSPs”): 6 are popular discussion forums, 2 are news service agencies and 1 is a blog service provider.
3. One may also wonder how banks, beauty salons etc. obtain the contact information to make cold calls, and what the data collection, sharing and retention policies of online service providers are. More seriously, the Government’s requests for netizens’ data (for instance IP addresses), when implemented in line with local and international laws and practices, can be effective in preventing crimes and keeping us safe. From 1st October 2014 to 29th January 2015, police handled 2,431 technology crime cases and made 1,156 user information requests to Internet service providers and online platforms. However, neither the government nor service providers have properly addressed the mounting public concern over whether the government’s requests are legitimate, and whether service providers respond to government requests in a responsible manner.
4. We notice a global trend of online service providers or telecommunication companies making an effort to publish transparency reports. Regrettably, Hong Kong is lagging behind this international outcry for more openness and transparency on how personal data is handled by online service providers. The lack of transparency during the request-making process casts a shadow on both government and corporate accountability. The possible suggestion of government surveillance and information misuse could have a chilling effect on netizens’ right to information and free speech, the last thing we want to see in Hong Kong, the free harbour. Therefore, it is time that Hong Kong should step up and follow suit.
5. “Who’s On Your Side?” aims to help netizens obtain a general picture of how their online data is being collected and handled by local forums, to raise awareness and promote good practice in the local Internet community.
6. Key findings include:
(a) One third of OSPs mandate excessive information for user registration. Some of them require not only an email but also a mobile phone number or ISP email, average monthly income, marital status etc. This practice is likely to facilitate self-censorship and surveillance;
(b) However, two thirds of OSPs have posted privacy policy statements on their websites and provide a dedicated channel to handle privacy enquiries;
(c) Four out of the nine OSPs surveyed state clearly that they will disclose information if there is a court order for a government data request;
(d) Yet they do not have clear legal guidelines for responding to government requests. They do not say whether a court order or warrant is required when facing government requests, nor how they would resist unreasonable requests;
(e) In contrast to many global online service providers, most of the Hong Kong online service providers surveyed have not published transparency reports disclosing details of the respective compliance rates and the number of users affected. Only one informed users of how many government requests it received.
B. EVALUATION CRITERIA
7. Five criteria are used to assess the OSPs in Hong Kong:
(a) Mandate minimal personal information to register: To earn a positive checkmark, the OSP should collect no more information than is necessary for the purpose of registration. We consider that mandatorily requiring ISP emails, telephone numbers or particulars of personal information constitutes excessive collection of information for the purpose of registration.
(b) Publish privacy policy statement: We check whether the OSP provides a Personal Information Collection Statement or a Privacy Policy Statement.
(c) Provide privacy complaint channel: An OSP is awarded a positive checkmark if it has a specific channel through which users can contact it on matters relating to privacy.
(d) Publish Comprehensive Guidelines for Data Request by Third Parties: To get a positive checkmark, the OSP is required to state not only how it will handle a data request but also how it will resist a request, in particular whether it takes active steps to enquire into the purposes of the request and limits the scope of the information provided, to ensure that no more information is given to a third party than is necessary.
(e) Publish transparency report: We award the OSP a positive checkmark in this category if it publishes useful data about how many times the authorities have sought user data from it.
8. The checkmarks of this survey cannot tell the full story. The checkmarks indicate that the online forums have either publicly disclosed related policies or told the panel they have related policies in place. A lack of checkmark does not necessarily mean the companies have not reached the standards the panel tentatively set, but possibly indicates that they either do not publicly reveal their related policies, or did not tell the panel about them.
C. OVERVIEW OF RESULTS
D. RESULTS OF ONLINE SERVICE PROVIDERS
Baby Kingdom
1. Mandate minimal personal information to register: To register as a user, netizens are required to provide surname, name, date of birth, family status, plan for children, number of children and annual gross income of the family. Users are also required to verify via SMS. Therefore, no positive checkmark is awarded. http://www.baby-kingdom.com/member.php?mod=abbott_register
2. Publish privacy policy statement: A privacy statement is published under http://www.babykingdom.com/privacy.php. A positive checkmark is therefore awarded.
3. Provide privacy complaint channel: An email address is provided for enquiries on privacy related issues. A positive checkmark is awarded accordingly.
4. Publish comprehensive legal guidelines: The privacy statement states that the disclosure of information will be done in accordance with the law. It states neither whether a court order or warrant is required nor how they will limit the information provided to what is necessary. No positive checkmark is given.
5. Publish transparency report: No transparency report or number of requests by authorities is published. No positive checkmark is awarded.
Discuss.com.hk
1. Mandate minimal personal information to register: To register, netizens are required to provide only account name, email, password and how they came to know about the forum. As the information provided is unlikely to be able to identify the netizen, a positive checkmark is awarded. http://www.discuss.com.hk/register.php
2. Publish privacy policy statement: A privacy policy statement is published under http://www.discuss.com.hk/announcement.php?id=74#74. A positive checkmark is therefore awarded.
3. Provide privacy complaint channel: Not only an email but also a postal address and a telephone number are provided for privacy matters. Therefore, a positive checkmark is awarded.
4. Publish comprehensive legal guidelines: They state clearly under what circumstances they will disclose information, e.g. warrant, court order, legal proceeding, situation allowed under section 58 of the Personal Data (Privacy) Ordinance, merger and acquisition. However, they do not say whether they will ask the requestor about the purposes and scope of the request. Accordingly, no positive checkmark is given.
5. Publish transparency report: No transparency report is published, nor is the number of data requests by the authorities disclosed. No positive checkmark is awarded.
HKEPC
1. Mandate minimal personal information to register: Only account name, password and email are required for registration. A positive checkmark is given accordingly.
2. Publish privacy policy statement: A privacy policy statement is published under http://www.hkepc.com/privacy. A positive checkmark is awarded. Users may request a copy of the information retained by the company at a fee of HK$100.
3. Provide privacy complaint channel: An email address is dedicated to privacy related issues. A positive checkmark is therefore awarded.
4. Publish comprehensive legal guidelines: The online service provider reserves the right to disclose information according to the law. It does not stipulate whether a court order or warrant is required. No positive checkmark is awarded.
5. Publish transparency report: Neither a transparency report nor the number of data requests by authorities is published. No positive checkmark is awarded.
HKGalden
1. Mandate minimal personal information to register: An ISP email or an email of a tertiary institution is required to register. In addition, users are required to provide date of birth, sex, telephone number, surname and given name for registration. Therefore, no positive checkmark is awarded. https://hkgalden.com/member/register_account
2. Publish privacy policy statement: No privacy policy statement. No positive checkmark is given.
3. Provide privacy complaint channel: No specific channel to handle privacy related enquiries. No positive checkmark.
4. Publish comprehensive legal guidelines: No legal guidelines on how information is handled when facing a request. No positive checkmark.
5. Publish transparency report: No transparency report is published and no number of data requests by authorities is disclosed. No positive checkmark.
HKGolden
1. Mandate minimal personal information to register: Users must provide a long list of personal information to register: name, nickname, sex, ISP email/email of a tertiary institution, secondary email, year of birth, country, home number, mobile number, marital status, education level, nature of job, average monthly income, hobbies, and spending behaviour on those hobbies. We consider the information required to be excessive. No positive checkmark is awarded. http://www.hkgolden.com/members/join2015.aspx?type=0
2. Publish privacy policy statement: A privacy policy statement is published under http://forum1.hkgolden.com/privacy.aspx. A positive checkmark is awarded.
3. Provide privacy complaint channel: An email address is provided for contact on privacy related issues. A positive checkmark is therefore given.
4. Publish comprehensive legal guidelines: It states that they will comply with the request of a law enforcement agency or other authorities in accordance with the law. However, it does not explain whether a court order includes a warrant, or whether they surrender users’ information only under such circumstances. No positive checkmark is awarded.
5. Publish transparency report: No transparency report is published and no number of data requests by authorities is disclosed. No positive checkmark.
HK In-Media
1. Mandate minimal personal information to register: Only email and account name are required. A positive checkmark is awarded. http://www.inmediahk.net/user/register
2. Publish privacy policy statement: There is no privacy policy statement on the website; therefore, no positive checkmark is given.
3. Provide privacy complaint channel: No dedicated channel for enquiries about privacy issues. No positive checkmark is awarded.
4. Publish comprehensive legal guidelines: No guidelines at all as to how data is handled. No positive checkmark is given.
5. Publish transparency report: In-Media has never published a transparency report or the number of data requests by the authorities on its website. No positive checkmark is awarded.
Memehk
1. Mandate minimal personal information to register: Only user name, password and email are required for registration. A positive checkmark is awarded. http://forum.memehk.com/member.php?mod=register
2. Publish privacy policy statement: A privacy policy statement is published under http://news.memehk.com/privacy. A positive checkmark is awarded.
3. Provide privacy complaint channel: An email address is provided for users to enquire about privacy related issues. A positive checkmark is given.
4. Publish comprehensive legal guidelines: It states that they will comply with data requests only under a court order, and will demand that the authorities explain the purpose of the request and how the investigation would be affected with and without the requested information. A positive checkmark is awarded.
5. Publish transparency report: It discloses the number of data requests by authorities in its privacy statement. A positive checkmark is therefore given in this category.
My Sina Blog
1. Mandate minimal personal information to register: Apart from account name, sex and email, one must also provide date of birth, education level, occupation, position in the company and average monthly salary to register. No positive checkmark is awarded. https://login.sina.com.hk/cgi-bin/register.cgi
2. Publish privacy policy statement: The privacy policy is published under http://cs.sina.com.hk/faq/sinahelp30.html. A positive checkmark is awarded.
3. Provide privacy complaint channel: A page is specially designed for filing enquiries under http://cs.sina.com.hk/faq/sinahelp707.html. A positive checkmark is given.
4. Publish comprehensive legal guidelines: It does not expressly state whether a court order or warrant is required, nor how they will handle requests by the authorities. It only states that information will be provided if it is requested for the purpose of crime prevention or investigation, or in circumstances allowed under the Personal Data (Privacy) Ordinance. No positive checkmark is awarded.
5. Publish transparency report: Neither a transparency report nor the number of data requests by authorities is published. No positive checkmark is awarded.
Uwants
1. Mandate minimal personal information to register: Only account name, email and password are mandatory for registration. A positive checkmark is therefore given in this category. http://www.uwants.com/register.php
2. Publish privacy policy statement: A privacy policy statement is published under http://www.uwants.com/announcement.php?id=127#127. A positive checkmark is awarded for that.
3. Provide privacy complaint channel: Postal address, telephone number and emails are provided for enquiries related to privacy issues. A positive checkmark is awarded.
4. Publish comprehensive legal guidelines: The privacy policy statement states clearly under what circumstances they will disclose information, e.g. warrant, court order, legal proceeding, situation allowed under section 58 of the Personal Data (Privacy) Ordinance, merger and acquisition. However, it does not say whether they will ask the authorities about the purposes and scope of the request. Accordingly, no positive checkmark is given.
5. Publish transparency report: No transparency report is published, nor is the number of data requests by the authorities disclosed. No positive checkmark is awarded in this category.
E. CONCLUSION
9. To conclude, we find that there is a lot of room for the local OSPs to improve, in particular in the protection of users’ information and in transparency when handling data requests by the authorities. Transparent governance fosters company accountability and builds user trust. In fact, 47 foreign Internet and telecom companies have published transparency reports, seven of which have disclosed requests they received from Hong Kong authorities. With these big firms leading the way, it is high time for local companies to start engaging in transparency reporting and informing users of what is happening to their online data.
10. It does take time and multi-stakeholder efforts to legitimise and standardise companies’ disclosure of government requests and related surveillance activities. We welcome comments and suggestions on this pilot project and encourage other local websites and forums to partake in this initiative.
DISCLAIMER
As this survey attempts to explore cutting-edge topics, some criteria may not be strictly applicable to some OSPs, and some of the issues concerned are still playing out at the Legislative Council and in local courts. Therefore, this survey shall not be construed as intended to prejudice the online service providers surveyed.
SPECIAL THANKS
This survey is a pilot project inspired by “Who Has Your Back” by the Electronic Frontier Foundation. Special thanks also go to “HK Transparency Report” and the research team of Hon. Charles Mok.
ABOUT KEYBOARD FRONTLINE
KEYBOARD FRONTLINE was founded in 2011 to fight for greater user rights for netizens under the 2012 Copyright Amendment Bill (also known as the Internet Article 23). Believing that the rights of netizens are of vital importance, KEYBOARD FRONTLINE devotes its time and effort to the defence of these rights. By organising various activities, for example protests, exhibitions, discussion forums and online lobbying, we aim to arouse public awareness of the importance of internet freedom, and ultimately to create a free and open internet environment in Hong Kong. Currently, KEYBOARD FRONTLINE is focusing on various projects, including internet freedom, privacy and security, the “Right to be Forgotten” and, of course, the 2014 Copyright Amendment Bill. We will undoubtedly continue to devote ourselves to safeguarding the rights of netizens in Hong Kong.
Keyboard Frontline
13 September 2015