Hong Kong Police Can Demand Passwords Under New National Security Rules

An anonymous reader quotes a report from the BBC: Hong Kong police can now demand phone or computer passwords from those who are suspected of breaching the wide-ranging National Security Law (NSL). Those who refuse could face up to a year in jail and a fine of up to $12,700, and individuals who provide "false or misleading information" could face up to three years in jail. It comes as part of new amendments to a bylaw under the NSL that the government gazetted on Monday.

The NSL was introduced in Hong Kong in 2020, in wake of massive pro-democracy protests the year before. Authorities say the laws, which target acts like terrorism and secession, are necessary for stability -- but critics say they are tools to quash dissent. The new amendments also give customs officials the power to seize items that they deem to "have seditious intention."

Monday's amendments ensure that "activities endangering national security can be effectively prevented, suppressed and punished, and at the same time the lawful rights and interests of individuals and organizations are adequately protected," Hong Kong authorities said on Monday. Changes to the bylaw was announced by the city's leader, John Lee, bypassing the city's legislative council. The NSL also allows for some trials to be heard behind closed doors.

I give this 3 days

[Anonymous Coward]

Before its abused and a non National Security search is called National Security to gain access

Re:

[Mr. Dollar Ton]

You misunderestimate the efficiency of the political police in some locations. The only difference from before is that it is now completely legal to use that soldering iron :)

Re:

[ClickOnThis]

misunderestimate

Haven't seen that one in a while. [wikipedia.org]

Re:

[Mr. Dollar Ton]

Yeah, what was terrible and unacceptable back then appears today a gone golden age of propriety and decorum.

Re:

[belmolis]

That's already the case. The so-called National Security Law is used against any kind of political dissent.

Re:

[Sloppy]

"National Security" means anything the government wants. Anything you would consider to be an abuse, they would consider to be within bounds, because there are no bounds.

Re:

[easyTree]

Arguably, open lying from the political class is not in society's interests or doesn't that count?

Re:

[Sloppy]

It's not in society's interests, but it is in government's interests. Society and government are orthogonal teams who often conflict with each other. In the US, we spelled that out explicitly in the late 1700s, but docs go back at least as far as the Magna Carta.

Alas, "spelling out" government limitations isn't the same thing as believing limits are a good idea and enforcing them, as we're occasionally reminded. The Constitution is just ink on a page, until people give a fuck about it. And in America, the c

Re:

[easyTree]

That's an implementation problem - government should be part-of and motivated solely to solve problems for: society.

Re:

[SomePoorSchmuck]

Celine's First Law [wikipedia.org]
"National Security is the chief cause of national insecurity."

Touch ID

[svoncrumb]

Time for phone manufacturers to invent a way to make PIN requirements like this impossible to fulfill. Also bring back touchid because it is more reliable than faceid. Because you know this shit isn't ending in Hong Kong!

Re:Touch ID

[Archfeld]

We need a burn-down pin. When entered performs a factory reset.

Re:

[TheMiddleRoad]

They'll burn you down for it.

Re:

[geekmux]

We need a burn-down pin. When entered performs a factory reset.

Probably not the most fashionable move while in a foreign country getting ready to be interrogated.

Suspect just became a new middle name. As 99% of people stand there with a digital brick in their hand unable to recall even a single phone number from memory to prove who they really are.

Re:

[JaredOfEuropa]

That is covered by the "providing false or misleading information" clause. In other countries it might be considered "destruction of or tampering with evidence". Around here, you can't be compelled to provide passwords to your personal devices, but providing a burn-down pin or otherwise deleting information after the police have asked for it, is a crime.

As for Touch ID or Face ID: in many places you can be compelled to unlock your phone with your fingerprint, or they can simply hold it up to your face

Re:

[DarkOx]

Dude this is China, not the USA or West.

You do something like that in the West you probably get some charge of obstruction, possibly held without bond instead of released a protracted ordeal in terms of hearings and trial.

Depending on what you're hiding that might indeed be a good or even great trade, should it actually destroy critical evidence against you in an innocent until proven guilty situation. You go to prison for your process crime for a bit and then get on with your life.

If you do this in China y

Re:

[easyTree]

Hi, you need to update your pep talk to reflect the modern US where they shoot citizens in the face for nothing at all - on video - and get away with it.

Presumably this is a way to discourage dissent too but I suspect it may backfire - eventually.

Re: Touch ID

[easyTree]

So Ice isn't s thing?

Re: Touch ID

[slazzy]

Better to have an unlock pin that opens a separate user account with file dates, browser history dates freshly touched so it looks like a valid user account recently used.

Re:

[ctilsie242]

This reminds me of a project. I can't find any info on it, but it was called PhonebookFS. You had a directory full of encrypted chunks, and you would use an encryption key to mount layers of it. Even if you knew all the passwords to each layer, there was randomly generated chaff in every repository for plausible deniability.

Now, imagine that for phones. One PIN might get you to your work's stuff. Another PIN, your personal contacts. A third PIN, a "clean" account that is intended to be scoured. None

Re:

[Sloppy]

I think that might be a bad idea, because when thugs say "hand over your phone" and you hand them a brand new phone that you have apparently never used, you're going to get wrench-based cryptanalysis. You need to be able to hand them the keys to a realistic environment that looks like it's being used. Thugs wanna see recent timestamps.

Ideally, we need to have some casual, boring (but constantly-touched!) environment that can launch encrypted environments, but somehow not have anything that references those

Re:

[easyTree]

OR: we could push back against those who would use force to coerce behaviours they like.

Re:

[SomePoorSchmuck]

Now that would be an actual use of a mobileOS-level AI agent that is perfect for LLM derivatives.
It's trained on all your personal data, so it can impersonate both you AND your pattern of interactions with your social/business circle. Then when activated it can quickly crank out a completely plausible alternative data history -- your notes, browser history, coherent back and forth message conversations, all with current time stamps and headers. Or it can go through your device data and scrub references to p

Re:

[ctilsie242]

A duress code would be nice. However, instead of a factory reset, it would do something like screw up the ECC on the flash drive or do something to make it look like a hardware fault happened, where any data extracted from the device would be poisoned or unusable.

I am still surprised that most authentication mechanisms other than a few safes, don't have a duress ability. For example, jacking people for their phones is a common thing. Having the ability to type in a duress code which would make it look li

Re:

[sarren1901]

If you can unlock your phone, then someone can force you to unlock your phone. This just makes it legal. I'm not going to look up the little comic with the guy with the wrench, but that's basically it in a nutshell.

Re:

[haruchai]

"I'm not going to look up the little comic with the guy with the wrench"
This is Slashdot. If you're going to participate, it's a requirement.
I'll do it for you this once. kindly note the proper format

Obligatory XKCD - https://xkcd.com/538/ [xkcd.com]

Re:

[TheMiddleRoad]

Gulf states are shitholes too.

Re: Other countries?

[beelsebob]

If Hong Kong hadnâ(TM)t returned to china, then under UK law, the police could demand their password for any reason at all, with similar sentences in the case of national security related offences.

That's Fine

[Bahbus]

Just set up a special alternate password that when entered wipes the device. You didn't refuse and it isn't "false or misleading", technically.

Re:That's Fine

[TheMiddleRoad]

Yeah, enjoy political prison.

Re:

[easyTree]

So your position is what? Just do whatever these fucks want?

It would be slightly more palatable if they weren't subnormally intelligent.

Re:

[TheMiddleRoad]

I know reading comprehension is hard, but come on, man. My point is that if you set up an alternative password that wipes your device, then the authoritarian regime is going to put your ass in political prison. The Brits gave up Hong Kong to an evil totalitarian regime. Hong Kong is lost. The CCP is too powerful to cast off, at least not anytime soon, so the Hong Kongers are fucked. It's best for them to GTFO, and it's best for everyone else to stay out of that authoritarian hellhole. But hey, at leas

Re:

[Bahbus]

These governments are not as powerful as you think they are.

Re:

[haruchai]

Tell us how you'd fight back against any authoritarian government when you're in their custody?

Re:

[TheMiddleRoad]

The Iranian recently killed tens of thousands of their own, and they're choking off 20% of the global energy trade. What's powerful to you?

Re:

[geekmux]

Just set up a special alternate password that when entered wipes the device. You didn't refuse and it isn't "false or misleading", technically.

Uh huh. And technically Hong Kong police can still throw your ass in prison for that.

You can try and refuse, but you’ll be reminded very quickly that this isn’t fucking Kansas, Toto.

Re:

[AmiMoJo]

The UK has had a similar law for a long time now, and this has been considered. It won't work. Veracrypt rejected the idea.

In the case of computers, they will clone the drive before entering the password, so wiping won't help. Some SSDs are better, in that they won't even allow the data to be read without the password first, but they don't support the duress password feature.

In the case of things like phones, you can set up a duress password that wipes the device, but using it will get you into more trouble

Re:

[WaffleMonster]

The UK has had a similar law for a long time now, and this has been considered. It won't work. Veracrypt rejected the idea.

In the case of things like phones, you can set up a duress password that wipes the device, but using it will get you into more trouble.

The solution for duress passwords is hidden data.
https://veracrypt.io/en/Hidden... [veracrypt.io]

Re:

[AmiMoJo]

Hidden data is an interesting idea, but you need it to be plausible. The fake data has to have signs of regular, recent use, for example, or they can argue that you haven't given them the real key. The same issue with claiming to have forgotten the password, when there is evidence that you used it recently.

Re:

[WaffleMonster]

Hidden data is an interesting idea, but you need it to be plausible. The fake data has to have signs of

Fake data?

regular, recent use, for example, or they can argue that you haven't given them the real key.

I don't know what fake data means in the context of hidden data so I can't really evaluate what you are saying. Generally while anyone can argue whatever they feel like affirmative evidence is required in court. Simply having unused space is not a crime. Suspicion it might actually be used for something else is not evidence of anything.

Re:

[AmiMoJo]

So for example, say you use the hidden partition feature. You have two encrypted partitions, one with your really secret data, and one other with some other data that you don't mind if your adversary gets hold of. Under duress you give your adversary the password to the latter.

In the UK, the prosecution can argue that the data you gave up is not all there is, and you are holding some back. As evidence, they can point to things like lists of recently accessed files that seem to point to data on that hidden p

Re:

[Sloppy]

That's pretty neat!

The danger with using unallocated space, is that sometimes you might accidentally overwrite it. But if that happens, I guess it just means you need to figure out what your new size needs to be, make a new hidden volume, and then restore from backup. It's that last step that I never remember as a possibility, probably due to my horrible backup habits. ;-)

Re:

[SvnLyrBrto]

Well then, I guess it's a good thing that the sort of big brother wannabe thugs who would demand your passwords under the guise of law would absolutely respect actual correctness and are not in any way the sort who would just toss you in the gulag for your stunt or just beat you with a pipe until you talk in the first place.

Re:

[Local ID10T]

Just set up a special alternate password that when entered wipes the device. You didn't refuse and it isn't "false or misleading", technically.

That is exactly what they mean by "providing false or misleading information".

It is a system where dissent = terrorism. The greatest threat to society is non-conformity.

Your attempt at rules lawyering will get you tortured in a re-education center until you have a change of heart and publicly acknowledge your actions were wrong and offer your sincere apologies. As a foreigner, you may be allowed to return to your home country after serving as an example. If you are a citizen, you will disappear but your

Re:

[Bahbus]

Your attempt at rules lawyering will get you tortured in a re-education center

Maybe.

until you have a change of heart and publicly acknowledge your actions were wrong and offer your sincere apologies

Never works and is never sincere because it is forced via coercion or the fear of it. Fear is a game that only losers play. Fearmongers control the game and those that give into them become loser pawns. Especially when the fearmongers aren't actually as skilled or capable as they pretend to be.

Re:

[Local ID10T]

well... yes. Welcome to CHINA.

Re:

[Bahbus]

China is not as powerful, skilled, or capable as they pretend to be.

Re:

[haruchai]

China is not as powerful, skilled, or capable as they pretend to be.

How long did you live there? Were you ever imprisoned there?

Re:

[Bahbus]

Neither are relevant to factual nature of China's power, skill, and capabilities. Putting people in jail has nothing to do with any of those. It's just a form of fear in an attempt to control the population. They can't imprison everyone. Well, I mean, they can try, but it will backfire spectacularly as it always does.

Re:

[haruchai]

"They can't imprison everyone"
were you in a different universe when China had the entire country under COVID lockdown for long periods?
sure there were protests but it amounted to nothing

Re:

[Bahbus]

The lockdowns were bad (and potentially unlawful), but did not equate to "imprison everyone". And, to be fair, if people would have actually done the right things (keeping their distance, wearing masks, and staying home) maybe the lockdowns wouldn't have happened. The various lockdowns and shutdowns across the world could have been avoided if most humans weren't so disgusting and selfish.

Digital detox

[BeaverCleaver]

Stop carrying a phone with you everywhere.

Re:

[TheMiddleRoad]

Because they cannot go into your home? What?

Re:

[geekmux]

Stop carrying a phone with you everywhere.

Oh, now there’s a creative alternative for privacy.

Pay no attention to those extra clicks you hear when using State-sponsored telecommunications. Of course 500ms is a reasonable ping to the local ISP..

Re:

[yanestra]

Some encryption tools like VeraCrypt offer a plausible deniability option. You can have a second password that unlocks a different layer of specially crafted pseudo-secret drive data.

Re:

[kwelch007]

If discovered, would that not also be "false or misleading information"?

Let me get this

[NotEmmanuelGoldstein]

.. bypassing the city's legislative council.

It sounds like 1 bureaucrat decided the police can do whatever the fuck they want and people have no rights.

... those who are suspected ...

As always, who decides? Is it a beat cop, a secret court (which is available), or the 10th judge the police ask?

You cannot tell

[gtall]

Without knowing this story was about Hong Kong, you could have thought it credible enough in the current environment to be applying in the U.S.

Re:

[organgtool]

Republicans Before MAGA: Tyranny and government overreach are bad!
MAGA Republicans Now: If it's alright for China, it's alright for us - as long as our cult leader is the one in power

Re:

[tlhIngan]

Republicans Before MAGA: Tyranny and government overreach are bad! Now hand me my guns
MAGA Republicans Now: If it's alright for China, it's alright for us - as long as our cult leader is the one in power. And no one needs guns, you shouldn't be carrying them

FTFY.

Re:

[haruchai]

"Go out in public and shout about how much you hate Trump in any city in America. Now do the same in any city in China, shouting about how much you hate Xi. See how far you get"

agree with you there but will also point out that 1000s were deported for public support of the Palestinian people and 1000s more fired for saying anything negative about Charlie Kirk who was not an elected leader or representative at any level of government

Plausible deniability

[EldoranDark]

What you need to fight this is multiple sets of credentials that unlock multiple accounts and folders. Use one pin to unlock a clean account with clean social media profiles. Another set to get in provate comms and files. Yet another to open the clean one while deleting personal in the background. It might not work against a professional forensics team, but it'll make any attempts to force people to incriminate themselves expensive. And before you ask, totalitarian government control is spreading and I worr

Ukraine gave up nukes, UK believed PRC

[sinkskinkshrieks]

The only real power grows out of the barrel of a gun or an ICBM launch tube. International agreements built on wishes and paperwork without significant and meaningful enforcement mechanisms aren't worth toilet paper.

Re:

[haruchai]

Ukraine never had operational control, only physical possession but if they really did give them all up in return for security guarantees, i bet many there wish they'd kept some to use as a reference to develop their own

zune pager with a browser

[bugs2squash]

All I really need is a web browser that need not retain history, a way to make occasional voice calls (even that could be via the web), and an app that provides notifications that there is something I should pay attention to, maybe just a bell noise and a counter of uncollected notifications or some limited amount of metadata like a name for the sender.

MFA and the clock features are the only other apps I typically use and they can be done in other ways

Some way to play music offline would be nice

\o/

[easyTree]

Why stop there? I know at least some of these guys secretly want a pony.

Online phone

[nospam007]

Just a website where you enter your password and it opens a simulation of your real phone, with all the apps, no app, because it would be a dead giveaway.

The phone itself is just a decoy you use to order pizza.