Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
Platforms should be required to turn in ‘doxxing’ offenders, Hong Kong privacy official says
13 December 2019 00:00 by Xu Yuan
Global online media platforms such as Facebook and Twitter should be required to reveal information on users that engage in “doxxing” if provided with evidence of their behavior by authorities, Hong Kong’s data protection authority has suggested as it seeks to revamp local laws.
Hong Kong Privacy Commissioner for Personal Data Stephen Wong told MLex he’s seeking to propose a second batch of recommendations to the government on revising the city’s 23-year-old Personal Data (Privacy) Ordinance, following a first group of reports presented earlier this year.
Speaking in an interview, Wong said that his second proposal is driven by a surge in doxxing and cyberbullying cases since pro-democracy protests triggered by a proposed extradition bill started in June and that he will focus on issues on enforcement tools in handling such cases.
“After the social unrests or incidents being in place for such a long time, we further find out that there are certain other provisions that need to be amended … in relation to issues arising out of the doxxing of personal data or what we call the weaponization of personal data,” Wong said.
Doxxing refers to the publication of accumulated personal data on a person with the intent of damaging their public standing or putting their safety at risk.
The changes proposed by Wong refer to the powers of the privacy authority, including investigation and prosecution, and the power to pursue not only the doxxers but also the medium — suggesting plans to regulate the use or the involvement of a social platform in cases of doxxing.
The official hopes to have included in the law a requirement that online platforms, when approached by the regulator with reasonable evidence of a doxxing offense, should be in a position to answer the regulator’s questions, including the identity or the personal information of the offenders.
“They should have a way to be able to identify the doxxers,” Wong said, referring to the platforms.
The regulator is also considering the power to apply for prohibitive orders — including an injunction — on the victims’ behalf or assist victims to apply for an injunction in court. A third possibility is for the data-protection authority to be granted the power to issue such orders.
The regulator is also seeking the power to conduct criminal investigations and prosecutions.
Wong says the number of doxing cases has has remained steady over the past few months, thanks to the enforcement efforts. His office has had 4,714 cases as of December, 36 percent of which affect members of the police and their families. It received 59 complaint cases on cyberbullying in 2018.
The official said that opposing political camps are doxxing each other and the regulator will investigate and prosecute both sides using the same yardstick, without fear or favor.
—Broader reach —
To complement increased regulatory powers over social platforms, Wong said the regulator also needed extraterritorial reach or, at least, closer cooperation with counterparts abroad.
“The difficulty is that doxxers put up messages online through a social platform or discussion board, and our primary job is to stop the damage, contain the damage caused to the data subject concerned,” Wong said in response to questions from MLex at a recent data privacy forum.
He said doxxers prefer to use social media platforms or channels that don’t operate in Hong Kong. “If [it’s not registered in Hong Kong], our hands will be tied,” he said.
To deal with this challenge, Wong told MLex that the government might need to find a way to plug the loophole on extraterritoriality, in the same way that the EU’s General Data Protection Regulation has extraterritorial applicability.
“We’ll keep chasing [the doxxers], from Hong Kong to Russia to Dubai ... and now they say they go to Syria, or Kazakhstan. So international collaboration will be needed for investigation and for protecting individuals’ rights,” Wong said.
“We need multinational or bilateral agreements in relation to enforcement and sharing of intelligence and information,” he said.
— From goodwill to law —
Wong said that, as things stand, the handling of doxxing cases depends on the goodwill and preparedness of the platforms to cooperate. This is usually achieved by the regulator appealing to their sense of social responsibility.
“But these are not the letter of the law,” Wong said, arguing that the time had come to place this goodwill “in clear terms in our statute books.”
“Now we are urging or calling for [the platforms’] cooperation to assist us in stopping unlawful use of personal data or weaponization of personal data in doxxing cases,” Wong said.
“We would like to clarify the detailed provisions and the requirements of these platforms and other parties involved [on] how the doxxing should be regulated … effectively,” he said.
“If you can't make it an obligation in Hong Kong for those platforms to provide the details, it’s a futile job of investigation,” he said.
Despite the fact that so far 77 percent of the links involving doxxing have been removed upon request, “we would like to be a perfectionist by reaching the hundred percent,” Wong added.
— Meet the legal test —
These powers, according to Wong, should be sought without compromising competing human rights and should be proportionate with a view to meeting or achieving the legitimate purpose of the proposed legislation.
The regulator anticipates objection to his proposals, because the subject concerns people’s freedom and some may think their basic right to privacy would be seriously endangered or compromised.
But Wong says that any proposal should also be consistent with the jurisprudence of Hong Kong human rights law.
The city’s High Court recently issued an interim injunction banning anyone from posting or spreading messages online that could incite violence. “We believe that this is a ground we could rely on to ask for not merely cooperation but compliance,” Wong said.
He said the recent injunction suggested that the attitude of the judges of the court was not too far from theirs. “We can see that their reasoning for granting an injunction is more or less on the same line as our thinking.”
In the past, Wong’s office has put forward similar proposals without much success. But, he said, feedback from the government on the first report is “quite encouraging” and he was now seeing more support from outside the government.
When asked if he thinks the doxxing problem will lend urgency to the need to reform the ordinance, he said that it would. “We will be given some teeth, in the tiger’s mouth,” he said.
26 May 2023 14:59 by Sam ClarkWhen the EU’s General Data Protection Regulation came into force five years ago, some said it would usher in a new era of EU supremacy over Silicon Valley's tech giants, reining in their rampant data-driven power.
24 May 2023 15:39 by Mike SwiftSince the General Data Protection Regulation took effect five years ago this week, more than 40 countries have enacted national privacy laws, most of which drew liberally from the canonical text of the EU law.
23 May 2023 23:47 by Mike SwiftThe count of countries with data protection laws more than doubled to 162 over the past dozen years, a total that includes a wide majority of the world’s nations, with new research suggesting data protection rules are approaching ubiquity.