10 Apr 2015 Law enforcement’s requests for communications content must be approved by judge
In a Legislative Council meeting this Thursday, deputy secretary of security clarified that the law enforcement’ request for communications content that is in the course of transmission is governed by Interception of Communications and Surveillance Ordinance (ICSO).
In a reply to IT Legislator Charles Mok’s question on law enforcement’ controversial practice of asking for web users’ data without adequate judicial scrutiny, Millie Ng, acting deputy secretary of security, said law enforcement officers must apply for authorisations from a judge before carrying out interception operations, or requesting communications content in transmission from service providers.
As to subscribers’ information, or meta data, Ng commented if law enforcement officers demand subscribers’ information without following any legal procedures, service providers can choose not to comply with those requests.
The ICSO sets strict conditions for a panel judge, or an eligible judge of the Court of First Instance, to issue interception or covert surveillance authorisations. The purposes for carrying out interception or covert surveillance activities should be either preventing or detecting serious crimes or protecting public security. There should be reasonable suspicion on the target, and the interception or covert surveillance “is necessary for, and proportionate to, the purpose sought to be furthered by carrying it out”. A panel judge’s authorisation for interception “is not to be longer than three months beginning the time when it takes effect”. Law enforcement can apply for renewal when necessary.
The Commissioner on Interception of Communications and Surveillance, who oversees the compliance by law enforcement agencies with the ordinance, shall notify the relevant person if the commissioner considers the interception or covert surveillance has been carried out without authorisation. However, the ordinance does not mention if the person whose communication has been intercepted or surveilled will eventually be notified.
According to the annual report by the commissioner, in 2013, 1,365 judge’s authorisations for interception and 47 authorisations for surveillance were issued. Seven applications for interception and four applications for Type 1 surveillance were rejected. A total of 261 persons were arrested as a result of or further to the operations carried out following those prescribed authorisations. Ten non-compliance cases were reported to the commissioner.
Darryl Saw, the incumbent commissioner, indicated at the annual report briefing last December that law enforcement officers can apply for subpoena to a magistrate to request from service providers information already received by the target (e.g., text messages), which is a very different matter from the interception operation covered by the ICSO.
The ICSO states that
S2 (1) “intercepting act”(截取作為) in relation to any communication, means the inspection of some or all of the contents of the communication, in the course of its transmission by a postal service or by a telecommunications system, by a person other than its sender or intended recipient;
“interception” (截取)— (a) in relation to any communication, means the carrying out of any intercepting act in respect of that communication; or (b) when appearing in a context with no specific reference to any communication, means the carrying out of any intercepting act in respect of any communication;
S2 (5) (b)… a communication transmitted by a telecommunications system is not regarded as being in the course of the transmission if it has been received by the intended recipient of the communication or by an information system or facility under his control or to which he may have access, whether or not he has actually read or listened to the contents of the communication.
Back in 2013, the Supreme Court of Canada ruled that seizing text messages stored by service providers would be an interception and requires a wiretap warrant, which is more difficult for the law enforcement to obtain than a general search warrant.
Mok at Thursday’s LegCo meeting requested the government to issue a written guideline for the IT industry on what legal procedures the law enforcement should follow when demanding different types of user data and communications content from service providers. He noted cases where law enforcement officers carry no legal documents when demanding user data from service providers, and service providers, without a clear knowledge of the relevant laws and regulations, can easily surrender user information to the law enforcement.
In 2014, Hong Kong police made around 4,234 pieces of requests for user’s meta data (e.g. IP address), only partial of which were made under court orders, and partial of the requests were acceded to by service providers. In the first half of 2014, Google received 359 user data requests from Hong Kong law enforcement, and the company only complied with half of them.
In response to legislators’ concern over whether the law enforcement will carry out covert surveillance against political activists in Hong Kong, Ng said neither the former and nor the incumbent commissioner have noticed such operations in their terms of appointment.
The ICSO specifies that
S 2 (7) ..advocacy, protest or dissent (whether in furtherance of a political or social objective or otherwise), unless likely to be carried on by violent means, is not of itself regarded as a threat to public security.
Hong Kong residents’ privacy of communication is protected by the Basic Law. Article 30 of the Basic Law promulgates:
The freedom and privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences.