For a long time, Hong Kong operated as a mostly independent city-state and was exempt from China's restrictions on the internet. In case you didn't know, China blocks many websites and services inside its borders and that means that users have no access to services like Facebook, WhatsApp, and Google services like Gmail. If users want to use these services, they have to resort to things like a VPN where those of us here in the West can just log on normally.
That's all changed, and with it comes a fear that people in Hong Kong can now be subject to punishment for things they have said online. Yes, China actively pursues users who say things that the state doesn't want them to say over the internet. It's a small world but so very different, depending on where you live in it.
This has prompted concern over government requests for user data and Facebook (as well as other companies like Telegram) has decided that it's not going to comply right now if authorities request any user data about Hong Kong's citizens. This is a very big deal.
When end-to-end encryption is not enough
Technically, WhatsApp user data and messages are encrypted and any data that Facebook could provide would just be gibberish without the encryption keys. But this is Facebook we're talking about here, and its track record means we shouldn't blindly trust things like Mark Zuckerberg saying this is the case.
End-to-end encryption means that your phone encrypts a message before it is sent, and the only person who can decrypt it is the person(s) it is addressed to. But two things about how Facebook processes WhatsApp messages are a bit worrisome: it stores them on a central server, and the way our phones can share data between apps is a way for "regular" Facebook to access WhatsApp encrypted data.
Never blindly trust a company to do the right thing.
We don't know the exact details on how Facebook handles the storage of encrypted WhatsApp messages, and it could be as simple as storing them until the recipient can download them, then erasing the data. But we do know privacy and data retention policies were a big part of the reason why the founders of WhatsApp have left the company since Facebook purchased WhatsApp for $19 billion in 2014.
We do know how data sharing on smartphones works, though. On both Android and iOS, apps can communicate with each other in order to make things like sharing a photo easier. A darker side to this is that Facebook can also expose WhatsApp data to the Facebook app. Data stored this way can be decrypted by your phone, and that means that the regular Facebook app — which makes no promise of encrypting your data when anything is uploaded to the internet — can store it.
Facebook wants all of your data and will do almost anything to get it.
And we know this is happening because Facebook has been caught doing it. We shouldn't be surprised after learning that Facebook used its Messenger component as a way to capture and store SMS and phone data; Facebook wants all of your data and has proven it will do anything to get it.
There is no proof that Facebook is storing decrypted copies of your WhatsApp messages and that it delivered that data to any government. I'm not trying to imply that it did. But it would be possible, and that's important to remember.
Just say no
Facebook, like almost every company, complies with legitimate government requests for user data when given a lawful request. Some companies may fight for us more than others, but in the end, if a judge says a company must comply, it will comply.
Hong Kong's new National Security Law is pretty scary stuff that we're not used to seeing in the West.
This used to be the case in Hong Kong, too. In 2019 requests for data from 257 users were made by Hong Kong's independent government, and Facebook complied in 46% (about 119 users) the cases. We don't know what the data was or why it was requested, but we know that Hong Kong was not alone when it comes to requesting data from Facebook; Canada requested data for 2,375 users, the United Kingdom requested data for 5,481 users, the U.S. requested data for 82,321 users, and India requested data for 39,664 users.
Things have changed in Hong Kong, which recently lost much of its independent city-state status, and mainland China now exercises more control. This has led to a legitimate concern over the civil rights and well-being of Hong Kong's 7.5 million citizens, and we encourage everyone to investigate what this means on all fronts, not just technology. In China, there is no WhatsApp, so there has never been a request for user data.
With all the sweeping changes and China's new draconian policies for Hong Kong's citizens come requests to tech companies for anything and everything that could be considered dissent that a person posts on or over the internet, and Facebook isn't having any of it:
We believe freedom of expression is a fundamental human right and support the right of people to express themselves without fear for their safety or other repercussions.
Facebook announced it will suspend all processing requests for user data from Hong Kong law enforcement. That means it's not even going to entertain the idea of handing over any user data until it can further assess "the impact of the new National Security Law, including formal human-rights due diligence," and that's great news.
Facebook has a responsibility to its users the same way it has a duty to comply with lawful and legitimate requests for data from a government. Hong Kong citizens are deleting social media accounts to keep safe because things they may have said in the past can land them in prison. Facebook also must accept the responsibility to change as the laws change in any country.
No matter what you may think of Facebook as a company, this is the right thing to do. I applaud Facebook for (finally) taking a stand and choosing to think about the privacy and safety of its users.