Issue 48

The situation in Hong Kong

Delivered on 03 September 2019 by Justin Pyvis. About a 6 min read.

Most of you are, by now, aware of the ongoing turmoil in Hong Kong. While like most I have an opinion on various aspects of it, I'm not going to get into that here and will instead focus on the technological side. Specifically, that throughout the drama there has been an ongoing battle between protesters and police taking place in the background, with the latter trying - and struggling - to identify members of the protesters, presumably so that they can be detained at a later date.

In their latest attempt to "unmask" front-line protesters, the police even added blue dye to their water cannons:

Not exactly high-tech but potentially effective; the protesters are, after all, normal people with jobs or classes to which they must attend during the week. It'll be pretty obvious to everyone what you were up to on the weekend if you show up looking like a smurf.

But the reason the police have resorted to such low-tech solutions is because they have been trying, with limited success, to both discover the identities of protesters and intercept their communications using more sophisticated means. Their problem is that almost everyone protesting in Hong Kong covers their face and wields an umbrella, and even shoot lasers that interfere with the government's facial recognition cameras. They also encrypt their communications using popular messaging apps such as Telegram:

"They have lots of phones and they're using forums. They have their own forums and they're using Telegram as a place where they hold a lot of these discussions. In fact, apologies for yesterday's incident came out of these forums there — the soul searching, and 'we shouldn't ever let this happen again' came out of these forums. So I don't really know how it will play out, but everybody's so digitally adept.
Obviously, the phones are tracked and they're aware of it. Some of them have multiple phones and some of them turn off their phones. They wear a lot of masks and [they use] umbrellas to block CCTV when they get off at a subway station: The first one jumps out and opens umbrellas covering all the visibly closed circuit CCTVs. And then when they want to make decisions, they open their umbrellas and huddle under it. It's not fully protective against surveillance, but just like many other ... surveilled [people], when I asked them if they were worried about surveillance, they usually say, "There's so many of us. There's hundreds of thousands of us in the streets." And that's probably their only real protection. I don't think they can [remain undetected] even with their umbrellas and cool tactics. I don't think they can avoid the surveillance, so they're just counting on the fact that they probably cannot jail that many of them all at once."

Encryption has thwarted many an attempt by the Hong Kong police to gather evidence, to the point that they even resorted to the ol' wrench technique.

Mr. Cheung, a skinny 29-year-old, was grabbed at a mall around noon on July 18, according to his account. Four plainclothes officers waited for him to unlock his phone and then jumped on him, trying to pry it out of his hands.

After the officers tried to use his face to unlock the phone, they took him to a police station, where, he said, he was roughed up and interrogated. Later, officers went to his home and used a USB drive loaded with hacking software to break into his computers, according to his account of the incident. He said that he had been held for more than 10 hours and that he was not sure how the police had identified him.

You can take steps to protect your data, for example as Mr Cheung did by using a privacy-friendly messaging app such as Telegram, but ultimately it all comes down to your threat model, and the protesters may have got this one wrong.

While it might help prevent the police gather evidence, whether or not their messages are encrypted is largely irrelevant; they are, after all, using Telegram as a forum/group chat, i.e. for mass communication, something easily intercepted regardless of whether or not it's encrypted (it only takes one 'insider').

What matters is whether or not individuals in those chats can be identified, something that is still possible in Telegram group chats:

"Per reports, an attacker can add tens of thousands of sequential phone numbers to a phone's address book. The attacker then connects to a Telegram channel where protests are being organized and syncs their contacts with the Telegram app.

At this point, the Telegram app will tell the attacker which of the sequential phone numbers has an account active on the protesters' group. A state law enforcement agency, or intelligence service, can then force local mobile telcos to disclose the names of the persons behind those phone numbers. In the case of the Hong Kong protests, Chinese officials could get a list of people who organized or coordinated protests via Telegram."

While Telegram is working on a patch(which might even be geographically restricted to those in China/Hong Kong), there is a chance that the flaw in Telegram at least contributed to both Mr Cheung's identification and last week's arrest of 28 people(according to the police) connected to the protests, including Joshua Wong and Agnes Chow, who led the pro-democracy protests in 2014.

Now I don't know whether the arrests were warranted or not and I'm not going to speculate either way, but the lesson here is just because something is encrypted does not necessarily make it the right tool for the situation.

It would be great...

...if the US focused more on actual issues, such as China's use of facial recognition software or its treatment of the Uyghurs, than the opaque "national security" argument that is so obviously just a cover for Trump's ridiculous long pre-determined trade dispute (tip: bilateral trade balances don't matter). How long until Vietnam starts to threaten the US' "national security"?

Learn more:

The internet's demise starts in Europe

Europe will have a different, less dynamic, internet to the rest of the world. Don't get me wrong, Facebook erred, but Europe's response is the wrong one.

Learn more:

Other bits of interest

Image of the week

Remember when Paris Hilton launched an ICO? Floyd Mayweather? This week's image is the ICO bubble, visualised.

"It's now obvious that ICOs were a massive bubble that's unlikely to ever see a recovery. The median ICO return in terms of USD is -87% and constantly dropping... The ICO failure can very easily be explained by misaligned incentives between founders and investors. Unlike in VC, the founders raised money from unsophisticated (mostly retail) investors with a product in very early stages. ICO investors had no claim on the project's assets."

If famous people start pushing products they clearly know nothing about, it's time to sell.

This week's data breaches

No commentary from me this week but lots of interesting articles, especially that iPhones were for a long time being compromised by simply visiting a website, giving hackers control of the entire device (Google discovered the flaw).

The breaches:

Issue 48: The situation in Hong Kong was compiled by Justin Pyvis and delivered on 03 September 2019. Join the conversation on the fediverse at