Discussion
Hong Kong Police Can Now Demand Phone Passwords Under New Security Rules
tyho: Wow, what a free society! In the UK if you refuse to unlock your device you can be imprisoned indefinitely! In HK it's just one year!
netsharc: Fuck me, smells like too many misinformed Nazis in this bar... Sorry if that's not you, but your comment smelled like it to me. Are you referring to this conviction, which was overturned? https://reclaimthenet.org/tommy-robinson-acquitted-after-ref...
embedding-shape: You're in a place called "Hacker" news, many of us hackers feel like we shouldn't be forced to unlock our private devices, not sure this is surprising.
andylynch: Why are you misrepresenting about UK law? Yes, it can be a criminal offence. But the maximum tariff for this under RIPA 2000 is five years. If it’s not about national security or CSAM, it’s two. (Incidentally, the USA is a real outlier in this topic)
xvector: This shit is why I don't visit China.
netsharc: How about the US? What I'm going to write smells of "whataboutism", but it's tragic how more and more of the world is becoming police states. Going to the USA, they want your social media accounts. Regardless of that, the border thugs can probably demand you unlock your devices or they'll detain you for weeks on end, without any repercussions, because that sort of lawlessness is government policy now.
dmitrygr: In the US, not disclosing a password is explicitly protected (5th amendment), SCOTUS has been clear. Not so for biometrics, but so for PIN/passwd
garciansmith: They have? What was the relevant case? It was my understanding that some lower courts have ruled one way, others the opposite. There are also many nuances in particular cases (e.g., the police wanting a broad search of a device for something that may or may not be there versus them knowing for a fact a device has certain information they want).
vrganj: The horrible bastion of despotism that is China-run Hong Kong has now caught up to the rule of law utopias of enlightened thought in the US and UK.
gruez: >in the US and UK ??? Of all the issues with the US justice system, being compelled to disclose passwords isn't one of them. It is an issue for UK, though.
FpUser: The above probably meant a point that current democracies are increasingly sliding into the same hole as authoritarian governments. Amount of encroachment of governments and big corporations on personal freedoms and democracy in "democratic" countries is quickly becoming intolerable under a guise of safety and "save the children" mantras
gib444: Oh just 5 years, that's OK then.
kleiba: It would be nice if phones had a feature where you can define more than one pin, but only one is for your actual phone contents - the other ones leave you to a completely harmless but otherwise indistinguishable looking smartphone interface that contains no or only completely bogus data.
0x3f: Depends, you can get NSL'd to disclose passwords. Good luck running that one up to the supreme court. And biometrics aren't as well-protected. Though, yes, in the UK it's a much more routine affair.
jonex: Feature request: Make it default behavior on phones that you can have multiple passwords, connected to different profiles. With no way to determine how many profiles a phone has. I'm sure there's some people here working on mobile operating systems, might be worth considering?
throwaway290: in china was never a problem for police to detain you for whatever reason (or no reason) but HK has a different legal system
netsharc: Ah yes, the US government still respects the 5th amendment... like they respect the other amendments as well as the constitution. The constitution doesn't say shooting citizens is illegal, right?
comboy: Haha, here's some random AI generated content: At least 225 judges have ruled in more than 700 cases that the administration's mandatory immigration detention policy likely violates the right to due process[1] The Fifth Amendment's Due Process Clause generally requires those having federal funds cut off to receive notice and an opportunity for a hearing, which was not provided in many of DOGE's spending freezes[2] (there's more but what's the point) 1. https://www.justsecurity.org/107087/tracker-litigation-legal... 2. https://www.cbpp.org/research/federal-budget/many-trump-admi...
dmitrygr: Wait till you hear about most of europe...
kubb: Roleplaying a parallel reality where "Europe" is an oppressive totalitarian regime will never not be funny.
ulfw: My Oppo Find N6 allows multiple user accounts
everdrive: No one likes when I say this but it's really past time to stop doing anything interesting on your phone. Delete all your apps, set it as minimally as possible. Leave it home when you go for walks, and power it off when you go driving or to the store, or whatever.
roenxi: Are we damning the UK with faint praise now? I'm not even sure how much practical difference there is between 5 and indefinite in practice, 5 years is a long time. I imagine it is pretty life-destroying. Especially for the crime of having something on your phone that you want to keep private. > If it’s not about national security or CSAM, it’s two. I am sure we all get what you mean, but there is a comic interpretation in vaguely-Soviet style here where if someone hasn't done anything wrong they only get 2 years. I'm going to spend some time this weekend making sure my encryption is plausibly deniable where possible.
hananova: "This profile doesn't have anything on it. Give us the password for the real profile." Or even worse, you did give them the real password, but because your phone supports the feature and your profile is kind of barren, they don't believe you. Now you are in a very bad lose-lose situation.
pcdevils: The police must obtain appropriate permission from a judge to obtain a s.49 RIPA notice. Before a judge grants the notice, they must be satisfied that: The key to the protected information is in the possession of the person given notice. Disclosure is necessary in the interest of national security, in preventing or detecting crime or in the interests of the economic wellbeing of the UK. Disclosure is proportionate. If the protected information cannot be obtained by reasonable means.
beambot: So you're saying it's still at the discretion of a single magistrate? I'm sure China could find some judges to rule in the name of national security if it would give everyone warm fuzzies. Judicial checks and balances only function when they're independent of the executive and parliament
kevincloudsec: I think everyone's glossing over that this extends to anyone who knows the password. Your sysadmin, your business partner, your spouse. Hong Kong just turned your company's entire key management chain into a legal liability.
pavel_lishin: For many people, their phone is their primary, if not only, computing and communications device.
everdrive: Right, which is why they need to start changing their behavior.
pavel_lishin: It would be nice if I didn't get beaten with a hose in a vain attempt to prove that I unlocked the "real" one.
iamnothere: If your country has this problem, you’re way past worrying about phones, and you need to be acquiring arms and training.
ulfw: You have never crossed the border into the Great US of A then
ericd: It's possible to cross the border many times and not have this happen.
keiferski: With LLMs, it should be easier than ever to fake generate text messages, notes, emails, etc.
plagiarist: Federal agents couldn't possibly have been aware that executing people on the streets is a violation of those people's rights, so they are covered by QI.
mikhael: > Provide fake credentials? Three years behind bars.
some_random: Funny how it's a horrible misrepresentation slurring the honor of the United Kingdom to exaggerate the penalty of not unlocking your phone for His Majesty's Law Enforcement, but US border cops being allowed to ask foreigners for the same thing upon pain of not being allowed to enter the country (something that no one seems to care about other nations doing?) is totally the same thing.
idiotsecant: So put stuff on it, duh
hananova: "This isn't what we expected to find. Give us the real password."
idiotsecant: You're unsure of the difference between 5 and infinity?
nhecker: I'm starting to believe this is [a] way forward. Or maybe an approach which is on a spectrum between <everything I have is on a phone behind a fingerprint and a four digit pin> and <I don't own a smartphone>. Unfortunately, it's pretty common to only have a smartphone as your sole compute device, and increasingly onerous not to own one at all.
em-bee: how? whatsapp, wechat, telegram, even signal, all require a phone to be used. if i didn't need any of those apps then sure, but unfortunately there is no way around these apps if i want to keep in touch with certain people that are important to me.
jobs_throwaway: They would be real credentials, just to a separate profile. Are they going to make multiple profiles illegal?