Category Archives: surveillance

Get Your Own Data Yourself

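When I was a child, I came home one day and, as usual, checked the mailbox to see whether there was any mail for me. There was a letter in the box, addressed to me, and it had already been opened. Who had opened my letter? I asked my mother what had happened; busy cleaning, she answered without stopping her work that she had mistaken the letter for hers and so had opened it. But our names are nothing alike, so how could she have mixed them up? "You must be kidding!" I said, but she only shrugged and insisted that she had thought the letter was hers. Although I was still young, I already knew something was not quite right. Why would she open a letter that clearly did not belong to her? I believe my mother opened my letter out of concern, but I was uneasy that my privacy had been invaded, and her action gradually eroded the trust between us. The incident taught me the importance of protecting personal privacy and personal data.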

"No institution can threaten privacy more than internet service providers"

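Times have changed. We seldom write letters now and rely more and more on email, chat apps, social media and other channels to communicate. The digital footprints we leave behind include more and more personal data. Who can obtain this personal data? We often joke that Facebook and Google know everything about us; in fact, internet service providers and telecommunications companies may hold even more of our personal data. Paul Ohm, a professor at Georgetown University Law Center (and also director of its Center on Privacy and Technology), stressed in a 2008 paper that "no institution in society can threaten our privacy more than internet service providers". He pointed out that in the past, because of technical limits, internet service providers could not process large volumes of personal data; but things are different today. Technology has advanced far beyond what you and I imagine, and they can now track and analyse our personal data with ease. They can know when you were where, how long you stayed, which web pages you browsed, and all kinds of sensitive personal data.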

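For this reason, I worked with other civil society groups to develop the website "Access My Info" (誰手可得), which aims to find out how our personal data is actually collected, processed and shared. Users only need to select the company that provides their service and fill in some simple personal details, and the site will help them draft a "data access request" letter, which they can then send to that company's privacy officer.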

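Under section 18 of the Personal Data (Privacy) Ordinance, we have the right to access the personal data a company has collected. Under section 19 of the ordinance, the company must also comply with a "data access request" and respond within 40 days.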

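Why build this website? I am an assistant professor at the School of Journalism and Communication of the Chinese University of Hong Kong and a researcher at the Berkman Center for Internet & Society at Harvard University in the United States. I have long studied internet freedom and pay close attention to internet policy. The organisations taking part in this research project include InMedia Hong Kong (獨立媒體(香港)) and Keyboard Frontline (鍵盤戰線), which also care about internet freedom. In addition, our partners Citizen Lab, a research think tank at the University of Toronto, and Open Effect developed a similar website in 2014, which became the blueprint for this application.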

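Through "Access My Info" we hope to understand the current state of personal data protection, including: how is our personal data collected and processed? How long is it retained? Who can get hold of it? Will the digital footprints we leave behind be used, or even abused, by all kinds of organisations?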

Why care about personal data?

Perhaps you think personal data is a trivial matter: if you have nothing to hide, why should you care? Let me share two stories.

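Story one: In 2005, the mainland Chinese journalist Shi Tao was sentenced to 10 years in prison. The case arose from his "leaking" a Chinese Communist Party document to an overseas pro-democracy website. The document instructed journalists not to report on commemorations of the June Fourth incident. Shi Tao sent the document from his Yahoo email account, and Yahoo handed his information, including his office address, telephone number and his computer's IP address, to Chinese law enforcement, which became key evidence in his imprisonment. Yahoo's conduct was criticised by international media and the public, and it was also accused of violating Hong Kong's personal data ordinance. Unexpectedly, the Privacy Commissioner and the Administrative Appeals Board held that the information Yahoo gave to law enforcement was not personal data.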

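Story two: In 2010, the Octopus company was found to have sold customers' personal data without their consent, including telephone numbers, home addresses, occupations, income levels and spending data from the "日日賞" (Octopus Rewards) programme. Octopus sold the data of more than 1.4 million customers to various companies, including insurance companies and market research firms. Octopus eventually admitted that over the previous four and a half years it had sold customer data for marketing purposes, earning HK$44 million, nearly one third of its total revenue in that period.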

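These two stories tell us that protecting our personal data is very important. Whether for commercial, political or legal reasons, many organisations are keenly interested in our personal data. As citizens, what can we do if we want to safeguard our personal data? Are we powerless?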

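Fortunately, Hong Kong has laws that protect personal data. After the Octopus incident, the personal data ordinance was amended. Under the current ordinance, we have the right to find out which personal data internet service providers and telecommunications companies have collected. If your personal data is inaccurate, you even have the right to have it corrected. In other words, we can assess the risk that our personal data will be leaked and learn where our personal data goes. To exercise your right to access your personal data, you need to make a formal written request to the organisation. "Access My Info" can help you draft this letter, so that you can check whether these companies are acting responsibly with our privacy.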

Rights grow stronger only when they are exercised

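Hong Kong is working hard to promote innovation and technology, but if we want to drive an innovation economy, we need to be able to trust the companies that collect, process and analyse our personal data. Rights are like muscles: they grow stronger only with constant exercise. The same goes for studying personal data protection: we cannot rely on written description or analysis alone, and only by exercising our rights can we truly understand the nature of the law. To cherish the rights we have, we must make good use of them. Please visit "Access My Info" (accessmyinfo.hk) and write to your internet service provider or telecommunications company. Let us exercise our rights together: get your own data yourself.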

By Lokman Tsui (徐洛文)

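The author is an assistant professor at the School of Journalism and Communication, the Chinese University of Hong Kong.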

Originally published in the opinion section of Ming Pao on 21 April 2016.

my next research project: personal data protection in hong kong

Have you ever wondered what others know about you? We live in an era where everything that we do, including who we call, for how long and at what times, what websites we visit and how often, all can be recorded in minute detail. This can be a scary thought: information is power and money, as companies can share your information with law enforcement or sell it to other companies, oftentimes without your consent.

Am I being overly concerned? Well, remember what happened in 2010 in Hong Kong? Initially denying accusations that they had sold people’s personal information without their consent, Octopus ended up confessing that, yes, they had sold away personal information of their users, making a not insignificant profit of HKD44m, which was about 31% of its total revenue. Octopus is the company famous for pioneering the smart card that everyone in Hong Kong has and uses to conveniently pay for a wide range of things, from public transportation, to candy bars, to electricity bills, with just one simple tap of the card. The personal information Octopus sold included partial identity card numbers; partial date of birth, including year and month; mailing address without block and floor details; occupation; gender; range of salary; and spending on a reward scheme. Upset and angry that Octopus was collecting, processing and even selling their personal information, users demanded to know why this could happen at all, and whether anything could be done about it. This incident ultimately led to the strengthening of data protection law in Hong Kong, which was already known for being the first jurisdiction in Asia to have a dedicated personal data protection law.

A strong law that guarantees the protection of personal information in Hong Kong: that’s great. But is it working? That’s not so clear: there was a record high number of complaints in 2015, with 40% of the complaints “related to the use of personal data without the consent of data subjects”. Perhaps not surprisingly, a study by the Annenberg Public Policy Center revealed how people are increasingly feeling a sense of resignation and fatalism when it comes to privacy: more than half do not want to lose control over their information but also feel that this already happened and that they cannot do anything about it. But people still care about privacy: another study by Pew revealed that 93% of adults say that being in control of who can get information about them is important; while 90% say that controlling what information is collected about them is important.

I study internet freedom. I believe being able to protect your privacy is critical not only because privacy is a human right, but also because privacy helps free expression: if you feel you are being watched, you will self-censor yourself. It’s why I am working on a research project, to understand the collection, processing and sharing of personal information here in Hong Kong; a research project that is in collaboration with InMedia Hong Kong and the Citizen Lab at the University of Toronto. If you’re interested, keep your eye on this space: there will be more to come.

the coming colonization of hong kong cyberspace

my latest article covers the government response to the use of the internet by the umbrella movement. it is titled “the coming colonization of hong kong cyberspace” (pdf) and published in the chinese journal of communication.

here’s the abstract:

Governments are increasingly playing catch-up and sometimes even leapfrogging ahead of social movements in the use of digital tactics; government responses to new technologies include surveillance, censorship and demonization of foreign influence. This development has implications for the emancipatory potential of new technologies, in particular for the anonymous, decentralized and autonomous character of the Internet.