In this edition of the bowers.law Room 228 Newsletter, we look at how doxxing is controlled in Hong Kong, and share with you our Top Tips to protect yourself from falling victim to doxxers.
Our reliance on social media / online platforms makes anonymity pretty much a thing of the past. The unintentional sharing of our personal information across various online platforms makes it that much easier for others to access and exploit our personal information.
Hong Kong’s first comprehensive anti-doxxing law was introduced when the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) amendments came into effect in October 2021.
What is doxxing?
Doxxing is the malicious act of publicly revealing someone’s personal / sensitive information or providing personally identifiable information about an individual without their consent.
Doxxing: Before
Prior to October 2021, a doxxing offence could only be committed if “…[a] person discloses any personal data of a data subject which was obtained from a data user without the data user’s consent…”.
- A data subject being “the individual who is the subject of the data”.
- A data user being “a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data”.
In light of this, a doxxing offence was committed only if person X disclosed a data subject’s personal information that person X had obtained from a data user without the data user’s consent. This is a very specific circumstance – and not many doxxing acts were capable of falling into this narrow class of offence. Information now circulates at lightning speed, which makes it extremely difficult (or near impossible) for the Privacy Commissioner for Personal Data (PCPD) to trace a data subject’s personal information back to a specific data user from whom it was obtained without consent.
Doxxing: Present
There are now two tiers of offences under the PDPO, the most serious penalty for which is liability on conviction on indictment to a fine of HK$1 million and imprisonment for 5 years.
- A summary offence will be committed if someone “…discloses personal data of a data subject without the relevant consent of a data subject (i) with an intent to cause any specified harm to the data subject or any family member of the data subject, or (ii) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject”.
- A second (and much more serious) indictable offence will be committed if, in addition to the above elements in point (1) “…the disclosure causes specified harm to the data subject or any family member of the data subject”.
“Specified harm” means (i) the harassment, molestation, pestering, threat or intimidation to a person (ii) bodily or psychological harm to a person (iii) harm causing one to be reasonably concerned for the person’s safety or well-being, or (iv) damage to one’s property.
The new provisions create a broader scope within which doxxing offences may be committed. Now, it is not required under the PDPO to ascertain whether the personal data disclosed was obtained from a data user (or many data users) without their consent. Instead, the PCPD can now identify the data subject directly from the disclosed personal data and then ascertain whether or not the data subject had consented to such disclosure.
Alongside the PCPD’s ability to commence legal proceedings against those involved in doxxing, the PDPO amendments now give the PCPD statutory powers to issue and serve cessation notices requiring websites, social media platforms etc. to remove any messages, posts or links involving doxxing – a viable response to ensure that any personal information published without consent can be removed in a timely manner.
Successes
The latest success under the PDPO amendments came on 12 January 2024, and saw a doxxer pleading guilty to two charges of doxxing. The victim had been involved in a financial dispute with a third party, and the doxxer posted messages containing the victim’s personal information on a personal account of a social media platform, asking the victim to settle the outstanding loan. The victim’s English and Chinese name, mobile number, photos and a copy of his Hong Kong identity card were posted on the social media platform. The doxxer was sentenced to 2 months’ imprisonment, suspended for 2 years. The PCPD’s statement about the case: https://www.pcpd.org.hk/english/news_events/media_statements/press_20240112.html
During the nearly 2 years since the implementation of the new anti-doxxing regime up until 30 June 2023, the PCPD has:
- received a total of 1,113 complaints relating to doxxing offences;
- written more than 400 times to ask operators of a total of 18 websites, online social media platforms, or discussion forums to remove more than 7,400 web links involving doxxing;
- issued 1,741 cessation notices to 39 online platforms, requesting them to remove over 22,900 web links involving doxxing; and
- commenced 188 criminal investigations and arrested 26 persons with respect to 25 cases of suspected contravention of “disclosing personal data without consent”.
(Statistics taken from the Office of the Privacy Commissioner for Personal Data, Hong Kong website)
How doxxing can occur on WhatsApp / social media platforms
You may be surprised just how easily a doxxer can acquire your personal information. Any personal information displayed on social media / online platforms provides a good starting point for doxxers to gather information – shared (and public) information, such as your name, profile picture and public status updates, can easily be exploited if it falls into the wrong hands!
If you use any location-sharing features on social media / online platforms, or frequently post your whereabouts (particularly in real time), doxxers can capitalise on this information to track your movements, daily routines and even work out your frequently visited places and home address.
Having multiple social media accounts means that doxxers can gather information from across multiple online platforms (by identifying common information, such as similar (user)names, profile pictures, interests and followers etc) to compile a comprehensive and identifiable profile of a targeted victim. For example, doxxers may find that a Facebook account with a username and profile picture corresponds to a LinkedIn profile with a similar username and similar-looking profile picture.
Unfortunately, this is only the tip of the iceberg! The doxxers’ shady methods are only getting wider and more sophisticated.
Nearly all of us have an online presence and have access to some (if not many) social media / online platforms, so we should all keep in mind that this gives doxxers an avenue to target any of our sensitive personal information.
We’re not saying that you should avoid social media / online platforms completely – we just want to take this opportunity to remind everyone that we can all take precautionary measures to minimize the risk of our personal information falling into the wrong hands.
Top Tips for protecting yourself from falling victim to doxxing
- Unless absolutely necessary, try to use social media platforms only for fun and games, rather than for the exchange of private confidential information, such as your home address, phone numbers, workplace etc. If you do end up sharing personal information, be mindful of what you decide to share.
- Change your settings in WhatsApp etc so that only your contacts can add you to group chats, minimising the risk of your profile being exposed to random third parties.
- Manage privacy settings, e.g. on WhatsApp you can manage who sees your account name, profile picture, last seen and status updates, and on Facebook you can limit the visibility of your profile and Facebook posts.
- Enable two-factor authentication on all your social media / online platforms where you can for an added layer of security.
- Take care when using public / unsecured Wi-Fi networks to access personal information, like online banking. Be cautious if you do decide to do so – but as a general rule, don’t do it!
- Enable security notifications to alert you when someone logs into your social media / online accounts from a different device, which should help identify and address any unauthorised access promptly.
- When using an exercise app, enable the function to disguise your starting and finishing locations, so as to hide your home address.
Take a look at earlier editions of our Room 228 Newsletters for more Top Tips on protecting yourself online.
- Don’t be a victim of a Rom-Con…If it looks too good to be true, it almost certainly is!
- Don’t make it easy for the hackers!
Please contact Kevin at kevin.bowers@bowers.law if you have any questions about this Room 228 Newsletter.
This Newsletter is not intended to be and should not be relied on as legal advice. You should seek professional legal advice before taking any action in relation to the subject-matter of this Newsletter.