Hong Kong Politics & Protest

Citizen nomination platform suspended following concerns over security of personal data

Organisers of an unofficial civil nomination platform for the chief executive election have temporarily shut down their system after the privacy commissioner raised concerns over the system’s use of personal data and its security.

The platform Chief Executive Election Civil Referendum 2017 is managed by the group Citizens United in Action. It was proposed by law professor Benny Tai in cooperation with the PopVote system of the University of Hong Kong’s Public Opinion Programme and the Centre for Social Policy Studies at the Hong Kong Polytechnic University.

But since the online platform’s launch last week, it has met with questions over its requests for personal data. The system asked users to input their phone number and obtain a verification code through instant messaging app Telegram. If users have set up the app’s two-step verification process, they will need to input their password as well.

PopVote

Photo: PopVote.

IT sector lawmaker Charles Mok and tech experts urged users not to use the system for now.

Frontline Tech Workers, a group of pro-democracy IT professionals, urged users not to use their number if it is used for confidential matters. Even if their number is not being used for confidential matters, the group urged users to temporarily suspend two-step verification when using the platform so that they would not need to give up their password.

The group warned that if the system was being attacked, hackers may be able to obtain the verification codes and passwords for the Telegram accounts, and gain access to them.

The system also did not automatically log users out of their Telegram sessions after they completed the nomination process. The function was added following criticism.

PopVote

Photo: Screenshot.

Lack of transparency

On Monday, the Privacy Commissioner for Personal Data issued a statement saying that “there is a lack of transparency in setting out the details and objectives” for the collection of personal data.

“It does not, in particular, state the differences in mechanism and procedures between the activities and what have been stipulated in existing laws, thereby misleading members of the public and prejudicing the public interest,” it read.

“The PCPD strongly requests the relevant organisations to stop collecting personal data unfairly and the use of the related Telegram in the activities. Individuals should fully understand the privacy risks involved and consequences before participating. The PCPD has initiated compliance check for the case.”

Stephen Wong Kai-yi

Commissioner Stephen Wong Kai-yi. Photo: Privacy Commissioner for Personal Data.

In response, Citizens United in Action said in a statement: “Although we have confidence in the security of our system, to reduce confusion among members of the public, we will suspend the nomination collection on PopVote.”

It said it will reopen the system only after the group contacts the commissioner to explain how they use collected data and understand the demands of the commissioner. The group apologised for any inconvenience caused.

The system was scheduled to be online between February 7 and 22. Twelve contenders named on the platform have received nominations ranging from one to 8,146.

Comments

Citizen nomination platform suspended following concerns over security of personal data