Current Affairs Commentary

How Much Is Your Phone Password Worth?

The Hong Kong government says the password amendment 'complies with the Basic Law' and 'does not affect ordinary citizens.' Let's open Article 30 of the Basic Law and see. Then let's check who qualifies as a target. You don't need to be a suspect — knowing a password is enough.

How much is your phone password worth?

In Hong Kong, starting March 24, 2026, refusing to hand over an electronic device password during a national security investigation carries a maximum sentence of one year in prison plus a HK$100,000 fine. Try stalling with a fake password? The penalty doubles and doubles again: three years plus HK$500,000. The amendment to the implementation rules of Article 43 of the National Security Law was gazetted on March 22 and took effect 48 hours later. The government described it as a "technical improvement," emphasized it "does not affect ordinary citizens," and claimed the amendment "complies with the Basic Law and human rights provisions."

Alright, let's open up the Basic Law and see.

The Government's Own Weapon

Article 30 of the Basic Law: "The freedom and privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences." Every word is spelled out in black and white. The key lies in six words: "in accordance with legal procedures." What was the procedure for the password amendment? Gazetted and effective within 48 hours. No Legislative Council debate, no public consultation period, the decision made unilaterally by law enforcement, no judge required. The Basic Law says "in accordance with legal procedures." In practice, it's "because I say so."

Article 39 is even more direct: the International Covenant on Civil and Political Rights applies to Hong Kong. Article 17 of the Covenant states in plain language that no one shall be subjected to arbitrary or unlawful interference with their privacy, family, home, or correspondence. Compelling someone to hand over their phone password is equivalent to cracking open their entire digital life. Chat logs, photos, bank accounts, search history — all laid bare. Does this count as "interference with privacy"? The government says no, because there's a legal basis. But the Covenant asks not just whether there's a legal basis, but whether the interference is "arbitrary." Compelled decryption without judicial oversight — arbitrary or not? You be the judge.

"Does Not Affect Ordinary Citizens"

The government says it doesn't affect ordinary citizens. But the law's scope extends far beyond suspects. The text specifies: "any person" who owns, possesses, has authorized access to, or knows the password has a legal obligation to surrender it. "Any person" is legal terminology, not advertising copy. You don't need to be suspected of any crime. You just need to "know" a device's password. Your family, your colleagues, your company's IT administrator, the technician at your phone repair shop — as long as they know, or police believe they know, they're caught in the net.

The same amendment also expanded customs powers: confiscation of items with "seditious intent" without arrest. The Secretary for Security can approve the removal of online content. "Seditious intent" in the context of the National Security Law is a box that can hold anything — the past six years of enforcement have proven that. Passwords, devices, online content — three escalating steps, forming a complete digital control chain. The password is just the entry point.

Other Countries Have It Too

Section 49 of the UK's Regulation of Investigatory Powers Act (RIPA) also allows authorities to compel the surrender of encryption keys. The penalties are even heavier than Hong Kong's: up to two years in standard cases, up to five for national security matters. But the gap between the UK and Hong Kong isn't in the legal text — it's in the four safeguards beyond it. First, a judge issues the order, not the police themselves. Second, the judge must confirm the request meets the tests of proportionality and necessity. Third, the defendant can present evidence of having forgotten the password as a defense. Fourth, the independent Investigatory Powers Tribunal provides oversight. Four safeguards, each indispensable. Australia's 2018 Assistance and Access Act doesn't even target individual users — it targets tech companies, and explicitly prohibits requiring companies to build systemic backdoors.

Back to Hong Kong. Who issues the order? In a judicial environment where the judges for the 47-person primary election case were handpicked by the Chief Executive, Jimmy Lai's trial proceeded without a jury, and a cumulative 386 people have been arrested with 176 convicted, the answer is: the Secretary for Security. The UK hands this power to a judge, then sets up an independent body to oversee the judge. Hong Kong hands it to a subordinate of the Chief Executive. Who oversees them? You tell me.

Progress Bar

June 2020: the National Security Law descended from Beijing. March 2024: Article 23 legislation. March 2026: the password amendment takes effect. One step every two years, three steps complete. The National Security Law governs speech, Article 23 governs organization, the password law governs everything inside your phone. On March 23, Hong Kong Watch testified before the Canadian Parliament, documenting Hong Kong's transnational repression. As of today, 386 arrested, 176 individuals plus 4 companies convicted, Jimmy Lai sentenced to 20 years. What fills the next slot on the progress bar? You can guess for yourself.

FAQ

What are the specific penalties under Hong Kong's password law?

Under the amendment to the National Security Law's Article 43 implementation rules, gazetted on March 22, 2026, refusing to surrender an electronic device password during a national security investigation carries a maximum penalty of one year imprisonment plus a HK$100,000 fine. Providing a false password carries up to three years imprisonment plus HK$500,000. The amendment took effect on March 24.

Does the password law only target suspects?

No. The law applies to "any person" who owns, possesses, has authorized access to, or knows the password — not just criminal suspects. This means family members, colleagues, IT administrators, and phone repair technicians who know a relevant device's password all have a legal obligation to surrender it.

Does the UK have a similar compelled decryption law?

Yes. Section 49 of the UK's Regulation of Investigatory Powers Act (RIPA) includes provisions for compelling the surrender of encryption keys, with even heavier penalties (up to two years, or five for national security cases). However, the UK version includes four institutional safeguards: judicial authorization, proportionality review, the right to claim forgotten passwords as a defense, and independent oversight by the Investigatory Powers Tribunal (IPT). Hong Kong's version requires only the Secretary for Security's approval, with no judicial involvement.

---

_(Data sources: Basic Law full text (basiclaw.gov.hk), ICCPR Article 17 (ohchr.org), UK RIPA Section 49 (legislation.gov.uk), Guardian, CNA, Straits Times, SCMP, The Standard, Hong Kong Watch. Corrections welcome if any data errors are found.)_

_—Kinney's Wonderland_