Your iPhone’s encryption means nothing if Hong Kong police decide you’re a security threat. New amendments to the city’s National Security Law now allow authorities to demand “any password or other decryption method” for phones, laptops, and encrypted devices—no warrant required, even with digital IDs.
The rules, effective March 23, 2026, turn your biometric locks and multi-factor authentication into legal obligations rather than privacy protections. Refuse to unlock your device? That’s a year in jail plus a HK$100,000 fine (roughly $12,700 USD). Provide fake credentials? Three years behind bars.
Device Security Becomes Legal Liability
These expanded powers target anyone with access to encrypted data, from device owners to IT administrators.
These powers extend beyond device owners to anyone who knows access details—your spouse, business partner, or IT administrator. The law covers everything from smartphone PINs to enterprise-grade encryption keys, essentially making digital privacy contingent on government approval, creating computer problems that go far beyond typical technical issues.
For travelers using encrypted messaging apps like Signal or running VPNs, Hong Kong just became a digital minefield. Your usual privacy tools now carry potential criminal liability if authorities deem your communications threatening to “national security”—a deliberately vague standard covering:
- Secession
- Subversion
- Terrorism
- Foreign collusion
Bypassing Traditional Legal Protections
Chief Executive John Lee implemented these changes without Legislative Council oversight or judicial authorization requirements.
Chief Executive John Lee gazetted these amendments without Legislative Council input, expanding police powers that previously required higher-level authorization. The changes also allow customs seizure of “seditious” materials and asset freezing—turning everyday devices into potential evidence, especially concerning for users of specialized AI apps that might be deemed suspicious.
UK-based law lecturer Urania Chiu called the powers “grossly disproportionate,” noting they operate “without judicial authorisation” and infringe on privacy rights and fair trials. Since the NSL’s 2020 enactment following pro-democracy protests, authorities have arrested 386 people with 176 convictions, establishing precedent for broad interpretation of security threats.
Hong Kong’s government claims these measures align with human rights protections while preventing security threats. But for anyone carrying sensitive data through Hong Kong—journalists, business travelers, or residents—the calculation just changed.
Your smartphone’s strongest encryption becomes meaningless when unlocking it isn’t optional. The implications stretch beyond Hong Kong’s borders, signaling how authoritarian governments can weaponize everyday technology against users who thought their devices were secure.
