Hong Kong Police Can Force You to Reveal Your Encryption Keys

According to a new law, the Hong Kong police can demand that you reveal the encryption keys protecting your computer, phone, hard drives, etc.—even if you are just transiting the airport.

In a security alert dated March 26, the U.S. Consulate General said that, on March 23, 2026, Hong Kong authorities changed the rules governing enforcement of the National Security Law. Under the revised framework, police can require individuals to provide passwords or other assistance to access personal electronic devices, including cellphones and laptops.

The consulate warned that refusal to comply is now a criminal offense. It also said authorities have expanded powers to take and keep personal electronic devices as evidence if they claim the devices are linked to national security offenses.

Tags: , , ,

Posted on April 7, 2026 at 5:45 AM12 Comments

Comments

Paul April 7, 2026 6:18 AM

As a Hong Kong resident, I should point out that this report was a bit over-sensationalised. The police need a warrant from a court in order to require access to a device, and to obtain such a warrant they need to demonstrate a “national security” reason.

I don’t see this situation as being much different in reality from the situation in other countries – the police and border forces of the UK and New Zealand, for example, have very similar powers. And so does the USA for that matter, where as I understand it, the EFF’s advice is only to bring empty or burner devices across the US border.

Gazda April 7, 2026 6:26 AM

Paul, you are comparing Hong Kong police counties that are taking about democracy constantly – but you cannot see it there.

It’s definitely bad publicity for Hong Kong.

Rontea April 7, 2026 10:11 AM

Forcing individuals to hand over encryption keys or passwords weakens the very protections that safeguard personal and corporate data. It also drives people toward using stronger, more covert methods to secure their devices. In the long run, this approach does little to deter serious actors but erodes trust and privacy for everyone else.

kiwano April 7, 2026 11:41 AM

I wonder how this would interact with my approach to the encryption keys on my laptop. My approach was to base64-encode 144 bits of random data, yielding a 24 character password. Then, instead of memorizing the letters and numbers making up the password, I practiced typing it, much like one would practice playing a song on a musical instrument.

Absent a keyboard to type the password out on, I genuinely can’t provide the encryption key to anyone (any more than I’d be able to name all the notes of a song that I’ve learned how to play from memory — which is not at all).

While it’s possible that access to a keyboard would enable me to reproduce my password, it’s not a sure thing, particularly in a setting like being compelled to provide it to the police. I mean I remember when I performed in piano recitals in my childhood, the stress of actually being up on stage made playing my song much more difficult — even with carefully trained muscle memory. I struggle to imagine a police order to produce my password being less stressful than a childhood piano recital.

Wilful blindness April 7, 2026 12:47 PM

@kiwano

Stay away from hk until you memorize them.

Failure to comply is the crime itself. The reason probably does not create a defence, at least not without a trial after which a judge rules your practice establishes an exception to the rules application.

Clive Robinson April 8, 2026 1:28 AM

@ ALL,

I note that people have not commented on,

“even if you are just transiting the airport”

In the past if you remained on the “air side” you were considered to still be “wheels up” as far as the legality of the flight was considered.

This has slowly been changing.

Nations are claiming “jurisdiction” but without providing the other face of the coin the protection of an individuals “rights”.

This is a vary authoritarian viewpoint that was in effect first claimed by the UK in the mid 1960’s by the “Marine Offences Act” brought in by Harold Wilson PM because he blaimed loosing an election on “Off Shore Pirate Radio”.

https://en.wikipedia.org/wiki/Marine,_%26c.,_Broadcasting_(Offences)_Act_1967

lurker April 8, 2026 2:53 AM

@Clive Robinson, ALL
re “airside” and “Wheels upp”

In my jetsetting days the USofA never recognised transit rights. Transit pax were required to pass through immigration and enter the USA.

Hongkong’s transit facilities were a hangover from colonial days. They are now coming into line with mainland China airport practice. And as the article notes, into line with current US practice, except for one minor point.

Do we have any case law yet on refusal to provide password at a US airport? I suspect not, because the Boys in Blue have their own methods of entry if they want.

Which comes back to @Paul’s comment above, they’re unlikely to shoulder tap random tourists. If they want to see inside your device, your name is already on a list of persons of interest.

Anonymous April 8, 2026 5:31 AM

The workaround I’d try if I were in such a situation is to act highly convinced that the wrong password I type is fully correct. I’d write it down on piece of paper, spell it out, have the officers try type it in, etc. I’d be so shocked to find I’ve lost access to my files and all.

Who? April 8, 2026 9:57 AM

What happens if someone provides a duress password instead? What if people travels with empty devices with simple passwords and upload real content once they arrive to destination?

Bob April 8, 2026 2:29 PM

I don’t care where you’re going. If you travel internationally with your regular devices instead of burners, you’re asking for trouble.

Clive Robinson April 9, 2026 7:57 AM

@ Who?, ALL,

There are a couple of things to note in general,

1, They are extending the boundary of their authority ever outward.

2, But they are also reducing the coverage of any rights you should receive as a consequence of such authority expansion.

This can be laid fair and Square against the US behaviour since 9/11 and hiden provisions tucked in under the Patriot Act that various people have wanted for decades previously (hence the legislation was already written back last century). And also subsequent “Executive Orders” getting fired off in all directions and often failing judicial review, but whilst an EO takes only as much time to enact as a child scrawling with a “felt tipped pen” judicial proceedings move at pace that puts an arthritic snail to shame. This leaves a window of opportunity for great harms to be committed as we’ve recently seen.

Which brings us back to the general points of how this legislation applies and abuses…

@Who? made the point,

“What if people travels with empty devices with simple passwords and upload real content once they arrive to destination?”

In the US the “boarder zone” is now immense and covers most of the US you are likely to go, so in effect the legislation is

“Any time, any place, any direction of travel”.

So they simply “flag you”, and “pull you later”, and “grab your devices”.

So the ploy does not work.

Worse with the “Connivance of system designers” like Apple, Google, Samsung and many more it is now trivial to install irremovable “Compulsory Client Side Scanning” and similar so that “what you see they see” long after you’ve left their jurisdiction.

I advised that people “Do not Travel with electronics” for quite some time, or acquire new electronics when you get there… For exactly this

“we can see what you can see”

issue, that has now been made more problematic…

Some places are insisting that you have “contact information” available at all times for “health visa/certificate” and not having an approved tracking phone before you start travelling is a criminal offense.

My advice is simply “don’t go there” because they are looking to use you as a “cash machine” in some way. The Dubai “ruling classes” have become expert in stealing peoples businesses and money this way and keeping them in prison in conditions designed to kill them slowly…

If you must do business with such a nation for some reason, then do it on your home turf. Or if they insist on having a meeting there, then send somebody without family, who knows little, has nothing but limited delegated authority, and is easily replaceable and insure them quite highly.

There are a couple of times in my life when loosing a little business, saved me a lot of bother.

One I’ve mentioned here before is back in the 1980’s with UK Prime Minister “mad Maggie” Thatcher trying to have me locked up for “fraud” when I was not committing any crime what so ever other than pointing out someone involved with the BT Sell Off was lying, which you would have thought was a “public good” not “a crime”… But when the Government are in effect “insider share manipulation/dealing” I guess they care not how they behave…

soothsayer April 9, 2026 10:53 PM

@Paul,
How long is the process to obtain a warrant?
I can bet police have a little judge issuing warrants on their phones/tablets 24×7.
If SARS and Corona Virus didn’t kill all travel thru HongKong, this will.
See what has happened with arbitrary detensions Xi started of business executives and even basketball players, now you can’t get anyone to go to China for business!

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.