RConversation

The Hong Kong Privacy Commissioner's Office has released a detailed investigation report clearing Yahoo! Hong Kong of complaints that it violated Hong Kong's Personal Data (Privacy) Ordinance when information from Chinese journalist Shi Tao's Yahoo! mail account was handed over to the Chinese Public Security Service.  Shi Tao's was arrested and convicted of "illegally providing state secrets overseas."

See reports from the Associated Press ( this one via USAToday), The Wall Street Journal, and the Times Online about the investigation's findings.

The results of the investigation (which you can download in full here or read the press release here) actually make sense to me and are generally consistent with my understanding of the facts. 

But that doesn't absolve Yahoo! Inc. of responsibility for Shi Tao's case.

The real issue is that Yahoo! Inc. chose (via Yahoo! Hong Kong) to provide an e-mail service to Chinese users in mainland China with user data stored on computer servers inside the PRC. It did so knowing full well that the user data would then be subject to Chinese legal jurisdiction and requests by Chinese law enforcement authorities. They also had to know full well that the People's Republic of China defines "crime" in such a way that when Yahoo! China employees handed over user data in response to law enforcement requests (as they do regularly in all jurisdictions where they operate) they could - and inevitably would - make Yahoo! complicit in human rights violations.

Thus when Yahoo chose to provide a PRC hosted e-mail service under the Yahoo brand, either they didn't care about their inevitable future complicity with human rights violations, or they were not thinking.  My sense from talking to people in the industry is that it was more the latter than the former, but that still doesn't excuse what happened.

This is exactly why Google and Microsoft have opted not to offer e-mail services hosting user data inside the PRC. Despite the fact that Gmail would work a lot better for Chinese users if they did so, and Google would probably be making more money in China in the short run if they did so. They have made a decision that the potential human costs - and the costs to their company's reputation - are not worth it.

So what was the Hong Kong Yahoo! investigation all about? In a nutshell:

The Chinese court document outlining Shi Tao's conviction cited Yahoo! Holdings (Hong Kong) Ltd. as the entity that had handed over Shi's e-mail information to the Chinese authorities.

What Shi Tao did would not be considered a crime under Hong Kong law.  Many here in Hong Kong have been horrified by the idea that that a Hong Kong-based service provider may have aided in a human rights violation. The case also led to implied but largely unspoken concerns about whether, if a Hong Kong service provider had indeed shared user data with PRC authorities  - and got away with it - the communications of Hong Kong's Internet users might not be safe from the eyes of mainland "law enforcement" who define crime rather differently than it is defined in Hong Kong. 

Thus a Hong Kong legislator filed a complaint that Hong Kong's privacy ordinance had been violated, and the authorities appear to have taken that complaint quite seriously.

In its report, the Hong Kong Privacy Commissioner found no evidence to contradict Yahoo! Inc.'s claim in a U.S. Congressional hearing last year and in subsequent statements (including a letter to Human Rights Watch detailed here) that while Yahoo! China was at the time a subsidiary of Yahoo! Holdings (Hong Kong), the user information about Shi Tao provided to the Chinese authorities came from a Yahoo! China e-mail account, hosted on servers inside the PRC, and was handed over by Yahoo! China employees inside the PRC. Which means that Shi Tao's user data was never located in Hong Kong, or handled by Hong Kong-based employees, and that no data in this case was ever transfered in between Hong Kong and PRC jurisdictions.

Frankly I haven't come across any evidence to contradict this story either, given the corporate structure at the time and what we know about the circumstances of the case. Thus I am inclined to believe it is true that no user data passed between Hong Kong and the PRC in Shi Tao's case and that the offices in Hong Kong weren't involved. There is the open question about what the Hong Kong office did or didn't known about what was happening at Yahoo! China with this case. But then there is the further question of whether they could have done anything about it without asking their Beijing employees to violate Chinese law and risk criminal prosecution themselves. It is also believable that the Yahoo! China employees were responding to a formal request as part of a criminal investigation, that they didn't know the identity of the person concerned, and that they had no way of knowing whether the case was for a dissident or a pedophile or a mass murderer.  It is also true that the user Terms of Service (which all users have to click on when they create an account) inform users that their information will be shared with relevant authorities in criminal investigations.

So again, the issue for me is that Yahoo! chose to host user e-mail data in a jurisdiction where the company would inevitably wind up serving as a conduit for human rights violations. They made a choice. Not all companies have made the same choice. It was not something they "had" to do. They have not ever expressed public regret for having made this choice. Now they say it's out of their hands because the Chinese company Alibaba now controls Yahoo! China. Yahoo! deserves to take a hit on its global brand reputation and user trust as a result.

Some commenters on my previous posts related to the Yahoo! Shi Tao case have argued that Yahoo! has the responsibility to maximize shareholder value, and thus could not be expected to act otherwise. But wouldn't shoe manufacturers better maximize shareholder value if they hired 12-year olds at one cent per hour?  Wouldn't many companies have a better short term return on investment if they didn't treat their industrial waste and just dumped it in the closest body of water? Sure. But at what human cost. It's called corporate social responsibility.

One silver lining in all of this is that Yahoo! is now sitting around the table with human rights groups, free speech groups, academic institutions, and other companies to formulate global standards for the protection of free expression and privacy by technology and communications companies.  Let's hope that these standards will be meaningful, and will help Yahoo! and other companies avoid being complicit in more cases like Shi Tao's in the future.