In recent decades, Hong Kong has been considered a haven for data centers given its strategic location in Asia, a legal system trusted by international businesses and reliable internet connectivity. Many virtual private network (VPN) operators keep servers in the city, serving mainland users who want to conceal their internet activity or access websites blocked by the Chinese authority.
But some VPN providers are reevaluating the risks of keeping their servers in Hong Kong upon the enactment of the national security law, which critics warn could compromise user privacy and have a chilling effect on free speech. Under the new legal framework, internet service providers will be required to turn over user data to the authorities.
VPN services are gaining ground globally as they claim to provide better privacy from users’ internet providers and sites visited, although they could be vulnerable to attacks if not properly secured.
The company stressed that it does not store any personally identifiable information on its servers, so the decision to remove Hong Kong from its server list is to “protect our configuration keys” and “monitor the reach of the new security law on technical ecosystems in Hong Kong.”
Other popular VPN services we contacted said they will keep their servers in Hong Kong for now. ProtonVPN, operated by the same Swiss company that owns ProtonMail, said although it’s not removing its Hong Kong-based servers, it has changed the designation of the region to a high-risk jurisdiction, giving it the extra layer of privacy protection as countries like Russia, Turkey and Vietnam.
“Our use of full disk encryption and a strict no-logs policy greatly limits the potential risk to activists and dissidents if the Chinese government were to move against our servers in Hong Kong,” Proton’s spokesperson Edward Shone told TechCrunch, adding that users who connect to Hong Kong are advised to activate a special feature that makes it “far more difficult” to locate their true IP address.
Panama-headquartered NordVPN will also keep its servers in Hong Kong. “All of our servers are either diskless or encrypted, so even a physical takeover wouldn’t compromise our users’ privacy,” said NordVPN spokesperson Laura Tyrell. The company observed a huge spike in inquiries for its service in Hong Kong — by a factor of 120 times — shortly after China announced the upcoming law in May. It has since added more servers in the surrounding regions, including Hong Kong, to “keep up with the velocities.”
A spokesperson for ExpressVPN, which is registered in the British Virgin Islands, told TechCrunch it currently doesn’t have plans to remove Hong Kong as a server location option for users because its “VPN servers are already specifically architected not to contain personal or sensitive data on customers.”
Its proprietary technology ensures servers run only on volatile memory (RAM), not on hard drives. “As a result, no data, including certificates or credentials, can persist after a system is powered down, whether because it is rebooted or physically removed from a data center,” added the spokesperson.
But all the VPN companies we contacted said they are closely monitoring the impact and enforcement bodies of Hong Kong’s new security law and will react accordingly to safeguard user interests.
The VPN providers we spoke to are still accessible in Hong Kong, but it’s not inconceivable to see app stores start removing VPNs from the city under the new legal framework, as Apple did during a crackdown back in 2017 to comply with Chinese regulations that illegalized VPNs without official approval.
As a spokesperson for TunnelBear observed: “We can speak to the fact that distribution is often hit first as the first stage of cyber censorship.”
“We are, of course, concerned about users’ ability to access privacy and security services like VPNs, and we have experienced our app being removed from app stores in countries like China,” said the ExpressVPN spokesperson.
Apple, whose business heavily depends on China, has drawn a barrage of criticism in recent years for accommodating Beijing’s censorship demands. Besides banning VPNs, it has also restricted Chinese and foreign podcasts. Chinese users can still retrieve these apps by switching to a different regional app store, but the registration process is cumbersome, as it usually requires a foreign address, phone number and credit card.
Apple cannot be immediately reached for comment on the story.
Proton’s Shone echoed the concern over an Apple ban: “Our worry is that the Hong Kong authorities will begin demanding the removal of news apps, communications apps and VPNs and Apple will obey to maintain market access to mainland China. Tim Cook and others are due to give evidence on Capitol Hill later this month as part of an antitrust investigation into big tech.”
“We sincerely hope that this issue of censorship will form part of the questioning,” he said.
The article was updated on July 16, 2020 to clarify that ExpressVPN is registered in the British Virgin Islands.