As an internet privacy company, our top priority is protecting our users’ data.

On June 30, the Chinese government passed a security law for the semi-autonomous city of Hong Kong, which critics warn is a threat to online safety and freedom of expression. Privacy and human rights organizations have expressed concerns that the new law gives the Chinese government legal means to force Hong Kong’s ISPs to turn over user data, or even make arrests over online content.

Starting today, TunnelBear will be disabling its Hong Kong servers in order to ensure the safety of our users.

While we do not store any personally identifiable information (PII) on any of our servers, we know we have a responsibility to keep our technical ecosystem safe, which this law may put at risk.

What is the new law?

The new security law lays out four crimes: secession, subversion against the central Chinese government, terrorist activities, and collusion with foreign forces to endanger national security.
The four crimes are vaguely defined. For example, calling for Hong Kong independence is now a crime under “secession,” and working with a foreign government or organization against the central Chinese government is now a crime under “inciting hatred.”

The law also introduces “national security education,” stronger government oversight over foreign news outlets and NGOs, and greater wiretapping abilities for police.

The introduction of these commanding elements, combined with the broad range of the four crimes’ definitions, has led to widespread worry that this new law will hurt freedom of expression in Hong Kong.

TunnelBear joins a growing list of companies in standing up against the potential harm of this new law by removing our Hong Kong servers from the TunnelBear network.

Network safety measures

The only sensitive data stored on our servers are configuration-related keys, which we have taken every precaution to keep safe.
When we order physical servers, our vendors provide the server preinstalled with an Ubuntu Linux version that we specify.

After we take control of the server, it is reformatted and the entire disk is encrypted. At this time, the vendor loses access to the server. The only way to access a running server is via SSH, which is protected by key-based authentication and two-factor authentication.

Even if the server is physically confiscated and the hard drive is taken out for analysis, the entire hard drive is encrypted.

Again, we do not store any PII on our servers, so our decision to remove Hong Kong from the server list is to:

a) protect our configuration keys

b) monitor the reach of the new security law on technical ecosystems in Hong Kong.

Will this affect user experience?

This update does not affect TunnelBear users in Hong Kong. To minimize the potential impact on our networks, we have scaled up our Singapore and Japan regions’ capabilities, and recommend people in Hong Kong connect to them instead.

What’s next?

We will continue to monitor the situation from both data integrity and human rights perspectives.

We will reinstate the Hong Kong server if and only if our users’ privacy and safety will be protected. Beyond this, we are grateful for the efforts of NGOs that work with communities in Hong Kong and are able to provide us with insight into the human rights situation in the region.

TunnelBear strongly believes in an open and uncensored internet for everyone, a value fundamentally linked to freedom of expression as a basic human right. We will always work to promote these values, and always work hard to ensure that our product gives users the peace of mind needed to freely express themselves online.

Sincerely,
the TunnelBear Team