Originally reported by Schneier on Security, WIRED Security
TL;DR
Hong Kong authorities can now force travelers to reveal encryption keys or face criminal charges, while a New Mexico court ruling against Meta treats end-to-end encryption implementation as evidence of negligence. These developments represent significant threats to digital privacy and security protections.
Hong Kong's mandatory encryption key disclosure law represents a significant escalation in surveillance powers that could set dangerous precedents globally. The New Mexico Meta ruling creates legal liability for implementing end-to-end encryption, potentially undermining fundamental security protections.
Three developments this week highlight escalating threats to digital privacy and encryption protections across different jurisdictions and contexts.
Hong Kong authorities significantly expanded surveillance powers under the National Security Law, now requiring individuals to provide passwords and encryption keys for personal devices. According to a March 26 security alert from the U.S. Consulate General, the changes took effect March 23, 2026.
The new framework allows police to demand access to cellphones, laptops, and other electronic devices from any individual, including airport transit passengers. Refusal to comply constitutes a criminal offense under the revised enforcement rules.
Authorities also gained expanded powers to seize and retain electronic devices as evidence when claiming connections to national security offenses. The policy applies broadly, creating potential risks for business travelers, tourists, and transit passengers who may be compelled to reveal sensitive information stored on their devices.
A New Mexico court ruling against Meta establishes dangerous precedent by treating end-to-end encryption implementation as evidence of negligence, according to analysis by Mike Masnick. The state's attorney general specifically cited Meta's 2023 decision to encrypt Facebook Messenger as facilitating harm to minors.
The legal theory argues that because predators used encrypted communications for illegal activities, implementing encryption constitutes a "design choice that enabled harm." New Mexico now seeks court-mandated changes requiring Meta to protect "minors from encrypted communications that shield bad actors."
This framework creates perverse incentives for technology companies. Security improvements that protect billions of users could become legal liabilities if exploited by bad actors. The precedent threatens to discourage implementation of privacy-protective features across the industry.
The ruling also discourages internal security discussions at companies, as documented risk assessments become "smoking gun" evidence in litigation. Legal experts warn this could lead companies to avoid formal security reviews and risk documentation entirely.
U.S. Border Patrol stations operated nonprofits that sold inappropriate challenge coins, including designs featuring children's book characters in riot gear and phrases associated with extremist groups. The coins potentially violate government rules regarding the use of official positions for private gain.
While less technically significant than the encryption developments, the incident highlights ongoing concerns about surveillance agency culture and accountability. The use of Proud Boys-associated phrases on official merchandise raises questions about ideological influences within federal law enforcement agencies.
Originally reported by Schneier on Security, WIRED Security
