Hong Kong just made it a crime to refuse to unlock your device at the border.

What happened

On March 23, 2026, Hong Kong authorities amended the implementation rules of the National Security Law. Police can now demand passwords, PINs, biometric unlock, or any decryption method for any electronic device from any person, including transit passengers at Hong Kong International Airport. Refusal is a criminal offence: up to one year in prison and a HK$100,000 fine. Providing false credentials carries three years. The obligation applies regardless of professional confidentiality duties, which means lawyers, doctors, and journalists have no legal shield. The US Consulate issued a formal security alert on March 26. The amendment took effect immediately, without legislative oversight.

The lesson that doesn’t depend on Hong Kong

Most people reading this will never transit Hong Kong. That’s not the point.

Hong Kong made explicit what every other border regime keeps implicit. The United States, the United Kingdom, Australia, and Canada all allow device searches at the border without a warrant. The difference, until now, was that refusing had ambiguous consequences. In the US, a citizen who refuses risks detention and device seizure. A non-citizen risks denial of entry. No criminal charge for the refusal itself. Yet. Hong Kong removed the ambiguity. But the underlying power was already there.

The lived case is documented in how border agents seized a journalist’s laptop. The legal authority was already there. Hong Kong simply removed the friction between authority and consequence.

The encryption misunderstanding

When people learn that border agents can search their device, the instinctive response is to strengthen encryption. Longer password. Full-disk encryption. Biometric disabled before landing. None of that addresses the actual threat at a border crossing.

A border agent doesn’t need to break your encryption. They ask you to unlock it. In most jurisdictions they have legal authority to make that request. In some they now have legal authority to compel compliance under criminal penalty. Your encryption is excellent protection against a remote attacker who doesn’t have physical access to you. At a border, the attacker has physical access to you. The threat model is different. The response has to be different.

What an unlocked device actually gives up under forensic analysis is mapped in what forensic tools extract from a seized device. Encryption stops being relevant the moment you tap the unlock pattern in front of an agent.

What a travel device actually means

A travel device is not a device with a strong password. It’s a device that contains nothing sensitive before you cross.

Reset to factory settings. Separate identity: no personal Apple ID, no personal Google account. Only the applications needed for the specific trip. No message history. No contacts from previous source relationships. No documents that shouldn’t be in the hands of a border authority.

The logic is simple. A device that contains nothing sensitive cannot reveal anything when searched, regardless of whether the search is voluntary, compelled, or conducted under threat of criminal penalty. The cost of a refurbished Pixel is under 100 euros. The cost of what’s on most people’s personal devices, if accessed at a hostile border, is not measurable in euros.

The full preparation sequence is in our security checklist before travelling to a high-risk country. Configure the device weeks before the airport, not the night before the flight.

The cloud account problem

A factory-reset travel device can still be a liability if it’s logged into cloud accounts linked to a real identity. If iCloud or Google is authenticated on the device, a border agent with the device has access to years of cloud backup: messages, photos, documents, location history. The device itself contains nothing. The account it’s logged into contains everything.

The travel device protocol requires a separate identity. A trip-specific email address. Proton Mail with a new account works. No personal accounts, linked to nothing that matters. This is not paranoia. It’s the minimum viable configuration for anyone crossing a border with a real threat model.

Who this affects beyond travelers

The Hong Kong amendment applies to transit passengers. Someone changing planes at Hong Kong International Airport, not entering the country, faces the same obligation. For journalists working in or through the region, for NGO workers operating across Southeast Asia, for lawyers travelling with client data, for anyone carrying sensitive professional information through a hub airport that happens to be Hong Kong. The calculation changed on March 23.

It will change again. Somewhere else. On a date that hasn’t been announced yet. The structural response doesn’t change with the jurisdiction.

For diplomats and long-term expats, the layered response sits in our companion piece on digital security for diplomats and expats in high-risk countries. A border crossing every six months is a different calculation from a posting that lasts a year.

Frequently asked questions

Can border agents force you to unlock your device?

In the US, UK, Australia, and Canada, border agents can demand device access without a warrant. Consequences for refusal vary by jurisdiction and citizenship status. In Hong Kong, refusal is now explicitly a criminal offence with prison time attached. The principle that your device is not protected at a border crossing applies globally.

Does encryption protect you at a border?

Against remote attackers, yes. At a border, no. Border agents don’t need to break encryption. They ask you to unlock the device. In an increasing number of jurisdictions, they can legally compel you to do so. The correct defence is a travel device that contains nothing sensitive, not a stronger password on a device full of sensitive data.

What is a travel device?

A phone or laptop that contains nothing sensitive before you cross any border. Factory reset. No personal accounts. No message history. Only what you need for the specific trip. It can be searched completely and reveal nothing of consequence.

Are transit passengers really subject to the Hong Kong law?

Yes. The amendment applies to anyone present on Hong Kong territory, which includes the international transit zone of Hong Kong International Airport. Changing planes is being present. The legal authority does not depend on your having entered the country in the immigration sense. For anyone routing through HKG with sensitive material on a personal device, the practical consequence is the same as for an entering passenger.

Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.

---

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.