|A firm has sent free security keys to Hong Kong's protest movement, which has relied on technology to coordinate its activities. Photo from South China Morning Post|
By Karen Zhang
Sherry Chan Yuen-yung said in a Facebook post that Yubico had sent her 500 of its Yubikey devices after she wrote to the company requesting support in upgrading demonstrators' cybersecurity.
Yubico, set up in 2007, is best known for its signature invention Yubikey, which can be used for two-factor authentication for computers, networks and online accounts.
The key plugs into the USB or lighting ports of computers and mobile phones.
In response to the Post's inquiry about Yubico's donation, the company said: "Yubico has a long-standing mission to ensure that people at high risk are protected online.
"The company works with many non-profit organisations dedicated to an open internet and free speech."
Explaining her decision to approach the company in her Facebook post, Chan said: "Amid grave concern over the online security of protesters in the face of aggravating police abuse of power, we contacted Yubico in August, hoping that they would kindly sponsor Hong Kong protesters with their feature product.
|Tear gas has blighted Hong Kong's streets since June, but confrontations have also broken out in the online world. Photo from South China Morning Post|
"It was to our surprise [the company] swiftly responded and mailed us 500 Yubikeys in no time."
Chan's Facebook post also showed six white boxes of the devices. The keys appeared to be a budget model that cost about US$20 (HK$156) each, with basic two-step authentication features.
Two-factor authentication is a security process designed to ensure other people cannot access your online accounts, even if they have your password. Chan said she planned to distribute keys the keys to journalists and protesters.
The Facebook post has received more than 2,700 likes, 800 shares and more than 100 comments. She said the donated keys would be saved for those in need of protection but might not be able to afford them.
By Tuesday, 2,363 protesters had been arrested and at least 408 charged since the protest crisis broke out in June.
There have been growing concerns online about the digital safety and data privacy of protesters.
The anti-government movement, which initially erupted over the now-withdrawn extradition bill, has relied on technology to coordinate its activities. Apps such as online messenger Telegram have acted as a virtual command centre for the protests.
|A protester wanting greater online protection for fellow members of the anti-government movement posted this image on social media, showing an online security company's contribution to the cause. Facebook|
Eric Fan Kin-man, a Councillor on the trade association Hong Kong Information Technology Federation, believed as a piece of hardware, Yubikey offered a stronger form of protection than online versions.
"It's like those hardware devices banks would mail to users when required for password protection," he said.
"The ordinary authentication apps are still connected to the internet which makes them more likely to be compromised than using hardware devices."
However, he pointed out the key would not be helpful if police asked protesters to unlock phones protected by biometrics, such as fingerprints or facial recognition.
According to Chan's Facebook post, the model of donated security keys only supported computers. "It's useful for reporters or other users to protect their accounts from being hacked online," she said.
Francis Fong Po-kiu, honorary president of HKITF, also thought Yubikey was effective in protecting passwords because of the long digits involved and the requirement to use the hardware to log in.
"But apart from online security measures, users should be aware of not posting excessive private information online which could leak their identity or traces," he said.
Reddit-like forum LIHKG, which is used by anti-government protesters for discussing demonstration-related information, including tactics, was under DDoS attack (distributed denial-of-service) on August 31 and National Day, paralysing the platform for hours.