The Spy Case Hidden in the Immigration Database

The scary part of the China spy case is not the spycraft. It is the login.

On Thursday, May 7, 2026, a London jury convicted Chi Leung “Peter” Wai, an ex-UK Border Force officer, and Chung Biu “Bill” Yuen, a former Hong Kong police officer employed at the Hong Kong Economic and Trade Office in London, under Britain’s National Security Act 2023 after prosecutors said they helped run a “shadow policing” operation against Hong Kong dissidents in Britain, according to the Crown Prosecution Service¹. Wai was also convicted of misconduct in public office, and Sky News reported³ that the conviction covered searches of Home Office databases he could access through his work between September 16, 2022, and May 2, 2024. Prosecutors said the men researched dissidents’ homes, cars and social-media accounts, while Hong Kong authorities had put bounties of up to £100,000 on some pro-democracy campaigners for information leading to their whereabouts or capture, according to the CPS¹.

This is where I think the West is still behind the threat. Democracies know how to imagine espionage when it looks like classified documents, dead drops, cyber intrusions or cultivated lawmakers. They are less practiced at seeing an immigration search, a police query or a contractor export as part of the same contest. But for an authoritarian state trying to frighten exiles, the most useful information may not be secret in the James Bond sense. It may be the address in a case file, the travel record, the passport photo, the asylum history, the family link or the note showing who is vulnerable.

The case matters because it turns bureaucracy into terrain. Britain is home to a large Hong Kong exile community because the UK opened the British National (Overseas), or BN(O), route in January 2021, allowing eligible Hong Kongers and their family members to live, work and study in the country, according to Home Office immigration statistics⁴. By the end of 2025, the UK had issued 185,507 BN(O) out-of-country visa grants since the route opened, and 50,296 in-country grants for people already in Britain to extend their stay, according to the same Home Office release⁴. That makes the Home Office not just an immigration department, but a warehouse of politically sensitive information about people who may have fled Beijing’s tightening control over Hong Kong.

China’s campaign against critics abroad is not theoretical. The FBI defines transnational repression as foreign governments reaching across borders to intimidate, silence, coerce, harass or harm diaspora and exile communities, and says such activity threatens U.S. sovereignty, violates U.S. law and infringes individual rights, according to the bureau’s public guidance⁵. The Justice Department’s National Security Division likewise says transnational repression threatens both individual freedoms and U.S. sovereignty and democracy, according to its TNR guidance⁶. Freedom House has described China’s campaign as broad and far-reaching, targeting Hong Kongers, Uyghurs, Tibetans, Falun Gong practitioners, human-rights activists, journalists and other critics abroad, according to its China transnational-repression research⁷.

The British case also has an American twin. In 2022, the U.S. Justice Department charged current and former Department of Homeland Security-linked personnel in a PRC-related transnational repression case, alleging that passport information, passport photos, flight records and immigration records on U.S.-based PRC dissidents were obtained from a restricted federal law-enforcement database and passed along for use in targeting and harassment, according to the Eastern District of New York⁸. Two countries, two bureaucracies, the same mechanism: ordinary state-held data becomes valuable when a hostile government wants to map, scare or isolate people who thought exile had put them beyond reach.

That does not mean Western bureaucracies are “controlled” by Beijing. I do not think the evidence supports that. The stronger claim is more precise and more troubling: administrative systems built for liberal government can be repurposed by insiders, former insiders, contractors or recruited intermediaries if agencies treat access as a workflow issue rather than an adversary problem.

This distinction matters. If an employee looks up a file without a case reason, the privacy frame sees a compliance breach. If the subject is a Hong Kong activist under a foreign bounty, the national-security frame sees a possible targeting step. The same database query means something different once the state understands who the victim is and who might benefit.

The answer is not ethnic suspicion. The worst possible lesson from this case would be to treat Chinese-background civil servants, interpreters, police officers or community liaisons as inherently suspect. The United States has already run that experiment badly. In February 2022, Assistant Attorney General Matthew Olsen retired the China Initiative as a branded Justice Department program, while stressing that the PRC threat was real, because the framework had helped create a harmful perception that people from China or of Chinese descent were treated differently, according to his DOJ remarks⁹. A 2021 Committee of 100 and University of Arizona survey of 1,949 scientists found that 50.7 percent of scientists of Chinese descent reported considerable fear or anxiety that they were being surveilled by the U.S. government, compared with 11.7 percent of non-Chinese-descent scientists, according to the survey summary¹⁰.

That warning is not a footnote. It is a design requirement. The response has to be conduct-based, role-based and system-based: who accessed which record, for what authorized purpose, under what case number, from what device, with what downstream disclosure. Ancestry, language skill, family ties and community background are not evidence. Unauthorized access, hidden relationships, unusual search patterns, unexplained payments and contact with foreign-state-linked taskers are evidence.

This is why I think the right policy is tougher than ordinary privacy compliance but narrower than panic. The UK’s National Cyber Security Centre already recommends knowing which users accessed which records, protecting audit logs from alteration, reviewing them, and raising automated alerts for sensitive events such as bulk exports or queries with no related case ticket, according to its bulk personal data guidance¹¹. Those are not exotic spy-agency tools. They are the data equivalent of locks, cameras and a sign-in sheet. The difference is that agencies should apply them with the threat model in mind: records about asylum seekers, dissidents, sanctioned targets, bounty-listed activists and their relatives deserve stricter compartmentalization and faster alerting than routine records.

Britain has begun to move in that direction, but too slowly. The UK government told Parliament in 2025 that it had introduced police training, published guidance for people at risk of transnational repression, created a Home Office team to coordinate strategy, and joined G7 statements condemning such repression, according to the government’s response to the Joint Committee on Human Rights¹². MI5 has also been blunt: the service says Chinese authorities use “all the means at their disposal” to monitor and, where they deem necessary, intimidate the Chinese diaspora, and it has cited Hong Kong police bounties against pro-democracy activists in the UK as part of the state-threat landscape, according to MI5’s public state-threats material¹³.

The remaining gap is institutional imagination. Governments often protect databases against hackers and leaks. They are less consistent at protecting them against legitimate users performing illegitimate searches. Yet the latter is exactly the danger in the Wai case and the DHS-linked U.S. case. A person does not need to break into the system if the system already lets him in.

The counterargument is that recasting immigration and public-service databases as national-security assets could make ordinary administration feel militarized, scare diaspora communities away from reporting threats, and repeat the distrust created by the China Initiative. I take that seriously. But I think the greater civil-liberties failure is pretending that sensitive administrative data is neutral once an authoritarian government has shown it wants those names, addresses and movements. A Hong Konger who cannot trust the host state to protect her file does not fully enjoy asylum. A Uyghur activist who suspects a database search can reach family abroad does not fully enjoy free speech. A Tibetan organizer who believes a police contact could expose him may stop calling the police.

The line I would draw is simple: protect communities, scrutinize access. Western governments should create special handling rules for dissident-sensitive records; require case-ticket justification for searches; audit privileged users and contractors; alert on repeated name, address or nationality-based searches with no operational reason; impose aggravated penalties when misuse benefits a foreign state; and give diaspora targets trusted reporting channels that do not route them back through the same local systems they fear.

My prediction is that within the next two years, at least one major Western government will announce an audit of insider access to immigration or policing databases after another transnational-repression case. The indicator to watch is not whether more spies are caught with dramatic equipment. It is whether routine searches of sensitive diaspora files start producing automatic questions before prosecutors have to answer them in court.