Following is a written reply by the Acting Secretary for Security, Mr John Lee, to a question by the Hon Charles Peter Mok in the Legislative Council today (November 28):
The Government set up an Inter-departmental Working Group on Computer Related Crime in March 2000 to conduct a comprehensive review of the framework and environment within which law enforcement against computer crimes might be carried out. The Working Group made 57 improvement recommendations. In this connection, will the Government inform this Council:
(a) with regard to the recommendations made by the Working Group which were adopted by the Government, whether the authorities have regularly reviewed the effectiveness of the efforts made by the relevant government departments in implementing such recommendations; if so, of the review results;
(b) with regard to the recommendations made by the Working Group which were not adopted by the Government, whether the authorities have taken any measures to address the relevant concerns raised by the Working Group; if so, of the details and effectiveness of such measures; and
(c) given that the report of the Working Group was completed more than a decade ago, and since then the Internet has become more and more popular and the relevant information technology has made rapid development, whether the authorities have any plans to set up an inter-departmental working group again to conduct a comprehensive review of the framework within which law enforcement against computer crimes may be carried out and the environment in which personal data and privacy on the Internet are protected; if so, of the work schedule; if not, the reasons for that?
Given the rapid development in the Internet and information technology in recent years, tackling the related crimes has been an inter-departmental effort, and it has to move with the times. Regarding the three-part question, the Administration’s reply is as follows:
(a) The Administration has adopted and implemented most of the 57 recommendations put forward by the Inter-departmental Working Group on Computer Related Crime (Working Group) in 2000, including the major ones as follows:
* The Working Group recommended that the law enforcement agencies (LEAs) strengthen communication with the Internet service providers (ISPs) and the private sector, as well as exchanges and co-operation among themselves. The LEAs have established a 24-hour liaison system with major ISPs and other institutions (such as financial institutions) to handle contingencies. The Police from time to time organise seminars for financial institutions in order to enhance the industry’s understanding of computer security. To better protect important local information technology infrastructure, the Office of the Government Chief Information Officer (OGCIO) has established the Internet Infrastructure Liaison Group (IILG), comprising members from OGCIO, the Police, the Office of the Communications Authority (OFCA), the Hong Kong Computer Emergency Response Team Co-ordination Centre (HKCERT), the Hong Kong Internet Registration Corporation Limited (HKIRC), the Hong Kong Internet Exchange (HKIX) and the Hong Kong Internet Service Providers Association (HKISPA). Through the IILG, the stakeholders have established closer communication and co-operation. These communication and liaison channels have been operating smoothly.
* The Working Group also recommended enhancing education and publicity on information security. The Police, in conjunction with OGCIO and HKCERT, organise year-round activities on topics of concern in the area of information security to promote public education. OGCIO has set up an information security portal (www.infosec.gov.hk) and updates it regularly to provide the latest information on computer and cyber security. The relevant departments co-operate with the industry and professional organisations to organise public education activities from time to time to promote computer and cyber security. These co-operation platforms and publicity and education efforts have been effective and will continue.
* The Working Group recommended establishing a set of standard procedures for handling computer evidence. The Police have drawn up standard procedures for handling computer evidence for investigators’ and computer forensics officers’ reference. The Police also regularly exchange views with other local LEAs on related issues. The LEAs review the relevant procedures from time to time to ensure that they meet the enforcement needs.
(b) With regard to the recommendations that were not adopted or implemented (including mainly setting up a committee with representatives from LEAs and the private sector, amending the law to tackle the issue of “deception of machines”, and for ISPs to delete the “multiple log-in” function), the Administration has adopted a series of follow-up measures to address the concerns raised at the time:
* As mentioned above, the LEAs and the private sector have established a number of co-operation platforms, and regularly exchange experience to promote information system security.
* The Administration had set up in 2004 a dedicated department, OGCIO, to replace the Information Technology Services Department and to promote the development of information and communications technology across the community, to formulate strategies on information technology and to develop a digital economy through the promotion of measures on cyber and information security.
* The Administration has carefully studied the recommendation on “deception of machines” through legislative amendments and came to the view that the existing provisions in the Crimes Ordinance (Cap. 200) in relation to computer offences already addressed the problem well.
* Having studied the recommendation, HKISPA and the Consumer Council were of the view that “multiple log-in” is a neutral function. The important issue was to educate consumers on the implications of multiple log-in on computer security. HKISPA and the Consumer Council have stepped up public education to this end.
(c) As mentioned above, tackling Internet and information technology-related crimes has been an inter-departmental effort which has to move with the times. From time to time, the Administration reviews the regulatory framework and administrative measures so that they keep up with the development of the Internet and technology. Today, Hong Kong has many pieces of legislation tackling computer and Internet-related crimes. For example, the Telecommunications Ordinance (Cap. 106) prohibits unauthorised access to computer by telecommunications. The Crimes Ordinance (Cap. 200) tackles access to computer with criminal or dishonest intent. The Theft Ordinance (Cap. 210) deals with offences of destroying, defacing, concealing or falsifying records kept by computer; the Unsolicited Electronic Messages Ordinance (Cap. 593) prohibits fraud activities related to the sending of multiple commercial electronic messages.
In addition, although certain laws do not mention explicitly the cyber environment, they apply to both the physical and virtual worlds. The Personal Data (Privacy) Ordinance (Cap. 486), insofar as protection of personal privacy is concerned, is applicable to any personal data which is practicable to access and to process. The Electronic Transactions Ordinance (Cap. 553) gives electronic records and digital signatures the same legal status as paper records and handwritten signatures.
OGCIO and the Police have been monitoring closely the technological development and changes in modus operandi of law breakers, updating their strategies in regulation, enforcement and publicity where necessary. Since 2009, HKCERT has been conducting a local information security incident response drill exercise on an annual basis, simulating various cyber attack incidents in order to enhance the ability of the relevant organisations to respond to cyber attacks. Every year, OGCIO, the Police and HKCERT stage a year-round activity on information security. The theme for 2012 is “Build a Secure Cyberspace”, focusing on helping the public tackle cyber attacks. The Police will also continue to adopt a number of measures to combat technology crimes, including (a) staying professional and advanced in investigating technology crimes, electronic data identification and training; (b) closely co-operating with overseas LEAs, other government departments and major industry stakeholders; and (c) raising public awareness of the prevention of technology crime through public education and community efforts.