
Policy Statement & Submission

2001/02/01

Report on Inter-Departmental Working Group on Computer Related Crime Response by the Hong Kong General Chamber of Commerce


February 2001

1. In 1992 the HKCSI Information Services Committee of the Hong Kong General Chamber of Commerce submitted a detailed response to the Computer Crimes Bill, which became the Computer Crimes Ordinance in 1993. Between then and now, a lot has happened in the information technology arena; for instance, the Internet phenomenon was not addressed when the Computer Crimes Bill was considered. This Report on Computer Related Crime is very timely, in light of the increasing concern for crimes related to the use of the computer and the Internet. We are pleased that many of today's issues have been taken up in this report. Our comments on the recommendations put forth in the Report are as follows.

Definition of computer

2. We raised the question of definition of computer in our 1992 paper and we are pleased that it is being addressed in the Report. We agree with the principle as suggested, that a broad definition of computer should be adopted, and that the terminology of different sections of the law should be aligned. Since the concern with computers is not with the machines per se, but with the functions they perform, we agree that the basis of consideration should be the Electronic Transactions Ordinance. Hence we support using the same terminology (information system) as in that Ordinance.

Jurisdiction

3. Again, this issue was raised in our 1992 paper and we are pleased that it is being examined.

4. While it makes good sense for a comprehensive examination of the cross jurisdictional issues to be undertaken by the Law Reform Commission, we note that LRC deliberations typically take a very long time to complete. In view of the rapid development of the new economy, we believe cross jurisdictional issues will become more frequent and complicated, so we urge the subject be examined, by the LRC or otherwise, more urgently.

5. Before that comprehensive study is completed, we believe that it is important to first deal with the most commonly understood “computer crimes”. Hence we support the recommendation in para 4.17 of putting those related to unauthorised access and criminal intent under the Criminal Jurisdiction Ordinance.

Encryption

6. We are sympathetic with the law enforcement agency wanting to have the right to encrypted data. Criminals are getting more sophisticated in hi-technology, so the investigating agencies should be armed with more tools to combat hi-tech crimes. However, any legislative approach should be designed with much care. We therefore support the highest level of safeguard, namely, judicial scrutiny, for disclosure requirement. Furthermore, we believe this should apply only to organised and serious crimes.

7. We support the legal protection of confidentiality of information obtained through the disclosure procedures. The principle in considering penalties for non-compliance, namely that it should be commensurate with the specific offence under investigation, also seems reasonable.

Protection of computer data

8. In practice, this is the area that is most relevant to the business sector. We are happy that some of the concerns we expressed in 1992 have been addressed in the 1993 Ordinance.

9. We agree that the theft of computer data and the trading thereof should be made a criminal offence, and that all data at all stages of transmission should be covered. We agree with the improvements in the legislation as proposed in para 6.19.

10. As to “hacking tools”, the description itself carries an a priori bias against certain types of computer software. The software will only become a hacking tool in the hand of a hacker, so the aim of regulation should be towards the use rather than the software itself. We concur that there is no need to legislate against hacking tools.

Deception of computers

11. Although one understands what is meant by “tricking a computer”, we do not believe there is no need for legislation to deal with it. The “deception of computers” becomes an issue only because in the end some individual or party – and not the machine itself - is the subject of a deception, theft or deprivation. If it were to be legally established that a machine could be deceived, then likewise could it be argued that a machine could be established as the deceiver? The law should apply to criminals and aggrieved parties, not machines.

Penalties

12. We have no problem with the penalties as suggested, including the imposition of a custodial sentence for appropriate crimes. They are based on sound principles.

Assistance from ISPs

13. In interacting with Internet Service Providers, it is important to strike a balance between enabling effective law enforcement on the one hand, and minimal regulation on the other. While we understand that from the law enforcement point of view, Internet tracking will be very useful, we do not believe this should be prescribed by law. Instead it should be a matter of good business practice which should be promoted to, but not made compulsory for, ISPs.

14. On public key infrastructure, while it is understandable that the government has an interest in encouraging the use of public key infrastructure, we do not believe industry should be subject to any pressure other than the force of the market. Rather, more competition with PKI will, in our view, be beneficial to all.

15. Likewise, subjects such as credit limits, multiple log-in, and record keeping procedure are matters of practice for industry, for which the market should be the best mechanism for judgement to be made. For these matters, industry guidelines to promote good practice will be preferable to legal regulation. On take down procedure, there are adequate laws and regulations elsewhere to achieve the legal intention, so again it should be considered a matter of good practice for which self regulation will suffice.

16. While we fully endorse the need for closer cooperation between law enforcement agencies and ISPs, we suggest that a flexible view be taken of what an “ISP” is. As the new economy develops, there may be other stakeholders in the IT arena which should also be engaged.

Protection of critical infrastructure

17. This is a matter of international concern so international cooperation will be essential. Like the Y2K problem before, we have every confidence in the SAR government's ability to safeguard Hong Kong's critical infrastructure.

Public education

18. We are glad that the Report pays high regard to cooperation with the private sector, and that a market-led approach is recommended. As the largest Chamber of Commerce with the broadest membership base, we shall certainly play an active part in educating the business users about computer security.

19. However, we are not convinced of the need for a unified assessment mechanism to certify security standards of different industries. We believe the market is the most effective medium in setting standards and assessing performance.

Resources

20. We have no comment other than, again, to express confidence in our law enforcement agencies. As the organiser of the “Good Citizens Award” with the Police Force, the Chamber is, naturally, also a champion of good cyber citizenship.

Institutional arrangement

21. Instead of a new committee, we support the setting up of a sub-committee under the Fight Crime Committee.
