Information Security Legislation Moving ahead Information Security 2001 Professional Information Security Association Sin Chung Kai Legislative Councillor.


1 Information Security Legislation Moving ahead
Information Security 2001
Professional Information Security Association
Sin Chung Kai, Legislative Councillor (IT)
July 28, 2001

2 A. The “Report”
- The Inter-departmental Working Group on Computer Related Crime, Sept 2000
- The major review of laws concerning computer crime since 1993
- Legislative amendments in the coming year
- http://www.info.gov.hk/sb/cr-rpt/report.htm

3 A. The “Report”
- Comments by professional bodies & associations
- http://www.legco.gov.hk/yr00-01/english/panels/se/papers/se_c.htm
- Government’s response
- http://www.info.gov.hk/gia/general/200107/16/0716105.htm
- Accept most recommendations from the Working Group
- Legislative amendments will be submitted to LegCo in 2001/02

4 Major Recommendations
- Redefine “Computer”
- Clarify gray areas in legislation
- definition of “computer data”
- definition of “access to computer”
- definition of “hacking”
- Increase penalties of computer crimes
- “unauthorized access to the computer”
- “accessing a computer with the intent to commit an offence”
- deception and dishonest intent

5 Controversial Recommendations
- encrypted computer records
- serious offences
- require judicial scrutiny
- Hacking
- extend jurisdictional rules

6 1. Encrypted computer records
- Compulsory disclosure of encrypted computer records
- law enforcement agencies
- decryption tool or the decrypted text
- judicial scrutiny
- similar to production order
- serious offences
- maximum penalty on conviction of not less than 2 years
- penalty will be commensurate with the specific offence under investigation

7 Government view
- law enforcement agencies have to:
- provide admissible evidence from encrypted data in criminal cases
- prove beyond reasonable doubt
- use the right decryption method

8 Opposite view
- disclosure of the decryption key may make one incriminate himself
- threshold of offence carrying maximum penalty of not less than 2 years is sufficiently high
- potential infringement of privacy

9 Overseas Experience
- prohibit unauthorized encryption
- China, Russia & Saudi Arabia
- provide for mandatory key escrow
- create the power to require production of encryption keys by warrant or order
- Singapore
- Malaysia
- UK

10 Implication
- Information Security professionals may be required to provide the decryption key in the aforesaid situation.

11 2. Hacking--Existing Law
- unauthorized access to computer by telecommunications
- hacking
- Telecommunications Ordinance S. 27A
- access to computer with a criminal or dishonest intent
- Crimes Ordinance S. 161

12 2. Hacking--New proposals
- increase penalty
- hacking
- include a custodial term
- accessing a computer with the intent to commit an offence
- regard to the severity of the offence to be committed
- accessing a computer with deception and dishonest intent
- maximum penalty: 3 years

13 2. Hacking--New proposals
- extend the jurisdiction
- include hacking in Criminal Jurisdiction Ordinance (Cap. 461)
- Hackers attacking Hong Kong from foreign countries commit an offence

14 3. Hacking - New proposals
- implication
- unauthorized access to computer by telecommunications
- access to computer with a criminal or dishonest intent
- The above crimes, when originating from overseas, are offences in HK

15 Legislation in progress
- Gambling Amendment Bill 2000

16 Other new legislation
- Smart ID Card
- Collection of data
- Privacy issues
- Review of Electronic Transactions Ordinance
- Enacted Jan 2000
- review within 18 months

17 Overseas Experience
- Australia
- European Union
- US

18 Australia
- Cybercrime Bill 2001
- Amend
- Criminal Code Act 1995
- Crimes Act 1914
- enhance investigation powers relating to the search and seizure of electronically stored data
- take into account the draft Council of Europe Convention on Cybercrime
- http://scaletext.law.gov.au/html/ems/0/2001/top.htm

19 Council of Europe
- Convention on Cyber-crime
- Final version: 29 June 2001
- The first international treaty on cyber crime
- http://conventions.coe.int/Treaty/EN/cadreprojets.htm
- Request members to criminalize:
- illegal access
- illegal interception
- data interference
- system interference
- misuse of devices
- hacking tools

20 US
- HR 1259
- Computer Security Enhancement Act of 2001
- Expands the National Institute of Standards and Technology's (NIST) role in promoting computer security.
- H Cont. Res 22
- Expressing the sense of Congress regarding Internet security and “cyberterrorism”
- Designates cyberterrorism as an emerging threat to the national security of the United States; and calls for a revised legal framework for the prosecution of “hackers” and “cyberterrorists”

21 US
- HRes 12
- Opposing the imposition of criminal liability on Internet service providers based on the actions of their users.
- Opposes foreign governments' attempts to prosecute or penalize ISPs for content that is protected in the U.S. by the First Amendment, and the idea that ISPs should be held liable for content posted by others.

22 US
- HR 2136
- Confidential Information Protection Act
- Limits the use and disclosure of personally identifiable information by federal agencies, and exempts such information from requests made under the Freedom of Information Act.

23 D. Current Legislation in HK
- Telecommunications Ordinance (Cap 106)
- Crimes Ordinance (Cap 200)
- Theft Ordinance (Cap 210)
- Electronic Transactions Ordinance (Cap 553)
- Personal Data (Privacy) Ordinance (Cap 468)
- Copyright Ordinance (Cap 548)
- Control of Obscene and Indecent Articles Ordinance (Cap 390)
- Gambling Ordinance (Cap 148)

24 Thank You
cksin@sinchungkai.org.hk

