Information Security Legislation Moving ahead Information Security 2001 Professional Information...

Information Security Legislation Moving ahead Information Security 2001 Professional Information Security Association Sin Chung Kai Legislative Councillor (IT) July 28, 2001


Page 1:

Information Security Legislation

Moving ahead Information Security 2001

Professional Information Security Association

Sin Chung Kai

Legislative Councillor (IT)

July 28, 2001

Page 2:

A. The “Report”

- The Inter-departmental Working Group on Computer Related Crime
- Sept 2000
- The major review of laws concerning computer crime since 1993
- Legislative amendments in the coming year
- http://www.info.gov.hk/sb/cr-rpt/report.htm

Page 3:

A. The “Report”

- Comments by professional bodies & associations
  - http://www.legco.gov.hk/yr00-01/english/panels/se/papers/se_c.htm
- Government’s response
  - http://www.info.gov.hk/gia/general/200107/16/0716105.htm
  - Accept most recommendations from the Working Group
  - Legislative amendments will be submitted to LegCo in 2001/02

Page 4:

Major Recommendations

- Redefine “Computer”
- Clarify gray areas in legislation
  - definition of “computer data”
  - definition of “access to computer”
  - definition of “hacking”
- Increase penalties of computer crimes
  - “unauthorized access to the computer”
  - “accessing a computer with the intent to commit an offence”
  - deception and dishonest intent

Page 5:

Controversial Recommendations

- encrypted computer records
  - serious offences require judicial scrutiny
- Hacking
  - extend jurisdictional rules

Page 6:

1. Encrypted computer records

- Compulsory disclosure of encrypted computer records
  - law enforcement agencies
  - decryption tool or the decrypted text
- judicial scrutiny
  - similar to production order
- serious offences
  - maximum penalty on conviction of not less than 2 years
- penalty will be commensurate with the specific offence under investigation

Page 7:

Government view

- law enforcement agencies have to provide admissible evidence from encrypted data in criminal cases
  - prove beyond reasonable doubt
  - use the right decryption method

Page 8:

Opposite view

- disclosure of decryption key may make one incriminate himself
- threshold of offence carrying maximum penalty of not less than 2 years is sufficiently high
- potential infringement of privacy

Page 9:

Overseas Experience

- prohibit unauthorized encryption
  - China, Russia & Saudi Arabia
- provide for mandatory key escrow
- create the power to require production of encryption keys by warrant or order
  - Singapore
  - Malaysia
  - UK

Page 10:

Implication

- Information Security professionals may be required to provide the decryption key under the aforesaid situation.

Page 11:

2. Hacking--Existing Law

- unauthorized access to computer by telecommunications
  - hacking
  - Telecommunications Ordinance S. 27A
- access to computer with a criminal or dishonest intent
  - Crimes Ordinance S. 161

Page 12:

2. Hacking--New proposals

- increase penalty
  - hacking
    - include a custodial term
  - accessing a computer with the intent to commit an offence
    - regard to the severity of the offence to be committed
  - accessing a computer with deception and dishonest intent
    - maximum penalty: 3 years

Page 13:

2. Hacking--New proposals

- extend the jurisdiction
  - include hacking in Criminal Jurisdiction Ordinance (Cap. 461)
  - Hackers attacking Hong Kong from foreign countries commit an offence

Page 14:

3. Hacking - New proposals

- implication
  - unauthorized access to computer by telecommunications
  - access to computer with a criminal or dishonest intent
  - The above crimes originated from overseas are offences in HK

Page 15:

Legislation in progress

- Gambling Amendment Bill 2000

Page 16:

Other new legislation

- Smart ID Card
  - Collection of data
  - Privacy issues
- Review of Electronic Transactions Ordinance
  - Enacted Jan, 2000
  - review within 18 months

Page 17:

Overseas Experience

- Australia
- European Union
- US

Page 18:

Australia

- Cybercrime Bill 2001
  - Amend
    - Criminal Code Act 1995
    - Crimes Act 1914
  - enhance investigation powers relating to the search and seizure of electronically stored data
  - take into account the draft Council of Europe Convention on Cybercrime
  - http://scaletext.law.gov.au/html/ems/0/2001/top.htm

Page 19:

Council of Europe Convention on Cyber-crime

- Final Version--29, June, 2001
- The first international treaty on cyber crime
  - http://conventions.coe.int/Treaty/EN/cadreprojets.htm
- Request members to criminalize:
  - illegal access
  - illegal interception
  - data interference
  - system interference
  - misuse of devices
    - hacking tools

Page 20:

US

- HR 1259
  - Computer Security Enhancement Act of 2001
  - Expands the National Institute of Standards and Technology's (NIST) role in promoting computer security.
- H Cont. Res 22
  - Expressing the sense of Congress regarding Internet security and “cyberterrorism”
  - Designates cyberterrorism as an emerging threat to the national security of the United States; and calls for a revised legal framework for the prosecution of ‘hackers’ and ‘cyberterrorists’

Page 21:

US

- HRes 12
  - Opposing the imposition of criminal liability on Internet service providers based on the actions of their users.
  - Opposes foreign governments' attempts to prosecute or penalize ISPs for content that is protected in the U.S. by the First Amendment, and the idea that ISPs should be held liable for content posted by others.

Page 22:

US

- HR 2136
  - Confidential Information Protection Act
  - Limits the use and disclosure of personally identifiable information by federal agencies, and exempts such information from requests made under the Freedom of Information Act.

Page 23:

D. Current Legislation in HK

- Telecommunications Ordinance (Cap 106)
- Crimes Ordinance (Cap 200)
- Theft Ordinance (Cap 210)
- Electronic Transactions Ordinance (Cap 553)
- Personal Data (Privacy) Ordinance (Cap 468)
- Copyright Ordinance (Cap 548)
- Control Obscene and Indecent Article Ordinance (Cap 390)
- Gambling Ordinance (Cap 148)

Page 24:

Thank [email protected]