Information Security Legislation
Moving ahead Information Security 2001
Professional Information Security Association
Sin Chung Kai
Legislative Councillor (IT)
July 28, 2001
A. The “Report”
- The Inter-departmental Working Group on Computer Related Crime, Sept 2000
- The major review of laws concerning computer crime since 1993
- Legislative amendments in the coming year
- http://www.info.gov.hk/sb/cr-rpt/report.htm
A. The “Report”
- Comments by professional bodies & associations: http://www.legco.gov.hk/yr00-01/english/panels/se/papers/se_c.htm
- Government’s response: http://www.info.gov.hk/gia/general/200107/16/0716105.htm
- Accepts most recommendations from the Working Group
- Legislative amendments will be submitted to LegCo in 2001/02
Major Recommendations
- Redefine “computer”
- Clarify gray areas in legislation: definition of “computer data”, definition of “access to computer”, definition of “hacking”
- Increase penalties for computer crimes: “unauthorized access to the computer”, “accessing a computer with the intent to commit an offence”, deception and dishonest intent
Controversial Recommendations
- Encrypted computer records: serious offences require judicial scrutiny
- Hacking: extend jurisdictional rules
1. Encrypted computer records
- Compulsory disclosure of encrypted computer records to law enforcement agencies: the decryption tool or the decrypted text
- Judicial scrutiny, similar to a production order
- Serious offences only: maximum penalty on conviction of not less than 2 years
- Penalty will be commensurate with the specific offence under investigation
Government view
- Law enforcement agencies have to provide admissible evidence from encrypted data in criminal cases
- Prove beyond reasonable doubt
- Use the right decryption method
Opposite view
- Disclosure of the decryption key may amount to self-incrimination
- The threshold of an offence carrying a maximum penalty of not less than 2 years is sufficiently high
- Potential infringement of privacy
Overseas Experience
- Prohibit unauthorized encryption (China, Russia & Saudi Arabia)
- Provide for mandatory key escrow
- Create the power to require production of encryption keys by warrant or order (Singapore, Malaysia, UK)
Implication
- Information Security professionals may be required to provide the decryption key under the aforesaid situation.
2. Hacking -- Existing Law
- Unauthorized access to computer by telecommunications (hacking): Telecommunications Ordinance S. 27A
- Access to computer with a criminal or dishonest intent: Crimes Ordinance S. 161
2. Hacking -- New proposals: increase penalty
- Hacking: include a custodial term
- Accessing a computer with the intent to commit an offence: having regard to the severity of the offence to be committed
- Accessing a computer with deception and dishonest intent: maximum penalty 3 years
2. Hacking -- New proposals: extend the jurisdiction
- Include hacking in the Criminal Jurisdiction Ordinance (Cap. 461)
- Hackers attacking Hong Kong from foreign countries commit an offence
3. Hacking -- New proposals: implication
- Unauthorized access to computer by telecommunications
- Access to computer with a criminal or dishonest intent
- The above crimes, when originating from overseas, are offences in HK
Legislation in progress
- Gambling Amendment Bill 2000
Other new legislation
- Smart ID Card: collection of data, privacy issues
- Review of Electronic Transactions Ordinance: enacted Jan 2000, review within 18 months
Overseas Experience
- Australia
- European Union
- US
Australia: Cybercrime Bill 2001
- Amends the Criminal Code Act 1995 and the Crimes Act 1914
- Enhances investigation powers relating to the search and seizure of electronically stored data
- Takes into account the draft Council of Europe Convention on Cybercrime
- http://scaletext.law.gov.au/html/ems/0/2001/top.htm
Council of Europe Convention on Cyber-crime
- Final version: 29 June 2001
- The first international treaty on cyber crime
- http://conventions.coe.int/Treaty/EN/cadreprojets.htm
- Requests members to criminalize: illegal access, illegal interception, data interference, system interference, misuse of devices (hacking tools)
US: HR 1259, Computer Security Enhancement Act of 2001
- Expands the National Institute of Standards and Technology’s (NIST) role in promoting computer security.

US: H Cont. Res 22, Expressing the sense of Congress regarding Internet security and “cyberterrorism”
- Designates cyberterrorism as an emerging threat to the national security of the United States, and calls for a revised legal framework for the prosecution of “hackers” and “cyberterrorists”
US: HRes 12
- Opposing the imposition of criminal liability on Internet service providers based on the actions of their users.
- Opposes foreign governments’ attempts to prosecute or penalize ISPs for content that is protected in the U.S. by the First Amendment, and the idea that ISPs should be held liable for content posted by others.
US: HR 2136, Confidential Information Protection Act
- Limits the use and disclosure of personally identifiable information by federal agencies, and exempts such information from requests made under the Freedom of Information Act.
D. Current Legislation in HK
- Telecommunications Ordinance (Cap 106)
- Crimes Ordinance (Cap 200)
- Theft Ordinance (Cap 210)
- Electronic Transactions Ordinance (Cap 553)
- Personal Data (Privacy) Ordinance (Cap 486)
- Copyright Ordinance (Cap 528)
- Control of Obscene and Indecent Articles Ordinance (Cap 390)
- Gambling Ordinance (Cap 148)
Thank you