Internet Society Hong Kong’s concerns over the Anti-doxxing bill

The HKSAR government gazetted amendments to the Personal Data (Privacy) Ordinance (PDPO) against doxxing (anti-doxxing bill) on 16th June, 2021, and the first reading and debate took place in the legislature on 21st July, 2021 (Wednesday). Internet Society Hong Kong is concerned about the new anti-doxxing bill. While we acknowledge the importance of protecting citizens’ privacy, the newly proposed bill gives the Privacy Commissioner excessive power. We are worried that the bill will damage the free flow of information in Hong Kong and go against the principles of an open and unrestricted Internet promoted around the globe.

  1. Excessive Power to the Privacy Commissioner

We believe that the amendments would give excessive and disproportionate power to the Privacy Commissioner. Anti-doxxing laws overseas generally deal only with those who disclose information and have caused substantial harm to the victims. However, the amendments proposed by the HKSAR government grant the Privacy Commissioner power to request any third party, including online platforms, search engines and Internet service providers (ISPs), to shut down the websites in question, to assist investigations, or potentially to “decrypt” information in order to monitor and access website traffic.

In practice, the amendments let the Privacy Commissioner search and decrypt anyone’s electronic devices without a court warrant in cases of suspected contravention of the bill. This would effectively empower the Privacy Commissioner to conduct criminal investigations and to require third parties to comply. This excessive power is unprecedented and unheard of in other countries.

  2. Vague definition & grey areas in the bill

The amendments are vague and contain undefined grey areas, which could easily be abused to create “speech crime”. The definition of personal data remains the same in the amended bill; however, doxxing acts which cause “psychological harm” and are committed “being reckless as to whether the data subject or any immediate family member would be threatened, intimidated or harassed” are regarded as an offence under the amendments. This definition of doxxing is too vague and subjective, which might lead to “speech incrimination”. ISOC HK worries that the bill could easily be abused and lead to revenge-style prosecutions that crush whistle-blowers and the disclosure of material that is in the public interest.

  3. Limit Information freedom and affect Hong Kong’s role as Internet hub

ISOC HK is concerned that granting the Privacy Commissioner the power to shut down websites and conduct criminal investigations, on top of the vagueness of the bill, can easily be abused and become a means to crush dissent and pre-empt whistle-blowers, with a negative impact on the free flow of information. As mentioned above, the Privacy Commissioner is given excessive power: for instance, online platforms, search engines and network service providers can be asked to shut down websites, breaking the principle that Internet providers are not responsible for the content transmitted, and transferring legal risk to third parties that have nothing to do with the leakage of personal data. Online platforms and service providers, due to technical limitations, might be forced to close down other related or even unrelated websites in one go, making other legitimate services inaccessible. In addition, the amendments would undermine Hong Kong’s role as an Internet hub in the long run. Since the Privacy Commissioner has the right to search and decrypt any relevant person’s electronic device “under reasonable suspicion” without a court warrant, the amendments would weaken technology companies’ confidence to invest and set up business in Hong Kong. Foreign companies might no longer regard Hong Kong as a network hub or a preferred choice for their cloud services.

ISOC HK believes that while the current amendments to the Personal Data (Privacy) Ordinance deal solely with doxxing acts, they neglect personal data protection in other important areas, such as large-scale leakage of personal data by enterprises and government bodies. To ensure privacy protection, the government should strengthen regulation of personal data within enterprises and government bodies by making reference to the practice of foreign countries, such as mandatory disclosure of data breach incidents, penalties against the offending organisation, compensation for affected persons, or holding negligent management criminally liable. By contrast, solely targeting doxxing acts and disproportionately increasing the Privacy Commissioner’s power would only limit the free flow of information in Hong Kong, affect the city’s role as an Internet hub, and lead society to question whether the authorities are merely prosecuting “speech crime” through the law amendments.

20th July, 2021
Internet Society Hong Kong


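Internet Society Hong Kong’s concerns and worries over the amendments to the Privacy Ordinance

The HKSAR Government gazetted the bill on 16 June 2021, and the first reading and the start of the second-reading debate on the amendments to the Privacy Ordinance will take place on 21 July 2021 (Wednesday). Internet Society Hong Kong expresses its concern and worry. Protecting personal privacy is an initiative that benefits society, but the Society considers that these amendments give the Privacy Commissioner excessive power, will affect freedom of information in Hong Kong, and run counter to the idea of an open and unrestricted Internet that the international community has promoted for many years.

  1. Excessive power granted to the Privacy Commissioner

The power these amendments give the Privacy Commissioner is clearly excessive and disproportionate. Anti-doxxing laws overseas mainly target those who disclose the data and those who cause actual harm. The bill submitted by the Hong Kong Government, however, besides targeting and restraining disclosers, can also require any third party, including online platforms, search engines and network service providers, to cooperate and block individual websites; under the law’s “decryption” requirement it may even authorise the interception of and access to the communications of the websites concerned.

In enforcement, the Commissioner has the power, “under reasonable suspicion” and without a court warrant, to search and decrypt the electronic devices of any relevant person. This in effect gives the Commissioner powers of criminal investigation and of requiring third parties to cooperate, which has no precedent overseas; the extent of the power is also unprecedented.

  2. Grey areas and vague definitions in the amendments

The bill’s definitions are vague and contain many grey areas, making it easy for the authorities to use the ordinance to criminalise speech. Although the bill keeps the existing definition of personal data, the “specified harm” in the ordinance includes “psychological harm”, and using “being reckless as to whether any specified harm would be (or would likely be) caused to the data subject or any family member” as a condition for the offence is very vague and may well depend on subjective judgement, making it easy for the authorities to use the ordinance to criminalise speech. We are worried that this amendment creates room for the authorities to bring retaliatory prosecutions against whistle-blowing that is not news reporting, or against disclosures of personal data that involve conflicts of interest.

  3. Restricting freedom of information and affecting Hong Kong’s role as an Internet hub

We consider that the amendments grant the Privacy Commissioner powers to block websites and conduct searches which, combined with the vague legal definitions, can easily be abused and become a means of stifling dissent and preventing whistle-blowing disclosures, with a decidedly negative effect on the flow of information. As mentioned above, the Commissioner’s power is excessive: for example, the Commissioner can require online platforms, search engines and network service providers to block websites, breaking the principle that Internet providers are not responsible for the content they transmit, and shifting legal risk onto online platforms and providers that have nothing to do with the leakage of personal data. Because of technical limitations, online platforms and providers may be forced to block related and even unrelated websites together, leaving citizens unable to access other legitimate services. In addition, the amendments will in the long run damage Hong Kong’s role as an Internet hub. The Commissioner’s power to search and decrypt the electronic devices of any relevant person “under reasonable suspicion” without a court warrant will weaken technology companies’ confidence to invest and develop business in Hong Kong; foreign companies may in future no longer regard Hong Kong as a preferred choice for a network hub and cloud services.

We consider that these amendments deal only with “doxxing” acts and neglect personal data protection in other areas, such as serious incidents in which enterprises and government bodies leak personal data on a large scale. We suggest that the government strengthen the regulation of how enterprises and organisations handle citizens’ personal data, for example by following overseas requirements that organisations disclose a personal data leak to the affected persons and the regulator within a specified time after discovering it, by setting penalties, and even by pursuing criminal liability against the management of organisations that are negligent in protecting personal data, so as to protect the security of citizens’ personal data. By contrast, merely targeting “doxxing” acts and disproportionately increasing the Commissioner’s power through vague amendments will only weaken the flow of information in Hong Kong, affect Hong Kong’s role as an Internet hub, and lead society to question whether the authorities are merely using the amendments to criminalise speech.

20th July, 2021
Internet Society Hong Kong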


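[HKIGF Hong Kong Internet Governance Forum] The Era of Website Blocking?

On 14 January 2021, Hong Kong Broadband Network admitted that, as required under the National Security Law, it had stopped connections to the “HKChronicles” website, the first time the police National Security Department formally invoked Article 43 of the Hong Kong National Security Law to block a website. After the news broke, there was concern about whether the authorities would go on to block other websites alleged to threaten national security, and the move was even compared with mainland China’s strict Internet censorship.

Has the era of website blocking arrived? Can mainland China’s “Great Firewall” be replicated in Hong Kong? How does blocking connections to a website actually work? Internet Society Hong Kong is holding the “Hong Kong Internet Governance Forum” and invites everyone to join an online discussion with expert speakers on how to respond as we enter an era of website blocking.

Guests:
※ 徐文傑 – Reporter, China desk, Citizen News
※ 鍾宏安 – Chief Executive Officer, DotAsia domain name registry
※ 石書銘 – Executive committee member, Bar Association
※ 黃浩華 – Election Committee member, Information Technology subsector
※ 魏志豪 – Eastern District Councillor, Kornhill constituency

Moderator: 鄭斌彬, Director, Internet Society Hong Kong

Date: 29 April (Thursday)
Time: 7:30 pm to 9:30 pm
Venue: Bluejeans; simultaneous live stream on Facebook
Language: Cantonese

This event will be held on Bluejeans. Those interested can register at the link below and join the discussion. The event will be streamed live on Facebook at the same time.

Registration: https://forms.gle/kTVzWgHFCnEP2mQs6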


Response to the Real-name Registration Programme for SIM Cards

Internet Society Hong Kong (ISOCHK) believes that the proposed Real-name Registration Programme for SIM Cards is damaging to Hong Kong’s reputation as a role model in the field of telecommunication policy. It will hinder smart city development, a commitment made by the Hong Kong Government, and deter technological innovation in the information technology industry. We oppose the proposed Programme and recommend its complete withdrawal.

A matter of principle

As the United Nations Human Rights Council’s Special Rapporteur on freedom of opinion and expression reports, “encryption and anonymity tools have become vital for journalists, activists, artists, academics and others to exercise their professions and their human rights freely”. [1] Individuals and organizations should have the right to hold and freely express opinions without interference and conduct their legitimate everyday activities under adequate privacy protection. ISOCHK believes that the proposed regulation will only undermine decades of efforts Hong Kong has made to protect and promote freedom of speech and to maintain a favourable business environment, jeopardizing Hong Kong’s role as an international finance centre.  

Proposal 1: SIM Real-name Registration Programme

ISOCHK does not support Proposal 1. The consultation paper depicts prepaid SIM cards (PPS) as a material factor in illegal activities. We do not believe it is true, and are of the opinion that PPS is a mere scapegoat. ISOCHK highlights the following:

According to the Secretary for Security Mr John Lee’s written reply to Hon Vincent Cheng in Legislative Council on 13 January 2021 [2], the majority of telephone deception cases originated from outside Hong Kong. We do not see how real-name registration of local SIM cards could address the problem and we can foresee the prevalence of similar phone scams even after the Registration Programme is put into effect. Without disclosing the ratio of telephone deception cases involving local SIM cards versus overseas callers, the claim made by the consultation paper is incomplete and misleading. 

The consultation paper also argues that serious and violent crimes threaten public safety, hinting at the possibility that criminals would make use of local PPS to conduct their activities. ISOCHK would like to point out that it is easy for any serious criminal to obtain overseas SIM cards; they may also look for scapegoats to bypass the real-name SIM card registration. Worse still, it is also foreseeable that identity theft or SIM swapping attacks would become a more apparent concern once the registration programme comes into effect, imposing additional risks to innocent individuals and businesses. 

If crime prevention is an important concern in the legislative exercise, ISOCHK regrets to comment that the proposed Programme will be gravely ineffective. The burden and restriction it places on service providers and consumers are utterly unnecessary and disproportionate vis-à-vis the purported purpose.

Hong Kong has been one of the safest cities in the world since the introduction of mobile telephone services back in the 1990s, and has always been a successful role model of a free city with low crime rate and high adoption of telecommunication technologies. The consultation paper’s accusations that the anonymous nature of PPS “undermines confidence in the integrity of telecommunication services” and “jeopardizes the genuine or legitimate use of telecommunication”, when scrutinized against the city’s experience, are utterly gratuitous and unsubstantiated.

Proposal 2: Three PPS cards restriction per user

ISOCHK does not support Proposal 2. It proposes to limit the number of SIM cards to three (3) per user, including company and corporate users. It is obvious that the authorities have not thoroughly considered reality, in this case the growing number of mobile devices per individual in the era of the Internet of Things (IoT) and 5G. Based on the World Bank’s 2019 data [3], each person in Hong Kong subscribes to 2.89 mobile services on average. It is expected that this number will only increase in the coming years. The proposed restriction of three SIM cards per individual is no doubt unrealistic, disregarding the fact that many people use more than three PPS for their own devices, for emergency internet access during network outages, or have dual SIM cards in the same phone for extra mobile data quota.

The proposal does not detail any arrangement for SIM cards in machines, such as automobiles and shared bicycles, or in fixed installations such as vending machines and advertising panels. Many of these devices require SIM cards for remote management, security updates, location tracking and content delivery. It is also common for the information technology industry to conduct research and test the resiliency, compatibility and security of its products and services by using dozens or even hundreds of mobile devices simultaneously. The proposal not only illustrates the government’s ignorance and disregard of the IT industry’s real practices, causing inconvenience to the daily operation of hundreds of businesses, but also paints a very discouraging future for the industry, further accelerating the relocation of companies and emigration of talent since the establishment of the National Security Law.

Proposal 3: Registration endorsement for young persons

ISOCHK does not support Proposal 3. We do not think the registration endorsement could provide any substantial protection to young people. Speculating on the assumption that criminals would lure teenagers to register SIM cards for illegal use, the consultation paper proposes that adolescents be required to seek endorsement from parents, relatives or guardians before obtaining registered SIM cards. On a practical level, this only imposes extra difficulties upon service providers to prove such relationships, and is not at all helpful in preventing identity theft, or barring teenagers from selling their SIM to criminals for profit. It would, however, put teenagers into a disadvantageous position in which, with increasingly extraordinary law enforcement and prosecution practices, youngsters lacking legal knowledge and experience would be dragged into criminal proceedings and even challenged to prove their (legally presumed) innocence in case of SIM card misuse. 

The registration would also bring obstacles to the promotion of STEM education to children. The added cost and endorsement procedure would discourage talented children from exploring and learning innovative technologies that involve the use of mobile networks. Children, especially those living in grassroots communities, might lose their opportunity to learn if access to mobile networks requires approval of adults who do not understand the importance of it. 

Proposal 8: Record requests from Law Enforcement without warrant

ISOCHK does not support Proposal 8. The proposed regulation grants power to law enforcement agencies (LEAs) to request registration information under “urgent or emergency situations”. Yet, the definition of “urgent or emergency situations” is unclear and the power itself lacks independent checks and balances. As the National Security Law has already granted LEAs the right to request service providers to provide assistance whenever deemed necessary, it is redundant and excessive for the proposed legislation to grant LEAs access to the records without warrant. 

In addition, there does not seem to be any clear mechanism to prevent abuse of such private information. It is foreseeable that the abusive power given to LEAs could easily be weaponized and become a tool to harass or threaten dissidents. As the UN opines, “when States legitimately need access to encrypted or anonymous information, they should only seek it through judicial process”. [1] ISOCHK only supports that LEAs may request licensees to provide SIM card registration records of relevant individuals and time ranges when a warrant is issued by a magistrate, where it is necessary for LEAs to conduct investigation and the magistrate is satisfied that all other less intrusive methods have been exhausted. 

Internet Society Hong Kong

25th February, 2021

[1] https://www.ohchr.org/EN/NewsEvents/Pages/HRencryptionanonymityinadigitalage.aspx 

[2] https://www.info.gov.hk/gia/general/202101/13/P2021011300541.htm

[3] https://data.worldbank.org/indicator/IT.CEL.SETS.P2?name_desc=false&locations=HK


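[Statement demanding the withdrawal of the Real-name Registration Programme for SIM Cards]

On 30 January 2021 the Government proposed making regulations under the Telecommunications Ordinance to implement a real-name registration programme for SIM cards, and launched a public consultation. We believe that real-name registration will not only fail to combat crime but will even hinder research and development. Our reasons are as follows:

  1. The proposed quantity limit is extremely inconvenient for frontline staff who need to develop and test applications; the provisions do not clearly place machine-to-machine (M2M) SIM cards outside the real-name programme; and the bureaucracy leaves small and medium-sized enterprises at a loss
  2. Real-name registration cannot stop crimes that use overseas numbers disguised as local numbers; it will also increase the likelihood of criminals misappropriating citizens’ SIM cards through theft and intimidation, and citizens may become scapegoats as a result
  3. The proposal does not clarify the definition of “urgent or emergency”, giving law enforcement agencies excessive power
  4. A 2015 report from the Office of the United Nations High Commissioner for Human Rights pointed out that freedom of expression needs sufficient encryption and the right to anonymity to be adequately protected; the report recommends that real-name registration be avoided as far as possible around the world
  5. Real-name registration makes telecommunications operators collect and store more personal data, but Hong Kong does not at this stage have a sufficiently mature privacy policy to protect the rights to which citizens are entitled

We therefore demand that the legislative amendment be withdrawn and call on industry practitioners to submit their views during the consultation period.

Hong Kong Information Technology Workers’ Union (香港資訊科技界工會)
Frontline Technology Workers (前線科技人員)
Internet Society Hong Kong (ISOC HK)
黃浩華, Election Committee member, Information Technology subsector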
