A sub-committee on Cybercrime in the Law Reform Commission of Hong Kong published a consultation paper in July, and the sub-committee welcomes views from the public. I made the following submission today.
11 October 2022
RE: Consultation on Cyber-dependent Crimes and Jurisdictional Issues
I would like to express my concern about the consultation paper: the recommendations made by the sub-committee are quite far from cyber reality and real-world cases. They deprive everyone of the human right to protect themselves from cybercrime, and they restrict the work of IT security professionals and other Information Technology professionals.
We should protect the right of people to protect themselves from cybercrime, and they should be allowed to carry out security checks on their own.
Reporting a personal privacy leak was prosecuted
In the Hong Kong court case WKS6208/2019, a non-IT professional (Mr Chan) reported a security bug to a local airline company, and was then prosecuted for unauthorised access to a computer.
When Mr Chan checked his ticketing information on a Hong Kong airline company's website, he found a potential leak: the personal information on his ticket, as well as that of other passengers (e.g. the surname of the ticket holder), could be accessed without any authentication. He changed a single digit in a parameter value of the web address to confirm his finding and reported the data leak to the airline. Later on, the airline company reported to the police that Mr Chan had accessed information without authorisation, and the police arrested him.
Mr Chan did not use any security tool; he just changed a digit in the address bar of a web browser, and he was prosecuted for a ‘cybercrime’. If the sub-committee recommends that the defence or exemption apply to security professionals only, the general public faces a huge risk of being investigated by the authorities at any time when they use information technology for general purposes.
Therefore, from the point of view of IT professionals and the general public, this case should not have been prosecuted. From this case, we can understand that a security check sometimes does not require professional skill; it can be a simple task.
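The bug class in the case above, shown from the airline's side as an added example (not part of this submission, and not the airline's code): a ticket lookup keyed only by a sequential id, the hardened form that ties the record to the requesting account, and a small detection helper for a client that keeps asking for ids it does not own. All records, account names and thresholds are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    ticket_id: int   # sequential id, the kind that shows up as a URL parameter
    owner: str       # account that made the booking
    surname: str
    flight: str


# Constructed sample data, not real passenger records.
TICKETS = {
    1001: Ticket(1001, "alice@example.com", "CHAN", "HX123"),
    1002: Ticket(1002, "bob@example.com", "LEE", "HX123"),
}


def lookup_insecure(ticket_id: int) -> Ticket | None:
    """Vulnerable pattern: the id alone selects the record, so changing one
    digit of the parameter returns another passenger's data."""
    return TICKETS.get(ticket_id)


def lookup_hardened(session_user: str, ticket_id: int) -> Ticket | None:
    """Hardened pattern: the record is released only to the account that owns
    it. A foreign id and a missing id both return None, so the response does
    not reveal which ids exist."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket.owner != session_user:
        return None
    return ticket


def suspicious_enumeration(requests: list[tuple[str, int]],
                           threshold: int = 3) -> set[str]:
    """Detection helper (assumed threshold): flag accounts that were denied
    more than `threshold` distinct ticket ids. One or two denied lookups are
    normal (a typo, a shared booking); a long run across ids is enumeration."""
    denied: dict[str, set[int]] = {}
    for user, tid in requests:
        if lookup_hardened(user, tid) is None:
            denied.setdefault(user, set()).add(tid)
    return {user for user, ids in denied.items() if len(ids) > threshold}
```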
Will a similar case happen again if the defence or exemption applies to security professionals only?
It is interesting that the potential personal privacy leak from the airline company was neither investigated nor warned about.
Should a large personal privacy leak be also classified as a cybercrime?
Did the discussion in the sub-committee meeting include this court case?
Nowadays, Information Technology skills can be learnt easily by anyone online or from books; even non-IT professionals or secondary school students can find a security bug on a website. The learning potential of everyone, including retired persons, teenagers and children, should not be underestimated.
We can’t say that, because a knife can be used in a crime to hurt someone, the use of knives should be restricted to ‘professionals’ only.
Therefore I submit the following comments to the sub-committee.
- For your recommendation 2, a specific defence or exemption for unauthorised access for cybersecurity purposes should apply to everyone; no accreditation regime is required.
- For your recommendation 8, scanning and testing of a computer system on the internet should be allowed for everyone, to protect themselves, and not limited to cybersecurity professionals, e.g. the behaviour in the court case WKS6208/2019.
- For your recommendation 8(b)(i), everyone should be allowed to use web scraping to collect data from websites. It is essential work for data professionals in AI & machine learning, data processing and analytics.
- For your recommendation 9, the most popular Linux distributions include security tools and their source code, for example Wireshark and nmap. It is nonsense to disallow developers from developing & distributing such source code to protect people, and nonsense to disallow users from owning such source code and executable binaries.
It is also recommended that the sub-committee extend its work and hold a longer consultation with the wider information technology industry to revise its previous discussion.
Mr Sammy Fung
Open Source Professional
(This submission is also published on my blog and other media/websites)
香港01: Loophole found in Hong Kong Airlines' online system; male passenger's report went unheeded and he was instead accused of accessing data; bound over https://www.hk01.com/article/347780