
Hong Kong’s New Cybercrime Law Consultation – The Diplomat
This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes and related jurisdictional issues, setting in motion what will likely be a series of new laws and amendments in the reformed “patriots-ruled” territory under the People’s Republic of China.
The move should come as no surprise. After all, many other jurisdictions around the world have legislated cybercrime in various shapes and forms in recent years. As technology advances, laws try to catch up. The LRC’s Cybercrime Subcommittee actually commenced work back in January 2019, a full three-and-a-half years ago, to review Hong Kong’s relevant laws, long considered to be grossly outdated.
Indeed, for decades, Hong Kong law enforcement relied on a controversial law under the territory’s Crimes Ordinance, known as section 161, for the offense of “access to a computer with criminal or dishonest intent,” and section 27A of the Telecommunications Ordinance, forbidding “unauthorized access to any program or data held in a computer,” to prosecute cybercriminals. However, with a complacency induced by easy convictions, the police and the prosecution in Hong Kong continued to apply the outdated section 161 to computer-related cases way beyond its original legislative intent. The ordinance, after all, was passed back in 1993, long before the arrival of the internet, smartphones, and social media.
Then, in a landmark decision by the Court of Final Appeal (CFA), Hong Kong’s top court, in April 2019, certain applications of section 161 were overturned. Specifically, as the original law was intended to prohibit someone from accessing another’s computer, before networking was commonplace, the CFA ruled that the law could not apply to someone using his or her own computer to launch or commit the alleged criminal act. The solution was of course to update the antiquated law, and that was largely why the LRC set up a subcommittee to look into this.
While many in the public rightly saw the court’s decision as a victory against police and prosecution abuse, it was also inevitable that a new law would have to be established. The question then should be whether the new bespoke cybercrime law would be reasonable, proportional, and sufficient for deterrence against and punishment for committing cybercrimes.
So, do the current recommendations meet these criteria? I would point out four main areas of concern: proof of intent (or the lack thereof), making available or possessing devices or data for committing a crime, jurisdictional issues, and, finally, sentencing.
No Need for Proof of Intent
Under the category of illegal access to program or data, the subcommittee recommended that “mere unauthorized access should be criminalized as a summary offense, which does not require malice to be an element of the offense, subject to the statutory defense of reasonable excuse.” Similarly, under the section for illegal interception of computer data, the subcommittee “concluded against insisting on proof of an intent to commit a specific offense as this may cause excessive difficulty in law enforcement.”
But more convenience for law enforcement to prosecute may result in higher uncertainty and risk for programmers or companies unsure of how to comply. The consultation paper did cite certain examples, such as “a search engine usually does not obtain consent from a website before scanning the internet protocol address concerned,” suggesting that such “customary practices” should “continue to be tolerated.” But the subcommittee only further suggests “a generic defense based on reasonable excuse.” But what if such a generic defense cannot prevent the prosecution from pressing charges? That would cause serious chilling effects among, for instance, white-hat hackers and information security companies, local and overseas, that need to routinely access servers on the internet in order to discover vulnerabilities.
In this regard, the consultation asks, should such a defense or exemption be provided to only accredited cybersecurity professionals, and if such accreditations do not exist, should they be established locally? If not, what should be the requirements for someone to prove his or her qualifications to invoke such a defense? Clearly the subcommittee has no idea how the industry operates, or how difficult, time-consuming, and costly it would be to set up such an accreditation system (which would not work well anyway).
One subcommittee member even made the remark that in order for information security companies to qualify for statutory defense or exemption, a registration system to manage such companies may have to be set up. If that happens, local and overseas information security professionals and companies may choose to skip the troubles of registration and potential infringements of the law altogether by simply not doing business in Hong Kong anymore, and also suspending any remote surveying of Hong Kong targets for threats and vulnerabilities, leaving Hong Kong’s cyberspace less safe, less protected, and less secure.
Finally, the consultation recommends that “unauthorized disclosure or use of the intercepted data should be prohibited.” This adds great uncertainties for journalists or researchers who often have to rely on data and information from undisclosed sources. Without a whistleblower protection clause in this new law, and of course also without general whistleblower protection in Hong Kong, the public’s right to know will surely suffer.
Making Available or Possessing Devices or Data for Committing a Crime
This whole topic should make anyone responsible for an IT platform, a cloud provider, even a university providing information services to its students and staff, cringe. The consultation paper justifies the idea by comparing it with section 62 of the Crimes Ordinance, which states that “a person who has custody or control of anything, and intends without lawful excuse to use it (or cause or permit another to use it) to destroy or damage property, shall be guilty of an offense.” This may sound perfectly reasonable if that “anything” is a gun or a knife, but extending this to the cyberworld of servers and clouds would be problematic.
Although the subcommittee considers that for this offense, the accused must have “acted with knowledge,” it still casts immense uncertainty on the part of any IT service providers that have little knowledge of what their customers do. The subcommittee further recommends that the ultimate offense committed by such device or data provided need not be limited to cybercrimes, but can be any offense. So, not only would researchers, educators, or information security professionals have good reasons to worry that by sharing code and information they may be liable for a cybercrime offense, but even email providers may worry that, if their services are used by some users to organize unauthorized protests, the providers may be liable for a cybercrime offense, even though the ultimate offense committed (such as an unauthorized protest) is not cyber in nature.
Jurisdictional Issues
One of the biggest problems in tackling cyber criminals globally is the issue of jurisdictional constraints. Hackers usually launch their attacks remotely, and they are difficult to locate, let alone identify, arrest, and charge. As a result, although traditionally common law criminal jurisdiction is territorially restricted, many common law jurisdictions are beginning to adopt more flexible approaches. So, the subcommittee recommends that for cases that involve illegal access, interception, or interference of computer data or systems, Hong Kong court jurisdiction can apply as long as any “essential element” of the offense has occurred in Hong Kong; the victim is a “Hong Kong person”; the target computer, program, or data is in Hong Kong; the perpetrator’s act has caused or may cause serious damage to Hong Kong’s infrastructure or public authority; or has threatened or may threaten Hong Kong’s security. But, what constitutes “threatening Hong Kong’s security” or “serious damage to Hong Kong’s public authority”?
For cases involving intermediaries making available or possessing a device or data for committing a crime, any company “carrying on business in Hong Kong” can be liable, including companies without a Hong Kong-registered presence. This would include numerous platforms from overseas or mainland China without a Hong Kong office but which may be accepting subscribers or advertisers or otherwise doing business with Hong Kong entities.
Sentencing
Most of the recommended sentences for these new offenses range from imprisonment for up to two years for a summary or basic offense, to up to 14 years’ imprisonment for an aggravated offense. Compared with sentencing under similar laws in other common law jurisdictions, these recommendations are relatively harsh. In addition, the maximum sentence for the aggravated offense for illegal interference with computer data and a computer system is recommended to be life imprisonment. This is exceptionally severe, and may leave the door open for judicial abuse and political repression.
The NSL Factor: What’s Next?
Although the LRC review and the establishment of the bespoke cybercrime law have been a long time coming, Hong Kong is very different today, after the imposition of the National Security Law (NSL), compared to when the review began over three years ago. Indeed, the consultation paper acknowledges the NSL’s enactment by noting: “The duty of Hong Kong to safeguard national security reaffirmed the need for reform of cybercrime laws in Hong Kong and the sub-committee has taken this into account in its pursuit of the cybercrime project.” Where was the NSL taken into account in the proposal, and what was done differently as a result? The answer may never be known.
In recent years, as jurisdictions around the world rushed to legislate their own cybersecurity laws in the name of fighting online crimes, many governments have been criticized for trampling civil rights, using such laws as political tools of surveillance and censorship. While the Hong Kong government has insisted and will continue to insist that Hong Kong’s legal changes will be commensurate with leading Western democracies, we cannot just look at what is written in the law. We must also consider the realities and perceptions of the rule of law and judicial independence. Evidently, local and international trust in Hong Kong’s legal system has taken a huge beating since the NSL enactment.
But this cybercrime law proposal will not be the last. Already Hong Kong has made it clear that a long list of cyber-related legal changes will be implemented under Chief Executive John Lee’s new administration, with a new disinformation law, revision to local rules under the NSL, Basic Law Article 23 local legislation for national security to target foreign interference, and amendments to the privacy law all in the pipeline. After the LRC consultation is completed, the final proposal will be handed to the administration, which will no doubt waste no time in drafting and submitting it to the very cooperative legislature for quick passage.
All this does not bode well for Hong Kong’s embattled IT industry and its professionals, especially those in cybersecurity, which will bear the brunt of the uncertainties and potential liabilities. Ironically the result may be a further weakened IT sector, and a less secure internet for Hong Kong.
