This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes and related jurisdictional issues, setting in motion what will likely be a series of new laws and amendments in the reformed “patriots-ruled” territory under the People’s Republic of China.
The move should come as no surprise. After all, many other jurisdictions around the world have legislated against cybercrime in various shapes and forms in recent years. As technology advances, new laws try to catch up. The LRC’s Cybercrime Subcommittee actually commenced work back in January 2019, a full three-and-a-half years ago, to review Hong Kong’s relevant laws, long considered to be grossly outdated.
Indeed, for decades, Hong Kong law enforcement relied on a controversial provision of the territory’s Crimes Ordinance, known as section 161, for the offense of “access to a computer with criminal or dishonest intent,” and on section 27A of the Telecommunications Ordinance, forbidding “unauthorized access to any program or data held in a computer,” to prosecute cybercriminals. However, with a complacency induced by easy convictions, the police and the prosecution in Hong Kong continued to apply the outdated section 161 to computer-related cases well beyond its original legislative intent. The provision, after all, was passed back in 1993, long before the advent of the internet, smartphones, and social media.
Then, in a landmark decision by the Court of Final Appeal (CFA), Hong Kong’s top court, in April 2019, certain applications of section 161 were overturned. In particular, since the original law was intended to prohibit someone from accessing another person’s computer, at a time before networking was commonplace, the CFA ruled that the law could not apply to someone using his or her own computer to launch or commit the alleged criminal act. The solution was of course to update the antiquated law, and that was largely why the LRC set up a subcommittee to look into this.
While many in the public rightly saw the court’s decision as a victory against police and prosecution abuse, it was also inevitable that a new law would have to be established. The question then should be whether the new bespoke cybercrime law would be reasonable, proportionate, and sufficient both to deter cybercrimes and to punish those who commit them.
So, do the current recommendations meet those criteria? I would point out four main areas of concern: proof of intent (or the lack thereof), making available or possessing devices or data for committing a crime, jurisdictional issues, and, finally, sentencing.
No Need for Proof of Intent
Under the category of illegal access to program or data, the subcommittee recommended that “mere unauthorized access should be criminalized as a summary offense, which does not require malice to be an element of the offense, subject to the statutory defense of reasonable excuse.” Similarly, under the section for illegal interception of computer data, the subcommittee “concluded against insisting on proof of an intent to commit a specific offense as this may cause excessive difficulty in law enforcement.”
But more convenience for law enforcement to prosecute may translate into greater uncertainty and risk for programmers or companies that do not know how to comply. The consultation paper did cite certain examples, such as “a search engine normally does not obtain consent from a website before scanning the internet protocol address concerned,” suggesting that such “customary practices” should “continue to be tolerated.” Yet the subcommittee only goes as far as suggesting “a generic defense based on reasonable excuse.” What if such a generic defense cannot prevent the prosecution from pressing charges in the first place? That would have a serious chilling effect on, for instance, white-hat hackers and information security firms, local and overseas, that need to routinely access servers on the internet in order to discover vulnerabilities.
In this regard, the consultation asks whether such a defense or exemption should be provided only to accredited cybersecurity professionals, and, if such accreditation does not exist, whether it should be established locally. If not, what should be the requirements for someone to prove his or her qualifications in order to invoke such a defense? Obviously the subcommittee has no idea how the industry operates, or how difficult, time-consuming, and costly it would be to set up such an accreditation system (which would not work well anyway).
One subcommittee member even remarked that in order for information security companies to qualify for a statutory defense or exemption, a registration system to regulate such firms may have to be set up. If that happens, local and overseas information security professionals and companies may choose to avoid the trouble of registration and the risk of infringing the law altogether by simply no longer doing business in Hong Kong, and by suspending any remote surveying of Hong Kong targets for threats and vulnerabilities, leaving Hong Kong’s cyberspace less protected, less safe, and less secure.
Finally, the consultation recommends that “unauthorized disclosure or use of the intercepted data should be prohibited.” This adds great uncertainty for journalists or researchers who often have to rely on data and information from undisclosed sources. Without a whistleblower protection clause in this new law, and of course also without general whistleblower protection in Hong Kong, the public’s right to know will definitely suffer.
Making Available or Possessing Devices or Data for Committing a Crime
This whole topic should make anyone in charge of an IT platform, a cloud provider, or even a university providing information services to its students and staff, cringe. The consultation paper justifies the idea by comparing it with section 62 of the Crimes Ordinance, which states that “a person who has custody or control of anything, and intends without lawful excuse to use it (or cause or permit another to use it) to destroy or damage property, shall be guilty of an offense.” This may sound perfectly reasonable if that “anything” is a gun or a knife, but extending it to the cyberworld of servers and clouds would be problematic.
Although the subcommittee considers that for this offense the accused must have “acted with knowledge,” the proposal still casts immense uncertainty on IT service providers that have little knowledge of what their customers do. The subcommittee further recommends that the ultimate offense committed through the device or data provided need not be limited to cybercrimes, but can be any offense. So, not only would researchers, educators, or information security professionals have good reason to worry that sharing code and information may make them liable for a cybercrime offense; even email providers may worry that, if their services are used by some users to organize unauthorized protests, the providers themselves may be liable for a cybercrime offense, even though the ultimate offense committed (such as an unauthorized protest) is not cyber in nature.
Jurisdictional Issues
One of the biggest problems in tackling cyber criminals globally is the issue of jurisdictional constraints. Hackers usually launch their attacks remotely, and they are difficult to locate, let alone identify, arrest, and charge. As a result, although common law criminal jurisdiction has traditionally been territorially restricted, many common law jurisdictions are beginning to adopt more flexible approaches. So, the subcommittee recommends that for cases that involve illegal access to, interception of, or interference with computer data or systems, Hong Kong court jurisdiction can apply as long as any “essential element” of the offense has occurred in Hong Kong; the victim is a “Hong Kong person”; the target computer, program, or data is in Hong Kong; the perpetrator’s act has caused or may cause serious damage to Hong Kong’s infrastructure or public authority; or the act has threatened or may threaten Hong Kong’s security. But what constitutes “threatening Hong Kong’s security” or “serious damage to Hong Kong’s public authority”?
For cases involving intermediaries making available or possessing a device or data for committing a crime, any company “carrying on business in Hong Kong” can be liable, including companies without a Hong Kong-registered presence. This can include numerous platforms from overseas or mainland China without a Hong Kong office but that may be accepting subscribers or advertisers or otherwise doing business with Hong Kong entities.
Sentencing
Most of the recommended sentences for these new offenses range from imprisonment for up to two years for a summary or basic offense, to up to 14 years’ imprisonment for an aggravated offense. Compared with sentencing under similar laws in other common law jurisdictions, these recommendations are relatively harsh. In addition, the maximum sentence for the aggravated offense of illegal interference with computer data and a computer system is recommended to be life imprisonment. This is exceptionally excessive, and may leave the door open for judicial abuse and political repression.
The NSL Factor: What’s Next?
Although the LRC review and the establishment of the bespoke cybercrime law have been a long time coming, Hong Kong is very different today, after the imposition of the National Security Law (NSL), compared to when the review began over three years ago. Indeed, the consultation paper acknowledges the NSL’s enactment by noting: “The duty of Hong Kong to safeguard national security reaffirmed the need for reform of cybercrime laws in Hong Kong and the sub-committee has taken this into consideration in its pursuit of the cybercrime project.” Where was the NSL taken into consideration in the proposal, and what was done differently as a result? The answer may never be known.
In recent years, as jurisdictions around the world rushed to legislate their own cybersecurity laws in the name of combating online crimes, many governments have been criticized for trampling civil rights, using such laws as political tools of surveillance and censorship. While the Hong Kong government has insisted and will continue to insist that Hong Kong’s legal changes will be commensurate with leading Western democracies, we cannot just look at what is written in the law. We must also consider the realities and perceptions of the rule of law and judicial independence. Needless to say, local and international trust in Hong Kong’s legal system has taken a big beating since the NSL enactment.
But this cybercrime law proposal will not be the last. Already Hong Kong has made it clear that a long list of cyber-related legal changes will be carried out under Chief Executive John Lee’s new administration, with a new disinformation law, revisions to local rules under the NSL, Basic Law Article 23 local legislation on national security to target foreign interference, and amendments to the privacy law all in the pipeline. After the LRC consultation is completed, the final proposal will be handed to the administration, which will no doubt waste no time in drafting it and submitting it to the very cooperative legislature for speedy passage.
All this does not bode well for Hong Kong’s embattled IT industry and its professionals, especially those in cybersecurity, who will bear the brunt of the uncertainties and potential liabilities. Ironically, the result may be a further weakened IT sector, and a less secure internet for Hong Kong.