Speech by Director of Public Prosecutions
******************************************

Following is the speech on Criminal Misuse of Computers and How This Can be Tackled by the Director of Public Prosecutions, Mr Grenville Cross, SC at the Symposium of 'e-Management : Challenges and Opportunities' organised by the Institution of Electrical Engineers Hong Kong today (May 26):

The computer age : growth of the Internet : e-commerce : a global marketplace

The computer age has ushered in a technological revolution which has profoundly affected perceptions, practices and procedures. It has implications which are transnational in their scope and mind-boggling in their complexity. Problems have arisen for which there are no quick or easy solutions. That said, the well-being of the global community requires not that we throw up our hands in despair, but that, at the regional, national and international levels, we address our minds collectively to the most effective way forward.

In recent times there has been major growth in the use of computer networks to provide financial services, in the development of the Internet, and an explosion of online share dealing. In the United Kingdom, Internet-based stockbrokers are seeing business double every fortnight. Some companies there are struggling to keep pace with demand, which now sees as many shares traded online in a single week as in the last 6 months of 1998. Banks are going online with Internet banking services. Open networks have the capacity to offer substantial opportunities for global electronic commerce in goods and services which can be ordered, supplied and paid for electronically. The electronic marketplace is now a fact of life. Open and accessible, the Internet allows rapid and efficient worldwide exchanges at low cost. Romano Prodi, President of the European Commission, recently announced an ambitious drive to hook every EU citizen up to the Internet as soon as possible so as to promote e-commerce.
It is estimated that the number of Internet users will increase this year a quarter of a billion. In the Asia-Pacific Region about 50 million people used the Internet in 1999, and that figure is expected to increase by more than 50% a year. In Hong Kong, there are now more than 1 million Internet users, and 30,000 registered websites. Based on latest industry forecasts, the total value of electronic transactions will be US$403 billion this year, and that figure is projected to rise to US$953 billion by 2001, and to US$7.29 trillion by 2004. The business-to-business e-commerce market is anticipated to rise to more than US$400 billion by 2002, and to reach US$2.7 trillion by 2004, with the Asian market expected to account for 13.6% of that figure. In Hong Kong, the total value of products and services transacted over the Internet was $466 million in 1998.

Computer crime : emerging trends

Whilst modern computer technology is a great thing, it cannot easily be regulated, controlled or policed. All major jurisdictions have encountered offences related to the misuse of computers, often concerning fraud and theft through the Internet, but also involving money laundering, pornography, copyright piracy and unlawful gambling. It has, remarkably, been estimated, by Meridien Financial Services, that up to 15% of the sales made over the Internet using a credit card could be fraudulent - whereas less than 1% of credit card transactions in shops are fraudulent, according to figures from Visa International. Most crimes that can be committed on paper can now be perpetrated on the Internet. Complaints of fraud on the Internet are running at 300 a month in America, where the US Government believes hacking cost companies $265 million last year, double the 1998 figure, and like trends are emerging elsewhere. Companies are particularly at risk - competitors can break into computer systems to obtain account details, customer records and other sensitive data.
There are hackers at work who aim to defraud banks, to extort money, to plunder information of financial value, and to cause economic harm. Let no-one underestimate the skill and sophistication of the hackers. We are concerned here not, as once may have been the case, with curious computer science students, but with international organised crime groups. Computer hackers in England recently demanded a £10 million ransom from Visa International after successfully penetrating its computer network. And if, as has recently happened, the hackers can gain access to the websites not just of major companies, but also of the websites of the Japanese Government and the US Military, then they have the capacity to penetrate almost any system. This must be something of concern to business communities everywhere.

Hong Kong rightly prides itself as being a technologically advanced society, and the Economist in 1999 praised it as having one of the most wired urban populations in the world. But if persons unknown can halt the operation of the wealthiest, most powerful web operations in the world - and in February cyber attacks led to the shutdowns of Amazon.com, eBay, Yahoo!, CNN and Excite - then they can break into almost any system. In the USA in 1999, reported hacking cases doubled to 1,154. That the number of reported hacking cases in Hong Kong rose from 1 in 1993, to 4 in 1996, to 238 in 1999, demonstrates that Hong Kong is in no way insulated from the problem of computer crime. Nor could it be, for the problem has three essential characteristics : it is transnational, it is sophisticated, and it is secret. Since we cannot tolerate a situation to develop which threatens Hong Kong's emerging status as an international centre of e-commerce, firm action is required to clamp down on computer crime and to supplement existing laws in this area. So what laws do we have, and what is the extent of the problem?

Laws to deal with computer misuse

The existing legislative regime is such that at present we can just about tackle most forms of reported computer crime. Its main features are :

* Access to a computer with criminal or dishonest intent (Max sentence : 5 years) - s 161, Crimes Ordinance, Cap 200
* Criminal damage to property, which applies to misuse of a computer programme or data (Max sentence : 10 years) - s 60, Crimes Ordinance, Cap 200
* Unauthorised access to a computer by telecommunication (Max sentence : HK$20,000) - s 27A, Telecommunications Ordinance, Cap 106
* Burglary, which includes unlawful damage or alteration of computers in premises (Max sentence : 14 years) - s 11, Theft Ordinance, Cap 210
* False accounting, destroying, falsifying, etc any record - including a record kept by means of a computer - made or required for any accounting purpose, or producing any such record in the knowledge that it is or may be misleading (Max sentence : 10 years) - s 19, Theft Ordinance, Cap 210
* Publishing an obscene article, which applies to the display of obscene articles on the Internet (Max sentence of 3 years and HK$1 million) - Control of Obscene and Indecent Publications Ordinance
* The Electronic Transactions Ordinance, which commenced on 7 January 2000, reduces the opportunity for computer crime through the use of false identities
* Unauthorised copying of computer programmes (copyright works) constitutes an offence (Max sentence : 4 years) - see s 3 and s 118 of Copyright Ordinance, Cap 528.

Despite this legislation, there is no room for complacency. The problems of computer and Internet crime are proliferating at an alarming rate. Although so far Hong Kong has, for example, only had two cases of Internet investment fraud, and although Hong Kong's problem with online scams involving securities and futures products is not as great as that facing regulators elsewhere, we cannot assume this will stay the position.
At the very least, it is vital for investors to exercise great vigilance.

Extent of the problem : The Statistics

Nature of Cases/Year              93   94   95   96   97   98   99   2000
Hacking                            1    5    4    4    7   13  238     38
PABX Fraud                         0    3    4    5    5    4    0      0
Publication of Obscene Article     0    0    1    6    6   13   32      0
Criminal Damage                    0    1    2    4    3    3    4      1
Internet Shopping Fraud            0    0    0    0    2    1   18      4
Others                             3    3    7    7    2    4   25      6
Total                              4   12   18   26   25   38  317     49

So between 1993-1999, it will be seen that there was an increase of almost 8000% in computer related crime. This, therefore, is a growth industry, in every sense of the term. These statistics, I must emphasise, do not illustrate the problem - they simply expose the tip of the problem.

An emerging area of concern from the statistics is unlawful Internet shopping, and the illegal use of the credit cards of others to buy goods on the Internet. Hundreds of new websites appear each day. Cybercrooks seeking to exploit the online shopping boom are building websites which either advertise goods that never materialise or record credit card numbers to be used later for multiple purchases. Others trade legitimately for a time to establish their credentials before advertising high cost items, delivering sub-standard or fake goods, and disappearing with the cash. Most of these incidents never come to the attention of the police because of the relatively low cost of the goods and because victims and criminals are spread across the globe. Stolen credit card numbers have been used to access pornographic sites for which card holders are then billed.

Transnational reach of computer crime

It is apparent to law enforcers that organised, international crime groups are making the most of the opportunities offered by the Internet and e-commerce. Such people are well aware of the criminal laws in various jurisdictions. Yet they do not operate within, or respect jurisdictional boundaries. For that reason no single jurisdiction can alone tackle organised crime.
Very often, due to the encryption programmes which the cybercrooks use when they communicate with one another, the offences are difficult, if not impossible to detect. Criminals can use encryption to send messages for crimes ranging from money laundering to child pornography to fraud. And because the evidence is recorded digitally and then encrypted, it can be difficult, if not impossible for law enforcers when they seize the material to discover what exactly has been going on. In the absence of the digital keys, such material cannot be decoded for hard evidence, and, even if it can, the process may be laborious in the extreme.

New initiatives to combat computer crime

In 1999, the Government's computer system was broken into twice by hackers. The first incident took place in January, when a hacker penetrated the Government's website and tried to create a chat service. The second came in June when another hacker tried to penetrate the core computer area. Since these attacks demonstrated to the government the interest of its website to hackers, tightened security is being implemented. This is being achieved by the establishment of a Central Internet Gateway (CIG). With the CIG, government offices disseminating information and communicating to the public via the Internet will be guaranteed a secure and centrally-managed gateway. The CIG is adopting internationally accepted Internet security standards by means of firewalls, virus detection systems and intrusion detection systems.

So it must not be thought either that Hong Kong is defenceless in the face of computer crime, or that its legislation is inadequate, or that it is not pro-active. That said, more, much more needs to be done, in relation, in particular, to three areas :

* Jurisdiction;
* Encryption;
* International Cooperation.

(1) Jurisdiction

The cyber world is an intangible environment. Jurisdiction is usually associated with geographical boundaries.
Unless otherwise specified, the jurisdiction of a court is limited to acts arising within the place in question. The common law in general regards an offence as occurring where the last act or event necessary for its completion took place, and jurisdiction is conferred where the offence is committed.

In relation to conduct which involves the misuse of computers in order to commit the traditional crimes related to fraud and dishonesty, such as theft, forgery of documents or conspiracy to defraud, the necessary legislation to deal with jurisdictional issues is in place. The Criminal Jurisdiction Ordinance enables Hong Kong courts to exercise jurisdiction in relation to any such offences if :

* Any of the conduct (including an omission) or part of the results that are required to be proved for conviction of the offence takes place in Hong Kong
* An attempt to commit the offence in Hong Kong is triable in Hong Kong whether or not the attempt was made in Hong Kong or elsewhere and whether or not it had an effect in Hong Kong.
* A conspiracy to commit in Hong Kong the offence is triable in Hong Kong where the conspiracy is formed and whether or not anything is done in Hong Kong to further or advance the conspiracy.
* A conspiracy in Hong Kong to do elsewhere that which if done in Hong Kong would constitute an offence is triable in Hong Kong provided that the intended conduct was an offence in the jurisdiction where the object was intended to be carried out.

In simple terms, these provisions can apply to the following example - A person who resides in Canada and who uses his computer to hack into the Hongkong and Shanghai Banking Corporation data base and thereafter causes funds to be transferred to a bank account he has in Switzerland can be prosecuted in Hong Kong for the theft of those funds.
The same would also apply where a person in Hong Kong uses a computer to hack into the Chase Manhattan Bank data base in New York and causes funds to be transferred to a bank account in the Cayman Islands. Equally so where two persons agree in Hong Kong or outside Hong Kong to do such acts but fail to carry their plan into effect.

However, legislation may well be required to confer jurisdiction to cover two other situations : first, where a person in Hong Kong uses a computer which causes misuse of a computer in another country, and, second, where a person in another country uses a computer to cause misuse of a computer in Hong Kong. For example, if a person in Hong Kong uses a personal computer to connect through a network in the United States and attacks a computer system in Canada, where does the offence occur? Which legal system can claim jurisdiction to prosecute? How can the perpetrator be brought to justice?

In the United Kingdom, the Computer Misuse Act confers jurisdiction if either the victim or the perpetrator is in the UK. Again, the Computer Crime Act in Singapore makes provision for an offender to be prosecuted if either the commission of the act in question originated in Singapore or the consequence of the act in question was in Singapore. Such legislation allows for complex computer crimes to be dealt with whether or not the offender is in the jurisdiction.

(2) Encryption

In order for the commercial opportunities offered by electronic communications via open networks to be fully exploited, a safe environment is essential. To that end, cryptographic technologies are recognised as the essential tool for security and trust in electronic communication. The recently enacted Electronic Transactions Ordinance gives recognition to digital signatures which will enhance e-commerce. This legislation ensures the authentication and integrity of messages sent via a computer via the Internet.
However, while cryptography has many legitimate uses, it is also being used to facilitate criminal activity, such as drug trafficking, terrorism, fraud and the distribution of child pornography. Whilst it is important that decryption keys be protected from improper disclosure, it is equally important for legitimate law enforcement agencies to have access to such keys in order to detect criminal acts.

This is an area in which other jurisdictions in Asia have been active, and both Singapore and Malaysia have in place legislation which enables law enforcement agencies to acquire decryption keys. In England, the Investigatory Powers Bill was introduced into Parliament last February, and this will enable law enforcement personnel to serve written notices on individuals or bodies requiring the surrender of encryption keys and such other information as is required to enable them to understand the nature of material seized or surrendered. In the United States, the legislature is considering two Bills which, while recognising the need to protect cryptography for legitimate purposes, contain provisions enabling the mandatory recovery of keys for decrypting messages through a court order.

So it is clear that, on the basis of the experience of other advanced jurisdictions, a respectable case exists for making it an offence not to decrypt enciphered material when requested, or not to provide the keys necessary to decipher the files or messages, or not to state, if known, where the keys are hidden. Time alone will tell if Hong Kong is to proceed down this route.

(3) International cooperation

The proliferation of transnational crime can only be countered through cooperation at the international level. Full use must be made of mutual legal assistance arrangements to ensure the preservation and the production of evidence.
The major areas of assistance covered by mutual legal assistance agreements include :

* Identifying and locating suspects and witnesses;
* Serving documents;
* Obtaining evidence;
* Executing requests for search and seizure;
* Providing documentary evidence relevant to criminal matters;
* Transferring of persons to give evidence or assisting confiscation; and
* Tracing, restraining and confiscating property used or derived from crime.

Mutual legal assistance facilitates the collection of evidence of transnational crime, and will be useful in tackling cross-border cyber crime. What is required, however, with the growth of computer crime is even greater and even speedier cooperation between law enforcement authorities in all countries in order to deal swiftly with crimes resulting from computer misuse. The need for such cooperation is all the greater since the computer records generated as a result of the crime may be speedily erased by culprits who fear detection. The swift cooperation between law enforcers, in particular in America and the Philippines, over the software virus called Love Bug, which wrought such havoc to computer systems, and caused damage in lost work time and repairs valued at $7 billion, was particularly encouraging.

A good example of international cooperation at work is provided by the Securities and Futures Commission. It uses its Internet surveillance programme - which monitors websites, chat rooms and bulletin boards - to detect activities which target Hong Kong and which may infringe the legislation for which the SFC is responsible. The SFC has concentrated on the fraudulent solicitation of investors, manipulation, the circulation of false or misleading information and insider trading. Eight suspicious sites out of 115 surveyed have been identified, and these were in seven jurisdictions.
The SFC passes on information of possible criminality, which it discovers in the course of its surveillance, to enforcers in other jurisdictions which might be involved.

Law enforcers need to work closely to provide each other with information from Internet Service Providers, which may well require legal process where the ISP maintains its records. That said, primary safeguards regarding the use of data from ISPs must be respected. For example, an ISP in the US cannot provide subscriber information to law enforcers without a subpoena, or unopened e-mails without a search warrant from a court, as a general rule. It is important, however, that jurisdictions should respond quickly to requests from elsewhere for requests for such data, by filing the appropriate documents and obtaining the information before it is lost, and making it available to the jurisdiction conducting the investigation.

Often the formal process required for investigators and prosecutors to retrieve information from ISPs can take substantial amounts of time, particularly when requests must be made to another country. If an ISP's traffic or subscriber data is routinely destroyed, valuable information may be lost. There is therefore a case for saying that ISPs should be required to retain information, such as subscriber account data and Internet protocol address logs, for an additional six months upon a written request from a government authority in their own country. This procedure would require the requesting authority to go to the law enforcement authority in the jurisdiction where the ISP is located, and make a request for preservation until the proper legal process can be prepared. The preservation request can be any type of writing, such as a letter, telefax, or e-mail. In this way, critical evidence will be retained by the ISPs until the appropriate documents are presented to the ISP.

Internet service providers - voluntary initiatives

Possible legislation apart, voluntary measures to police themselves can properly be initiated by the Internet Service Providers. They could, for example, verify the identity of each new subscriber who opens an account. They could also take steps to make their systems less vulnerable to criminals. The verification of the subscriber's identity would help law enforcement to identify a suspect, once the screen name of the suspect has been linked to a particular account. Currently, many ISPs do no more than simply determine if the credit card used for billing has been reported stolen. The name and address of the customer should also be verified. ISPs should maintain subscriber account information and billing records for, say, a year, so that ISPs can identify the subscriber when requested to do so. There is much that ISPs can do on a voluntary basis. Whether the will to act is there is another matter.

Law enforcement : meeting the challenge

Hong Kong is moving quickly to strengthen the weaponry in its arsenal. The government established in March 2000 an inter-departmental group to look into computer related crimes and to review existing legislation. The group will report its findings to the government later this year and make recommendations on what additional legislation is required to meet the challenges posed by computer crime.

The government's efforts are being reinforced by strengthened enforcement. Computer Crime Units have been established by the Police, the Independent Commission Against Corruption, the Customs and Excise Department, and the Immigration Department. A team of specialist prosecutors has been put in place in the Department of Justice to provide the appropriate expertise in court and at the advisory stage. Prosecutors and investigators are in regular contact on these issues with their counterparts in other jurisdictions.

Conclusion

There is a clear determination on the part of the Administration that the HKSAR will tackle both the immediate and the long-term problems posed by computer crime. That, in turn, will promote international confidence in the HKSAR. But the vision is broader than that. There is also a keen appreciation that such is the status of the HKSAR that it must play a full and effective role in the combat of computer crime at the international level as well. I conclude with this assurance : we will not be found wanting.

End/Friday, May 26, 2000