@eLaw.com.hk 葉謝鄧律師行

This is a Court of Appeal decision.

The prosecution arose out of an earlier conspiracy in which customs officers had arranged for illegal immigrants to enter Hong Kong from China for transit abroad. These two applicants were charged with other offences related to that original conspiracy.

On 11 November 1994 after trial Judge Eccleton in the District Court convicted the 1st applicant (Hung) of one offence of obtaining access to a computer with a view to dishonest gain contrary to s. 161 of the Crimes Ordinance, Cap. 200.

The trial judge convicted Hung on his interpretation of s.161 of the Crimes Ordinance in the following terms:

"However Section 161 of the Crimes Ordinance specifically extends the meaning of "gain" beyond that of monetary terms.

When sensitive or classified information is given to an unauthorised person whether money changes hands or not and regardless of the use to which that person intends to put such information there has been a dishonest gain in that the otherwise unobtainable information or knowledge has been gained by that unauthorised person."

Hung appealed to the Court of Appeal.

Facts of Hung's Case

The facts of Hung's offence were that on 14 May 1993 he obtained access to the Immigration Dept computer containing the Travel Record and Immigration Control Enforcement system to discover whether certain people were on the watch list.

The indictment alleged that he obtained access to the computer with a view to dishonest gain for himself and /or another. The prosecution case was that Hung obtained access at the request of Lee Kang Sun, a senior customs officer who was the main participant in the original conspiracy, and that the access was with the view to dishonest gain because Hung performed the service in the expectation that he would be paid for it.

The Laws

The relevant part of s.161 of the Crimes Ordinance Cap. 200 provides

"(1) Any person who obtains access to a computer -

(c) with a view to dishonest gain for himself or another;

.... commits an offence and is liable to conviction upon indictment to imprisonment for 5 years.

(2) For the purposes of subsection (1) "gain" and "loss" are to be construed as extending not only to gain or loss in money or other property, but as extending to any such gain or loss whether temporary or permanent, and -

(a) "gain" includes a gain by keeping what one has, as well as a gain by getting what one has not; and

(b) "loss" includes a loss but not getting what one might get, as well as a loss by parting with what one has".

Held by the Court of Appeal Mortimer JA (giving the judgment of the Court):

The act is complete once access is obtained. It is then for the prosecution to prove that the person had the requisite intent - in this case a view to dishonest gain for himself or another. Once the judge had decided that the applicant obtained the access to the computer in this case as an act of friendship, that he was unaware of the underlying illegal purpose, and that he was not expecting any monetary payment or other reward, evidence relevant to proof that any gain was dishonest called for very careful consideration.

Assuming that obtaining information may be sufficient gain within the meaning of the section the judge decided that as the access to the computer was unauthorised, it was therefore dishonest - without further examination of his other findings apparently inconsistent with dishonesty. This finding we cannot accept. Looking at the judge's reasons in the round, it was not open to him to find that the access to the computer was shown by the prosecution to be with a view to dishonest gain.

The Court of Appeal allowed the appeal and quashed the conviction.

Coram: Litton, V.-P., Mortimer and Ching, JJ.A.
Date of Judgment: 4 August 1995; 8 September 1995

In accordance with section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (the Ordinance), the Director of Information Technology Services must maintain for each recognized certification authority (CA) an on-line and publicly accessible record.

As at today, the following disclosure recrords are found on the following links:

1. Disclosure Record for Digi-Sign Certification Services Limited

2. Disclosure Record for HiTRUST.COM (HK) Incorporated Limited

3. Disclosure Record for the Postmaster General

Disclosure Record for Other Recognized CA

Currently, there is no other CA who is recognized under the Ordinance. Therefore, the above 3 CAs are the only recognised CA as at 23rd June 2004.

Archive of Disclosure Record for CA Whose Recognition Has Been Revoked

1. Disclosure Record for Joint Electronic Teller Services Limited

Virus is a computer program and is the result of someone developing a mischievous program that is self-replicating. Computer program is digitized information easily transmisable on the Internet. Virus can therefore likewise be transmitted on the Internet easily not bound by territory. Because it is self-replicating, computers can be infected in large scale and in very short period of time.

Hong Kong does not have a specific legislation on hacking. People sending virus can be subject to the criminal charge of criminal damage. The offence reads as follows:-

Destroying or damaging property

shall be guilty of an offence.

Threats to destroy or damage property

shall be guilty of an offence.

Before its amendment, 'property' does not include computer program and 'damage' can only be done to physical objects. Section 59, Crimes Ordinance has now covered these situations:

>"property" (財產) means inter alia property of a tangible nature, whether real or personal, including money and any program, or data, held in a computer or in a computer storage medium, whether or not the program or data is property of a tangible nature.

HKSAR Government's website at http://www.itsd.gov.hk was hacked twice on 10 and 11 of June, 2000. Hacker successfully posted insulting short messages of “ Own3d by the crows” and “ hacked by o analista” on the web page on 10 June and “Hacked by The Crows –Owned by id3nt FXXK Government!! Hacking for Justice”was shown on the page on 11 June. As a result, the website was forced to suspend. Fortunately, the website being hacked was a standalone website. It did not affect the websites of other government departments.

This was the first reported incident that HKSAR Government's website was successfully hacked. If the hacker can be arrested, he can be prosecuted for criminal damage (misuse of computer). However, the culprit was not traceable and it did not result in any arrest or prosecution.

HKDNR is a wholly owned subsidiary of Hong Kong Internet Registration Corporation ("HKIRC"). It is the operation arm of the HKIRC.

It is responsible for the administration of Internet domain names under '.hk' country-code top-level domain. It assumed the responsibility of registration and assignment of Internet domain names ending with '.hk', '.com.hk', '.org.hk', '.gov.hk', '.edu.hk' , '.net.hk' and '.idv.hk'.

The Board of Directors of HKDNR comprises 13 members from six different classes, namely "User Class", "Service Provider Class", "IT Industry Class", "Commercial and Industry Class", "Tertiary Institution Class" and "Government Class".

HKDNR is a non-profit -making company where it pays no dividends to its shareholders. It charges for Domain Name registrations in order to cover its operational costs. Domain Name registration fees are periodically reviewed. The Company will not scrutinize applications for Domain Names, other than in respect of technical restrictions and application qualifications. Nor will it make judgments as to whether the registration or use of a Domain Name infringes the rights of any third parties. HKDNR will employ latest technology to deliver cost-effective service to Customers.

"Cybersquatter" refers to a person who registers a trademark as a domain name hoping to later profit by reselling the domain name to the trademark owner. An aggressive cybersquatter may even send messages to the trade mark owner soliciting a sale. Passive cybersquatter may just leave the domain name unused or direct it to a one-page homepage indicating that the domain name is "for sale".

In the USA, a trade mark owner believing that someone has taken a domain in bad faith, he can either sue under the provisions of the Anticybersquatting Consumer Protection Act (ACPA), or he can follow the arbitration procedures set out by the Internet Corporation of Assigned Names and Numbers (ICANN). The ACPA in the USA defines cybersquatting as registering, trafficking in, or using a domain name with the intent to profit in bad faith from the goodwill of a trademark belonging to someone else. Hong Kong does not have an equivalent legislation. Trade mark owners may however resort to the general laws of trade mark infringement and sue the cybersquatter in Court.

The ICANN arbitration procedure is often regarded by intellectual property lawyers to be faster and less expensive, and the procedure does not necessarily require a solicitor to be engaged.

Past statistics show that Courts and arbitrators generally side with trademark owners in these disputes and order the cybersquatter to "transfer" the trademarked domain names to tthe trademark owners. Respondents defending in good faith may rely on the Applicant's "bad faith" or "reverse hijacking" to resist the Applicant's attempt to "bully" the Respondent.

HiTRUST.COM (HK)

HiTRUST was incorporated in Hong Kong in August 2000. It is a joint venture of HiTRUST Incorporated and the New World Group.

Being a Recognized Certificate Authority certified by Hong Kong government as well as a VeriSign International Affiliate, HiTRUST.COM (HK) is specialized in the provision of managed digital certificate services to help enterprises sharpen its competence in the trust e-commerce world.

HiTRUST Incorporated

Founded in March 1998, HiTRUST's core business is the provision of solutions for secure eCommerce. In April 2000, HiTRUST.COM Incorporated was officially established with capital of about US$100 million. The major shareholders include Acer Group, HSBC, New World Group, AIG and VeriSign. The continuous growth of HiTRUST has been achieved through an unrivalled commitment to, and focus on, commercially successful, secure eCommerce.

Targeting the Greater China region, HiTRUST has been successfully providing leading-edge, trusted total solutions and customized, high added-value services including Commerce Content, eBusiness Operation, ePayment & eBilling, Financial Services Software, Application Server and eCommerce Security to the region's corporations, telecommunication companies, financial institutions and service providers.

HiTRUST's success depends on its product offerings and reputation for value and trust in the secure eCommerce industry. Early on, HiTRUST identified the opportunities developing in the region and has expanded its business operation into Taiwan, Hong Kong, Shanghai and Beijing, by opening its branch offices and strategic investment in eCommerce related businesses. In the future, HiTRUST will continuously offer industry-leading technologies and services to customers in the Greater China region and its brand will remain at the head of the region's secure eCommerce industry.

Since February 2001, HKEx has offered secure Internet trading services with the application of a digital certificate.

By using a digital certificate issued by a recognised certification authority such as the Postmaster General of HKSAR Government, Digi-Sign, investors are able to place order through the Online Trading Service securely and directly to their brokers' trading systems over the Internet.

In addition, Digi-Sign accepts non-HK citizen to apply for ID-Cert using a valid travel document and this can enable cross-border investors to conduct trusted and secure transactions on the Net.

Digi-Sign Certification Services Limited (Digi-Sign) is a recognised Certification Authority under the Electronic Transactions Ordinance. The ID-Certs issued by Digi-Sign can be used to authenticate a wide range of trade transactions online. ID-Cert holders can use their digital certificates with Hong Kong Jockey Club's eWin service for betting on the Internet.

The Hong Kong Jockey Club's eWin service is an efficient and secure way of betting on football matches, horse races and buying Mark Six. Through its website, you can access the latest odds and results, study the extensive racing information database. To make your online betting securely, simply use your ID-Cert with the eWin service.

Personal ID-Cert can be applied online at the secure web server of Digi-Sign.

More information on eWin service can be found on the Hong Kong Jockey Club's website http://www.hongkongjockeyclub.com

The conditions on using a digital certificate will deal with the liability of the certificate owner and the CA. The following is taken from the Certificate Practice Statement (CPS) of CA of the University of Science and Technology and are quoted here as an example:

Liability of Certificate Owner

Without limiting other certificate owner obligations stated in the CPS, certificate owners are liable for any mis-representation they make in certificates to third parties that, reasonably rely on the representations contained therein.

Liability of HKUST CA

HKUST CA :

· Does not warrant the accuracy, authenticity, completeness or fitness of any unverified information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of HKUST CA.

· Shall not incur liability for representations of information contained in a certificate, provided the certificate content substantially complies with the CPS.

· Does not warrant "non-repudiation" of any certificate or message (because non-repudiation is determined exclusively by law and the applicable dispute resolution mechanism).