Hong Kong IGF – June 17th, 2010: Session 3

Security, Openness and Privacy

________________________________________________________________________

REAL TIME TRANSCRIPT: Security, Openness and Privacy

Hong Kong IGF
14:30-17:00, Thursday 17 June 2010
Hong Kong

DISCLAIMER: Due to the inherent difficulties in capturing a live
speaker’s words, it is possible this realtime transcript may
contain errors and mistranslations. An edited version of the
realtime transcript which amends the inherent errors, will
be posted later. LLOYD MICHAUX and APrIGF accept no
liability for any event or action resulting from the
contents of this transcript.

________________________________________________________________________

>> : Our session will soon begin.

Please be seated.

Welcome back, this session is about issues of
on-line security, openness and privacy.

May I now invite Mr Ken Ngai, Project Manager of the Be
Netwise internet education campaign and Mr Stephen Lau,
chairman of the organising committee, to start the
session for us.

Mr Lau and Mr Ngai, please.

>> Stephen Lau: Thank you.

Ken and I are co-moderating this, because we have
a good panel and we just want to ensure that logistics
are well covered.

If you recollect that this morning, Mr Markus Kummer
did talk about in IGF, there are a number of major
issues which are usually covered in the annual IGF
forum, the global one.

This is a Hong Kong IGF conference and I think it’s
only relevant that we use the same categories, the same
issues, to look at these issues in the light of the
specificity relating to Hong Kong.

We have access and diversity and now this is about
security, openness and privacy.

I just want to mention that the issues of security,
openness and privacy on-line context, are interwoven,
with proposal to strike a balance between them.

This session will examine in practical and policy
making level, how to balance access to knowledge,
freedom of expression and also of equal importance, the
intellectual property rights in the virtual world, from
the perspective of scholars, academics, practitioners,
taking a 360 kind of perspective.

We will cover the practical aspects of the
coordination, to secure the network, for example, to
fight spam, relationship to issues relating to openness,
like the open architecture of the internet and cyber
security, cyber crime, identity theft, identity fraud
and information leakage.

Other issues child protection on line — it’s a very
wide scope in terms of security, openness and its
linkage and interaction with privacy, all interacting.

We do actually have, as I said, an illustrious
co-moderator, we have two speakers and three panellists.

May I just very briefly, for the sake of time,
because the CVs and bios are in our programme
publication in the booklet.

Briefly, on my right-hand side, Mr Ken Ngai, who is
the Website Director for Hong Kong Federation of Youth
Groups. He’s responsible for all technical aspects of
the website development for the group and also in terms
of engaging youth on-line.

He’s also the Project Manager for a well-known
project in Hong Kong, which is the largest internet
education campaign called Be Netwise in Hong Kong that
was funded by the Hong Kong Government.

On my left is Mr Michael Jackson, name very easy to
remember, associate professor in the faculty of law of
the Hong Kong University. He specialises in criminal
law and procedures, equity and trust and cyber crime.

Very active in the local and the regional legal
scene, including as a membership of our law reform
commission.

On his left is Mr Nigel Mendonca, regional director
for Symantec Host Services in Asia, responsible for
managing all sales across corporate and enterprise
accounts, as well as partnership accounts.

He is in Hong Kong for many years, so can provide
a very relevant perspective to the issues we are
discussing specific for Hong Kong.

As for our three panellists in that order, Priscilla
Liu, director of Against Child Abuse in Hong Kong, since
1983.

Responsible not only in managing the agency, but
also supervising advocacy of children’s right and
protection to ensure their rights are our community.

She has numerous awards and recognitions in
Hong Kong and internationally.

Just to include one, for example, the Hong Kong
humanity award for 2009.

On her right is Charles Mok. Charles, I don’t think
he needs much introduction, but everybody here doesn’t
need much introduction. There’s a protocol. He’s
executive director of Computer Society Ltd and Media and
Internet Consulting Company.

He’s chairman of Internet Society in Hong Kong, as
well as honorary past president of the Hong Kong
information technology federation, a well recognised
professional in ICT in Hong Kong and in the region. He
has many community roles, including member of the
Hong Kong Government’s digital 21 strategy advisory
committee, as well as a member of the consumer council
and also you should all know that he’s an active
blogger.

Finally and not the least, Mr Anthony Fung, from
Microsoft. He’s the regional investigation manager,
particular in the investigation of cyber crime and also
very well experienced for the job for his current
position as a former Hong Kong Police inspector.

We have a very knowledgeable moderator, we have two
eminent speakers and three notable panellists.

Let me kick-start this.

Earlier on, I mentioned about this session, which is
security, openness and privacy.

They are all interlinked. How are they interlinked?
What are the dependencies? What are the implications
on each other? I think it will be really relevant to
have our moderator expert in this to provide a short
presentation to set the scene, to understand what we are
going to talk about and then we go into depth with our
speakers and our panellists.

>> Ken Ngai: Thank you.

As Stephen mentioned, we are going to cover this
topic, actually three distinct words, security, openness
and privacy.

This seems to be very distinct, but actually they
are interlinked and today I want to start off with some
very short presentations about some phenomenons happens
in Hong Kong.

So that we can start our discussions.

Same as the other sections, that if anybody from the
floor would like to express your idea, feel free, either
in Cantonese or English, whatever language that you feel
comfortable.

First, openness.

I would like to show you some examples. This is one
of the screen captures that I got from a very common,
popular website in Hong Kong. You probably know this
website already.

It seems, I would say seems, it’s a girl of 18 years
old calling for a sex partner. This sort of message is
posted in the website without any barriers, anybody can
see it, can view it, can participate, can respond.

Another website screen is about a girl stating, she
said that she involved in compensated dating.

She talk about her experience, her 10 experience
with taking this kind of trade activities, shall we
describe it.

The third case I would like to share with you is
something I think everybody knows about this case, cyber
bullying case, basically a lady is not happy with what
the pricing of the shop and then she post some
video links on the web and eventually, she got
bullied by other people for her act.

All her personal information were revealed on the
website afterwards and she cannot stop the attempt.

Another thing I would like to highlight here is in
the website, in actually is what we call exhibition of
spiral of silence on the web.

What I mean is because many people actually on the
web think that they are minority or they don’t know
either they are minority or they are majority. So when
they express their view, they’re not sure if they will
get attacked or they are the minority or majority.

A fear is about this.

People will be unwilling to publicly express their
opinion if they believe they’re in the minority.

They will also be more vocal if they believe they are
part of the majority.

Thus, more marginalised you become and less you
speak and so spiral into a fully marginal position.
I did some sort of research and I show you some
statistics later on.

Here is another website called she.com.

What I would like to show you is the number of views
that you can see. The number of views is 2,200
something, but actually there are only over 600 replies.

Over the 600 reply, actually only 35 people involved
in this.

It generate a lot of response, it generate a lot of
opinions and if you count it, from these 2,000 views,
minus this 35 people, actually over 2,000 from other
people, I suppose.

Probably their views, their opinions are largely
driven by these 35 people.

I’ll show you another example here.

This is another forum. Start from April 15
to April 21. We see total views is over 18,000 and
total number of replies 255.

Only 200 something people reply, unique
user replies.

Again, there are over 18,000 views, actually not
generated from these users, are others.

When we express our opinion, it’s a large number of
people getting affected, but not the original users, but
others, just readers.

Another one, same thing happens. About 6,000 views
with only 28 unique users.

If you are good eyesight, you probably can see the
topic, what they describe.

It’s in Chinese, but I state that it’s a question
asked if someone want to rape his sisters.

So this is the thread topic to discuss. So you see
a lot of people get involved in viewing of this content,
but not actually involved in give out their opinions.

Again, this is the same thing, same situation.

Same thing happens.

Again, here, another blog. This blog is from
I think it’s a girl. She actually post in her blog
about her experience of abortions.

I don’t have the statistic how many people actually
has viewed this, but this is quite popular, because when
I search this, this rank quite high in the search
engine.

This one recently happened. It’s a friends page in
Facebook. Having a group of people actually saying that
how they want to harm themselves and they cut their
hands with cutters and so on.

I block some very bloody pictures. If you want to
see, I will show you later.

If we see that there are about 500 people join in as
friends and I didn’t count how many people actually post
photos there.

From here, we can see I think in Hong Kong, nobody
will deny that we are open to content. People can post
very open content, any kind of content that we are able
to put it on the web.

The second thing that we are going to discuss is
about the privacy issues.

I think most of you here, I suppose, over
90 per cent of you here, will have a Facebook account.

But I doubt how many of you actually has viewed the
privacy setting of Facebook.

How many of you actually can understand what that
means to you?

You know the privacy setting has been changing.
I think the last change happened in April.

When we, most of us here, for example, don’t know
what that means to us, how do we configure to the way
that we want?

I show you one more statistic. This I grab from
Facebook. From the statistic, that have over
400 million active users already in the world.

Over 50 per cent of active users log-on to Facebook
on any given day.

On average, every people has about 130 friends on
Facebook.

Actually, we can see from Facebook it is
collecting a lot of policy information and we don’t know
how we control it and Facebook has the legal
establishment in Hong Kong.

How do we control? How do we protect ourselves,
what information that we should disclose to other
people?

It’s a great question, that we probably need to
address.

Activity on Facebook, I’m going to cover later.

Platform.

Facebook as everybody knows, this is a great
platform for people to interact and for marketers.
A lot of marketers nowadays target very much on Facebook
marketing, more than traditional marketing.

What marketers or Facebook developer actually can
retrieve from your Facebook account, we don’t know. I’m
going to show you a little bit about this.

Facebook define their own social on-line privacy.

But it is not according to our ordinance in
Hong Kong or other ordinance in other part of the world.

Do we need to redefine what privacy is about?
Because this is actually a dynamic thing that changing
maybe every year, every two years, privacy means
different things.

Do we need to redefine it?

Lastly, the security risks. I like to do it
a little different. I try to define it. It’s current
of occurrence of an event beyond our expectations, in
terms of the adverse consequences, especially adverse
consequences, if it is not, we probably likely happen,
but some sort of risk that we don’t want it to happen
and beyond our control.

If it happens, actually beyond our capability to
manage.

There are human and technical risks on-line.

Many of you probably can have involved before in
Facebook games, Facebook survey, for example.

But are these just games?

Actually, these games developed through this game to
access to some of your information.

I like to show a little bit more to you.

For example, I think many of you will see this icon
before. This big thumb here: like.

Everybody thinks I click it because I like this.

But what’s behind the scene is our information is
passed on to this website particular and passed onto the
developer and they know who actually has pressed this
button.

Facebook through this can actually collect a lot of
intelligence, maybe product intelligence, know what you
like, because Facebook also got all the other personal
information from you. So that they can better prepare
themselves for any marketing campaign, targeted directly
to you or to your friends.

Here is one discussion about Facebook leaked user
names, user ID, personal details to advertisers.

As for developer, probably to know, Facebook has
another mark up language, of course Facebook query
language, from which actually a developer can, through
Facebook interface, to access some of the user
information, such as, for example, when you get involved
into Facebook game, they know you play the game and they
can also access your friends list, for example.

You cannot imagine, when I play the game, it’s
just — it’s not just you, your friends get involved
too.

Social engineering is very getting popular in the
world.

This is one quiz happened on Facebook a while ago
before.

I put this as an example here, to show you what’s
actually behind it that they can do about it.

Apparently this quiz is actually just test your
knowledge, how secure your password is.

But at the end of the day, if they get this
information, actually they can, through this, to do some
sort of social engineering by statistics, some data
mining techniques and then they can filter out those who
have very weak password and then they can start off the
attempt.

I actually have tried to cover a little bit about
these three words in three sequence of slides and then
I think we can start our discussions.

Let me pass the time to Mr Nigel.

>> Stephen Lau: Ken, you have given us a short, but very
informative look at these three issues of security,
privacy and openness, through websites and web pages to
demonstrate its effect and, both in positive, as well as
mostly so far, in terms of the negative impact, in those
three areas.

There is an opening statement to give you a feel
of what you are talking about.

Now let’s look deeper in some of the issues with our
two speakers.

The first one is from Nigel Mendonca, who
I understand will speak on development in the on-line
threat landscape and methods of protecting individuals
and organisations against them.

>> Nigel Mendonca: Thank you.

Good afternoon, ladies and gentlemen, thank you for
your time this afternoon.

Just very quickly, Symantec Hosts Services is the
software as a service business unit of Symantec and the
reason that that’s important is because of the or
relevant is because there’s a very rapidly changing
landscape in on-line threats and the technology that we
use and that a number of other companies similar to us
are starting to deploy more rapidly, is really all about
deploying technology, information and technology from
the internet to a machine dynamically in real time, as
opposed to having that information sit on the machine
itself.

From a security point of view, for example, we run
a global network of data centres that has access to
realtime information. We have a huge amount of
legitimate and illegitimate information, harmful
information, going through our data centre network on
a global basis. We process around about between 6 and
9 billion emails every single day through our data
centres.

If you accept the fact that over 9 a per cent of all
emails around the world in the internet are spam these
days, that means that there’s an awful lot of spam and
malicious content that goes through our data centres on
a daily basis.

What that means for us and companies like us that are
providing internet based technology or you might have
heard the term cloud computing or hosted services. What
that means is that we have the ability to dynamically
capture those new and emerging threats in realtime and
deliver the most up to date realtime protection to all
of the companies and individuals that are using our
technology.

The difference is that the traditional way of
providing information, security, internet security is by
having what is called signature based technology
residing on the machine itself.

So if you’re an individual, it resides on your PC.
If you’re an organisation, it resides on your servers
and then every single time a new type of internet
threat, whether it’s a new spam technique or whether
it’s a new virus technique is detected, then the
security company responsible for managing that has to
write a patch, specifically to protect against that new
threat, has to do the testing and then deploys it to all
of their end users and companies around the world and then
eventually, you are protected against that new threat.

That update timeframe can take anywhere from
a couple of hours to a couple of days.

The whole thing about the cyber crime industry is
that it’s an incredibly rapidly moving industry, so
really that window of vulnerability from the time a new
threat is released into the marketplace, until the time
that that consumer and businesses are protected against
that, that is specifically targeted. That window is
specifically targeted by all the cyber criminals
globally and really they can do an awful lot of damage
in the space of just a few hours.

Globally, we are seeing a significant trend towards
cloud computing or software as a service based
technology, because it offers companies and individuals
the ability to be protected, a lot more comprehensively
a lot quicker.

From Symantec’s point of view, we have a huge data
centre network, as I said, we process between 6 and
9 billion emails every single day and we scan around
a billion websites every day.

We protect around 9.2 billion end users across our
14 data centres globally.

What that give us is a unique ability to see a huge
amount of new and emerging threats and be able to
protect organisations and individuals in real time, but
also to provide a lot of insight into the new and
emerging threats.

We work proactively with other organisations in our
industry as well as industry bodies and government
bodies to help try and update and protect and educate
the markets to try and stem the tide that seems to be
really proliferating through the internet.

If we go to the next slide.

Really, what we are seeing, some of the key trends
that we are seeing in the internet threat landscape are
more sophisticated email threats, so if you look back
probably even as little as three or four years ago, over
9 a per cent of emails, malicious emails or viruses,
I should say, were delivered as email attachments.

So you receive an email, you open up the attachment
and all of a sudden your machine is infected.

These days, over 90 per cent of malicious software
or malware as it’s called is delivered via an internet
link within the email, the URL link. So that’s probably
one of the biggest changes.

Why that is significant is there is a convergence of
email threats and web threats, because all of those URL
links take the user to a malicious website. It’s not
just a malicious email, it’s a malicious website as
well.

Again, a new and emerging trend over the last few
years is that previously, malicious websites in the
market tended to be reasonably obvious. So they might
have been questionable websites, whether it was gambling
websites or pornographic websites or different things
like that.

These days, there are more and more legitimate
websites being compromised. So people browsing the web,
completely legitimately, going to their banking website
or going to a shopping website or might be an
entertainment website, a news website even, there’s more
and more businesses having their legitimate websites
being compromised and hosting malware on those websites.

If you go back to the email scenario, it doesn’t
have to be somebody deciding to buy some pharmaceuticals
on line or a university degree on-line or something
questionable like that. It can be something that looks
completely legitimate and they click on the link to go
to what they think is a legitimate website and all of
a sudden, it’s taking them to a malicious website and
before they know it, they are infected.

The other things that we are seeing are more and
more instant messaging is certainly a growing trend in
the consumer space, but it’s becoming more and more
popular for businesses and business use as well.

The cyber criminals, because most businesses now
have a reasonably good level of protection for stop
email threats and web threats, the cyber criminals are
seeing instant messaging as I guess a gap in their
technology and protection armour and they are targeting
instant messaging for the same sorts of things, viruses
and what they call spim.

I have spoken about the websites as well.

It really is a converging threat landscape.

The bad guys out there, the cyber criminals are
targeting multiprotocol technologies, so as a consumer
or as a business, we highly recommend that organisations
start to think about multi-protocol protection as well,
because, really, it’s a bit of a game of cat and mouse,
the cyber criminals versus the security companies and
the cyber criminals are really trying to target the path
of least resistance and any vulnerability that they will
see they will target it as best they can in the shortest
possible time and as soon as a defence comes up against
that, they will target something else.

If we go to the next slide, some of the things that
we are seeing in our annual intelligence report, we saw
last year over 73 million different types of malicious
software and these are not just different downloads or
different instances of malware, they are actually
different types.

For a security company to protect you against this,
they need to issue 73 million different patches. That
gives you an understanding of the sizeable task that
we’re up against.

We stopped over 60 billion different types of spam
and again, it’s not different — that’s not 60 billion
email, it’s 60 billion different types of spams. Again,
that’s the magnitude of things that we’re up against.

In Hong Kong specifically, Hong Kong has the dubious
distinction of consistently being at the top of the
charts when it comes to global spam rates. Every now
and then, somebody comes and knocks us off our perch,
but we always tend to fight our way back up and be
resilient and head back to the top. The global spam
rates in April were 9.9 per cent. In Hong Kong, we were
just above that, 91 per cent.

You can see the trend lines there. The rest of the
world dipped down for a little bit, Hong Kong was still
pretty consistent. The rest of the world is catching
up. I’m not sure whether that is a good thing or a bad
thing.

The interesting thing is to ask ourselves the
reasons why that’s the case. There’s a couple of
things.

First of all, Hong Kong is a, let’s call it a,
well, probably a multilingual society, but from a spam
point of view, definitely English language and Chinese
language spam.

A lot of other countries have one or the other.
Hong Kong has a significant proportion of both English
language and Chinese language spam.

The second significant thing is that, obviously, we
all know Hong Kong has a significant banking and finance
industry and any geographic area with a high proportion
of banking finance businesses and industry professionals
working within that industry tends to be targeted,
because I guess the association is that there is money
to be made within that industry.

The third thing which is probably driving having
a really significant impact on this, is the proximity to
China and the massive growth in broadband internet
adoption in China.

Obviously, broadband internet adoption and the
ability for individuals to access the net leaves more
and more people vulnerable and essentially delivers
a larger target market for the cyber criminals.

Because Hong Kong is in such close proximity and
because of the other factors that I mentioned, it tends
to be more of a target. So we definitely think that
that’s going to continue to be the case.

From a virus point of view, you can see there, just
in the last couple of months, Hong Kong has come under
the global rates, but it tracks fairly significantly.

As you can see, a few months back, it was above the
global rates and again, that’s synonymous with the
factors that I mentioned earlier on.

What does 2010 hold. Some of the things that we are
already seeing is that from a spamming point of view,
spammers will continue to be nimble and adopt new and
more sophisticated types of threats and the other thing
is that botnets, so botnets are essentially groups of
recruited PCs, individual consumer PCs, that somebody,
for example, downloads a malicious file and all of
a sudden, their home PC is compromised and recruited and
can be remotely controlled to do a lot of things that
the end user doesn’t even know that they are doing, but
a centralised cyber criminal is controlling those and
recruiting them into what we call a botnet, using them
to be either a file server or to send out spam or to do
a number of different things. Essentially using their
power and their reach to recruit and perform these
illegitimate activities.

The different governments around the world have been
successful in intercepting different ISPs and bringing
them down and stopping the facilitation of a lot of
spam.

But whenever we see that, we literally within
a matter of days, that the global spam rates, they come
down pretty sharply, when these things happen, but
within a matter of days, they are back up at their peak
levels.

What it tells us is that global cyber crime is
incredibly difficult to control and it’s not a case of
necessarily governments or individuals or businesses
being able to step up and do more, it’s a case of really
about collaboration and education and trying to stay one
step ahead of these guys.

We saw last year that the spammers broke or decoded
the CAPTCHA technology, which is the automated, for
automated personal emails account. I’m sure everyone
has seen it. If you sign up for a new account, it
delivers you a set of five or six different characters
and you have to key those characters in to prove that
you are the person that’s opening the account and you’re
doing it manually.

Obviously, the cyber criminals are wanting to build
as many of these accounts as they possibly can in the
shortest period of time, so the CAPTCHA technology has
now been updated, so apparently the cyber criminals are
going to have a more difficult time for a while at least
in breaking this.

The next thing that we have seen is that the cyber
criminals or the spammers are trying to use real people.
Basically, like internet sweat shops, for people in
emerging technologies, to get a huge amount of low paid
people, literally in front of computers, opening
accounts, whether it’s gmail accounts or hotmail
accounts or all different types of free internet
accounts, they’re opening them manually and then the
cyber criminals, the guys that are running these sweat
shops are selling all those accounts.

They are going to a very manual means of opening
these accounts and selling them off, but they’re really
coming up with any type of new means of doing this that
they can.

The other thing that we think we’ll see an increased
amount of in 2010 is non-English spam.

Even in Hong Kong, that does receive a significant
amount of English and Chinese language spam, by far the
majority is English spam, over 80 per cent.

We definitely see and we are seeing all around the
world a larger amount of non-English spam.

Globally, English spam accounts for about
95 per cent of all spam. But that is changing and
non-English language spam is catching up.

If you think about it, again, the security companies
out there protecting companies and individuals, their
expertise and the thing that they’re best at is stopping
English based spam, because that’s what they see the
most of.

Again, the cyber criminals are targeting something
that they see as a gap in the marketplace and that is
the ability to stop non-English language spam. So they
are really focusing on that.

We heard a little bit more about earlier about
social engineering. With the proliferation of social
engineering websites like Facebook and LinkedIn and
MySpace and these types of things, there’s a huge amount
of personal information available on the internet. Just
about everybody on the in this room has some personal
information on the internet.

What we are seeing more and more of in relation to
that is really highly targeted attacks.

It’s almost like if you think of it like targeted
marketing, not too many companies in the industry these
days spend their marketing dollars just doing shotgun
marketing, broad based marketing to anybody and
everybody.

They have all got a target market and they are all
sending a specific message by a specific means to people
that they think are going to be more interested or more
likely to be interested in their message.

The bad guys, the cyber criminals are starting to do
the same thing by taking information from social
networking sites to find out what are my interests,
where do I live, what’s my geographic proximity, what
industry do I work in, what are my demographic — what’s
my demographic profile, what industry associations am
I associated with, all these types of things.

So that what they can do is send people like me and
everybody else in this room, a message that’s highly
targeted. So when you receive it, there’s a strong
chance that you will think that is a legitimate email,
from a legitimate body, that is simply sending you
something of personal interest.

What they are doing is including malicious links in
that email to take you to a website that probably looks
like a legitimate website, but as soon as you click on
something, you will download a piece of malicious
software.

The days are gone when by downloading a piece of
malicious software, your whole machine shuts down or
your address book all of a sudden starts to send out an
offensive message to everybody in your address book.

That doesn’t happen any more. That was kind of
nuisance attack.

These days, it’s more about silently downloading
a piece of malicious software that gives these guys
access to your personal information.

Their whole objective is to stay under the radar and
not let you know that you have been compromised. So
they take control of your machine, they can use it to do
a lot of things and they can also siphon information
from you personally or from your company.

In the way they do that is by sending out
these targeted attacks, so that you don’t even know that
you’re being compromised.

The other thing is that they target a lot of high
profile events, Valentine’s Day is one that happens every
year, but also different events like we saw it with the
Olympics, a couple of years ago, we’re already seeing it
with the World Expo in Shanghai and with the World
Cup.

If you go to just a couple of quick examples. Here
is one, a piece of themed malware from the Olympics.
The hyperlinks in this email take the user to legitimate
websites, but those websites are compromised, so that
when somebody goes there, follows that link, all of
a sudden there’s some malware placed on the
recipient’s computer and they wouldn’t even know it.

Here is another example that we have just picked up
from the FIFA World Cup. This is a legitimate.

People with certain types of day.

When they open up this PDF, their PC will be
compromised.

Here are some examples of what can happen if your PC
is compromised.

People typically used to any if I download
a computer virus, it means that my computer is going to
be shut down and I’ll have to go and buy a new computer.
There is a lot worse things that can happen these days.
I won’t go into the details, but you can see that your
computer can be recruited and used as a web server, it
can be used to siphon corporate information, it can be
used to deliver different email attacks, it can be
recruited into a robot network, and it can be used to
siphon different financial credentials from you.

One of the things that can be downloaded is a key
stroke logger, so when you go to anything that resembles
a banking website, it can basically log the key strokes
that you’re typing on your computer when you’re putting
in your passwords.

All of that information can be sold.

That gives you hopefully an idea of the type of
things that can happen, if you do download a piece of
malicious software.

The key thing here is that definitely, the vast
majority of internet threats these days are driven by
organised criminals. It’s widely reported that internet
crime generates more money now than the global drug
trade. It is a hugely professional industry and so what
that means is that the solutions in the marketplace need
to be able to keep up, both the consumer solutions and
the corporate solutions need to be able to keep up with
this sort of activity and the investment that goes into
it from the criminal side.

One of the key things here is that all the cyber
criminals, they go out and buy every single readily
available, commercially available piece of security
software that is available in the marketplace and they
set up their own test labs and they test all of this
stuff to try and find the vulnerabilities.

It’s not difficult to do. They just set up a test
lab. They have plenty of money to spend on doing this
and it’s all about return on investment for them. They
test these things for vulnerabilities. As soon as they find
some vulnerabilities, they get to work and send out as many
targeted attacks as they possibly can to exploit those
vulnerabilities while they still exist.

Going back to cloud technology or software server
based technology that’s delivered from the internet, it
can’t be tested.

To give you an example, our technology across our 14
data centres globally, we have a technology stack
consisting of some of the best software level
technologies in the marketplace, so three different
levels there, as well as our own technology, as well as
heuristics and perimeter based technologies.

Basically, to use our technology, you have to
literally connect, subscribe to it from the
internet. You can’t download it and test it.

So companies like ours that are offering cloud based
technologies have the advantage of staying one step
ahead of these cyber criminals.

You can see on the slide there the number of new
malicious signatures that are being identified every
year and it’s increasing exponentially, year after year,
so what that means is that as I said, huge amounts of
money invested in this, highly specialised and highly
skilled participants.

What it means is that basically, the old signature
based technologies really aren’t equipped to capture
these technologies any more.

With a software as a service approach, logically
what it means is that if you stop the threats before
they enter the corporate network, or the consumer PC,
then you’re at a lower risk than waiting until the
attack or the threat actually comes into your network or
your PC and then dealing with it reactively.

I won’t go through that in detail. It’s hopefully
pretty self-explanatory, but it is a growing and
emerging trend, both at a consumer level and a business
level on a global basis.

The very last slide here shows you the global
emergence of software as a service technology. In the
UK, over 50 per cent of businesses and 70 per cent of
businesses at the enterprise level deploy a hosted
security solution these days.

In Hong Kong, that rate is only about 10 to
12 per cent, but it’s growing significantly. We expect
to see more and more businesses move to a hosted or
cloud based technology solution to help businesses and
consumers protect themselves as best they can against
all of those new and emerging threats.

>> Stephen Lau: Thank you, Nigel. We just heard from
a security expert who is working for a world renowned
security company offering products and services to many,
many clients on a global basis and he’s talking about
emerging threats and the sophistication, the
proliferation thereof. It’s really frightening.

We have asked Nigel to come here, despite the fact
that I know that he has another engagement coming up
very shortly, but so he has to leave, but we thank him.

Is there any — we can entertain a couple of
questions from the floor.

If not, let me ask one, because in my personal
interest.

He has been talking about corporate and Symantec as
a global company offering service, whereby corporation
well prepared and needs to have a lot of resources,
securities in the interests of the security protection
for the corporation.

You and I, simple individuals, sitting in front of
our laptop, I just want to ask Nigel, give us some
advice. Given all this proliferation of these
sophisticated kind of attacks, what is the best way we
should protect ourselves?

>> Nigel Mendonca: The first thing I would say is whether
you use Symantec or any other security solution, it is
really important that you do have some sort of security
protection at home on your home PC.

You definitely shouldn’t assume that — you can’t
assume, for example, that if you don’t visit
questionable websites, that you’re not going to be
infected. Because like I said earlier, you can go to
any legitimate website and you run the risk of having
a piece of malware download.

You definitely need some sort of protection.

The other thing I would say is you get what you pay
for. There’s a lot of cheap solutions in the
marketplace and there’s even some free solutions in the
marketplace and I’ll let you make up your own minds,
really, but if you think that you can get something
incredibly high quality for free, I think you need to
think again.

That doesn’t mean you need to go for the most
expensive solution on the market, but reputation means
a lot in the industry and there’s a lot of organisations
like Symantec that have a very good reputation in the
marketplace that really I would certainly advise that
you do use.

The other thing I would say is, just be sensible and
use some commonsense when it comes to if you’re using
a PC that’s not your own, that’s at — whether it’s at
a library or a university or an internet cafe or
something like that, I would definitely recommend that
you don’t go to your own internet banking website or
something like that. At one of those sites because you
never know who has been on the machine, what they have
done to it, what level of security they have on it. So
you are running a high risk there.

Lastly, we heard a little bit before about going to
websites like or social engineering about sites like
Facebook. I’m not saying that people shouldn’t use
Facebook because it’s a great tool and I think that it’s
going to get even better and better, but again, we heard
that there are different privacy settings that you can
deploy on Facebook, so you should use those.

You should understand, for example, if you set up
a social networking account, you should take the time to
understand who can see your information, because there
are ways of controlling it and there are ways of
limiting the information, because the cyber criminal,
even though they do spend a lot of time and money to try
and acquire personal and valuable information, they also
go for a lot of low hanging fruit. So there is a lot of
people that display all sorts of information without
bothering to tick the most set up the most basic privacy
levels on something like Facebook and that information
is just there hanging and ready to be harvested and sold
and used for those targeted marketing purposes.

They are probably the main things I would say, but
it’s tough. There’s not any one thing that people can
do. Stay educated and for those of you who have kids
that are at school and starting to use PCs as well,
I think definitely it’s an education process to make
sure that they understand some of the potential threats
and traps that are out there as well.

>> Stephen Lau: Thank you, Nigel.

We do not present souvenirs now. What we do, as we
said this morning, we have donated the cost of your
souvenir, the money, to the Digital Solidarity Fund.

Take your time and if you have to leave, please do
so.

Now we move onto another paradigm, to another
landscape to do with, from a legal perspective, we have
Prof Jackson here, who is going to talk about cyber
crime and intellectual property protection in Hong Kong.
I think that will give a different dimension and we look
towards your enlightened words.

>> Michael Jackson: Thank you, Stephen. Thank you to the
invitation to speak today.

I am an academic. I don’t practice in the field, so
my presentation will have a more academic orientation to
it. It’s entitled cyber crime and intellectual property
protection.

Nigel has just graphically illustrated what cyber
crime in actual practice or how it is largely dealt with
nowadays and that is by way of security issues.

It presents itself as security risk, it’s dealt with
by way of security technology in that sense.

My contention is that the cyber crime legislative
agenda, as far as it continues to exist in Hong Kong,
has been effectively taken over by the copyright
community and used to push into the legislation in
Hong Kong provisions which seek to protect copyright at
my submission, the expense of one of the qualities that
we discussing today, the openness of the internet
itself.

I wanted to focus in particular on the proposal
that’s currently been made for the enactment of a new
offence dealing with the initiation of unauthorised
communication of copyright works to the public.

I ask whether that can be justified. It cannot be
readily justified, but it seems likely that the
government will probably push ahead with it in the
form that they have proposed it.

My central thesis is that the notion of cyber crime,
which is a very evocative term, one which Nigel has
spoken of and illustrated and calls to mind ideas of
organised crime, sophisticated crime, possibly even
fills our imagination of images of armies that act
against us has been used largely nowadays to fulfil
a copyright support regime by the government. That
I submit is an unacceptable intrusion into aspects of
the internet that we seek to preserve.

Cyber crime existed before it was called more simply
computer crime or computer related crime and those of
you that were around in the late 1980s, early 90s to deal
with what was then perceived to be the principal cyber
crime threat as they were known then, namely hacking was
nothing more than that, by way of legislation.

That remains pretty much the bulk of the legislation
that exists today in Hong Kong, save for enactment of
provisions to deal with copyright protection.

The lack of cyber crime provides a very
instrumental means of encouraging honesty development.
That was evident most particularly, I think, with the
drafting signature and coming into effect of the
convention on cyber crime, an international treaty
proposed by the council of Europe, in the late 1990s,
early 2000.

That now has some 46 signatories and some 30
countries have ratified it. Placing upon themselves
a drawing down on themselves an obligation to enact
a raft of substantive offences dealing with the most
obvious forms of cyber crime that exist, access,
unauthorised access, child pornography, certain
copyright offences, computer fraud, computer forgery.

It also obliges them to put in place law enforcement
to deal with 24/7 cooperation and to do with search and
seizure.

In large part, many have seen the convention on
cyber crime as a law enforcement convention which
obtains attraction by being wrapped up with a set of
substantive crimes which everyone felt could or should
be enacted.

The attempt to encourage the enactment of such
offences and national legislation led to the enhancement
of law enforcement across jurisdictions.

Hong Kong was not a party to the convention,
naturally enough, but it took those, dictated the
convention on board and thus in its own review of its
computer based legislation in the early gave itself a rather
hearty slap on the back and said we have done most of
what is required, we have fraud offences, the one thing
we don’t have is a child pornography offence so the
government used the convention on cyber crime the
vehicle to drive forward child pornography legislation
in Hong Kong, which is not limited to the on-line
community, it applies more generally to that.

Cyber crime was used to invoke threats and to drive
forward certain legislative agenda, but since then
pretty much it has gone by the by in terms of dealing
with real cyber crime threats as I foresee them and has
been turned into a vehicle for pushing forward copyright
protection agendas.

The process of criminalisation involved in cyber
crime issues, be they in the proper sense, as
I suggested, they could be formulated or in the
copyright agenda sense, involves a host of issues.

It requires compliance with a number of rule of law
requirements, such as certainty of legislation, such as
fair labeling, fair warning in terms of enacting
legislation and drafting it. It requires in the context
of on-line world, that there be technology neutral
drafting and that there be as far as possible, off line
on line consistency legislation. Don’t make things
criminal which would be lawful in the real world, simply
because they have taken traction in the on-line world.

More significantly, we also enacted legislation
criminalising offences nowadays, have to comply with the
fundamental rights and freedoms that we have now been
granted under the Bill of Rights and the Basic Law. On
top of that, it is acknowledged as criminal sanctions
have always been and should continue to be extraordinary
measures that are invoked only when recurring conduct
inflicts type of harm that is egregious enough to
warrant the creation of a new offence and cannot be
adequately addressed by the civil liability.

It goes without saying, of course, that when the
question of enacting offences dealing with child
pornography were an issue, all of those necessary
criteria were readily satisfied in abundance. Fair
labeling, fair warning, precision, all came into play,
compliance with human right were satisfied, so also was
the idea that it was an extraordinary measure to deal with,
an extraordinary problem that was terminating itself
around the world and gaining a greater problem because
of the intrusion and explosion of the internet and
pornography.

Having entered public consciousness, the concept of
cyber crime dropped away in terms of the legislative
agenda. As I have said, it became the base case of
momentum in terms of the early development of cyber
crime legislation being focused on security issues,
development of security regimes, the Hong Kong document
of security technology and so on and also momentum
passed in some forms to the privacy issues, protection
of privacy.

One doesn’t really need to remind you of the number
of privacy concerns that have arisen in Hong Kong over
recent years, data leakage, Edison Chen’s case,
surveillance in the placement of CCTV in public places,
recent government attempts to introduce drug testing at
schools. All have given cause for pause about the
intrusion, the erosion of privacy concerns.

That erosion is very much fostered not only by
external events, but also by what has already been
spoken of by a number of the speakers so far, blogs, web
2 influence, social networks, Facebook in doing so, they
have taken to publicly disclosing personal information
at a rate never seen before.

One of the speakers at the third IGF conference in
India in 2008 graphically described what he saw
happening in the social network sites as people vomiting
on the internet.

I think a very graphic and illustrative idea of what
is actually been happening.

Quite apart from the personal dam nation involved in
that, what it does, as Nigel and Ken has spoken of, is
that it offers those who would engage in cyber bully
activities, cyber stalking activities, greater
opportunities to do so, victims available to them.

Yet, sadly, the Hong Kong Government has done little
to seriously consider criminalisation in respect of
those activities, even though they are of concern.

Instead, criminalisation, the identification and
criminalisation of so-called cyber crimes has bubbled
along largely coming on the radar by way of protection
of intellectual property rights. Most usually in the
relation to copyright, where one of the original areas
that were contemplated required legislation in the
convention of use of the language of cyber crime has
been copyright holders a degree of leverage when they
argue for often inappropriately, in my view, legislation
to criminal legislation to protect their interests in
this day and age.

The Hong Kong Government has been largely complicit,
it seems to me, in the adoption or the enactment of this
legislation. It’s not shy about offering law
enforcement to the cause of copyright protection. It’s
done so and readily accepts because it is interested in
and has a commitment towards upholding a robust
copyright protection regime in Hong Kong, because of the
importance of the further sustainable development of the
creative industries in Hong Kong’s economy.

In doing so, it runs the risk of tipping a balance
that must be struck between right holders and consumers,
particularly in the free fall that the internet has
become. Leading to the overly quick characterisation of
copyright infringement as cyber crime and thus
warranting the extension of law enforcement to further
copyright protection interests.

What has happened in terms of criminalising
copyright protection has happened not simply in the
legislative sphere. It’s also happened through the
judicial process. We are all familiar with the case of
Chan Nai Ming, in which the distribution offence and
the copyright ordinance was extended to cover
distribution via P to P network, the BitTorrent case.

There effectively the cause enabled copyright
holders to push forward their criminalisation agenda
without even needing to go to the legislature to do so.

It left open a number of issues in the case to do
with the liability of downloaders and so on, but that
is something that they continue to press the government
to take action to remedy, although the government seems
to have taken the view that there is presently a means
to enforce those rights, based on the Chan Nai Ming and
similar cases.

Criminalisation has Edison Chen case, that is to do
with privacy protection rather than cyber crime per se.

With the proposal by the security bureau for the
enactment of new statutory provisions which would
criminalise malicious use of or misuse of data that has
been leaked.

Even there I can’t help cynically perhaps in my
mind, notice that Edison Chen, when he returned to
Hong Kong, to respond to the concerns about the images
that had appeared early in 2008, in the face of
apparently the ability of the Hong Kong criminal law
regime to do very much to help him, asserted his
copyright over the images that he finally conceded he
had taken.

A sort of copyright comes back into the arena,
whereupon the security bureau suddenly say we need to
protect Mr Chen and others privacy in the future,
cynically is this just another means of essentially
ensuring his copyright of his images is protected.
Probably not, but that’s just a slightly cynical view on
my part.

Of course, coming back to where I started, what the
government is now proposed, beginning with the
consultation in 2008, carrying forward after public
consultation with a proposal coming forward
in November 2009, is a new offence regime to deal with
what it calls copyright protection in the digital
environment, with the principal offence being one to do
with the initiating the unauthorised communication of
copyright works to the public.

I’m sure most of you are familiar with that, may
have engaged in debates about it, may have written
submissions to it, to the government about it, all
I want to go through and indicate why I’m of the view
that it is arguably an improper attempt by the
government to take forward an overly large open-ended
copyright agenda, which has serious implications for
I believe openness and communication and free flow of
information on the internet.

Most of you will probably know that in its original
form, the proposal was limited to streaming, as
a particular form of communication, that the government
saw and was necessary to deal with, but it was pointed
out, rightly, I think, that criminalisation should be
technology neutral and that the limitation to streaming
was therefore inappropriate and as a result deleted in
the final proposal.

The government says this is a more forward looking
approach, which allows new technologies and enabling
communications in public to be caught as and when they
are developed.

This the paper said will best serve the government’s
aim of affording timely and adequate protection to
copyright works being communicated on digital platforms.

So an open ended basis on which copyright holders in
the future can, as they identify and seek to take
advantage digital platforms for delivery of their
copyright works to the public, through the internet and
other digital platform, a new means of argue for
protection of their rights, without asking the
government to seriously consider the appropriateness of
legislating by way of criminalisation at that time.

The government, of course, has said that there need
to be appropriate exceptions, taking account of the
views of stakeholders overseas experience, although
when I read many of the submissions of stakeholders,
particularly the copyright community to the governments
proposal, many of the review should be very limited
exceptions made available to the protections that are
being offered to them.

The proposal is controversial in many ways.

Many of them touching on the third of the topics
covered by this panel today namely openness. In
security issue we have dealt with through Nigel.
Privacy a separate issue. I think it’s openness where
the proposal real conflicts if the proposal goes forward
in this present form. For it has the potential to
result in a substantial interference with the relative
freedom of on-line Hong Kong citizens.

It’s hard as presently formulated to see how the
many and varied criteria I have already outlined, rule
of law, issues fundamental rights issues, off line on
line consistency issues, exemption all circumstance
issues. It is hard to see how the proposal can satisfy
those many and varied criteria in order to justify
criminalisation.

Just why civil liability will not suffice remains to
me unanswered and unclear.

The government in its original proposal acknowledge
that a proposal of the width and now proposing simply
unauthorise communication whatever digital platform one
might have in mind, was unacceptable.

It admitted that in the interests of clarity and
certainty, a blanket criminalisation of all unauthorised
communication might cast the net too wide and entail
far-reaching unwarned implications.

The government understood that what a blanket
authorisation entitling criminalisation of all new forms
of digital delivery, communication to the public, was
simply unwarranted and a step too far.

Having been informed and recognising that the
restriction it proposed streaming was objectionable,
because of the technology criteria, the natural thing
the government should have done was said we don’t see
a way to offer a blanket authorisation. We therefore
withdraw the proposal in the form that it’s been
offered.

We, for the time being, can only offer you
a protection regime, which will result in civil
liability without enhancing it by way of bringing the
government’s law enforcement agencies or co-opting them
to assist you in your copyright regime.

Instead of that, that their proposal is rethey
simply decided to offer such a blanket authorisation.

Instead of the properly nuanced reservation it has
it threw everything out the window and said you have
a full, open field in which you can enforce your
copyright protection, hence forward if the proposal is
adopted, without even having to come back and ask the
government policy develop and decide whether this is the
appropriate threshold, the appropriate balance to be
set.

The government has expressly indicated that the
proposed criminal sanction they have in mind will only
apply to the act of taking active steps to make an
unauthorised communication to the public and is not
intended to apply to the simple act of downloading or
browsing infringing materials, via electronic
submission, but just how this formulation can be drafted
effectively is unclear. Many of the submissions from
the copyright community don’t accept the exclusion of
simple act of downloading or browsing.

The worry I have, therefore, is if my daughter, who
is only 11, who has a Facebook page, which I of course
administer, because she’s got to be 13 under US law to
have such a site, I facilitated her by putting in
a misleading age. If she uploads copyright to her
Facebook page, is that ever possibly going to fall
within the rubric of the proposal that is in mind? Is
it an unauthorised communication of copyright works to
the public? Is it a communication? Is it to the
public? Those terms are unexplained, open ended and
prone if given full weight leverage and you can
guarantee the copyright community will seek that full
leverage, prone free flow of communication and
meaningful across the internet.

Obviously, the offence that is in mind is one where
the liability only arises when the communication was to
such an extent as to affect preconditioning copyright
owners outside of the business environment, but I have
confidence this is an effective restraint or restriction
for reasons I mentioned below in a moment.

Another powerful objection quite apart from the
open-endedness of the terms, that the proposal entail,
the uncertainty, the lack of clarity, the blanket
authorisation, is the offence’s potential infringement of
our fundamental rights of freedom of expression and
communication.

Charles Mok here has I think already spoken of this
in the past, it’s been reported and expressed his
concerns about the nature of the offence, suggesting
that it’s too vague, citizens may find themselves
committing an offence without knowing the boundaries for
their activity and as a result, over time, will come to
have chilling effect on communication via the internet,
as people become unsure whether they can do what
they currently do, whether they will be prosecuted,
whether those notices that some people get currently
reminding them that what they are doing is unlawful,
which seems to be effective in the eyes of many, without
a consequential criminal prosecution, a simple receipt
of notice is often I am being monitored, I shall now
therefore, stop what I’m doing.

Whether this will have a chill effect suppressing
the expression of opinion, by persons and thus the
inhibition of democratic society.

I also have a technical objection to the offences
propose, one which arises out of Chan Nai Ming. He was
not distributed to distribute, which means all the
requirements of proof of actual prejudice, of actual
distribution go out the window, as long as you have done
merely preparatory steps, that’s a sufficient basis for
proposing liability. That could there are other
objections at a technical level to do with aiding and
abetting and procuring. Who may be liable for assisting
or helping or encouraging the person who what initiated
the patrons in a bar where streaming World Cup being
watched, are the patron in the bar assisting,
encouraging the streaming who knows? Nothing is clear
from the proposal at heart.

As I have said, a key criteria is to even harrass
the civil protections that are available to copyright
holders, in it has not made up a case for enhancing
criminal sanction extending it in this case and I would
argue that the use of or characterisation of copyright
infringement in the digital backdrop, in the form that
it’s been proposed here, as some sort of cyber crime,
thus meriting the legislative agenda is a step too
far and that’s where I’ll leave my presentation.

>> Ken Ngai: So much about copyright.

I would like to know if anyone from the floor with
any questions to any of us.

>> : This is.

>> Edmon Chung: I have a question, since we were just on
this topic copyright, I actually would like to ask the
panel, but I was wondering whether Mike gur from this
morning is still here, because I read an article
about — development in the copyright laws in Canada
addressing these type of issues and creating, while sort
of a stepping up in terms of a on-line copyright
protection, but also carving out a bigger portion for
things like mash ups, so that there is a lot more
exceptions placed on things, so that general users, when
they do mash ups, they are able to utilise certain
licence copyright material, with sort of an easier
defence, sort of like news which does have that
exception at this point.

Just wonder what Michael — the two Michaels might
think.

>> Michael Jackson: I think it’s obviously this is an issue
which has been addressed in a number of jurisdiction.
My concern is in Hong Kong, it’s a rather open ended,
unlimited development and one which has been driven by
the copyright community, without it seems much regard
for many of the interests that would counter balance
criminalisation and without perhaps ultimately a proper
consideration of the sorts of defences that you have in
mind.

Recently, last year, I attended a presentation in
Hong Kong by Lawrence, of course written on a lot of
this problem. His key point is what are we trying to do
to our children with the legislation we are enacting
along these lines and making them all potentially
criminals for doing what is essentially creative work by
them, mash ups and so on.

Because they are technology proficient and they know
how to do things and enjoy it and suddenly they find
potential that there could be criminal liability.

That’s the sort of thing that worries me.
I mentioned my daughter, perhaps a bit cynically, but
that’s the sort of worry I have about where Hong Kong is
headed in terms of this.

More considered, more balanced regime which does afford
proper regard for creativity, for exploitation is
perhaps better approach than what is currently
formulated in Hong Kong.

>> Michael Gurstein: I’m not a lawyer and my understanding
is that even the draft new law hasn’t emerged. There’s
been some discussion on it, but not, it hasn’t come
forward. It’s a very politically contentious issue and
it’s not a partisan political issue, but there’s
a number of organised forces on either side.

The result I think is still very much unclear,
because the only interesting thing that I can suggest is
that it was probably the first time that something quite
so abstract became the basis of demonstrations in front
of parliament. There is actually an organised movement
across Canada with chapters in about a dozen cities
which organised demonstrations against a tightened
copyright regime.

>> Ken Ngai: Any others from the floor would like to comment
on this?

I have a question for Ms Priscilla Lui. At the
beginning of this section, I show some of the
phenomenon in Hong Kong. To me, the web environment in
Hong Kong is very open. To you, Ms Lui, how do we
balance between openness of information and protection
of China that can be made?

>> Priscilla Lui: Actually, it’s very exciting discussion we
just had and it’s very interesting that Michael just
mentioned that we have to be cautious, otherwise we’ll
be making children criminals.

Michael said he’s not a practitioner. I’m
a practitioner in the field and I work for an agency
called Against Child Abuse.

Every day, we receive hotline calls, drop ins from
young people. I think the world is working together and
hoping that we’ll be building a safe city, a safe
community for our children.

The topic we are talking about today is even more
important or as important. What about the virtual world
that our children is facing every day.

I think from Nigel’s and also Michael’s
enlightenment, we appreciate the magnitude, the
complexity of the problems, the concerns, raised through
these issues and discussions.

How do we ensure a balance between the freedom of
speech that we all treasure, as compared with children’s
safety and protection.

I think it’s excellent that on this particular
platform, that I’ll have this opportunity to raise and
to urge for child perspective in this particular area.

It is very important, particularly with the magnitude,
the complexity we can all see that we cannot leave this
to the hands of parents, nor to the hands of children
themselves.

Parents and young people, they do have important
roles to perform, because they are the ones in the very
forefront to decide, to make important decisions and to
take charge of their life.

But if we think that it stops at that, I think it’s
very unwise.

Because young people, in many way, they are
inadequate. They are not capable of doing so.

There is too little discussion and too little
effort, particularly in Hong Kong, in the aspect of the
role of government, the commercial sector, internet
providers and so on and so forth.

I see that in some other countries, they are trying
very hard, for example, in the states, they have been
using the law to ensure children being adequately
protected, adults have their own choice and decisions,
but young people need, in many different ways, to be
protected.

In terms of their network and in terms of the adult
network, data information and so on and so forth.

I also see a resource implication in the
government’s policy, because I found that in the states,
in Australia, and perhaps in many other countries,
they do spare budgets, finance in covering this
particular area, particularly devoted to the police, the
Interpol, the local police and so on and so forth,
because of the enormous number of cases come to the
forefront, because of this internet concerns,
particularly relating to children.

Unless and until we actually allocate resources,
manpower, training and so on and so forth, to different
professionals, it’s a cross sector multi-disciplinary
concern, otherwise I think all the discussion will be
really lip service.

Of course, more systemic and strategic kind of
programmes for parents and for children needs to be
put in.

I see that Hong Kong is working towards that
direction.

>> Ken Ngai: I know Charles Mok may have something to
respond to other presenters.

>> Ram Mohan: Yes, before I start, I want to say.

>> Charles Mok: Before I start, I want to say I will like to
do the following in Chinese, for a number of reasons,
because I think I can do it faster that way and second,
because I want to make the load of work for the
translators to be a little bit more balanced.

Third, maybe that will wake you, some of you up
a little bit, to spice it up a little bit, as you can
listen to this in your native language.

The rest of you, maybe you can try to put your
headset on.

I’m talking about security, openness and privacy.

I’m talking about security and openness are very
troublesome topics. Openness are easy.

Most of us think that it is a good idea, the
openness of it.

They seem contradictory issues.

In the IGF organisation, under our topics, in our
region, in our Hong Kong IGF, I want to tell you about
IGF, the story.

I met John Fung three years ago and we went to Rio
in Brazil and we didn’t go to see a soccer match, but we
went to attend IGF there.

It’s a big conference and there are many streams of
topic going on.

A lot of them are dedicated to protection of
children and different organisations for all the world
are presented.

A few workshops promoting the freedom of
information.

There are censorship issues in a few countries.

We find that a lot of them, what we talk about are
very opposing, like contradictory.

Me and John are very interested to go to this
openness and John, on the other hand, he would like to
go to the children protection.

How come they are not talking, these two schools of
thought are not talking to each other?

I think this talk communicate between these two
school of thoughts are very important.

I think it’s most important to protect our openness
on the internet. On the one hand, they do want to
protect the children. On the other hand, the school of
thought on protection of children, on the one hand, they
want to protect the children, but on the other hand,
they do not want to see cyber crime to increase.

What I’m just talking about, we are looking at
security, openness and privacy issues. These three
issues.

With the fast growing, very growing of internet
penetration, we have changing attitude towards these
three issues.

The environment has to be ongoing changing.

Whatever standpoint you are coming from, it is
consistently changing.

We talk about privacy.

We have very increase our awareness of privacies and
privacy law.

Stephen Lau, me and him are involved in the hospital
authority, the cases on the privacy issues.

We have been working on these cases.

Hong Kong people and maybe perhaps for the rest of
the world, they find that they are very nervous about
privacy being stolen, their private information being
stolen. But then on the one hand, they are not very
careful with their own data, with their own information.

For example, the hospital authority, the staff who
left their information behind, he would be very angry if
his banking information was revealed.

What I’m thinking, the legal enforcement is not
enough in Hong Kong. Just now, Prof Jackson mentioned
privacy law. There was a consultation on it last year.

But I agree. We need to step up. We need to
enforce and do more consultation on privacy, on the
privacy area.

It’s not like every 10 years.

Also, on the security issues, we have our awareness
has been increased and raised.

How many SME, how many individuals? We have done
enough on our security front for ourselves.

Let me take an example.

Mr Hi is presented. Google, there is a car they
parade around the city and they collected a lot of
information.

We have a lot of survey and also government agency
has people around doing survey, whether they have
encryption, WEA.

A lot of them hasn’t done it. Or they just do it
without using the most secure technology.

With this case, a lot of people, they were saying
Google is not doing a good job. It’s nasty.

From our point of view, as an SME, as an individual,
we have our own responsibility to protect our own
information.

The next point I want to say, when you look at these
issues, there are ways to handle it.

Just now, the two speakers, they were talking about
it. Nigel did on the technical side.

Would there be a programme somehow, somewhere, that
is going to be so high security that it solve the
problem, that’s no more security problem. Or in the
near future, there will be some legal enforcement, so
that the cyber crime will be stopped, they will be
criminalised before it ever happened.

I think down to one point, I don’t depend on others
to solve the problem. The one thing is I think it’s
what you need to do for yourself.

Let’s talk about Nigel’s company or Mr Fung’s
company. They do a lot of security work. These are
firefighting. You are chasing up the problem or say
legislation or the software security, they are not
catching up with the latest crime. What I look at,
there are the legal aspect, I would like to say, there
are some of the area that it’s not addressed. It cannot
address.

For example, the slump just happened. We are
talking about legislation on it.

When we come to think about it, it might not be the
best idea, just to create some law against it for the
problem. It’s just simply passing the job, passing the
work to the government.

Also, this is like you passing the ball to the
government, so giving the authority, the government, too
much authority might not be a good thing.

There was just yesterday a participant from
Malaysia. They have this worry in their country.

This Malaysia, they see this, they abuse and misuse
the legislation.

He suggested there are three criteria. It’s totally
necessary and the law does not have too much power.

Secondly, the law has democratic oversight.

Thirdly, it is based on the human rights globally,
based on their human rights globally, the idea is based
on the human rights.

I think he made very good point. Lastly, I want to
say, I want to promote this. We are Internet
Professional Association of Hong Kong.

It is very simple, what you can do for the internet,
not what the internet can do for you.

It’s not like we are looking forward to legislation
or better software.

It’s not the best way.

Education for the next generation, we have
a thorough understanding or what it is all about. We
have a good concept, good grasp of it.

It is after all, the same mission. We have the same
mission as IGF.

It’s not we are jumping to conclusion how we can
solve this problem.

Thank you.

>> Ken Ngai: I would like to ask is around the table,
Anthony and Stephen, it is about the privacy on-line
service provider, is your point of view what is privacy?
Because it is something, ongoing changes, so today is
privacy, tomorrow maybe not. As I’m studying law,
privacy is a very narrow explanation, but a lot of
things that has had another interpretation, so how can
we provide a platform for the user to upload their
materials? How is that person going to handle his own
privacy or how is for him to interpret this privacy?

>> Priscilla Lui: As a point of view as an OSP, is quite
embarrassing, because the service provided — should
I say in Chinese or English. OK, I will speak in
English then.

>> Anthony Fung: At the OSP level, it is quite embarrassing,
because for one thing, is that you have to provide
a service attractive to your consumers, for example,
social networking.

But however, from a different angle, how attractive or
how flexible that you can provide to your consumers,
that does not draw negative action, such as a few things
is that, you know, a lot of websites, social networking
websites are searchable. Should your names be searchable
on social networking websites. For example, when I was
still with the police force, I quite enjoy a lot of
search spiders. Why? The search spiders help us to
find criminals on the social networking website. If
these social networking websites didn’t allow
searching spiders, for example, easily, they put
a comment line in one of their script that say no
searching spider allowed, then it breaks down the social
networking bond, a social norm. Secondly, how does
government or law enforcement do a back-end searching of
a criminal or try to understand the dynamic of this
social networking scenario.

What about photos?

It works both ways.

For us OSPs, we encourage a lot of photo sharing,
because that introduce a lot of clicks, a lot of clicks
into your portals introduce income to your portal,
because the marketing rate.

The more you share out, then it becomes attractive
venue for criminals also, for various child pornography,
recruitment or even for job market company to recruit
you to some jobs.

What about posting? As you have rightly mentioned,
posting of personal comments.

If I post my personal comment on my own blog, which
is all right, but some of the blogs allow other of your
friends to post on your blog.

How responsible is the OSP at this level, when the
outsider post onto a potential client’s blog. Is that
a OSP’s responsible, the site owners or the consumers
responsible or the actual person who post it? There’s
a lot of legal ramifications.

Then you come to another issue, as Prof Jackson has
rightly mentioned.

Can you regulate this or you have mentioned can you
regulate or Mr Mok has come up with, can you recollect
this? Actually, according to outside experience, it’s
difficult to regulate. Why? Because not even in
Hong Kong, even between country to country, for example,
let me take an example in retention of record. I don’t
know, I think Hong Kong is still three months or six
months, I forgot.

But in Europe, under Brussels, European convention,
they don’t want the OSPs to retain records because they
say records are personal tangible item, so you
should not retain those records for more than necessary,
for more than your job. I think it is very similar to
privacy ordinance, privacy commissioner in Hong Kong,
not more than your job.

However, in United States, the Patriot Act or the
anti terrorist act, the government wants to control your
record. You better retain it up to 12 months or up to X
amount of time, as long as law enforcement want this
record for Patriot Act for the protection of national
security. You have to retain it.

There is another contentious issue, different
regions have different liking of law, so what is the OSP
standing in the middle? This problem will expire. Now
you talking about cloud. Cloud computing. There is no
jurisdiction in cloud computing, so which jurisdiction
law are you going to obey? There is another question.

What about the transmission of communication? Some
jurisdictions says communication start the data start at
the person’s computer, but if it’s an email, if I send
it to you, where does the communication end? Which
jurisdiction does it have the right over to examine
a case?

The guideline for the OSP is still, I guess,
according to the guideline of the office that you set up
in. If you set up in Brussels or Europe, it is probably
different than you set in Asia, in Japan or Hong Kong,
but then I think we are all merging into a cloud
computing, where there is no definite jurisdiction of
where the data is.

I don’t think I can outline my feedback to your
answer, but I just want to highlight some of the inner
problem that have in my mind for right now and for
anybody have absolutely right solution out there, please
suggest back to us what is feasible solution.

>> Ken Ngai: If anyone have any questions, please feel free
to raise your hand, because Stephen is one in privacy
bureau in Hong Kong there is a lot of people using
Facebook. Facebook actually has, the usage is very
high. No matter in collecting your usage or personal
information may not be able to comply to the regulation
or to our data principle guidelines.

Does Hong Kong need to take a deeper look at this
issue?

>> Stephen Lau: What about privacy. First and former
privacy commissioner in Hong Kong, I can go for days
talking about it.

But I’m not going to do that. I’m going to do
quickly.

Actually, raise two issues early on. You are asking
what is the definition of privacy? Does it involve
time?

Particularly here we talk about privacy and personal
data.

I’m sorry to say that the definition does not
change.

Technology might change, but definition does not.

It’s very — privacy, very simple definition, that’s
why I’m speaking in English, because it’s much better
expressed in this abstract kind of issues.

The right to be left alone.

That’s it. Privacy is the right to be left alone.

With respect to personal data is concerned, that
means that I should have control in terms of the
collection, drik, accuracy, retention of my own data.

Sometimes we provide data for purposes which you
agree to, like you want to open a bank account, then you
have provide personal data, ID card numbers, whatever,
such that the bank could operate your account and
maintain your account.

Banks do not own my data. The word is very simple.
Any data you contribute with your own permission to any
organisation, that organisation is a custodian of your
data.

It does not own your data.

I can go on — one point is when I was privacy
commissioner, for three years into my tenure, I did
already suggest to the government a fairly serious
review of the law, based on the experience and feedback
and understanding and the fact that it took more than 10
years, I just want to tell Charles, it’s something
beyond my tenure.

Facebook. I’m sure Priscilla would be very
interested in this. You might be aware of a recent
survey. Just announced this week or last week,
Hong Kong University survey with regard the attitude and
habit of our young people going on to internet and in
particular Facebook, social media.

Very interesting. This young guy, 80 per cent of
them realise, maybe word of mouth, actually experience
or otherwise, that there is danger on the internet, in
terms of giving to the website or getting your data
visible, providing personal data to in particular social
media.

But 70 per cent say they are quite willing to do it.

They did not actually think through, it’s one of
say, yeah, I think there’s danger, but what the hell,
I still give it. Because they reckon that there is some
advantages in it, because they see that there’s a need
relative to provide that in return for whatever return
they are looking for, whether it with friendship,
information, whatever.

That is dangerous.

Therefore, in terms of there is a lot of education
that’s required.

When you talk about Facebook and whether in fact
their privacy notice, whether their privacy, we call
them sort of privacy, I can’t remember what you call
those, choices and all this.

It’s the same as the law? The law allows it?

Under the data protection principles, it’s up to
you. If you provide the data, if you consent to provide
it, then the law said, yes, why not?

But the point about why Facebook has been under
a lot of criticism with respect to the way they would
like to deal with personal data, submitted and
distributed within Facebook, is because if any
organisation has a clientele of 400 million, which are
savvy, they are on the net, which is a very good target
for marketing all kinds of merchandise, products and
services, and they are still struggling to find
a business model upon which they can make money or maybe
making more money, and the only asset they could have is
actually the information that you have submitted or you
have given to and therefore, you suddenly find in their
privacy statements and all that, they would like to use
your data for purposes upon which you might not feel —
in fact, a lot of them do not feel comfortable.

That’s why there was this huge outcry, twice now, in
the last 12 months, with regard privacy consideration as
posed by Facebook.

My advice has always been to particular youngsters,
in fact to everybody here, if you submit any data onto
internet, be prepared that it’s visible to everybody.

That’s the bottom line.

You can do a lot of protection, but whenever you do
that, think first. Think about the value and the cost.

If you feel that is worthwhile, do it.

>> Michael Gurstein: I just want to make an apology. I made
a statement this morning that I think was — that
I misinterpreted some data. It’s actually, it’s not
relevant to this particular discussion, but it’s rather
relevant.

I said that the internet usage in Canada had
declined. In fact, it has increased, but what some data
has just come out, I’m just checking the internet, but
searching around, I think what I was referring to is
that month to month usage in the US web usage has
declined for the last two months and fairly
significantly, it declined February to June, it’s
actually been in decline.

It might be interested what people think about that,
if there’s any linkage to Burma people said.

>> : This is Ben from IET Hong Kong.

Mr Fung’s experience on this stage with the police.
Mr Fung is very good in searching the offenders over
the web and on the other hand, I see that if I commit
the same crime in the real world, it’s much less severe
than I do the same in the web.

Yesterday, I saw a quarrel and there’s two persons
making a lot of sort of foul language exchange and then
one said I do believe I am going to beat you up. Then
say the police went by and then the police saw that,
they were just crazy and no action was taken. On the
other hand, if I put this and leave this in a cyber
footprint on the web there, for sure, under Mr Fung they
will search me, because I make such a statement over the
web. Are we seeing that there are two levels of law
enforcement standard in maybe Prof Jackson, you can
comment on this unwith. Thank you.

>> Michael Jackson: I suppose the only obvious comment you
can make is the one that when you go on-line, you create
a permanency to what’s happened. What happens is
recorded in some form or other and therefore, it is
evidentially available. Maybe that in the real world,
if there was a witness who do attest to what has been
said to some person, the police would likewise deal with
it.

But often there isn’t or often they are not willing
to speak, because of all sorts of other social
relationships and so on that arise.

There is a permanency to what is done and said in
the cyber world, yes, which means that it is easier to
pursue persons in that vehicle, in that form or as
a result of that.

I don’t know that that means that you are worse off
or that means that you are going to get prosecuted,
or you wouldn’t be prosecuted in the real world.

I don’t think that follows.

But it is the case where there are discerned to be
real threat, then they can have a better basis for
prosecuting you.

Taking that point and one thing that Stephen said,
about Facebook and the loading up of information into
the personal information into the web.

The problem is, although you said that it’s your
information that custodians of it, but you have lost
control over it. That is the fundamental problem that
arises. In the real world, if you have information, you
can disclose it or not and you can determine to some
extent how that is disclosed and you can deny it if
someone said you said this and you say I didn’t say
that.

I think one of the things that has become very
important in recent discussions about the internet is
this question of delete.

The finding a mechanism so that what you do and say
on the internet, can, at some point, deleted from it
permanently. These incidents we have of people who have
within, things that they have said and done 30, 40 years
ago have come back to haunt them in some way. Your
youth I think that’s one thing that clearly has to be
explored more fully, is ways in which what you put onto
the web can be deleted, either by you or by a process in
some time, rather than remaining permanently cached
there for someone 30 years later when you are seeking
a position of high importance, to remind you that you
spent six hours a day for two years searching
inappropriate websites, whatever they may be. That
record still remains.

>> Stephen Lau: When I talk about — you are right. When
I talk about being custodian, this is what the law says
of your right. You are the owner, however, yes, because
of internet, because of its interlinkage, because of
cloud computing and technology, you do lose sight or
lose control.

Therefore, this right I use the word, the right to
be deleted or the right to obscurity.

It’s something nowadays individuals or consumer
would like to have a control over.

Whether in fact something could be deleted
permanently, completely, you will not be sure.

You will not be sure. Because it’s quite simple.
You could Google something, if you use a different
expression for the same thing, and you get different
information coming back at you.

This is where complexity is, that’s why we are here
discussing technology advances, legal, laws, how they
could cope or chase up with technology advances, we
always falling behind and all this.

I just want to make that comment.

>> Ken Ngai: I think we are running out of time. Maybe
I let the other panellists to wrap up for one minute.

>> Anthony Fung: From the industrial point of view, is that
we try to work in partnership from various level,
forming our own coalitions with advisers from different
industries like antivirus and the NGOs, et cetera, that
we try to work closely with the government regulations
and also one thing is that we try to educate our users
as much as possible along with simple guidelines,
hopefully the customers, consumers can be protected and
be more educated if industry can offer simple
guidelines.

For example, one very quick example is the child
exploitation and on-line protection unit in the UK.
They recommend Facebook to put a red alert button on
Facebook if the child or the parent deem that content is
offensive, then there’s no other simpler way than
putting, than click on that one red button which sends
that particular content to the police or 24/7 basis.

Simple work with the government and work with all
different parties in industry.

I was told that I spoke too fast in Chinese last
time, so they couldn’t describe my speaking, so I do it
in English this time.

>> Charles Mok: I want to respond to this gentleman’s question
about the differences between enforcement in the real
world and in the cyber world. I think that is a lot of
times the real problem. What you said made me think of
new stories that I just read this morning from the
internet and it was saying that someone who is a
national guard in Maryland in the US, he was speeding,
he was a motorbiker and he was speeding and he got
pulled over by the state police and the policeman was
very rude and was wielding a weapon, his gun and it just
so happened that the biker had a helmet on with a camera
and he filmed the whole thing and put it on YouTube.

What happened after that was a week later, he was
arrested from home, woken from his bed, and taken away,
because he apparently violated some statute in Maryland
that has to do with illegally filming or taking a record
of police action.

So the case I’m reading the case has ignited the
debate over whether police are twisting a decade old
statute intended to protect people from government
intrusion on privacy to instead keep residents
from recording police activity.

I think that is a lot of times also the issue that
we face, laws were made for another world and they are
trying to enforce it in today’s situation and that
causes a lot of problems.

Finally, on a lot of the privacy issue that we talk
about with Facebook, I just also want to report that,
actually, there are actually a lot of companies that,
technology companies that are very proactive in trying
to get together like Anthony was talking about, to try
to do something about protecting various privacy and
other issues on the internet. One example is a global
organisation called Global Network Initiative.

You can go to Google and find out more about it.

Actually, there are three corporate members,
Microsoft, Yahoo and Google, among other NGO founding
members.

One of the things that they have been working on and
I’m a participant of, is a working group on account
deactivation.

There is a growing problem of people’s account,
email account, Facebook accounts and so on, being
deactivated for a number of unknown reasons, maybe
someone reported about you, I think that happened to
many of us in Hong Kong with Facebook accounts, once you
have become outspoken about certain issues, the groups
that you created or your personal account would get
someone would report you for abuse and Facebook for
a company like that, they probably don’t care to read
the Chinese content in the postings and they just simply
we got 50 complaints within a day, this must be pretty
bad, so let’s just cancel his account or suspend. They
do that a lot of time and there’s no appeal mechanism at
all.

That is also an issue. It’s not just an
inconvenience, it is an issue that has to do with
freedom of expression.

That is actually, for example, one of the working
groups in GNI, that we are working on to try to set up
some sort of standards and appeal mechanisms and so on,
so the users can try to work with these social media or
email providers and so on, these companies to try to
have a more established and transparent way of making
appeals and their policy of removal of account,
deactivation of account.

The problem is Facebook, unfortunately, is really,
they just don’t do anything. They just don’t still
hasn’t responded to any of our demands or requests for
talking to them.

>> Stephen Lau: I just want Priscilla, you have hard word
for the panel and particularly related internet and
child abuse or protection thereof. Maybe you like to
give us advice or some consideration.

>> Priscilla Lui: Like Charles, we have a lot to say, but
time is limited and yet, I would like to use this as
a summary.

Because while Charles mentioned about collaboration,
communication, working together, I think it’s a very
important area.

I hope that more and more, the industry, the field
and so on and so forth, would allow children to join in
and would allow parents, citizens to join in more and
more time would be allowed to listen to them.

So that we’ll know the difficulty, we’ll know some
of the recommendations and the way that they solve their
own problems.

Let me use this to end my sharing.

I remember during the Copenhagen
conference on the environmental protection and Al Gore
was being interviewed, because of time limit, he was
asked to give one answer to the solution and of course
there is no one answer and he said of course it would be
important for the government to take the lead, it would
be important to have a visionary leading government in
the community, but more important, it’s every citizen,
it’s not only the government, but everyone, who has the
responsibility and it’s a collective responsibility,
also in this particular area of concern, but please
don’t leave out the basic concern, which is the law and
rules and administration which is very important,
particularly for children and young children, the under
18.

Because if you leave it to their own hands, they’re
not in a position to protect themselves, to that
extent.

>> Stephen Lau: Thank you, Priscilla.

On behalf of myself and Ken, and on your behalf, let
me thank our speakers and our panellists for such
enlightened discussion on security, privacy and
openness.

We can provide the coupons upon which we have
donated a certain amount of money in lieu of a souvenir.

We have another for about 40 minutes to go.

So please stand up, stretch your legs and go to what
Americans call comfort station if you wish to and while
we switching name plates and resetting.

>> : Now the volunteers will distribute feedback form to
you, so please kindly fill it in and return to the
registration counter, if you finish it.

Now we will have some time for the set-up, so you
may use the time to fill the form.

(Short break)