First published: 31st May 2008
Hong Kong's Police Force are now the focus of concerns about unauthorised data leaks following the emailing of ten documents to the media. The documents appear to be confidential Police reports, and the email claimed they were downloaded using the peer-to-peer software Foxy. It has been noted in previous data leak cases that a default Foxy installation shares the user's entire computer, without clearly notifying the user.
The documents include a report on an anti-drug operation in a Kowloon West disco, including undercover agent aliases and other operational details. A Police spokesman has declined to confirm whether the files are genuine, and the technology crimes division is following up the case.
Sin Chung Kai, Legislative Councillor for the Information Technology sector, showed no restraint in commenting before the facts were known, saying it could be a hoax. Apparently demonstrating detailed knowledge of Police IT systems, he said, "The data would be stored in a standalone computer and would not be connected to the internet so it is difficult to see how it could be transferred". However, Hong Kong Police Inspectors' Association chairman Tony Liu Kit-ming had a different perspective, saying that the leak could be a result of officers taking work home: "It is common for frontline officers to write their reports at home and it poses risks to security, but they have too many things to be finished and working at home is the only way."
Previous high-profile data leak cases in Hong Kong have included Legislator Sin Chung Kai's email, the Independent Police Complaints Commission, various hospitals, and celebrity Edison Chen.
Updated: 28th May 2008
Inquiries have confirmed that the documents are genuine, and have identified three officers as responsible for the leaks. However, more confidential files were found on the internet yesterday, including a detailed police investigation report, a report on an appraisal of an officer and the job description of an ICAC officer. These are clearly not isolated incidents.
Discussion has focussed on the practice of using home computers to work on official documents, in violation of regulations, and the lack of computers available for junior officers. Ten constables might share a computer in a police station. Computers need not be expensive: charitable organisations are aiming to empower third-world school children with the One Laptop Per Child initiative. Perhaps senior Police officers should consider a "One Secure Laptop Per Constable" programme.
There is a lesson for all organisations: encouraging home working may be attractive for many reasons, but such a move has security implications, and enlarges the security boundary of the organisation. Cost savings may be less attractive when you need to budget for securing your employees' home computers.