First published: 29th September 2009
Allan Dyer
This newsletter is not intended to promote a party political agenda, but, by advocating the use of technology in society, particularly when related to information security, there are times when there is overlap of areas of interest with Political Parties and elected politicians. Cases include discussions on the Unsolicited Electronic Messages Ordinance (UEMO) and several privacy leak incidents. A recent email from the Hong Kong Liberal Party raises questions in both these areas, and also official language policy.
It is important to note that the message, sent on 23rd September, by design or by fortuitous accident, does not contravene Hong Kong's laws. It is exempt from the provisions of the UEMO because it is a non-commercial message, an exemption I argued against, and, because it was sent to our webmaster address, it was not addressed to a particular person so it is not covered by the Personal Data Privacy Ordinance. The message, sent only in Traditional Chinese, was apparently a survey of SMEs concerning the introduction of minimum wage legislation. If it had been a commercial message, I would have reported it to OFTA for multiple breaches of the UEMO:
- Suspicion of address generation or address harvesting. "Webmaster" is a well-known address for reporting website issues, and is published on our website for that purpose. Other email addresses are published there for other contact purposes. As a human entering addresses would have chosen a more suitable address, it therefore seems likely that the address was either automatically generated, or harvested by automatic means, both activities prohibited for commercial messages by the UEMO.
- Failure to provide an unsubscribe facility.
- Failure to provide accurate sender information in English and Chinese.
The message also contained a web bug, potentially tracking when the message was opened, and a misleading link, labelled as leading to the Liberal Party website, but actually leading to a third-party tracking site. If the message had been sent to a personal address, as others sent in the same batch perhaps were, it might have contravened these Data Protection Principles:
- Principle 1 -- Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject. The message gave no warning that opening it, or using the misleading link, would result in that activity being recorded and linked to the recipient's email address.
- Principle 5 -- Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used. The message, and the website, do not have a Privacy Policy.
On receiving the message, I decided to ask the Liberal Party about these issues, sending an email to them:
Dear Liberal Party
I have received a message, apparently from you, concerning SMEs and the minimum wage. Unfortunately, the text is only in Traditional Chinese, which I cannot read. As a registered voter in Hong Kong and a Director of an SME, I would like to ask the following questions:
- What is your party's position on the official languages of Hong Kong? How do your actions support that position?
- How did you obtain the email address webmaster@yuikee.com.hk? What is your party's position on the Unsolicited Electronic Messages Ordinance, in particular, the provisions on harvesting of email addresses?
Your message contains a link that appears in the text as "http://www.liberal.org.hk/", but which actually goes to the location "http://crm.astamarketing.com/liberal/EmailMgr/CampClickThroughTracker.amx?campaignUrlId=3D45D04D9EE0DABD22C8DA3D1790D57D92&mailContactRecordId=3D48BD5223DA39C0B9191B682F896997A9&campaignDeliveryId=3D70B4853B3BADD4D22BB444E5AE263752". Also, the bottom of your message has an image that is loaded from the URL http://crm.astamarketing.com/liberal/EmailMgr/CampOpenTracker.amx?campaignDeliveryId=3D70B4853B3BADD4D22BB444E5AE263752&mailContactRecordId=3D48BD5223DA39C0B9191B682F896997A9
This is apparently an attempt to monitor, without notification or consent, which recipients of the message opened it, and which clicked through the link. What is the policy of your party on monitoring the activities of individuals without notification and consent?
I look forward to your detailed reply.
Regards
Allan Dyer
Staff at the Liberal Party confirmed on 23rd September that they had received the message and would reply to it. A response has not been received at the time of writing this article.
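Both techniques described in this article, a link whose visible URL differs from its real destination and an image fetched from a tracking URL, can be checked for mechanically in an HTML message. The Python code below is an added example, not part of the original newsletter: the `*.example` hosts, the id values and the function names are assumptions, while the tracker file names and parameter names follow the URLs quoted in the letter.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
# Constructed sample modelled on the message described above. The *.example
# hosts and the id values are placeholders, not the real campaign's values.
SAMPLE_HTML = """
<a href="http://crm.tracker.example/CampClickThroughTracker.amx?campaignUrlId=AAAA1111&amp;mailContactRecordId=BBBB2222">http://www.party.example/</a>
<a href="http://www.party.example/about">About us</a>
<img src="http://crm.tracker.example/CampOpenTracker.amx?campaignDeliveryId=CCCC3333&amp;mailContactRecordId=BBBB2222">
<img src="http://www.party.example/logo.png">
"""

def host(url):
    return (urlsplit(url.strip()).hostname or "").lower()

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []  # findings: (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and urlsplit(a.get("src") or "").query:
            # Assumption: a query string on an image URL marks a possible open tracker.
            self.findings.append(("web-bug", a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = host("".join(self._text))  # empty unless the label is a full URL
            if shown and shown != host(self._href):
                self.findings.append(("misleading-link", self._href))
            self._href = None

def audit(html_body):
    parser = TrackerAudit()
    parser.feed(html_body)
    return parser.findings

def shared_ids(findings):
    """Query values seen in more than one flagged URL: likely per-recipient ids."""
    counts = Counter(v for _, url in findings
                     for vals in parse_qs(urlsplit(url).query).values() for v in set(vals))
    return {v for v, n in counts.items() if n > 1}
```

Run `audit()` on the decoded HTML part of a message: in a raw quoted-printable body every `=` is written as `=3D`, which is the likely origin of the `=3D` in the URLs quoted in the letter.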