First published: 15th June 2017
Stephen Kai-yi WONG, Hong Kong's Privacy Commissioner for Personal Data (PCPD), has issued his investigation report into the loss of notebook computers containing personal information of Hong Kong electors by the Registration and Electoral Office (REO). The Constitutional and Mainland Affairs Bureau (CMAB) has also issued the report of its Task Force charged with reviewing the reasons leading to the same incident.
The PCPD concluded that Data Protection Principle (DPP) 4 was breached and has issued an Enforcement Notice instructing the REO to remedy and prevent any recurrence of the contravention. DPP4 is the Data Security Principle, which requires "practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use". Issuing an Enforcement Notice is the maximum limit of the PCPD's powers under the Personal Data (Privacy) Ordinance. Failing to comply with an Enforcement Notice is an offence punishable by a maximum fine of HK$50,000 and imprisonment for 2 years. In other words, the PCPD has told the REO, "don't do it again", and the PCPD does not have the power to do anything more.
In the Hong Kong Government structure, the REO comes under the CMAB, so the report issued by the CMAB is, essentially, the Government's internal investigation into the incident. The report recommended improvements in the handling of Personal Data, following the IT Security requirements more strictly, improvements in the general security of election venues, and changes to the REO so that staff responsibilities are clearly understood and experience is retained between elections.
According to the PCPD's report, the REO was asked to demonstrate the security measures on a similar system, and "Considering the risk that would be brought about by the disclosure of the security technology (e.g. brand of the encryption software, composition of passwords, data access procedures, etc.), PCPD only invited experts from the OGCIO to attend the demonstration, and requested them to raise questions to the REO and offer professional advice on site." This suggests that the PCPD does not know Kerckhoffs's principle:
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
or Shannon's maxim:
One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.
Obviously, the possessor of the stolen notebook can identify the encryption software used and the workings of the system by inspection, so by restricting the information the REO is only preventing useful feedback on how to improve the system for future use.
The decision by the PCPD to obscure details of the security technology looks even more questionable when the CMAB report is examined. The CMAB report contains details of the two data systems installed on the two stolen netbooks, namely the Polling and Counting Access Control System (PCACS) and the Electors Information Enquiry System (EES). The PCACS (which the PCPD concluded was not a problem under the Privacy law) operated through handheld devices that connected to the stolen notebook through an encrypted WiFi network, and the database on the notebook was protected by an 8-character password. On the other notebook, the EES was protected by three layers of login: to Windows, to the encryption software protecting the EES and its database, and to the EES itself. The disc drive containing the database and EES was encrypted with AES 256. The Hong Kong Identity Numbers (HKID) were encrypted with AES 256 (presumably in an encrypted database column), and the whole database was encrypted with AES 128. The report claims, "The decryption would need to be done through the EES programme", but does not explain how that restriction was enforced, or whether it could be.
The report also states, "The key to decrypt the database was unrelated to the three passwords mentioned above. In other words, even if a person holds the three passwords, he/she would still not be able to decrypt the entire database using the passwords.", which presumably implies that the decryption key for the entire database was, somehow, embedded in the EES programme. Therefore, suitable reverse engineering of the EES programme could recover the decryption key.
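As an added illustration (not code from the REO, the EES or either report), the following contrasts a database key that ships as a constant inside the program with a design where a fresh data key is only ever stored wrapped under a key derived from a secret the program does not contain. The cipher is an HMAC-SHA256 counter-mode stand-in for AES, used because Python's standard library has no AES; every key, salt and record value here is constructed for the example.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR: HMAC-SHA256 as a PRF over a counter (stdlib has no AES).
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 256-bit key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32).
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Design A (what the CMAB report seems to describe): the database key is a constant
# inside the program, so every copy of the program carries the key with it.
EMBEDDED_DB_KEY = bytes.fromhex("00" * 32)  # constructed placeholder value
def encrypt_with_embedded_key(records: bytes) -> bytes:
    return seal(EMBEDDED_DB_KEY, records)

# Design B: a fresh data-encryption key (DEK) per database, wrapped under a
# key-encryption key (KEK) derived from a secret the program does not contain.
def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def encrypt_database(records: bytes, passphrase: str) -> dict:
    dek, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    kek = derive_kek(passphrase, salt)
    return {"salt": salt, "wrapped_dek": seal(kek, dek), "ciphertext": seal(dek, records)}

def decrypt_database(store: dict, passphrase: str) -> bytes:
    kek = derive_kek(passphrase, store["salt"])
    dek = unseal(kek, store["wrapped_dek"])  # raises ValueError on a wrong passphrase
    return unseal(dek, store["ciphertext"])
```

In Design B the KEK could equally be released by a TPM or by the user's login credential; the point is that the stored blob plus the program bytes do not, by themselves, yield the DEK.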
Is it possible to guess what software was used for the disc drive encryption? What encryption software that supports AES 256 is commonly used on Windows to encrypt whole drives? Microsoft has actually provided BitLocker with Windows since Windows Vista, so the disc encryption is probably BitLocker. This is good news, if the notebook computer has a Trusted Platform Module (TPM), because BitLocker will store the key in the TPM, and the TPM will prevent brute-force password guessing. Enterprise-grade notebooks often have a TPM.
If these assumptions are correct, then the continued security of the Hong Kong Voters' database depends on:
- Does the stolen notebook computer have a TPM?
- Can the thief reverse-engineer the EES and recover the other encryption keys?