First published: 21st March 2018
The Hong Kong Government released a Legislative Council Panel on Information Technology and Broadcasting discussion paper on 12 March 2018 about its plans for introducing an eID for all residents as key infrastructure in its "Smart City" plans.
The eID project was first announced in the Chief Executive's 2017 Policy Address, which said that it will be provided to all Hong Kong residents and will allow them to use a single digital identity and authentication to conduct government and commercial transactions online. In November 2017, the Secretary for Innovation and Technology, Mr Nicholas W Yang gave a written answer to Hon Charles Mok, revealed that the system would be launched by 2020 and adding the detail that eID will be used in a virtual form on mobile applications or other Internet platforms, and will not use smart ID cards as carrier to eliminate the limitation of using card readers and computers.
The discussion paper says that the eID would be made available for free for all Hong Kong residents to apply and use on voluntary basis. It will support digital signing with legal backing under the Electronic Transactions Ordinance (Cap. 553). The long-term goal is to make it mandatory for all government departments and public bodies to support the use of eID. The Government intends to actively promote public and private organisations to adopt eID and they will make technical provision to open up APIs. They will adopt security standards that are widely recognised internationally to ensure that the eID system is secure and reliable, consult the Privacy Commissioner and make provision for future technology.
The registration and use of eID could be provided through mobile applications and other Internet platforms. A year after launching the eID system, there will be a review of the Hong Kong Post Certification Authority, including the feasibility of providing all digital certificates by the private sector.
Development of Electronic Transactions in Hong Kong
The Electronic Transactions Ordinance (ETO) was enacted in Hong Kong on 5 January 2000 and came into force in April 2000. Hongkong Post created a public key infrastructure (PKI) and established the first public Certification Authority (CA) in Hong Kong on 31 January 2000. However, few people started using it.
In 2002, after 2 years, the Government launched a review of the ETO, with a public consultation. One of the proposals in the public consultation was to consider whether legal recognition should be extended to cover other forms of electronic signatures, in addition to digital signatures, in order to stimulate e-business development. In the ETO, an electronic signature is any symbols adopted for the purpose of authenticating or approving an electronic record, and a digital signature is a subset of electronic signature that uses an asymmetric cryptosystem and a hash function. The proposal was criticised as being a step backwards because digital signatures offer a high level of integrity, authentication and non-repudiation that other current technologies cannot match. It was predicted that recognition of other types of electronic signature would merely reduce the security and fragment the market, with a negative effect on e-business development.
Nevertheless, in 2003 the Government amended the ETO to allow a 6-digit password to be used as an electronic signature for submitting tax returns.
Early adopters always encounter difficulties. A minor difficulty was that, initially, the Hongkong Post Certificate Authority was not recognised as a trusted root CA by major browsers, including Internet Explorer. This was gradually improved, but is was not until 2010 that Mozilla included Hongkong Post's root certificate in the Firefox browser.
Another issue was that applications did not use the certificate in the same way. The process for signing a tax return was entirely different to the process for signing the application to have a library card added to a Smart ID card. The explanation was that the two applications have different security requirements, but this misses the needs of the user: a familiar process that they can understand. It is not necessary to learn a new method of handwriting one's signature when using the paper-based equivalents.
More serious were the compatibility problems. At one point, the Hongkong Post e-Cert management application required a different version of the Java Runtime Environment (JRE) to the Inland Revenue's e-Tax application. The applications only supported specific browser versions, and they were often not the most recent ones.
The Government's applications failed to keep up with evolving internet standards. Although Java looked like a good cross-platform choice in 2000, in 2015 Google and Mozilla announced their plans to remove support for NPAPI plugins that are required to run JAVA Applets in the web browser. Microsoft introduced their new browser, Edge, without JAVA support. However, at the time of writing, the GovHK software requirements for services requiring a digital certificate still include JRE, restricting browser choice to Safari and the obsolete Internet Explorer.
eID Strengths and Weaknesses
To be successful, eID has to build on the strengths of e-Cert, while avoiding its problems. The discussion paper has some positive indications:
- Based on Digital Signatures. The paper does not explicitly state this, the closest is in paragraph 7, "eID will support digital signing with legal backing under the Electronic Transactions Ordinance (Cap. 553)". Hopefully, "digital signing" means securing with a digital signature, because digital signatures have important advantages not shared by other forms of electronic signature.
- Free. Although the e-Cert annual fee is only HK$50 per annum, it is a disincentive when the expected usage is an annual tax return.
- API. Providing a well-documented API is important for getting third-party applications using the eID.
- Active Promotion. The intention to encourage usage is positive.
On the negative side:
- Compatibility. It needs to 'just work'. e-Cert has shown that even enthusiastic early-adopters become discouraged when there are recurring compatibility problems. The system must use open standards so that users are not excluded by their choice of computing environment, and must look forwards to technology developments (like the announced abandonment of browser JAVA support).
- Entrenched solutions. Active promotion may no longer be enough to bring major online services onboard. Banks, shops and payment services have all developed their own, fragmented, authentication solutions and they have little reason to adopt eID in addition. Perhaps the HKMA can make accepting eID mandatory for all HK banks.
- Poorly thought-through security implications. The proposal includes the suggestion, "the
registration and use of eID could be provided through mobile applications and other Internet platforms". While using eID in a mobile app will be essential, registration is another matter. Registration is the point at which the identity of the user is verified and bound to the digital certificate, so how is the user's identity going to be established with any degree of certainty by a mobile app? This concern is also linked to another suggestion, that there will be a, "review of the services and operating arrangements of the Hongkong Post Certification Authority, including the feasibility of providing all digital certificates by the private sector". The use of Post Offices for issuing e-Certs was one of the strengths of the system. The registration was conducted face-to-face by trusted public servants that were already vetted and trained in verifying people's identity for other purposes, and the process could take place at offices in every district. The private sector can provide the benefit of the free market when the participants bear the costs of failures, but the cost of a failure in registration is paid by the third parties who are identity theft victims or that rely on the falsely-issued certificate.
Hopefully, the eID project will correct the mistakes of the last 18 years.