
Will eID Succeed Where e-Cert Failed?

First published: 21st March 2018

The Hong Kong Government released a Legislative Council Panel on Information Technology and Broadcasting discussion paper on 12 March 2018 about its plans for introducing an eID for all residents as key infrastructure in its "Smart City" plans.

The eID project was first announced in the Chief Executive's 2017 Policy Address, which said that it will be provided to all Hong Kong residents and will allow them to use a single digital identity and authentication to conduct government and commercial transactions online. In November 2017, the Secretary for Innovation and Technology, Mr Nicholas W Yang, gave a written answer to Hon Charles Mok, revealing that the system would be launched by 2020 and adding the detail that eID will be used in a virtual form on mobile applications or other Internet platforms, and will not use smart ID cards as a carrier, to eliminate the limitation of using card readers and computers.

The discussion paper says that the eID would be made available for free for all Hong Kong residents to apply for and use on a voluntary basis. It will support digital signing with legal backing under the Electronic Transactions Ordinance (Cap. 553). The long-term goal is to make it mandatory for all government departments and public bodies to support the use of eID. The Government intends to actively encourage public and private organisations to adopt eID and will make technical provision to open up APIs. It will adopt security standards that are widely recognised internationally to ensure that the eID system is secure and reliable, consult the Privacy Commissioner and make provision for future technology.

The registration and use of eID could be provided through mobile applications and other Internet platforms. A year after launching the eID system, there will be a review of the Hong Kong Post Certification Authority, including the feasibility of providing all digital certificates by the private sector.

Development of Electronic Transactions in Hong Kong

The Electronic Transactions Ordinance (ETO) was enacted in Hong Kong on 5 January 2000 and came into force in April 2000. Hongkong Post created a public key infrastructure (PKI) and established the first public Certification Authority (CA) in Hong Kong on 31 January 2000. However, few people started using it.

In 2002, after 2 years, the Government launched a review of the ETO, with a public consultation. One of the proposals in the public consultation was to consider whether legal recognition should be extended to cover other forms of electronic signatures, in addition to digital signatures, in order to stimulate e-business development. In the ETO, an electronic signature is any symbols adopted for the purpose of authenticating or approving an electronic record, and a digital signature is a subset of electronic signature that uses an asymmetric cryptosystem and a hash function. The proposal was criticised as being a step backwards because digital signatures offer a high level of integrity, authentication and non-repudiation that other current technologies cannot match. It was predicted that recognition of other types of electronic signature would merely reduce security and fragment the market, with a negative effect on e-business development.

Nevertheless, in 2003 the Government amended the ETO to allow a 6-digit password to be used as an electronic signature for submitting tax returns.

Using e-Cert

Early adopters always encounter difficulties. A minor difficulty was that, initially, the Hongkong Post Certificate Authority was not recognised as a trusted root CA by major browsers, including Internet Explorer. This gradually improved, but it was not until 2010 that Mozilla included Hongkong Post's root certificate in the Firefox browser.

Another issue was that applications did not use the certificate in the same way. The process for signing a tax return was entirely different to the process for signing the application to have a library card added to a Smart ID card. The explanation was that the two applications have different security requirements, but this misses the needs of the user: a familiar process that they can understand. It is not necessary to learn a new method of handwriting one's signature when using the paper-based equivalents.

More serious were the compatibility problems. At one point, the Hongkong Post e-Cert management application required a different version of the Java Runtime Environment (JRE) to the Inland Revenue's e-Tax application. The applications only supported specific browser versions, and they were often not the most recent ones.

The Government's applications failed to keep up with evolving internet standards. Although Java looked like a good cross-platform choice in 2000, in 2015 Google and Mozilla announced their plans to remove support for the NPAPI plugins that are required to run Java applets in the web browser. Microsoft introduced their new browser, Edge, without Java support. However, at the time of writing, the GovHK software requirements for services requiring a digital certificate still include JRE, restricting browser choice to Safari and the obsolete Internet Explorer.

eID Strengths and Weaknesses

To be successful, eID has to build on the strengths of e-Cert, while avoiding its problems. The discussion paper has some positive indications:

On the negative side:

Hopefully, the eID project will correct the mistakes of the last 18 years.

More Information