First published: 16th July 2020
Dear Carrie Lam
Are we guilty of obstruction to the lawful exercise of powers by the Police when anti-virus software on our computers finds and deletes spyware that has been legally installed by the Police under the "interception of telecommunications" provision in the National Security Law?
If I, as an IT Consultant, find spyware on a customer's computer, what should I do? How do I determine whether it was legally installed by the Police, or illegally installed by a criminal?
Information Security Researchers recognise that some malicious software is beyond the development capabilities of individuals or even criminal gangs; it must have been developed by nation states or their agents. In 2011 the Chinese Defence Ministry revealed that it had a "cyber blue team" for self-defence, but denied having offensive capabilities. Any offensive capability is therefore a state secret. Article 38 of the National Security Law allows non-Hong Kong residents to be prosecuted for acts outside of Hong Kong. What assurance can you offer to Information Security Researchers who analyse malicious software found outside of Hong Kong, and publish their results for the better protection of information systems worldwide, that they would not be arrested on arrival in Hong Kong and prosecuted in a secret trial?
The provisions of the National Security Law appear to have been drafted in ignorance of information security. If we take reasonable steps to secure our computers and devices, we are at risk of inadvertently breaking this law. It is regrettable that there was no public consultation where these problems could have been raised before it was hastily passed and promulgated.
Updated: 16th July 2020
CE Carrie Lam's office has responded with an acknowledgement:
Thank you for your email of 3 July to the Chief Executive. I am authorized to acknowledge receipt of it. Your views are duly noted and have also been relayed to the relevant bureaux for reference.