First published: 26th March 2013
In Letters to the Editor
Privacy Commissioner Allan Chiang has an unenviable job; he is a toothless tiger trapped between growing public awareness of privacy and security, and data users and aggregators who do not want to change their lax practices.
However, in his letter ("Irresponsible not to respect and protect ID card numbers", March 15), he ignores the relevance of data protection principle 4, requiring protection against unauthorised access. Setting a password to something that is widely known is negligent. Organisations using our Hong Kong identity card numbers as passwords have no reasonable excuse to think only we know our number. In addition to each company we have told, they are known by our families, schools and the security staff of some buildings.
Authentication is the process of verifying an identity, and Mr Chiang is wrong to call the distinction "meaningless". Anyone could claim to be "Allan", but if we add more information, we can distinguish between myself, Allan Dyer, and Allan Chiang. Perhaps there are two Allan Chiangs; the HKID number allows us to distinguish between them. However, just because someone identifies himself as Allan Chiang, with a particular ID card number, does not make it true. We might demand to see their ID card and compare their face to the picture before we accept that person is our privacy commissioner.
The Personal Data (Privacy) Ordinance gives us some control over how our personal data is used. Mr Chiang calls disclosing ID numbers "irresponsible" without recognising how often we expose personal data.
We expose our ID number when we open a bank or utility account, because these firms need to know who is responsible for the bills. When someone becomes a company director, they are responsible to shareholders, so it is right that their exact identity should be known. Mr Chiang is putting convenience and "efficiency" above security.
Activating my credit card at my bank branch once every few years is not onerous, compared to the risk of loss and inconvenience from identity theft. Also, there are strong alternatives for remote authentication, such as using a digital certificate from a certification authority recognised under the Electronic Transactions Ordinance.
The privacy commissioner should warn firms not to set passwords to any ID card number because they are widely known. The government should promote better security practices, including digital certificates. The Monetary Authority could insist online banking sites must accept digital certificates from a recognised certification authority.
Allan Dyer, Wong Chuk Hang
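One way a site could enforce the letter's point that a password equal to a widely known identifier is no authentication at all, as an added example that is not part of the letter: a registration check that rejects a password which is, or contains, an identifier other parties already know. The HKID value is a constructed placeholder and the function names are assumptions.

```python
import re

# Constructed sample in the usual printed HKID layout (letter, six digits,
# check digit in brackets). A placeholder, not a real card number.
SAMPLE_HKID = "A123456(3)"


def normalize_identifier(value: str) -> str:
    """Strip spaces, brackets, hyphens and case so that 'A123456(3)',
    'a1234563' and 'A 123456 3' all compare equal."""
    return re.sub(r"[\s()\-]", "", value).upper()


def password_uses_known_identifier(password: str, known_identifiers: list[str]) -> bool:
    """True if the password is, or contains, an identifier that families,
    schools, employers or building security already know (HKID number,
    phone number, date of birth, ...). Such a secret proves nothing."""
    pw = normalize_identifier(password)
    for ident in known_identifiers:
        norm = normalize_identifier(ident)
        if not norm:
            continue
        if norm in pw:
            return True
        # An HKID typed without its check digit is just as widely known.
        if len(norm) > 4 and norm[:-1] in pw:
            return True
    return False


def check_new_password(password: str, known_identifiers: list[str], min_length: int = 12) -> list[str]:
    """Return the reasons a proposed password must be rejected (empty list
    means it is acceptable under this policy)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password_uses_known_identifier(password, known_identifiers):
        reasons.append("contains a widely known identifier")
    return reasons


if __name__ == "__main__":
    print(check_new_password("A123456(3)", [SAMPLE_HKID]))
    print(check_new_password("correct horse battery staple", [SAMPLE_HKID]))
```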
This article first appeared in the South China Morning Post print edition on Mar 26, 2013 as Setting password to something widely known is negligent