Hong Kong Electronic Signature Law and Certification Authority Regulations: Promoting E-commerce In The World's “Most Wired” City
Issues - Vol. 7 Issue 1 (Fall 2005)
Written by Stephen E. Blythe   
Thursday, 22 March 2007

IV. The ITBB's Consultation Paper: Recommended Amendments to the ETO

In the summer of 2001, the Hong Kong Government's Information Technology and Broadcasting Bureau (“ITBB”) undertook an internal governmental review of the ETO for the purpose of ensuring that Hong Kong's e-commerce law remained up-to-date.92 Toward that end, all Hong Kong governmental departments were consulted and asked to state their views on issues pertaining to the ETO. At the end of the consultations, the viewpoints were compiled into a group of preliminary proposals for amendment of the ETO.93 In March 2002, the ITBB issued its findings to the public in the Consultation Paper on the Review of the Electronic Transactions Ordinance and requested the public to comment on them. A consideration of the specific proposals follows.

A. Proposals for Legal Recognition of Other Forms of Electronic Signatures

First, the ITBB stated its view that all governmental departments should review whether the digital signature requirement can be removed, “in order to facilitate electronic transactions.”94 They proposed that other forms of electronic signatures, besides digital signatures, should be considered for legal recognition.95

The Hong Kong General Chamber of Commerce was pleased to see the ITBB's consideration of other forms of electronic signatures. According to the Chamber of Commerce, this would be consistent with UNCITRAL's Model Law on Electronic Commerce, which advocated technological neutrality and a “minimalist” approach with as little regulation as possible. However, the Chamber of Commerce also noted that their concerns were not completely allayed by the government's proposals,96 stating: “There should thus be no need to confer such sweeping powers, including determination of even the form, manner, and format of electronic record, to the Secretary for Information Technology and Broadcasting. . . . This regulatory approach is too restrictive.”97

1. Proposal to Use the PIN As a Substitute for the Digital Signature: Rejected

As previously mentioned, there are a number of electronic signatures available; the digital signature is only one type of electronic signature. Interestingly, the ITBB advocated that the personal identification number (“PIN”) be seriously considered for adoption as an alternative to the digital signature requirement. They observed that the PIN was already used extensively in banking operations around the world and in the implementation of E-government functions in many countries.98 “With proper management, [the PIN] can . . . satisf[y] the signature requirement . . . where the level of security offered by it is commensurate with the risk of the service involved, e.g. where there is [an] already established relationship between the parties . . . .”99 Their argument was that the PIN offered more economy and convenience for the user, albeit with less security, and that the individual user should decide the level of security desired.100

In its response to the government's Consultation Paper on the Review of the Electronic Transactions Ordinance, the Chamber of Commerce embraced the proposal to grant legal acceptance to PINs as an alternate form of electronic signature.101 Naturally, they took a “pro-market” approach to the issue: “We would emphasi[z]e that the aim of electronic signature authentication is to simplify, not complicate electronic commerce.”102 The Chamber of Commerce cited UNCITRAL's stance that electronic signatures should be presumed to be valid and enforceable, and should not become hamstrung by any specific technical requirements.103 They adopted the ITBB's economic argument as well: “[I]n a free market different levels of security will be needed by different businesses, at different costs.”104

However, the wholesale acceptance of the PIN as a viable substitute for the digital signature was not to be. This proposal did not become an amendment to the ETO. The serious flaws in the proposal were exposed in a journal article written by a group of law professors at The University of Hong Kong (“HKU”).105 As a foundation for discussion, the article noted that a signature must satisfy three basic requirements: (1) it must identify the signatory in order to show that the document carries his/her authority (the “authorization” requirement); (2) it must indicate that the signatory has approved the document's contents (the “approval” requirement); and (3) there must be an absence of fraud, in that the signature must indeed be that of the signatory and has been applied with his/her consent to the document (the “no fraud” requirement).106 To comply with the authorization requirement, there must be a confirmation that the signature is that of the signatory; to comply with the approval requirement, the signatory must be able to ensure that the document's contents will not be altered subsequent to the signing; and, to comply with the no fraud requirement, the signature must be sophisticated enough to reasonably ensure that it has not been forged.107

A digital signature complies with all three of these requirements.108 If the hash value computed by the document's recipient is identical to the hash value contained in the digital signature, then it can be concluded that: (1) the document has not been altered; (2) the document was created or authorized by the owner of the private key, whose identity is confirmed by the certification authority; and (3) there is virtually no chance of fraud having occurred because it is impossible to mathematically compute the private key using the public key.109 Hence, all three requirements are fulfilled by the digital signature.

Does the PIN satisfy the three requirements? No, it satisfies only the authorization requirement; it does not satisfy the approval requirement or the no fraud requirement.110 A person with illegitimate knowledge of a PIN may use it to fabricate an electronic document and create a session record contending that the document was created by the rightful PIN owner.111 Furthermore, the culprit who has gained access to a PIN may attach it to a fabricated electronic document at any time, and the fabrication cannot be distinguished from an original document.112 In their article, the HKU professors cast a spotlight on PIN technology and drove home the point that, in comparison to digital signature technology, it is relatively primitive and offers significantly less security.113 Their criticism, coupled with that of others, resulted in the rejection of the ITBB's proposal to grant the PIN full-fledged legal status as an acceptable form of electronic signature.
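
The contrast drawn above can be seen in a short added illustration, which is not part of the original article: a toy digital signature (textbook RSA over a SHA-256 hash, using a deliberately insecure key built from two publicly known Mersenne primes) set beside a PIN check. The function names, the sample documents and the PIN are all constructed for the example.

```python
import hashlib
import hmac

# Toy RSA key built from two publicly known Mersenne primes. Constructed for
# illustration only: the primes are public and no padding is used, so this
# key protects nothing.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, known to every recipient
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held only by the signatory


def digest(document: bytes) -> int:
    """Hash value of the document, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signatory: apply the private key to the document's hash value."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient: recompute the hash and compare it with the signed one."""
    return pow(signature, E, N) == digest(document)


def pin_accepts(document: bytes, pin: str, enrolled_pin: str) -> bool:
    """PIN check: compares a shared secret and never looks at the document."""
    return hmac.compare_digest(pin.encode(), enrolled_pin.encode())


def compare_schemes() -> dict:
    original = b"Pay HK$1,000 to A. Chan"      # constructed sample documents
    altered = b"Pay HK$100,000 to A. Chan"
    signature = sign(original)
    return {
        "signature_on_original": verify(original, signature),
        "signature_on_altered": verify(altered, signature),
        # A made-up signature value, produced without the private key.
        "forged_signature": verify(altered, 12345),
        # The PIN is not bound to any document, so both are accepted.
        "pin_on_original": pin_accepts(original, "4821", "4821"),
        "pin_on_altered": pin_accepts(altered, "4821", "4821"),
    }


if __name__ == "__main__":
    for check, accepted in compare_schemes().items():
        print(f"{check}: {accepted}")
```

The signature verifies only for the document it was computed over, whereas the PIN check accepts the altered document as readily as the original.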

2. Proposal to Postpone Utilization of Biometrics: Rejected

The ITBB, although acknowledging that biometrics is technologically sound, decided to call for a postponement of its utilization. They contended there was “currently no institutional arrangement in place which can support their application on a community-wide basis.”114 Furthermore, they stated that they did not foresee the emergence in the near future of an “independent and trusted third party” who could collect biometric data from subscribers on a community-wide basis, or that biometrics would gain wide acceptance in the community.115 How wrong they were! The best item of evidence indicating wide acceptance of biometrics in Hong Kong is the Hong Kong Identity Card, accepted by the government as well as the general public, and employing two thumb prints as its biometric identifier.116

To its credit, the Hong Kong General Chamber of Commerce took a view contrary to that of the ITBB and had called for “some means of enabling them [biometric identifiers] early within the current legislative framework [to] be examined.”117 Their position was that technological development should be market-driven,118 not government-driven; the role of government should be “to provide a framework to enable the market to freely develop these, rather than making a judgment as to which types of technology should mature and when.”119 It remains to be seen whether biometrics will be employed in private business to the extent that the Hong Kong government has employed it, but the almost-universal tide of acceptance created by the successful I.D. card seems to be overwhelming.120

3. Proposal to Allow for Electronic “Delivery by Post or in Person”: Accepted

Noting that a number of Hong Kong laws allowed for legal notice to be given through “Delivery by Post or in Person,” the ITBB proposed that electronic delivery should be deemed as complying with this requirement. In order to avoid each and every law having to be amended to allow for electronic notice, an amendment to the ETO was proposed allowing that “delivery by post or in person” would be automatically interpreted to so allow.121 The Chamber of Commerce had no objection, stating “obviously we support extending [the ETO's] meaning to cover delivery by electronic means.”122 This amendment was adopted, but a proviso was added to the effect that the recipient must agree to the delivery in electronic form.

4. Proposal to Continue Most Exemptions Under the ETO: Accepted

The ITBB categorized the exemptions under the ETO into five groups: (1) where the matter or document involved is solemn (e.g., electoral process); (2) where there is an operational need (e.g., requirement to produce a document to a Government authority immediately, “on-the-spot”); (3) voluminous and complex submission (e.g., works departments); (4) need for adherence to international practices (e.g., documents to be retained by an international flight crew); and (5) need to ensure that the Government can meet its contractual obligations (e.g., submission requirements pertaining to trade-related documents concerning the franchise of the Tradelink).123

The Chamber of Commerce, given its “minimalist” approach to regulation, naturally supported “a more aggressive approach to encourage wider application of electronic means.” It opined that, over time, the need for the exclusions would be reduced.124

5. Proposed Changes in Regulation of Certification Authorities: Accepted

The ETO provides for a voluntary recognition program for CAs.125 CAs are not obliged to apply for recognition. Those who do must present, on an annual basis, evidence to the Director of Information Technology that they provide a trustworthy service.126 The ETO requires CAs to hire an independent assessor (e.g., a Certified Public Accountant) to prepare and submit an assessment report to the Director.127 In the Consultation Paper on the Review of the Electronic Transactions Ordinance, the ITBB recommended that the assessment report be divided into two parts: one part dealing with issues pertaining to the trustworthiness factors, and the other part pertaining to the non-trustworthiness factors.128 Furthermore, the ITBB proposed that the independent assessor only be required to address the trustworthiness issues, with the non-trustworthiness issues covered by a declaration made by an authorized agent of the CA.129

Additionally, the ITBB noted that sometimes, extraordinary situations will require a CA to submit a report to the Director in the middle of a reporting period, before the end of the year.130 Examples of such situations might be: (1) significant changes in the financial status of the CA; (2) changes in the liability insurance coverage of the CA; or (3) changes pertaining to “the system, procedure, security arrangements and standards used by the CA to issue certificates to its subscribers.”131 In such situations, the proposal would give the Director the authority to mandate the CA to prepare a report in mid-year covering only these extraordinary factors.132

The Chamber of Commerce agreed with these two proposals.133 However, on the issue of regulation of CAs generally, the Chamber of Commerce claimed that the Director of Information Technology Services had a conflict of interest with the Postmaster General, since the Postmaster is a designated CA under the ETO, and the Director and the Postmaster are “two departments under the same policy bureau.”134 Accordingly, the Chamber of Commerce called for the Director to confer with an independent advisory committee, consisting of representatives from other affected parties, in the discharge of its regulatory duties over the Postmaster General.135



Last Updated ( Monday, 07 January 2008 )