Following is the full text of the speech delivered by the Director of Information Technology Services, Mr Lau Kam-hung, at a luncheon of a management association today (May 4):
Mrs Mak, Ladies and Gentlemen:
I am delighted to be able to address today's luncheon gathering of the IT Management Club of the Hong Kong Management Association. I enjoy being among senior IT executives, as it will give me the opportunity to stay in touch with the latest developments in the local IT industry as well as to meet up with old friends.
As professionals in the IT field, we are all familiar with how IT has transformed the way businesses are conducted and the way people communicate all over the world. The advent of the Information Age, in particular the phenomenal growth of the Internet over the past few years, has enabled commerce to be conducted electronically across geographical boundaries and time zones. In cyberspace, businesses are now able to reach out to new markets and new customers worldwide. The Internet has enhanced information flow of the supply chain and reduced the requirement of intermediaries between suppliers and customers, resulting in more efficient and cost-effective operations.
There is a prediction in the industry that Internet sales will increase from US$130 billion last year to US$1.8 trillion by 2003. In respect of Hong Kong, the forecast is that the total value of products and services transacted over the Internet will increase from US$60 million in 1998 to US$2.4 billion by 2003. There will certainly be ample opportunities for enterprises, big and small, to reap the benefits of conducting business electronically over the Internet.
To enable electronic commerce to take hold and flourish in Hong Kong, the Government introduced the Electronic Transactions Bill into the Legislative Council in July 1999 for the establishment of a clear legal framework conducive to the conduct of electronic transactions. The Bill was passed by the Legislative Council on 5 January 2000. The Electronic Transactions Ordinance, which was gazetted on 7 January 2000, gives legal recognition to electronic records and digital signatures and provides for a voluntary certification authority recognition scheme. Under the scheme, certification authorities, in short we call them CAs, may apply to Government for recognition on a voluntary basis.
CAs serve as trusted third parties to ensure trust and security in electronic transactions. They issue digital certificates to their subscribers. Through the use of public/private key pairs and digital certificates, individuals and businesses can -
a) establish the identity of the opposite party in electronic transactions;
b) ensure the integrity and confidentiality of electronic messages transmitted over open communication networks; and
c) safeguard the non-repudiation of electronic transactions.
The Government encourages private sector initiatives in the provision of CA services. To keep regulatory control to the minimum, there is no mandatory licensing requirement for CAs to operate in Hong Kong. Instead, under the Electronic Transactions Ordinance, the Government has put in place the voluntary certification authority recognition scheme. As the Director of Information Technology Services, I am empowered by the Ordinance to grant recognition to a CA and to digital certificates issued by a recognized CA.
Recognition will only be granted to those CAs and digital certificates that have reached a standard acceptable to the Government, thus enhancing public confidence in the conduct of electronic transactions with the use of recognized digital certificates issued by recognized CAs. In this connection, I have issued a Code of Practice for Recognized Certification Authorities in January this year. The Code of Practice, together with the Electronic Transactions Ordinance, governs the operation of recognized CAs for better protection of the interest of users of certification services.
In determining whether a CA is suitable for recognition, the following factors will be taken into account -
a) whether the CA has the appropriate financial status for operating as a recognized CA;
b) the arrangements put in place by the CA to cover any liability that may arise from its activities;
c) the system, procedure, security arrangements and standards used by the CA to issue digital certificates to subscribers;
d) a report prepared by a qualified person which contains an assessment as to whether the CA is capable of complying with relevant provisions of the Electronic Transactions Ordinance and with the Code of Practice for Recognized Certification Authorities;
e) whether the CA and its responsible officers are fit and proper persons; and
f) the reliance limits set by the CA on its digital certificates.
In respect of the recognition of digital certificates issued by a recognized CA, consideration will be given to -
a) whether the digital certificates are issued in accordance with the certification practice statement which governs the issuance of the digital certificates;
b) whether the digital certificates are issued in accordance with the Code of Practice for Recognized Certification Authorities;
c) the reliance limit set on the digital certificates; and
d) the arrangements put in place by the recognized CA to cover any liability that may arise from the issuance of the digital certificates.
Overseas CAs may also apply for recognition as recognized CAs and for recognition of their digital certificates. The same recognition criteria will apply to both local and overseas applicants.
I have also established an Advisory Committee on the Code of Practice to advise me on matters relating to the Code of Practice. The Advisory Committee comprises representatives from the industry.
Under the voluntary CA recognition scheme, there are mechanisms to monitor the operation of a recognized CA. At least once in every 12 months, a recognized CA must furnish to me a report which is prepared by a qualified person and which contains an assessment as to whether the recognized CA has complied with relevant provisions of the Electronic Transactions Ordinance and the Code of Practice during the report period. Furthermore, a recognized CA shall report to me immediately any incident that materially and adversely affects its operation. I may also call for information from a recognized CA which is relevant under the Electronic Transactions Ordinance at any time by giving a reasonable notice to the CA concerned. If from such or other information sources I become aware of incidents of non-compliance with the Ordinance and the Code of Practice on the part of a recognized CA, I may consider suspending or revoking the recognition granted to the CA or to its digital certificates, or taking other actions as appropriate to address such non-compliance.
Should a CA feel aggrieved by my decision not to grant or to renew a recognition, or to revoke or suspend a recognition under the Electronic Transactions Ordinance, the CA may appeal to the Secretary for Information Technology and Broadcasting against my decision. In turn, the decision of the Secretary in respect of an appeal is subject to judicial review.
In summary, the enactment of the Electronic Transactions Ordinance and the establishment of the voluntary CA recognition scheme are examples of Government initiatives to promote the development of electronic commerce in the local community. Other Government initiatives include the Electronic Service Delivery scheme, the development of a common and open Chinese language interface based on the ISO 10646 standard, and the establishment of a local public key infrastructure supported by the CA service of the Hongkong Post. With these initiatives, the Government is moving ahead to position Hong Kong as a leading digital city in the globally connected world of the 21st century.
If you wish to learn more about the voluntary certification authority recognition scheme, you are most welcome to visit the Web site of the Information Technology Services Department. The Web site address is http://www.info.gov.hk/itsd.
End/Thursday, May 4, 2000