Following is a question by the Hon Chan Hak-kan and a written reply by the Acting Secretary for Constitutional and Mainland Affairs, Mr Andy Chan, in the Legislative Council today (January 17):

Question:

     It has been reported that in recent years, more and more household appliances, personal electronic products and electronic toys can access the Internet and are equipped with sound-recording or video-recording functions (smart products). However, some of the smart products have poor information security features. Once hackers successfully break into such products, they can steal the personal data of the users and their family members and even carry out overhearing and peeping activities, thereby intruding on their privacy. In this connection, will the Government inform this Council:

(1) of the respective numbers of requests for assistance and complaints received in the past three years by the authorities about smart products being used to steal personal data or intrude on privacy;

(2) whether it has assessed the risks of smart products being used to steal personal data or intrude on privacy, and of the measures to lower such risks;

(3) whether the authorities will (i) issue guidelines to stipulate the information security features with which smart products should be equipped, and (ii) launch a labelling scheme so that consumers can be informed of the information security features with which such products are equipped; and

(4) whether the authorities will study the enactment of legislation to require that certain categories of smart products for sale in Hong Kong must comply with specified information security standards?

Reply:

President,

     On the Hon Chan's enquiry, we have consulted the Office of the Privacy Commissioner for Personal Data (PCPD) and the Innovation and Technology Bureau. Our consolidated reply is as follows:

(1) During the period from 2015 to 2017, PCPD respectively received two requests for assistance and one case of complaint relating to the theft of personal data or intrusion of privacy arising from the use of smart electronic products connected to the Internet.

(2) and (3) The increasing popularity in the use of Internet of Things (IoT) technologies nowadays as well as the use of smart electronic devices becoming an integral part of the daily life of the public has given rise to the potential risk of smart electronic products being used for theft of personal data or intrusion of privacy. The Office of the Government Chief Information Officer (OGCIO) and its Government Computer Emergency Response Team have been co-operating closely with the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) under the Hong Kong Productivity Council and the Hong Kong Police Force (HKPF) Cyber Security and Technology Crime Bureau to monitor the overall information security situation in Hong Kong and provide appropriate support. The OGCIO, the HKCERT, the HKPF and other professional bodies organise various activities including "Build a Secure Cyberspace" annual campaign to raise public awareness and knowledge on information security. OGCIO has also established a "Cyber Security Information Portal" to provide general users, small and medium enterprises, and organisations with practical information and guidelines. These include protective and preventive measures against cyber attacks on computers and mobile communication devices.   

     Following the launch of various mobile payment services and development of mobile games, as well as the recent cyber security incidents arising from IoT devices, OGCIO and related organisations have included relevant topics and contents in various seminars and on the "Cyber Security Information Portal" to introduce the security risks involved in mobile games, mobile payment services and household network devices, and provided appropriate preventive measures and responsive solutions for risk mitigation.

     Besides, PCPD has put in place measures to guard against the risk of data leakage, including the publication of the infographic "Protect, Respect Personal Data – Smart Use of Internet of Things" and the information leaflet "Physical Tracking and Monitoring Through Electronic Devices" to explain the possible personal data privacy risks associated with the use of IoT-enabled electronic devices, and to put forth recommendations on the different privacy protection measures to be taken. To address the users' practice of using smart electronic devices to download mobile applications, PCPD has also produced publicity videos providing recommendations to the public on the protection of personal data during the use of such applications.

(4) OGCIO provides public and private organisations with information on internationally recognised standards on information security and practice guides through its InfoSec website, in order to facilitate them to take protective and preventive measures as appropriate according to their business needs. OGCIO also actively keeps in view the latest development of the standard of information security management system ISO/IEC 27000 series, and regularly publishes and updates the information on "An Overview of ISO/IEC 27000 family of Information Security Management System Standards" on its website for reference by the public and private organisations.

Ends/Wednesday, January 17, 2018
Issued at HKT 14:30

NNNN