- The Consumer Council (the Council) is pleased to submit views to the Law Reform Commission Sub-committee on Cybercrime (the Sub-committee) in relation to its Consultation Paper on Cyber-dependent Crimes and Jurisdictional Issues. The Council sets out below its views in response to the Consultation Paper with a view to enhancing protection and promotion of consumer rights.
- For effective deterrence of cybercrimes, the Council welcomes the Sub-committee’s recommendation to reform the cybercrime law in response to the technological and societal developments in Hong Kong. With increasing acceptance of online shopping and e-commerce by consumers in Hong Kong, as well as the growing influence of AI technologies over consumer behaviours, it is believed that a safer and fairer cyberspace will be beneficial to consumers in general.
- The Council supports in principle the Sub-committee’s recommendation of a new piece of bespoke legislation to cover the five types of cyber-dependent crimes. For the purpose of this consultation, the Council would like to submit comments in response to Recommendations 1, 2, 5, 8, 9 and 11-15, which are relevant to enhancing consumer protection.
White hat hacking
- The Council in general agrees that there is a need to outlaw mere unauthorized access to a program or data, subject to the statutory defence of reasonable excuse. Nonetheless, the Council recognizes that white hat hacking is commonplace as an effective and accepted method of detecting cybersecurity loopholes, threats and vulnerabilities. If performed properly and with restraint, white hat hacking can enhance cybersecurity and hence facilitate safer and fairer online consumer experiences. The Council therefore agrees with the Sub-committee that prohibiting all kinds of unauthorized access could create a hindrance to cybersecurity enhancement, and hence a specific defence or exemption for unauthorized access for cybersecurity purposes should be introduced. The Council takes the view that “cybersecurity purposes” should be defined with care, such that the defence or exemption can only be invoked when the access is made for genuine cybersecurity purposes.
- As pointed out by the Sub-committee, cybersecurity practitioners are not formally recognized by any accrediting or professional body in Hong Kong. The Council supports the proposal to develop an accreditation regime to provide a mechanism for certifying cybersecurity professionals, who may then be identified with ease to determine whether the statutory defence or exemption of reasonable excuse applies. The Council notes that if the Sub-committee receives general support for the defence or exemption to be implemented through an accreditation regime in this round of consultation, it will further study how the regime should work in practice. The Council suggests that consideration be given to a statutory regime with licensing or accreditation criteria, such as a “fit and proper” requirement and a continuing education requirement. In view of the constantly changing accreditation landscape identified by the Sub-committee, the accreditation or licensing body may publish guidelines, circulars and codes of practice in response to those changes. The cybersecurity industry should be fully consulted on the administrative and operational issues of the accreditation regime.
Interception and use of data of consumers by businesses
- In Recommendation 5(b), the Sub-committee invited submissions on, inter alia, whether a genuine business which provides its customers with a Wi-Fi hotspot or a computer for use should be allowed to intercept and use the data being transmitted without incurring any criminal liability. Examples provided in the Consultation Paper include the use of such data to track locations of devices to indicate which shops are patronized more frequently and to facilitate location-based services (e.g. the pushing of relevant advertisements).
- The Council considers that the question needs further study in the following principal aspects: (1) the legitimate expectations of consumers using the Wi-Fi hotspot service, (2) the ability of consumers to read and understand the terms and conditions associated with such use, and (3) the alternatives available to achieve the same legitimate objective of enhancing consumer experience.
- Subject to the findings of such further study, the Council’s preliminary view is that notwithstanding any legitimate purpose of a genuine business in intercepting and using data transmitted through its Wi-Fi hotspot, it should normally be inappropriate to do so:
  - The Council supports the use of technology to enhance consumer experience. In a recent study of the Council on the use of artificial intelligence (AI) in e-commerce in Hong Kong titled “Fostering Consumer Trust – Ethical AI in Hong Kong” (https://www.consumer.org.hk/en/advocacy/study-report/ai_in_ecommerce), the Council found that 57% of the respondents to a survey agreed that AI helped reduce their time spent in choosing products, and 41% agreed that AI addressed their needs accurately. However, the majority of the respondents were concerned about how traders adopt AI and valued the choice to opt in and opt out. 74% said that they were worried about excessive data collection by traders. 78% hoped that traders would inform them about the use of AI, while 81% called for the right to opt for the use of AI tools.
  - In that study, the Council nonetheless emphasized (amongst other recommendations) the need for traders to be transparent about their data collection and processing policies and to avoid collecting excessive data.
  - When a mall or shop offers a free Wi-Fi hotspot service, the consumer may legitimately expect that it is simply in the nature of a value-added service to attract patrons. The consumer may not legitimately expect that his data would be intercepted and used for other purposes. On the contrary, he may expect his privacy to be fully respected and security measures (such as encryption) to have been implemented to prevent unauthorized access to his device and browsing activities. His use of the service may not be relevant to his activities at the mall or shop at all.
  - The indiscriminate collection of data transmitted through the Wi-Fi hotspot would in any event be too broad. This could potentially include personal data or even sensitive data such as bank account information and passwords. Irrespective of whether the data is encrypted or whether the business intends to use such data, it is unlikely that consumers would perceive such collection to be fair.
  - There are conceivably other alternatives available to a business wishing to track foot traffic and/or push advertisements. For instance, the business could offer a dedicated app which the consumer could download, or a QR code giving access to a web platform that displays relevant data to the consumer.
  - In any case, a distinction ought to be drawn between interception of data by the business on the one hand and transmission of data from the consumer’s device to the business on the other. Rather than the business seeking consent to the interception of data transmitted through the Wi-Fi hotspot, it would appear more appropriate for consent to be sought to the transmission of specified data (such as location data) from the consumer’s device to the business. In the latter case, the consumer would likely be in a much better position to readily understand the data that the business proposes to collect and the use to be made of such data.
- Notwithstanding the above concerns of excessive collection of data through Wi-Fi hotspots, the Council acknowledges that it is necessary and has no objection to the collection and logging of data identifying the devices connected to a public Wi-Fi hotspot for security reasons.
Web scraping and web crawlers
- The Sub-committee invited submissions on whether there should be a lawful excuse to the proposed offence of illegal interference of computer system for non-security professionals, such as, inter alia, web scraping by robots or web crawlers initiated by internet information collection tools to collect data from servers without authorization.
- The Council understands that web scraping and web crawling collect publicly accessible data on the Internet and are commonplace in Hong Kong and worldwide. For instance, Google uses web crawling to index pages for its search engine. A blanket prohibition on web scraping and web crawling of information publicly accessible on the Internet may inhibit the research and studies (whether for commercial, archiving, news reporting, academic or advisory purposes) required for improving market transparency, empowering consumers to make informed consumption choices and advancing consumer protection.
- Accordingly, the Council takes the view that web scraping and web crawling of data publicly accessible on the Internet by legitimate means should be exempted from the proposed offence of illegal interference of computer system. However, the offence could apply where the data is not publicly accessible, for instance where it is protected from general public access by encryption or a password. In this regard, the Council notes the recent judgment in HiQ Labs, Inc. v LinkedIn Corporation, No. 17-16783, DC No. 3:17-cv-03301-EMC (19 April 2022), in which the US Court of Appeals for the Ninth Circuit considered whether the data analytics company (hiQ)’s act of scraping publicly available member profiles on LinkedIn’s website may contravene the prohibition against accessing a protected computer without authorization under 18 USC 1030(a) of the Computer Fraud and Abuse Act (“CFAA”, referred to in the Consultation Paper), and held as follows:
“… it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.”
- On that note, the Council reiterates that it is important for traders to be transparent about their data collection and processing policies so as to bring about information transparency for consumers. For instance, a trader which collects data by web scraping or web crawling should disclose the fact that the data were not first-hand but collected from other sources. The source of the data collected should also, as far as possible, be disclosed to further enhance transparency.
Concerns over the proposed offence of knowingly possessing a device or data for committing a crime
- The Sub-committee proposed the introduction of the offence of knowingly making available or possessing a device or data for committing a crime, as a separate offence distinct from the aforesaid proposed offence of unauthorized access. The Sub-committee proposed that the offence should apply to a device or data so long as its primary use is to commit an offence, whether or not the device or data can be used for any other legitimate purpose. It was proposed that the primary use should be determined objectively and regardless of a defendant’s subjective intent. The Sub-committee further proposed that it should suffice if the device or data is believed or claimed to be capable of being used to commit an offence, irrespective of whether it is actually capable of being used to commit a crime.
- The Council is concerned that mere possession of such a device or data by a consumer could amount to the proposed offence, as the intent to commit a crime is not required as an element of the basic offence. The Council understands the Sub-committee’s concern that if a defendant’s subjective intent were required, the need to prove the defendant’s subjective mental state would give rise to evidential difficulty. Nonetheless, in the absence of the need to prove criminal intent, the proposed basic offence would be too wide in scope, such that consumers could contravene the law unintentionally.
- The proposed disregard of any other legitimate purpose of the device or data, as well as of the possessor’s subjective intent as to the use of the device or data, is also concerning. For instance, a consumer having in his possession a device for a legitimate purpose could be committing the proposed basic offence if the objective primary use of such a device is illegitimate, irrespective of whether the consumer was aware of that primary use. Further, as the Sub-committee has observed, the uses of a device or data may change as computer and internet technology develops. With technological advancement and the emergence of new crimes, a device which does not serve an illegitimate purpose today may do so in the future. This gives rise to the question of the point in time at which the primary use of the device should be assessed to determine whether it is illegitimate. Further, it is noted that the crime which the device or data is claimed or believed to be capable of committing is not limited to cyber-dependent crimes. This will cause further unease among consumers for fear of inadvertent contravention of the proposed offence.
- With the proposed offence being so wide in scope, the Council is concerned that consumers could be discouraged from trying new innovations for fear that they could violate the law inadvertently. Although the Sub-committee proposed the incorporation of a statutory defence of reasonable excuse to avoid over-criminalisation, the Council calls for more certainty over the ambit and applicability of the statutory defence.
Jurisdictional issues
- In Hong Kong, cross-border transactions are becoming commonplace owing to the proliferation of online shopping and other forms of e-commerce among consumers in recent years. The Council agrees that there is a need and justification for the proposed new cybercrime law to have extra-territorial application in order to sufficiently protect consumers in Hong Kong who engage in cross-border transactions. In respect of cyber-dependent crime where the victim is a consumer in Hong Kong, the Council considers that sufficient safeguards for consumers will be provided under the Sub-committee’s proposal that Hong Kong courts should have jurisdiction where “any act or omission or other event (including any result of one or more acts or omissions) the proof of which is required for conviction of the offence occurred in Hong Kong, even if other such act(s), omission(s) or event(s) occurred elsewhere”.
Conclusion
- The Council welcomes and supports in principle the proposal to reform the cybercrime law to catch up with technological advances in order to effectively deter cybercrimes. An accreditation regime should be developed to provide a mechanism for certifying cybersecurity professionals, so that the proposed statutory defence or exemption of reasonable excuse can apply with certainty. The Council is of the view that interception of consumer data by businesses should not be permitted unless there is prior authority from the consumer. Regarding automated collection of information from the internet, the Council suggests that collection of publicly accessible data by legitimate means should be a lawful excuse to the proposed offence of illegal interference of computer system. As regards the proposed offence of knowingly possessing a device or data for committing a crime, the Council has reservations over the proposed disregard of subjective intent and other legitimate use. Lastly, the Council agrees that, in order to safeguard consumers in cross-border transactions, Hong Kong courts should have jurisdiction when any essential element of the offence occurred in Hong Kong.