Graham Greenleaf --- "Hong Kong's 'smart' ID card: Designed to be out of control" [2008] ALRS 10; Chapter 5 of Bennett, C and Lyon, D Playing the Identity Card,

Last Updated: 19 July 2010

Hong Kong’s ‘smart’ ID card:
Designed to be out of control

Graham Greenleaf[*][1]

Chapter 5 of Bennett, C and Lyon, D Playing the Identity Card, Routledge, 2008

Hong Kong has had an ID card system for nearly sixty years, used primarily for purposes of immigration control, and for identification by government, but at the turn of this century it decided to convert it to a chip-based 'smart' ID card. This was only a few years after Hong Kong became part of the People's Republic of China. The Hong Kong Administration took the opportunity to make the smart card multi-functional from the start, but claimed that use of all the additional functions would be voluntary. This Chapter questions to what extent these uses of additional functions will be voluntary, and whether this is significant. It examines the potential for further expansion of the functions of Hong Kong's ID system, commonly known as 'function creep', and the extent to which any such expansion will or will not be under democratic control.

Sixty years of ID cards in Hong Kong

ID cards have become a pervasive fact of life in Hong Kong since their introduction following World War II and the enactment of the Registration of Persons Ordinance (ROPO) in 1949. The UK colonial government gave a commitment that the scheme would be withdrawn once the turbulent post-war conditions, particularly the influx of refugees from China, had subsided (Waters & Clarke, 2000: 15). By 1960, when the ROPO was overhauled, the laminated ID card included the holder’s fingerprint and photograph, but new cards from 1973 no longer included fingerprints (Wikipedia, 2007). Neither the 1949 nor the 1960 ROPO made it compulsory for the card to be carried, only for the ID number to be provided in dealings with government. However, by the late 1970s the levels of illegal immigration had become overwhelming, rising to over 100,000 in 1979 (2% of the population), and the ID card became a principal means of controlling this influx, and consequently obtained a high level of local acceptance (Bacon-Shone, 2007). In 1979 ROPO was amended to allow regulations to be made requiring persons to carry their ID cards in designated areas and produce them on request to Police, and by 1980 regulations had designated all of Hong Kong’s territory (Waters & Clarke, 2000:15, Wikipedia, 2007), influenced by the influx of illegal immigrants into Hong Kong following the wars in Indochina. Further legislative amendments in 1980 (Immigration Ordinance s17C), supporting prohibitions on employment of illegal immigrants, made it mandatory for all Hong Kong residents over 15 years to carry a recognised ‘proof of identity’ in public places and produce it to Police on demand (Waters & Clarke, 2000:16, Wikipedia, 2007). Children aged 11 are required to obtain an ID card, but not to carry it until they turn 15.

The content on the ID card was a person’s name (in English and/or Chinese), sex, date of birth (DOB), photograph, various registration dates, ID card number (including a prefix such as W for domestic helpers), and symbols indicating where the holder was born, conditions of their residence in Hong Kong, and whether their reported name or DOB had changed since first registration (Waters & Clarke, 2000: 29, Wikipedia, 2007).

The political and constitutional context into which one of the world’s more technically sophisticated ID systems is being introduced strongly influences the prospects for protection of privacy. Hong Kong was a British colony until 1997, when sovereign control was resumed by the People’s Republic of China (PRC), and since then has been a Special Administrative Region (SAR) of the PRC. Its relatively short history of privacy protection is shaped by the conditions of that ‘handover’ of sovereignty.

The colonial administration’s desire to legislate on pre-handover ‘unfinished business’, particularly in relation to protection of civil rights, gave Hong Kong a data protection law, the Privacy (Personal Data) Ordinance of 1995. Hong Kong is still the only Asian jurisdiction that has a Privacy Commissioner. The continuation of United Kingdom-influenced common law means that, as in the UK, there is no common law right of privacy. Hong Kong’s ‘high degree of autonomy’ (Sino-British Declaration, 1985) from the PRC involves only limited democracy. The Chief Executive is appointed by the Central People’s Government. The members of his ‘cabinet’, the Executive Council, are all appointed by him. Legislation is made by a 60 member Legislative Council (LegCo), of which half are elected by direct elections from geographical constituencies and the other half from functional constituencies such as specified occupational groups and industries. Despite a decade of stability since the 1997 handover, there is little ‘democratic dividend’ for Hong Kong beyond a slight increase in the number of elected representatives. Although it is restrained in its interference, the mainland government shows no immediate sign of allowing Hong Kong to become more democratically governed, let alone fully democratic.

Uses of the ID card and number

In practice, the main official uses of the ID card (as distinct from the ID number) have been the requirement to produce it on demand to Police or Immigration Officers, as a travel document in some circumstances (particularly in travelling to and from the People’s Republic of China), and to present to prospective employers (Waters & Clarke, 2000:29).

Where required, ‘in all dealings with government’, individuals must provide their ID card numbers, and the numbers of any other persons for whom they are required to produce details, such as family members, notwithstanding any other law to the contrary (ROPO s5(1)(b)). This has been one of the main factors leading to the largely unconstrained range of uses of the ID number in the public sector. It has accustomed people to producing their ID cards as well, since that is a convenient way to provide and ‘verify’ your number. Common situations of use of the ID number by government include: its inclusion on the drivers’ licence (and hence its availability to anyone to whom that licence is produced); its use by the Inland Revenue Department as the primary identifier for individuals; its compulsory collection by employers; its use in Police systems (Waters & Clarke, 2000: 30); and its use as the file number of hospital patients.

In the absence of any law that prevented this, use of the card and number in the private sector has also been widespread. They were required to be disclosed or presented to a wide range of private sector organisations. The number was recorded in the visitors’ books of businesses and apartments, and on contracts, demanded at the scenes of accidents and so on (Waters & Clarke, 2000: 30). Production of the card is often required to verify a number already provided.

The use of number and card for many purposes created a great deal of convenience for individuals as well as business and government. Proving one’s identity was, and is, a simple matter in Hong Kong, the one caveat being that only government authorities had the means to ascertain whether the ID card or number that is proffered is lost, stolen or a good counterfeit.

Post-1997 controls – Privacy Ordinance and ID number Code

Hong Kong’s 1996 Personal Data (Privacy) Ordinance (PDPO, 1996) is a conventional ‘European style’ data protection law, based around Data Protection Principles (DPPs). Its enforcement mechanisms are weaker than most, with no effective means for victims of breaches to gain compensation, and a sporadically-used criminal enforcement process. The Privacy Commissioner’s office has been energetic in securing government and business compliance with the Ordinance, in a culture that respects laws and authority.

In 1997 the Privacy Commissioner issued a Code of Practice on the ID number (HKPCO 1997), as required by the Ordinance (PDPO 1996 s12(8)). The Code’s purpose is to specify, as a rebuttable matter of law, how the Ordinance applies to the ID number (PDPO 1996, s12), so the Commissioner was in effect required to work out whether existing uses of the number breached the DPPs. As a result of ROPO s5 the Code could not impose limits on the collection of ID numbers by government agencies, and it was questionable how it could affect other aspects of its public sector use. The Ordinance imposed separate controls on data matching. In relation to the private sector, the Commissioner was not so constrained. This was a historic opportunity to control the uses of the ID number and therefore the card, but the opportunity was lost when the Commissioner took the view that ‘roll-back’ was not a viable option, even in the private sector, in the absence of specific statutory direction or a strong body of public opinion calling for this.

In the public sector, the Code (HKPCO Code 1997) does not impose limits on the collection of ID numbers by government agencies. It also allows the ID numbers to be used as multi-purpose internal identifiers by any organisation. The controls the Commissioner can impose on data matching because of other powers in the Ordinance take on greater significance in this context because the ability of Hong Kong agencies to collect and use ID numbers makes matching exercises so much easier. In the private sector, the Code allows routine collection of ID numbers by any organisation that requires some reliability of identification in order to avoid non-trivial losses (HKPCO Code 1997, para 2.6.3). Although private bodies cannot legally compel disclosure, they can make it a condition of doing business with an individual. It allows such numbers to be used as multi-purpose internal identifiers by any organisation. Copies of cards (eg by fax) may be required to verify identity remotely. ID numbers may be shared with other private sector organisations where collected for ‘a purpose shared by both’, but if the disclosure is for purposes of ‘data matching’ it would have to satisfy the separate rules that the Ordinance imposes on such activities. Prior to the introduction of the smart ID card, the main protection against more extensive use of ID numbers by the private sector has been the difficulty of collecting ID numbers by automated means.

The breadth of use of the ID card and number in Hong Kong is indicated by the diversity and number of complaints about them reported by the Commissioner (see HKDPO cases, 2007; WorldLII cases 2007). The Commissioner’s findings in these complaints also illustrate that, while the Code is very permissive, it is still possible to breach it and the DPPs underlying it (see Greenleaf, 2007). Excessive collection (DPP 1) is not a source of complaints of importance, given the Code’s liberal acceptance of collection of ID numbers. Wrongful disclosure (DPP 3) allegations make up more than half of the complaints received. Examples of where breaches have been found include a newspaper publishing a copy of a witness’s statement including his ID number and name; a prosecuting authority providing a witness statement to a defendant including the witness’s ID number; a finance company disclosing to its debt collector a copy of a debtor’s ID card; a business disclosing an ex-employee’s ID number to customers to stop him poaching business; inclusion of ID numbers in data provided to an affiliated company; a property company’s disclosure of tenants’ ID numbers and other particulars to an affiliated ‘club’ that provided services. The security principle (DPP 4) is also invoked where actions cause inadvertent disclosures, or make it easier for disclosures to others to occur. Breaches have occurred where a company used the first six digits of its customers’ ID numbers as the default password; and where envelope printing errors or losses of a PC in a taxi have caused wholesale disclosure of customer ID numbers.

The ‘smart’ ID card system

A chip-based ‘smart’ ID card for Hong Kong was first proposed within the Hong Kong government in 1999 as part of a review of the Information Systems Strategy of the Immigration Department (ImmD), and a project team was established. In early 2000 it came to public attention through a discussion paper presented to LegCo in the course of ImmD seeking funds for a position to oversee the project, and a succession of feasibility studies and reports followed (see Waters & Clarke, 2000: Part III). ImmD had requested consultants to advise on the feasibility of the smart ID system being used not only for its core business of immigration control, but also for other applications generally, including voter registration.

In March the Privacy Commissioner expressed concerns in public about the risks of ‘function creep’, and recommended a Privacy Impact Assessment (PIA). Some legislators expressed concern about privacy issues, and attempted to link this issue to other proposed legislation concerning treason, sedition etc (the ‘Article 23’ proposals). A PIA was completed for ImmD in November 2000 (Waters & Clarke, 2000). Although an abridged version became available sometime late in 2002, its recommendations were largely ignored in the LegCo debates, and perhaps were unknown by most participants. The quality of public debate was diminished as a result.

The intended scope of the proposed system remained uncertain throughout the political debates of 2001-02. It is clear that various agencies in the Hong Kong administration took the view that the new ID system had unlimited potential for expansion of uses. By 2000 the Information Technology and Broadcasting Bureau (ITBB) was coordinating a separate investigation into potential applications for a multi-application smart card, and this seems to be the genesis of the inclusion of the driver’s licence, library card and digital signature functions in the smart ID card. Other functions were considered by ITBB including as a health card, for voting, and as a senior citizens concession card (Waters & Clarke, 2000: 41). In December 2001, well into the debates, ITBB said '[t]he potential use of the chip is large and new possible functions are emerging all the time' (ITBB, 2001). ITBB subsequently pointed out that the separate ‘card-face data’ segment will give ‘flexibility’, and will allow ‘case by case’ approval of other applications for the purpose of ‘authenticating citizens before services are provided’ (ITBB, 2002).

In mid-2002 a Bill to amend the ROPO to enable the introduction of the smart ID card was introduced to LegCo (ROP Amendment Bill, 2001), together with an indicative draft by ImmD of likely amendments to the ROP Regulations (ROPR, 2007). By this time, the administration had reduced the proposed initial functions of the smart ID card to four functions in addition to immigration control: a drivers’ licence; a library card; a token to carry a digital signature; and an authenticator to access e-government services. The administration insisted that all of these uses were voluntary, and that the only compulsory use of the card was for its normal immigration functions.

After hearings by LegCo committees, the legislation was passed in early 2003. Only a dozen organisations and individuals gave evidence or made submissions (LegCo, 2001, Appendix II). Only two were critical (Greenleaf, 2001 and Lee, 2001), and the Administration attempted a detailed rebuttal of one (Administration Response to Greenleaf, 2001). The Committee’s Report (LegCo, 2001) endorsed the Administration’s general approach, but stressed that ‘the storage of [any non-ROP] data in a chip requires the consent of the card holder’, and that this should be reflected in both the Ordinance and Regulations.

During this whole period 2000-03 there was no significant public disquiet at the proposed changes to the ID system. Hong Kong’s newspapers took only intermittent interest, when prompted by some LegCo development, and no public protest, NGO opposition or even letters to the editor appeared. However, in June 2003, only a couple of months after the ID legislation was passed, an estimated half a million people from a population of 6 million took to the streets to protest against attempts by the government to introduce a ‘security’ law.

The new Hong Kong ID card is a contact smartcard which contains on its face the same information as the previous card. The chip on the card contains all of this information in a separate ‘card face segment’ and separately contains templates of two fingerprints. In some cases it contains a digital signature and PIN, where the user has allowed a digital signature (a HK Post eCert) to be added.

The ‘roll-out’ of smart cards to replace the existing ID cards started in 2003 and was only completed in March 2007. As of September 2007, all previous ID cards are invalid, and those who have failed to apply in time are potentially liable for a fine of HK$5000 (HK Administration, 2007). The effects of the smart ID card have therefore not yet been fully felt by Hong Kong’s citizens. Both claims of its benign effect, and arguments about its potential abuses (as are found in this paper) are still largely predictive.

The inadequacies of controls on function creep

The core problem of the Hong Kong ID system is the failure ever to define its purpose with precision. This was so with the previous ‘dumb’ paper-based system. Its conversion into a smart-card-based system exacerbates that problem by being based around an intended but undefined expansion of functions, coupled with greater technological possibilities. To warn of this risk is not to posit a ‘function creep conspiracy’. It is likely that the authors of future function creep will have had nothing to do with the introduction of the smart ID card; they will merely be opportunistic beneficiaries of the loopholes that have been created.

The longer-term risks of ID system expansion, while they did not capture the imagination of the Hong Kong public, were clear to some local commentators:

'The risk is that the smart ID card, once extensively used for all purposes, may enable the government and other personal data users to use the card as a means of abusive social control and massive invasion of privacy. This is the evil we must guard against.' (Lee 2002, para 2)

The main question this Chapter seeks to answer is to what extent did Hong Kong guard against the ‘evil’ about which Lee warns, when it enacted legislation to introduce the smart ID card in 2003? It could have been the appropriate time for LegCo to more precisely define the circumstances under which government agencies collect and use the ID number, and to re-assess the use of the ID number by the private sector. Even if it could not define all possible future acceptable uses of the ID card and number, LegCo could have ensured it had powers to examine proposed future expansions and approve them if they were in the public interest. In other words, it could have ensured legislative oversight of function creep. Like any identification system, Hong Kong’s smart ID system cannot be understood by focusing on the ID card alone. We must also consider the ROP database that stands behind the card, and the ID number the use of which is facilitated by the card and its chip.

New uses of the card and chip

The amended ROPO and ROPR give LegCo weak control over the expansion of uses of the smart ID card and chip. We need to consider both new functions that require changes to the card or chip, and those that do not.

Despite improvements made to the Bill during the legislative process, it still allows new content to be added to the card or chip, enabling new uses, merely by amendments to regulations. Such regulations do not require positive LegCo approval, but can be disallowed by LegCo. It is also possible that new uses of the card/chip may not require amendment of any other Ordinance. Such additional information can only be included in identity cards or their chips ‘with the consent of applicants for or holders of identity cards’ (ROPO s7(2A)), as required by the LegCo Bills Committee. The Regulations add that the person to whom the card relates can have such data removed on request, and that the purpose of adding new data, and the data to be added, must be listed in Schedule 5 (ROPR cl 4A(1)). Parties entitled to add such data do not need to be listed in Schedule 5, but only need to have the permission of the Commissioner of Registration to add data. As yet, only the HK Post eCert is listed (see Greenleaf, 2007). Function creep in the chip without a new amending Ordinance is therefore limited to data which can be described as added by consent, a valuable limitation achieved through the legislative process and the submissions that warned that the Bill was too broad.

Despite this useful limitation, we need to consider the types of expansion by regulations that this still leaves open. As described above, the structure is already in place to allow private sector additions to the content of the chip, because the Commissioner of Registration can give permission to ‘any person’ to add data. Such permission will also constitute ‘lawful authority’ to store, alter or add to data in a chip, so that doing so is not an offence (ROPR cl 12(1A)). The way is therefore open for medical data, stored value ‘purses’ or other data to be added to the ID card, making it much more seriously ‘multi functional’ than it is at present. The only check on this is that regulations adding to Schedule 5 can be disallowed by LegCo, assuming that the issue appears important enough. The Bills Committee noted, and was apparently satisfied with, an Administration undertaking ‘to brief the relevant Panels before introducing subsidiary legislation to provide for the incorporation of new non-ROP related applications on the card face of a smart ID card or in the chip ...’ (LegCo, 2001: para 33).

Any additional government use of the card that does not require additional data on the card does not require a Schedule 5 change, so there is no LegCo opportunity for scrutiny. New uses of the card can arise if any government agency decides to use the ID card in replacement for some identification card of its own, relying on the power to require a person to furnish their card number when dealing with government (ROPO s5). Sometimes there will need to be some coincidental change to other legislation, as with the need to carry a driver's licence, and the library card application (see Administration Response to Greenleaf 4.3). However there is no reason to expect that such coincidental changes will always be needed, and it was not needed with the fourth initial ID card application, the online change-of-address facility (ibid). LegCo has no power to disallow such uses, unless it passes new legislation, and may not even become aware of some new uses. The potential expansion of the uses of the ID system is therefore not tied to changes of the card or chip, and can occur without LegCo scrutiny.

The use of card readers to do ID checks (including fingerprint comparisons) was originally proposed to be open to any 'authorized persons' approved by the Chief Executive, without any LegCo scrutiny of the exercise of this power (Greenleaf, 2007). The Bills Committee took up the argument in submissions that this could be used to allow private sector security guards, or even some mainland government officials, to fingerprint people (Greenleaf, 2002). Reg 11A was amended to restrict this power to ‘a police officer or a member of the Immigration Service’ who would have to have reason to believe that the person concerned held an ID card that was not theirs (ROPR 2003, Reg 11A).

Expanded uses of the ROP database

An ID system can only be understood in the context of the databases behind it. Waters & Clarke (2000) set out in the first PIA the extent of the ROP database, and warned that it would be more attractive to external users, once it was augmented by the smart ID system, because of its expanded digital content (see also Greenleaf, 2001, and Lee, 2001: para 5). The permitted uses of the ROP database by the Immigration Department itself are very broad, and were made broader by the 2003 amendments (ROPO as amended, 2003: s9): (i) to enable public officers to verify the identity of persons; (ii) to enable verification of identity ‘for any other lawful purpose’ and (iii) for ‘such purposes as may be authorized, permitted or required by or under any Ordinance’. Other than for its power of disallowance of (iii), if it notices, LegCo has no role in controlling the expansion of uses of the ROP database.

Powers to allow new forms of disclosure from the ROP database by the Immigration Department to external organisations are equally broad. New classes of users only require approval in writing from the Chief Secretary for Administration (ROPO as amended, 2003: s11), and may apply to a 'class or category of persons by name, office or description'. No regulations subject to LegCo scrutiny are required, and the Privacy Commissioner does not have adequate powers to control these disclosures (Greenleaf, 2007).

Expanded uses of the ID number

As outlined above, prior to the smart ID system, the collection of the ID card number in Hong Kong was already largely uncontrolled because of the weaknesses of the privacy Ordinance (PDPO, 1996) and the ID Number Code (HKPCO, 1997). In this permissive context, the introduction of the smart ID card would be likely to dramatically increase the collection and retention of ID numbers and their use to link internal organizational data, provided it brought with it greater ease of electronic capture of ID numbers and other basic identity information such as name.

This risk is heightened by the existence of the 'card face segment'. There is a separate segment on the ID card chip for 'card face data' (ID number, name, date of birth and date of issue), which can be accessed electronically by libraries as part of the proposed library card function, ‘and on a case by case basis for other functions that may be approved in future’ (ITBB, 2002). The chip therefore has differential levels of security for different segments.

The new s12 (ROPO, 2003) creates an offence where anyone 'without lawful authority or reasonable excuse, gains access to, stores, uses or discloses, any record kept by the Commissioner on particulars furnished to a registration officer', but it is still an open question whether accessing card face data is ever illegal because of this (Greenleaf, 2007). However, the new Reg 12(1A) (ROPR, 2003) is more effective, providing simply that ‘any person who, without lawful authority or reasonable excuse ... (b) gains access to any data stored in a chip’ is guilty of an offence. The only exceptions are where a person accesses their own data via a government-approved facility, and where a third party is authorised under Schedule 5 (eg a HK Post eCert) (ROPR, 2003: Reg 12(1B)), so the remaining question is who can give a third party ‘lawful authority’ to access data on the chip? The Administration’s answer (HK Administration Response to Greenleaf, 2002: para 3) is that the Commissioner of Registration can do so, and can enforce this because the card face data is encrypted (Greenleaf, 2007).

It seems therefore that the 2003 legislation provides for bureaucratic discretion, coupled with technical control and criminal sanctions, to determine who can access the card-face data. LegCo oversight does not seem to be a necessary part of the picture. These controls, while valuable, still allow the possibility that the Administration could authorize any private sector or public sector party to use card readers (with the appropriate cryptographic keys) to read and capture card face data. The weak controls in the PD(P)O and the Commissioner's Code would have little effect on limiting where this could occur (Greenleaf, 2007).

In summary, the 2003 amendments authorizing the smart ID card system ensured that LegCo control of its expansion could be largely bypassed once it was safely in place. Whether in practice it will be bypassed, or whether the Administration will seek LegCo approval for all forms of expansion, is of course a different matter. LegCo has the capacity to disallow any regulations providing for the addition of any new data to the card or chip and the addition of any other parties entitled to do fingerprint checks. On the other hand, it does not have any general formal control over new uses of the ID card or chip which do not require new data to be added, new uses of the ROP database, expansion of disclosures from the ROP database or decisions as to who will be given the technical capacity to access the data on the card-face segment of the chip. Therefore, too many matters have been left to administrative discretion, and put outside the formal powers of LegCo to disallow expansions.

The limited 'voluntariness' in the four new functions

The Administration claimed that all four initial non-immigration uses are voluntary. This is correct in two limited senses: (i) it is not compulsory for anyone to have extra information on the ID card, and (ii) it is possible to carry out the four applications by means other than the use of an ID card. However, in relation to each proposed use, the 'voluntariness' is significantly limited or qualified, either in that (a) citizens/consumers will not remain unaffected by new uses even if they ostensibly opt out of them, or (b) they are not being given a genuinely non-discriminatory choice. They are better described as 'quasi-voluntary'. It can also be argued that '[e]ven if the adoption of non-immigration applications by the users is optional, convenience and usefulness will eventually dictate adoption' (Lee, 2002: para 6).

More important, the label of ‘voluntariness’ does not answer the question of whether an additional use of the ID card should be allowed, either for these proposed uses or any in future. One result of the 2003 legislation is that LegCo has to a large extent lost its ability to control extensions of the use of the ID system, provided those extensions can be labeled 'voluntary' in the weak sense described above.

The following discussion is not necessarily a criticism of the four applications now being carried out by use of the existing Hong Kong smart ID system. Rather it is a criticism of the lack of thorough investigation of what was being proposed that took place before its introduction. Furthermore, it is not a criticism of the extent to which these applications really are voluntary, the value of which was underlined in the first PIA, subject to the caveat that it was ‘not implemented in such a way as to make the choice of the application a practical necessity’ (Waters & Clarke, 2000: 64). As the PIA authors recognised, voluntariness is not a slogan or an absolute: it needs examination.

Driver's licence on backend computer

It is proposed that the ID card will also serve in lieu of a driver’s licence. At present, all drivers have a plastic licence which can be inspected by police. It is therefore not necessary in many cases for police who have pulled over a driver to do a backend check, as they can readily establish that the person does hold a driver's licence and the driver's identity (if necessary by also requiring production of ID card with photo). They cannot check if it has been suspended unless they contact the backend system.

Under the new system, the default position will be that drivers will not have a separate licence (the plastic licence) unless they opt-in in order to obtain one. There will be no licence data on the ID card chip. Instead, the licence will be constituted by the data on the backend computer, which Police will access through a person providing their ID card. If (as seems likely) most drivers will not opt-in to obtain the plastic licence, then Police who have pulled over a driver will always need to do a backend check, as they otherwise cannot even establish that the person has ever held a driver's licence. The Administration claims that 'circumstances for checking should be no different from (not more comprehensive than) the current practice’ (Administration Response to Greenleaf, 2002: para 1.1). This does not seem to be correct if most drivers will no longer hold a visible licence.

Furthermore, where a person does opt-in to obtain a plastic licence, police checking of the backend database could still become more likely than it was before. Holders of plastic driver's licences will not be exempt from producing their ID card ‘for inspection’ (ROPR, 2003: Reg 11). Police will still be able to ask for production of an ID number so as to verify the person’s identity (ROPO, 2003: s5). The ID card may be able to be swiped, once Police are equipped with card readers for online checks. If this becomes commonplace then the plastic licence may become meaningless in interactions with Police, and only used for hiring cars, overseas driving, and other interactions where a visible licence is essential.

This change is only 'voluntary' if you consider that a requirement to opt-in in order to maintain the status quo is 'voluntary'. This is a compulsory change to a substantially different system from which you can only partly opt-out. It is not necessarily an objectionable change (particularly given that Hong Kong driver's licences are already based on ID number) but it is certainly not voluntary.

Library card use

Leisure & Cultural Services Dept. (LCSD) will be able to read/copy electronically from the chip all data on the face of the card (‘card face data’) (ITBB, 2002). No other proposed application requires reading only that data. The library application is the first of what may be other applications for ‘authenticating citizens before services are provided’ based on reading card-face data, and it is very important for that reason. Without the library application, there would have been no current need to design a card with a separate card face segment. By adding what ITBB describes as the 'straight-forward and non-controversial' library application (ITBB, 2002), the basis for many possible extended uses has been designed in to the Card from the outset.

The library card application 'has been designed to use the ID card number as a matching key to the library card number' (Administration Response to Greenleaf 1.4). This increases the risk that a person's library borrowings could become known to others because it is easier to find out a person's ID number than their library number. No doubt security measures have been taken to prevent this from eventuating, but the risk has been increased through correlation with another numbering system. A person's borrowings of books or films are sensitive information which can indicate beliefs and interests, especially important in a jurisdiction which is part of the PRC.

It seems that this application will be 'voluntary' in the stronger 'opt-in' sense because at least existing library users will have to apply to use their smart ID card for library purposes (HK Smart ID, 2007: ‘Library Services’ section). There was no need for the ID number to be used as the library number. The library card number could have been stored on a separate component on the ID card, providing the convenience of dispensing with a separate library card, without the dangers of expanding use of the ID number into another information system (Bacon-Shone, 2007). The Administration rejected this argument on the grounds of cost and arguable inconvenience if an ID card was lost or remote services were being used (Administration Response to Greenleaf, 2002, para 1.4).

HK Post eCert on the chip

During the ‘roll-out’ of the HK smart ID card from 2003-07, all persons obtaining new cards have been offered the option of including a digital signature on the ID card chip, the e-Cert provided by Hong Kong Post. Use of the e-Cert was free for a period of time. The ‘voluntariness’ of this arrangement has to be considered in the context of what freedom of choice Hong Kong citizens have been given in obtaining and using digital signatures.

First, in 2007 no digital signature other than an e-Cert from HK Post can be included on a smart ID card, five years after the Administration’s 2002 claim that it will 'consider allowing digital certificates by recognized certification authorities (CAs) ....other than HKPost' on the ID card 'when there is strong public support' (Administration Response to Greenleaf, 2002, para 1.2). This statement conveniently ignored that: (i) there is no evidence of 'strong public support' for a government-provided digital signature on the chip; and (ii) no other CA provider will ever be given the opportunity to ask all SAR residents whether they agree to have their company's digital signature on the chip.

The privacy dangers of digital signatures on ID cards are largely matters of future possibility, not of current policy or practice in Hong Kong. One danger of digital signatures on a government ID card arises from abuses of government power in breach of the law (for example, governments obtaining access to the private key, or capturing data relating to digital signature use). Other dangers would require legislative changes such as requirements that an ID number always be used in conjunction with a digital signature, or vice-versa, in electronic transactions. These potential dangers are less if there are multiple signature providers. The likelihood of collaboration in abuses is greatly reduced by the number of parties involved. The likelihood of effective opposition by signature providers to undesirable legislative changes is greater the more providers there are.

It is true that digital signature certificates are available on other media and from other providers in Hong Kong, but the only option put in front of every eligible person in Hong Kong was for a (free) HK Post e-Cert on an ID card. In theory, citizens were free to choose, but in practice they may not have been making an informed choice. Despite its 'first mover advantage', HKPost has been unable to achieve a high take-up of e-Certs, with only 0.28% of those issued being renewed when payment was required, and only 10% of those issued ever being used (Ming Po, 2007). The potential dangers of a government-endorsed de facto digital signature monopoly coupled with an ID card are unlikely to materialize for the present. The HK government is no longer requiring eCerts for online tax returns, and is allowing PINs instead (Bacon-Shone, 2007).

The Administration claimed that to allow for signatures from multiple CAs on one card would raise 'more issues on privacy protection' (Administration Response to Greenleaf 1.2). All this means is that it would have needed to get the protective measures right at the outset. The provision of only the e-Cert on the chip was and is unjustifiably discriminatory, denying citizens the full choice that should have been available to them. Also, if the use of a digital signature is ever made the only practical option in other contexts (as discussed below), this reduces the extent of voluntariness in holding an e-Cert on the smart card. Voluntariness is a matter of degree, here as elsewhere.

Online change of address use

ESD Life is the Hong Kong government’s online service for provision of e-government services (ESD Life, 2007). In 2002, use of a HK Post eCert was compulsory for online change of address with multiple government departments via ESD kiosks, but an additional Certification Authority (Digi-Sign) has now been approved. The HK Post e-Cert was also proposed as the only way by which drivers would be able to check the status of their licences online. It has also been the only way by which one could participate in share voting online (Webb, 2002). The main issue here is whether the exclusive relationship between the e-Cert and the ID card is giving Hong Kong residents as full a choice of options for electronic change of address and other functions as is reasonably practicable. To the extent that it is necessary to use a HK Post e-Cert – as distinct from other authentication methods or other providers – in order to carry out online transactions, this application becomes less voluntary than it seems.

The smart ID card is not the only token on which the e-Cert may be carried. It is also possible to inform government departments by post or personal attendance of a change of address, but that is increasingly unattractive to many people – and to government. An alternative means of accessing government services, authentication by a PIN stored on the ID card, was explicitly rejected by ITBB, which proposed that the e-Cert use will be the only method implemented on the ID card without giving any convincing justification (see Greenleaf, 2007). This unwillingness to consider inclusion of a PIN on the ID card seems to undermine its argument that the use of the e-Cert on the ID card is ‘voluntary and non-discriminatory’ (Administration Response to Greenleaf, 2002, para 1.3). Users are denied the widest possible choice of options in electronic transactions.

In summary, the use of the ID card as a drivers’ licence is only 'voluntary' if a requirement to opt-in in order to maintain the status quo (ie keep a plastic licence) is 'voluntary'. The library card example illustrates how LegCo ought to consider the full context of even a 'straight-forward and non-controversial' application, and the cost-benefits of alternatives, before deciding whether it is justified. The provision of only the e-Cert on the chip was and is unjustifiably discriminatory. It unjustifiably denies citizens choice and is not ‘voluntary’. Similarly, lack of other authentication mechanisms such as a PIN on the ID card undermines the argument that the use of the e-Cert on the ID card is 'voluntary and non-discriminatory'. Voluntariness is a matter of degree in arguments about identification, a relevant factor but not a conclusive one. These four examples show why close LegCo scrutiny of the whole context in which any proposed expansions of the ID system will operate is necessary. LegCo, not the Administration, should decide whether each change is in the public interest or involves unjustifiable dangers. ‘Voluntariness’ is a red herring, if used to deflect the need for proper legislative scrutiny.

Conclusions: Designed to be out of control

What could Hong Kong learn from its experience in rebuilding its ID system? The most obvious thing is that LegCo oversight has been diminished more than it should have been, partly because of exaggeration of the importance of ‘voluntariness’.

Ongoing Privacy Impact Assessments needed

If LegCo regained more oversight of the proposed expansions of the system, it should have some process for obtaining independent expert advice, because the issues are complex and the Administration should not be allowed to completely set the agenda. Despite various calls to do so (Waters & Clarke, 2000; Lee, 2002; Bacon-Shone, 2002; Greenleaf, 2002), the Immigration Department (ImmD) did not obtain a proper Privacy Impact Assessment (PIA) on the non-immigration uses of the ID card (see Greenleaf, 2007).

There may be many more proposed applications of the ID system in years to come. LegCo should implement a better process by which it can approve or disapprove any proposed expansions on the basis of comprehensive, expert and independent PIAs. The ROPO would ideally be amended to require them, with the terms of reference for the PIA(s) requiring approval by LegCo, to ensure that all implications are canvassed, including whether or not the application should be an allowed use of the ID card. It should be necessary for PIAs to be published in sufficient time to allow public comment before LegCo assesses them.

The Privacy Commissioner should at least comment, to help ensure that the PIA consultant had appropriate privacy expertise. The Commissioner should have an ongoing pro-active oversight over the uses and expansions of the ID system, and could have more immediate and concrete input than a PIA which might have to be justified in each instance. It is also possible that Hong Kong’s bureaucrats might be more respectful of intervention by one of their own with established expertise and credentials.

A comprehensive code for the ID system is needed

The first PIA recommended a comprehensive code controlling all aspects of Hong Kong's ID system (Waters & Clarke, 2000: 63):

From a privacy perspective, it is desirable for the objectives of the HKSAR ID Card system to be expressly specified in law. The current situation, where there is a statutory framework for Registration, and for access to registration data; but where the uses of the Card and Card Number are not defined and only loosely controlled, is unsatisfactory. A comprehensive statutory framework for the ID Card system as a whole, including registration and uses of the card and card number, would provide important privacy protection, and give re-assurance to the HK population in the face of concerns about 'function creep' and increased surveillance. It would also clarify and remove any uncertainty over the authority for specific uses and disclosures.

The Administration claims that the current composite of the PDPO, the ID number Code, the ROPO and the ROPR, and the Immigration Ordinance, constitute such a comprehensive code (Administration Response to Greenleaf 5.3), but the numerous gaps and inconsistencies, let alone their nearly incomprehensible scatter over these documents, mean that this is not so.

Enactment of a comprehensive code could also provide an opportunity for a re-assessment by LegCo of all of the ways in which both the public and private sectors use the ID system, or may do so in future. The development of such a code would be an ideal assignment for Hong Kong’s Law Reform Commission, which has extensive experience in privacy issues.

Caution in ID expansion appropriate in Hong Kong

The political context is the appropriate point on which to conclude this chapter. ID systems are an important element in the mechanisms by which States exercise control over populations. Fully democratic political systems have more checks and balances by which potential abuses of ID systems may be prevented. Expansions of ID systems carry a lower level of risk in such systems. An unavoidable factor which should be considered in this instance of the remaking of an ID system is that Hong Kong is part of the People's Republic of China (PRC). Although it does have a high degree of autonomy it does not have complete control over its political destiny. The PRC is not a democracy, nor is Hong Kong a full democracy. After ten years its democratic future is still uncertain (HK Administration 2007a).

When all these factors are considered, it seems appropriate for Hong Kong to take a very cautious approach to any proposals for expanded uses of its ID system. This is particularly so when the change to a smart-card based system is in itself a major technological and social change which may have consequences and difficulties not yet foreseen. The Administration claimed in 2002 that it was already taking a cautious approach (HK Administration Response to Greenleaf 5.6), and it is true that there has not been a headlong rush into more applications. Nevertheless the current approach leaves too much control in the hands of the Administration and not in the hands of the more democratic body, LegCo. It is not yet a cautious enough approach, because the Administration trusts itself too much. There are insufficient checks against the temptation for expansion, which may become more powerful now that the roll out of the new smart ID system is complete.

In the remaking of the Hong Kong ID card from 2000-2003 the Administration got most of what it proposed: a technically sophisticated smart ID card system; no defined limitations on the eventual expansion of the system; a system that was (modestly) multifunctional from the start; and the ability to expand many aspects of the system with little likely interference from LegCo in the form of disallowances or need for LegCo approval. It is an ID system that is out of the control of the semi-elected representatives and largely under the control of Hong Kong’s mandarins.


