Webtrends Tracking Code
 
UK Home >  Legal Info About... >  Crime and Security >  Crime (Hong Kong)

Crime (Hong Kong law)

This guide is based on the law of Hong Kong. It was last updated March 2005. AUK version is also available.

Overview

The internet is a criminal's playground. The ease with which it is possible, for example, to set up a spoof site, and do so anonymously, is cause for concern. Crime involves police, fines and prison sentences, as well as suing and being sued. Assuming your business intends to operate entirely above board, you may wonder what this subject has to do with you. You're not a hacker, you're not a thief. Possibly, this subject will have nothing to do with you - if you're fortunate. However, new media and e-commerce businesses risk becoming the victims of crime and risk being held criminally responsible for the actions of their employees. While the law is very much in its infancy in Hong Kong, it is worth being aware of the risks and of the general principles that apply in this area of the law.

Crimes Ordinance

Hong Kong does not, as yet, have developed legislation dealing with computer crimes. Such legislation as there is can be found in section 161 of the Crimes Ordinance (Cap 200), which provides that it is an offence to obtain access to a computer:

  • With an intent to commit an offence;
  • With a dishonest intent to deceive;
  • With a view to gain for oneself or another; or
  • With a dishonest intent to cause loss to another.

Conviction upon indictment of any of these offences carries a maximum punishment of five years.

This section was enacted in 1993 before the explosion in the Internet and e-commerce generally. The section is not therefore well suited to cover the types of computer launched attacks that we have seen recently on the world stage.

There is legislation in the pipeline (Criminal Jurisdiction Ordinance (Amendment of Section 2(2)) Order 2002, which is still being debated) which will enable Hong Kong courts to exercise jurisdiction over the offences of

  • unauthorised access to a computer;
  • criminal damage relating to the misuse of a computer; and
  • access to a computer with criminal or dishonest intent

when these crimes are committed or planned outside the geographical boundaries of Hong Kong.

Viruses

A virus can corrupt data held on a computer or network so as to render it useless. Where corruption occurs, the person who developed and/or introduced the virus onto the relevant system will, depending on the exact circumstances, be guilty of an offence under the Crimes Ordinance.

Alternatively, a virus could get into your system without your knowledge, and it could spread to those receiving e-mail attachments from your system. This could very well result in your liability for negligence (i.e. civil liability, as opposed to criminal). In such an action, a court might want to know what procedures were in place in your business to detect viruses, to show that you were not negligent. Accordingly, effective virus detection software could serve your legal interests as well as those of your system's security.

Software piracy

According to an independent global study in early 2000 reported by the Business Software Alliance (BSA) and the Software & Information Industry Alliance (SIIA), of the 615 million business software applications installed globally during 1998, 231 million, or 38%, were pirated. It is a crime that can be punished with imprisonment and a fine. Software piracy is not only a matter for the police; it can also involve customs officers, trading standards authorities and advertising standards authorities, as well as civil actions for damages.

You should also consider the risks of your business using illegally copied software. Many businesses are either unaware that they have unlawful copies on their system or turn a blind eye to it. Even if such a business is not caught, piracy poses other costs. Illegally copied software may contain viruses that can wreak havoc on a business.

You also need to watch out for illegally bundled software. Some resellers offer a system bundled with numerous copies of popular programs. Check that all documentation and necessary licences are supplied with the software and that they are valid.

Bear in mind that, even if it is individual employees obtaining and using illegal software, your business and/or its directors and other officers can be held liable.

Guidance to employees

If you have not given formal guidance to your employees on what software they can and cannot use, you should do so. An employee's handbook, for example, could be used to explain to each employee, among other matters, that he or she:-

  • Must not copy any program installed on his or her computer for any purpose without prior written permission;
  • Must not install any program onto his or her computer without prior written permission;
  • That [the business] will not tolerate any employee making unauthorised copies of software;
  • That any employee found copying software illegally is subject to disciplinary measures and even dismissal;
  • If he or she wants to use software licensed by [the business] at home, he or she must consult with [a manager] to ensure that such use is permitted by the relevant licence.

If covering such matters in a handbook or by any other means, make sure they are read and understood by each employee.

If you have not got one, you should consider compiling an inventory of all software stored on all computers (and elsewhere) and ascertain that valid licences exist for each piece of software (and any authorised copies of it). Any unlicensed software found should be deleted and, if appropriate, replaced with licensed copies.

Fraud

One reason many people are reluctant to shop on-line is a fear of credit card fraud. Many are under the impression that when they give their details to a web site, their credit card number will be intercepted by an internet eavesdropper. Fraud takes many different forms with varying penalties depending on the circumstances. The difficulty for the police is in catching those responsible.

Spoofing attacks, for example, can cause serious security problems for some companies, yet the attack can be straightforward and the attacker may be untraceable. Most of these attacks involve mail spoofing, where the "from" address is falsified in one or a series of e-mail messages, making the recipient think they are communicating with a legitimate person or business. Another variation is to create a dummy web site to persuade the user that they are accessing the legitimate site ("phishing") . Although the user enters the correct URL, the local name server has been spoofed into believing that the domain name corresponds to the address of a web server run by hacker. Typosquatters can also commit fraud by taking advantage of users entering an incorrect URL. You can learn more about typosquatting in our Branding and Intellectual Property guide.

Internet pornography

Pursuant to the Control of Obscene and Indecent Articles Ordinance (Cap 390), it is an offence to publish an obscene article. Publication covers distribution, circulation, selling, hiring, giving, or lending the obscene article. Distribution by email would fall within the definition of distribution, as would the placing of an obscene article on a web site. It should also be noted that distribution does not require any element of financial gain to be present. The definition of article includes "anything consisting of or containing material to be read or looked at or both read and looked at, any sound recording, and any film, video-tape, disc or other record of a picture or pictures." The article will be considered obscene if, by reason by its obscenity, "it is not suitable to be published by any person." Obscenity includes "violence, depravity and repulsiveness". The penalty for this offence is up to three years imprisonment and a fine of up to HK$1,000,000.

Protection of children

The Control of Obscene and Indecent Articles Ordinance (Cap 390) makes it an offence to publish any indecent article to a person who is a juvenile, whether or not that person knows the article is indecent or that such person is a juvenile. The punishment for this offence is up to 12 months imprisonment and a fine of HK$400,000 on a first conviction and up to 12 months imprisonment and a fine of HK$800,000 on a second or subsequent conviction.

ISPs and pornography

The liability of ISPs for pornography posted onto their servers has yet to be addressed by the Hong Kong courts. World wide examples have led to differing findings and it is therefore difficult to draw any solid conclusions. In a well publicised case, German prosecutors brought charges against the local manager of CompuServe in connection with child pornography on the internet. On the other hand, the American Courts have taken a more lenient view with respect to ISP liability.

An EU Directive on Electronic Commerce provides that, generally speaking, ISPs will have no liability for data content when they only provide access or transmission services. Even if they take a more active role and host a web site, they will not be liable for the content of that web site, provided that:

  • they do not know of any offending material which appears upon that site; and
  • they move swiftly to remove such material once they have knowledge of its existence.

Generally speaking, ISPs should make it a condition that anyone wishing to host adult or offensive material first presents a visitor with a clearly readable warning on the nature of the material in the site and that it is only suitable for those aged over 18. The ISP should also reserve the right to remove any site not complying with the conditions of use. Although the ISP will not monitor the sites it hosts, in the event of complaint, the ISP will be justified in removing the site if it does not comply with the condition.

In England, a criminal case decided that someone could be guilty of importing indecent photographs of children where he was under the impression that he was importing pornographic material but unaware that it was child pornography. This reasoning could be relevant to ISPs. Knowing that a site contains illegal material could be enough for a prosecution - knowledge of the degree of illegality might not be necessary.

Images downloaded by employees

Downloading illegal images may well make an employee liable for summary dismissal. This will however depend on whether dismissal is an appropriate sanction in the particular circumstances, so it should not be considered a general rule. No dismissal should take place until a full and proper investigation is carried out and fair disciplinary procedures followed. It is always advisable to seek advice from your solicitor before dismissing.

Any employer should have an internet and e-mail policy (you can download one here). The policy should specifically prohibit downloading pornography and make it clear to employees that this behaviour will not be tolerated and is likely to lead to instant dismissal. Having such a policy not only clarifies the rules for the employee but might also help you as the employer if there is a question of vicarious liability.

Issues of this kind are rarely clear-cut. If you are in any doubt over how to address a particular situation, you should always consult your solicitor.

Data Protection

The Personal Data (Privacy) Ordinance (Cap 486) provides for certain minimum standards that must be applied by a data user to ensure the ongoing security and integrity of any personal data that they may have. The Ordinance provides for 6 data privacy principles, which govern the handling of personal data.

For example, data principle 4 governs the security of personal data. This principle provides that "all practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorised or accidental access, processing, erasure or other use..."

The operator of a web site would therefore be under an obligation, under this principle, to take appropriate steps to secure against unauthorised or unlawful processing, which would include hackers who might try to access personal information stored on the web site. What is an appropriate level of security will vary according to the type of information stored. For example, medical and financial details would demand greater security than details of interests and hobbies. The business operating the web site is also obliged to ensure the reliability of any employees with access to personal data.

Similar demands are placed on businesses that store personal information in other ways, not just web sites. If personal data is held for the purposes of marketing or as employee records, whether manually or on a computer system, the Ordinance will also apply.

Failure to comply with the Ordinance can lead to the serving of an enforcement notice; failure to comply with the notice is a criminal offence. The Ordinance provides for other offences where misleading information is given in response to requests for access to personal data made under the Ordinance.

Jurisdiction

One of the most important legal issues arising out of the growth of the internet is the question of jurisdiction and the difficulty in applying domestic laws when considering offences which have been partially committed overseas. As yet there is no local case law on this point.

Pornography will be met with varying levels of acceptance in different jurisdictions. For example, it is possible that the on-line seller of lingerie could fall foul of a strict regime such as Saudi Arabia's. Where the web site operator and the user are located in different countries, enforcement of national laws can be problematic. Generally, however, national authorities will only sanction extradition if the conduct complained of would constitute an offence if committed on its own territory.

If your web site has particular target markets, you can make it clear on the home page of your web site and use a disclaimer to reduce your risk of liability. For more information, see our guide on Jurisdiction.

Links

If you have a report to make on the sale or use of illegal software, you should contact FAST or BSA.

Any questions? Please contact peter.bullock@out-law.com / +852 2521 5621 or one of our other contacts.

OUT-LAW star: link to the home page
Disclaimer | Privacy | Site Map | Accessibility
Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.