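Hong Kong In-media Statement: The ICAC and the Police Must Account for Their Contact with a Hacking Company; Amend the Interception of Communications and Surveillance Ordinance to Protect Public Privacy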

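Hong Kong In-media statement:
The ICAC and the police must account for their contact with a hacking company
Amend the Interception of Communications and Surveillance Ordinance to protect public privacy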

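WikiLeaks recently revealed that Hong Kong’s Independent Commission Against Corruption (ICAC) had contacted the company Hacking Team (see note) and asked it to demonstrate a remote-control malware product called “Galileo” (Galileo Remote Control System), which can intercept communication data on multiple platforms, including computers and mobile phones. In the early hours of 15 July the ICAC confirmed that it had contacted the hacking company. According to a Ming Pao report, the company’s emails include at least 3 email addresses of the Hong Kong police and 5 email addresses of officers of the ICAC Operations Department.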

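We are concerned about Internet freedom and have been following the development of the Interception of Communications and Surveillance Ordinance (the “Ordinance”). The Ordinance was enacted to regulate interception of communications and specified kinds of covert surveillance carried out by public officers, and to ensure that the four designated law enforcement agencies (namely the Customs and Excise Department, the Hong Kong Police Force, the Immigration Department and the ICAC), while detecting crime and protecting public security, also protect citizens’ privacy and rights from infringement.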

The public’s computers may be monitored and intruded upon without their knowledge

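The ICAC admitted having contacted the hacking company only after WikiLeaks exposed it. This shows that the Ordinance’s capacity to oversee and check law enforcement agencies is clearly inadequate. If the ICAC has indeed purchased the hacking software, which besides surveillance can also actively intrude into other people’s computers, public privacy and freedom of information may be harmed as a result.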

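Hacking software such as “Galileo” allows governments to break into a target’s smartphone and computer, covertly steal data from iPhone and Android platforms, monitor Internet users’ communications, pry into encrypted files and emails, and remotely switch on the microphone and camera of a target computer. The system can store and leak a wide range of data, such as websites visited, file operations, keystroke logs, document and image information, VoIP call monitoring (for example Skype), program execution, audio eavesdropping, webcam surveillance, screenshots, instant messaging (Skype, Windows Live Messenger, Wechat, etc.), clipboard contents, account passwords, sent and received emails, phone call recordings, GPS location and contact details.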

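At the same time, because the hacking software carries a backdoor that lets Hacking Team review how the software is used and the data it intercepts and monitors, information about the targets of ICAC investigations may fall into outsiders’ hands through this software, which means that all the data of those under surveillance in Hong Kong is at the same time being sent overseas.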

We demand:

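1. The authorities must give the Legislative Council Panel on Security a detailed account of whether law enforcement departments’ use of surveillance software is lawful, and the ICAC, the police and all law enforcement agencies must disclose the details of the network surveillance software they use, including the supplier, the software name and version, the number of people monitored since the software was purchased and, among them, the number of cases that went from investigation to prosecution.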

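2. The Legislative Council Panel on Security must convene a special meeting and require the authorities to account for the incident.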

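3. Amend the Interception of Communications and Surveillance (Amendment) Bill 2015 now under scrutiny. The regulatory scope of the current Ordinance is outdated: law enforcement agencies no longer need to go through the Ordinance to intercept today’s popular instant messaging (such as whatsapp and telegram); they can apply directly to the court for a warrant and demand the relevant data from network providers. The authorities must amend the scope of “communication” in the Ordinance and regulate network providers so that they do not hand personal data over to law enforcement agencies indiscriminately, in order to protect public privacy.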

4. The ICAC and all law enforcement agencies must stop using foreign hacking software.

Hong Kong In-media
16 July 2015

Copies to: ICAC, Security Bureau, Legislative Council Panel on Security

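Note: Hacking Team is an Italian hacker team and company specialising in surveillance technology, known for helping governments monitor citizens. Founded in 2003, it specialises in selling spyware and malware of all kinds to governments, law enforcement agencies and intelligence organisations worldwide for monitoring the public, and claims clients in 30 countries around the world, including Egypt, Singapore and Vietnam, which have poor human rights records.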

Statement of Hong Kong In-media:

The ICAC and Police Force shall disclose details on contacts with hacker companies
Amend the Ordinance to secure privacy

WikiLeaks previously disclosed that the Independent Commission Against Corruption (the ICAC) had contacted the Hacking Team (note) and asked the company to demonstrate a remote-control malicious programme called “Galileo Remote Control System”, which can intercept communications on computers, mobile phones and similar telecommunication platforms. In the early morning of 15 July, the ICAC admitted that it had contacted the company. According to Ming Pao, the company’s email correspondence contains at least 3 addresses of the local police and 5 addresses of the ICAC Operations Department.

Hong Kong In-media is gravely concerned about Internet freedom and monitors the development of the Interception of Communications and Surveillance Ordinance (Cap 589). The legislative intent of the Ordinance is to regulate any interception of communications or any covert surveillance carried out, for the purposes of a specific investigation or operation, by or on behalf of public officers, and to ensure that the four operative departments, namely the Customs and Excise Department, Police Force, Immigration Department and the ICAC, respect citizens’ rights and privacy while acting for crime prevention and/or the protection of public security.

Interception and surveillance without public notice

The ICAC admitted contacting the hacking company only after WikiLeaks leaked it. From this, we can see that the Ordinance does not sufficiently restrict and regulate the power given to those operative departments in the public interest. Had the ICAC subsequently bought the surveillance services, the privacy and rights of the public would be severely undermined by unrestricted surveillance, if not by offensive and malicious interception of computing devices.

“Galileo Remote Control System” is an investigative tool for spying on all kinds of mobile devices and computers: stealing information from iPhone or Android platforms, reading the data of internet users, accessing encrypted emails or files, and providing remote access to microphones and cameras. The system can save and leak information on web surfing history, document transmission, keyboard input records, text, files and pictures, VoIP call monitoring, programme execution, audio interception, camera interception, screenshots, instant messaging (Skype, Windows Live Messenger, Wechat, etc.), clipboard contents, account passwords, incoming and outgoing email, phone recordings, GPS location and contact information, etc. At the same time, the spyware creates a backdoor that allows the Hacking Team itself to scrutinize the intercepted information, thereby releasing all personal data or information of such targets to even more outsiders whom one cannot possibly trace.

Hong Kong In-media calls for the following:

  1. The authorities must report in detail to the Legislative Council Panel on Security the legal basis of the law enforcement agencies’ use of such interception or surveillance technology, in particular the details of any software that the ICAC, Police Force and other agencies currently have in use, including but not limited to information on suppliers, spyware names and versions, the number of targets and the investigation-to-prosecution ratio.
  2. The Panel on Security must then call a special meeting to discuss the matter concerned.
  3. The government must amend the Interception of Communications and Surveillance (Amendment) Bill 2015. The coverage of the current Bill is unquestionably obsolete: the law enforcement agencies need not go through the scrutiny of the Ordinance to intercept popular telecommunication platforms like Whatsapp and Telegram. Instead, they can obtain a warrant from the Court and obtain information from Internet suppliers. The authorities must amend the types of telecommunication platforms covered by the Ordinance and stop any abuse of such means, so as to secure the privacy of all citizens.
  4. The ICAC and other law enforcement agencies must stop using hacker software of other countries.

Hong Kong In-media

16 July 2015

CC: The ICAC, Security Bureau and the Legislative Council Panel on Security

Note: The Hacking Team is an infamous Italy-based hacking company that sells offensive intrusion and surveillance capabilities to governments in order to monitor citizens. Founded in 2003, it aims to serve governments, law enforcement bodies and intelligence agencies across the globe with spyware and malware, claiming that its clients are from 30 countries, including countries with poor human rights records such as Egypt, Singapore and Vietnam.

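Hong Kong In-media Statement: The Interception of Communications and Surveillance Ordinance Is Outdated and Must Be Substantially Amended to Prevent Political Surveillance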

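Hong Kong In-media statement
The Interception of Communications and Surveillance Ordinance is outdated and must be substantially amended to prevent political surveillance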

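The Interception of Communications and Surveillance Ordinance (the “Ordinance”) has been riddled with loopholes since it took effect on 9 August 2006. Nine years after its enactment, it has failed to perform its function of overseeing law enforcement agencies, and its scope of coverage is outdated. This year the Security Bureau finally proposed amendments, and the Legislative Council has set up a bills committee to follow up. However, without sufficient public discussion, Hong Kong In-media (“we”) fears that the Ordinance will receive only minor patching, leaving law enforcement agencies’ surveillance of protesters and journalists entirely unregulated.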

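After the Umbrella Movement, the Commissioner on Interception of Communications and Surveillance, Darryl Saw, acknowledged to reporters that he had no information on police monitoring of personal communications transmitted over the Internet, such as Whatsapp, indirectly acknowledging that the Ordinance does not cover Internet communications. In addition, law enforcement agencies have refused, on grounds of confidentiality, to provide Legislative Council members with a list of interception equipment. We consider that these circumstances show that the Ordinance is outdated and that law enforcement agencies hold excessive power which the public has no means of overseeing. We therefore demand the following in respect of the amendment of the Ordinance: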

First, amend the definition of communication to bring the interception of Internet communications under regulation

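The Ordinance must broaden the definition of communication and bring Internet communications (such as email, Google Hangout, Whatsapp, Telegram and so on) within the scope of “communication”. The Ordinance took effect back in 2006, when it specified that regulated interception was limited to postal services and telecommunications systems; in today’s society, where Internet communication is ever more common, the Ordinance is clearly outdated. The Commissioner on Interception of Communications and Surveillance (Note 1) has publicly acknowledged that communications service providers have provided assistance, but has not responded on whether Internet communications fall under the Ordinance, which shows that the Ordinance clearly contains an unwritten grey area. In recent years political parties, non-governmental organisations, journalists and lawyers alike have used Internet communication as their main channel of contact. Unless Internet communications are brought within the regulated scope of “communication” as soon as possible, this will pose a major threat to the privacy of citizens’ personal data, freedom of association and freedom of expression.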

Second, spell out the definition of “violence” so that the authorities cannot broaden it at will

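The Ordinance must define more specifically the terms “relevant specific” and “violence” in section 3. The Ordinance was enacted to provide a regulatory mechanism for interception of communications and specified kinds of covert surveillance carried out by public officers, so as to ensure that the four designated law enforcement agencies (namely the Customs and Excise Department, the Hong Kong Police Force, the Immigration Department and the ICAC), while detecting crime and protecting public security, also protect citizens’ privacy and other rights. The Code of Practice under the Ordinance states that “advocacy, protest or dissent (whether in furtherance of a political or social objective or otherwise), unless likely to be carried on by violent means, is not of itself regarded as a threat to public security” and that “‘violence’ does not cover minor scuffles or minor vandalism”. During the Umbrella Movement the government treated wearing goggles and using cling film as violence, which shows that law enforcement agencies have expanded the definition of “violence” without limit, clearly at odds with the Code of Practice under the Ordinance. In fact, the Code of Practice also mentions that in 2006 the Secretary for Security undertook that surveillance operations under the bill would not be carried out on grounds of “public security” to achieve political objectives. Therefore, to avoid public speculation and fear that the government will conduct political surveillance through law enforcement agencies, the authorities must set out a clearer definition.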

Third, add provisions to protect “journalistic material”

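We strongly urge that the Ordinance lay down more detailed provisions on interception and surveillance involving “journalistic material”. Former Commissioner Woo Kwok-hing acknowledged as early as the first annual report that “journalistic material is not given as much prominence in the body of the Ordinance as legal professional privilege”; in 2010, a law enforcement agency for the first time admitted having inadvertently intercepted journalistic material (Note 2). The Ordinance has been in place for nearly ten years. Today, as freedom of speech and of the press is increasingly eroded, we agree with the recommendation of the Hong Kong Journalists Association (Note 3) to “add a privilege for journalistic material, like legal professional privilege, requiring law enforcement agencies, when applying for authorisation, to state in the affidavit the likelihood of obtaining material that may be subject to journalistic material privilege, so that the authorising authority can fully consider, when vetting, whether the application meets the criteria for approval”, and we urge the authorities to respond promptly to journalists’ demands so that reporters can continue to play their Fourth Estate role of monitoring the government and defend the public’s right to know.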

Fourth, give the Ordinance legal force and establish penalties for non-compliance

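For years the Interception of Communications and Surveillance Ordinance has been weak in oversight and has existed in name only, so that law enforcement agencies have repeatedly breached the rules over nine years with no penalty whatsoever. In the Interception of Communications and Surveillance Ordinance Annual Report 2013 (the “2013 Annual Report”), the Commissioner on Interception of Communications and Surveillance (the “Commissioner”) merely attributed the errors to being “mostly caused by inadvertence or negligence, arising purely from individual officers, and not from any flaw in the control system” (Note 4), which reflects that law enforcement agencies hold excessive power that neither the Ordinance nor the public can oversee. The root cause is that the Ordinance has no real legal force and has never set penalties for breaches by law enforcement agencies. We urge the authorities to delay no further, give the Ordinance legal force, establish penalties for non-compliance and protect the public’s right to privacy.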

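Fifth, strengthen oversight of the storage of surveillance devices and follow up on the system for handling removable storage media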

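The 2013 Annual Report reveals that law enforcement agencies handle the storage of surveillance devices carelessly, clearly threatening the right to personal data privacy. The 2013 Annual Report notes that an officer of a law enforcement agency responsible for withdrawing covert surveillance devices lost the original record for two surveillance devices (Note 4), making oversight difficult for the Commissioner, which shows the need to strengthen oversight of the storage of surveillance devices.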

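In addition, we urge the authorities to lay down specific oversight provisions on the handling of removable storage media (such as memory cards, optical discs and magnetic tapes) inside surveillance devices. The Ordinance still has not established issue-and-return procedures for removable storage media as it has for other surveillance devices; under the current Ordinance, even if removable storage media are swapped or taken out by law enforcement officers, there is no way of knowing, let alone overseeing it. On this point, although the 2013 Annual Report states that “tamper-proof labels have been adopted”, that “removable storage media are sealed inside the devices” and that prototypes of removable storage media have been developed, the Ordinance at present still has no legal force.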

Hong Kong In-media
8 April 2015

Note 1: http://the-sun.on.cc/cnt/news/20141203/00407_062.html
Note 2: http://life.mingpao.com/cfm/dailynews3b.cfm?File=20101123/nalgg/gga1.txt
Note 3: http://www.hkja.org.hk/site/portal/Site.aspx?id=A1-1088&lang=zh-TW
Note 4: http://www.info.gov.hk/info/sciocs/chi/pdf/Annual_Report_2013.pdf

Photo: Apple Daily

Hong Kong In-Media Statement
Interception of Communications and Surveillance Ordinance Outdated, requires drastic amendment to prevent political surveillance

The Interception of Communications and Surveillance Ordinance (hereinafter referred to as “the Ordinance”), which took effect on 9 August 2006, has been riddled with loopholes over its nine years of existence. The law enforcement agencies failed to carry out their functions, and the Ordinance’s scope of coverage has become obsolete. This year, the Security Bureau finally proposed to review the law, with the Legislative Council setting up a bills committee to follow up with the amendment. Given the lack of sufficient public consultation, Hong Kong In-Media (hereinafter referred to as “our organisation”) fears the new amendment will only fix minor problems and allow law enforcement to monitor protesters and journalists without any oversight.

After the Umbrella Movement, Darryl Saw, the Interception of Communications and Surveillance Commissioner, told reporters that the police were not surveilling personal communication transmitted on the Internet, such as through Whatsapp, indicating that the Ordinance does not cover Internet communications.

In addition, law enforcement agencies continue to refuse to provide a list of interception equipment to the LegCo citing confidentiality as the reason. Our organisation believes these situations have proved that the Ordinance has become outdated, and law enforcement agencies have grown too powerful to be overseen by the public. Therefore, on the occasion of the amendment, our organisation requests:

First, amend the definition of communication to include Internet communication in the interception of communications regulation

The Ordinance should expand the definition of communication and include Internet communications (e.g., email, Google Hangout, Whatsapp, Telegram) in the list. When the Ordinance took effect in 2006, it stated that the intercepting act covers only the inspection of content transmitted by postal services or by telecommunications systems. The Internet is increasingly popular in today’s society, and the Ordinance is obviously obsolete.

The Interception of Communications and Surveillance Commissioner (Note 1) once publicly admitted telecom operators provided assistance (to law enforcement’s interception and surveillance operations), but did not comment on whether Internet communications are covered by the Ordinance, indicating there’s obviously a murky grey zone in the Ordinance. In recent years, political parties, NGOs, journalists and lawyers all use Internet communication tools as a major platform for communication. If the government does not include Internet communication into the Ordinance’s scope of coverage, that would pose a severe threat to citizens’ personal information privacy, freedom of association and freedom of expression.

Second, enhance the clarity of the definition of “violence” and oppose any arbitrary abusive use by the authorities

The Ordinance should clarify the definitions of ‘relevant specific’ and ‘violence’. The intention of the enactment of the Ordinance is to set up a regulatory mechanism to oversee public officers’ interception of communications and certain types of covert surveillance operations. It is designed to ensure the four law enforcement agencies (Customs, Police, Immigration Department and ICAC) will protect citizens’ privacy and other rights while detecting crimes and keeping the public safe.

The Ordinance and the Code of Practice prescribe that “advocacy, protest or dissent (whether in furtherance of a political or social objective or otherwise), unless likely to be carried on by violent means, is not of itself regarded as a threat to public security”, and “‘Violence’ does not cover minor scuffles or minor vandalism”.

During the Umbrella Movement, the authorities regarded wearing goggles and using plastic wrap as using violence, which is clearly not in line with what the Ordinance and the Code of Practice have prescribed. In fact, the Code of Practice quotes the former secretary of security’s pledge in 2006 that “law enforcement agencies will under no circumstances undertake surveillance operations under the Bill on grounds of public security to achieve a political objective. …”

Therefore, the authorities must set a clear definition on this to ease public speculation and concern over the government’s political surveillance conducted by the law enforcement agencies.

Third, add provisions to protect “journalistic material”

We strongly urge that the Ordinance set detailed provisions on interception and surveillance operations that may obtain “journalistic material”. The former commissioner Woo Kwok-hing noted in the first annual report that “journalistic material is not given as much prominence in the body of the Ordinance as LPP”. In 2010, law enforcement for the first time admitted that they wiretapped journalistic material by accident (Note 2). The Ordinance has been in force for nearly a decade.

Given today’s eroding freedom of speech and freedom of media in Hong Kong, our organisation agreed with the Hong Kong Journalists Association’s recommendation (Note 3), “to add the same level of protection to journalistic material as that of LPP. It is recommended that the Ordinance shall require law enforcement agencies to clearly state in the affidavit any likelihood of obtaining protected journalistic material during interception or covert surveillance operations, so that the authorising officers can thoroughly consider whether the application satisfies all the conditions needed for the authorisation.”

We urge the authorities to respond to media professionals’ concern as soon as possible, so that journalists can continue playing their roles in overseeing the government and safeguarding the public’s right to know.

Fourth, make the Ordinance legally binding and establish penalties for non-compliance

For many years, the Ordinance has been ineffective in overseeing non-compliance and has become a rubber stamp. The law enforcement agencies repeatedly violated the Ordinance, but received almost no penalties. In the 2013 Annual Report, the commissioner observed that “most of the irregularities encountered and mistakes made by LEA officers were attributable to their inadvertence or negligence, which were uniquely related to the individuals concerned rather than defects in any of the control systems” (Note 4).

This comment indicated that law enforcement agencies possess too much power for the Ordinance and the public to oversee. The fundamental reason is that the Ordinance is not legally binding and is therefore unable to punish non-compliance by law enforcement agencies. Our organisation urges the authorities to give the Ordinance legal force to punish non-compliance and protect the public’s right to privacy.

Fifth, enhance the supervision of the storage of surveillance devices and follow up with the control system for removable storage media

The 2013 Annual Report revealed that law enforcement agencies handled the storage of surveillance devices quite recklessly, which obviously posed a threat to personal privacy rights. The 2013 annual report noted that a law enforcement agency lost the original copy of a Record of Issue in respect of two surveillance devices (Note 4), which made it difficult for the commissioner to conduct examination. This reflected the necessity of enhancing the oversight of the storage of surveillance devices.

In addition, our organisation urges the authorities to set up clear provision on the supervision of removable storage media (e.g. memory cards, discs and tapes). The Ordinance has yet to establish procedures for the issue and return of removable storage media. Under the existing Ordinance, there is no way for us to know if law enforcement officers have replaced or removed the memory cards, discs and tapes, not to mention supervise such activities. The 2013 Annual Report noted that some law enforcement agencies have adopted “the use of tamper-proof labels to seal the RSM inside the devices at the time of issue”, and the development of “prototypes of RSM which have affixed to them a Quick Response Code”. However, the Ordinance remains not legally binding.

Hong Kong In-Media
8 August 2015

Note 1:http://the-sun.on.cc/cnt/news/20141203/00407_062.html
Note 2:http://life.mingpao.com/cfm/dailynews3b.cfm?File=20101123/nalgg/gga1.txt
Note 3:http://www.hkja.org.hk/site/portal/Site.aspx?id=A1-1088&lang=zh-TW
Note 4:http://www.info.gov.hk/info/sciocs/chi/pdf/Annual_Report_2013.pdf

Photo Credit: Apple Daily