In Hong Kong, the HKSAR Govt (the “Govt”) introduced plans to habits pilot research of growing a Good Town with the Web of Issues (IoT) and fifth-generation (5G) cell networks as early as 2015[1]. The speculation in the back of the Govt’s Good Town Blueprint is that 5G cell networks would play a pivotal position for its good town construction via facilitating ultra-high-speed, ultra-reliable and occasional latency communications, and via provisioning community capacities for largescale device-to-device communique that will in the end permit scalable implementation of IoT gadgets and products and services around the town.
While the Govt has mentioned that their Good Town Blueprint is people-centric with its core missions closely excited about upper high quality of residing, prosperity of commercial and eco-friendliness, it failed to deal with rising issues with cybersecurity and private information coverage that go along with the adoption of IoT[2].
Considerations with IoT
It’s regularly stated that the generation at this degree is liable to hacking as they open channels for undesirable surveillance. Such arguments must now not be impulsively disregarded as they’ve not too long ago discovered forged floor with those issues having been echoed and stated via the United States Division of Place of birth Safety (DHS) which considered IoT as a big subject of nationwide safety[3].
Taking into account IoT because the cornerstone of the Govt’s ‘Good Town Blueprint’ and it’s been 5 years for the reason that challenge used to be conceived, with Hong Kong paving its manner for mass implementation of IoT packages, there seems to be an oversight or a loss of attention given to the possible cybersecurity and knowledge possibility affects of popular IoT utilization at its present shape.
One main impediment to achieving cybersecurity and knowledge coverage utopia is that those gadgets have been by no means advanced with the protection or safety of information on the core in their designs. Present trade practices dictate that IoT gadgets are to be designed to have the naked minimal computational energy this is wanted for his or her duties and due to this fact via their nature, in most cases lack the wanted computational energy to run cybersecurity tool. Alternatively, with shoppers rising and making improvements to their figuring out of cybersecurity and private information dangers that include the adoption and utilization of IoT[4], there’ll come a time when present trade practices and IoT requirements now not fulfill the calls for of the marketplace.
Safety Via Regulation and Licensing
To extend the motivation to switch trade practices and make stronger the practicality of integrated cybersecurity features in IoT merchandise, main adjustments are required to keep an eye on the trade in relation to design, production and intake.
Previous this yr, the United Kingdom Govt unveiled a conceivable new regulatory regime geared toward mitigating safety dangers related to IoT via converting the best way those merchandise are produced, retailed and supported all over their lifetime[5]. If effectively legislated, IoT producers must abide via the next necessities:
- IoT gadgets should every have their very own distinctive passwords that can’t be reset to common manufacturing facility surroundings;
- IoT producers should arrange a public level of touch for shoppers to file flaws in their bought merchandise; and
- IoT producers should explicitly state the minimal period of time system will proceed to obtain safety updates on the level of sale.
Separate to the above, not obligatory regulation underneath the proposed regulatory plan invokes a compulsory labeling machine that calls for IoT producers to self-assess and enforce a safety label on their user IoT merchandise.
The tendencies in UK are indubitably thrilling, but, must Hong Kong enact a an identical regulatory regime as to acclimatize to the latest IoT panorama?
Present IoT Regulation in Hong Kong
This present day, there is not any explicit regulation on IoT in Hong Kong. Many of the problems in terms of IoT are handled via current legislations.
As an example, when it comes to information coverage, the Private Knowledge (Privateness) Ordinance (Cap. 486) (“PDPO”) applies to IoT builders who gather private information from its customers. Underneath the present Knowledge Coverage Theory (Four) (“DPP4”), all practicable steps will likely be taken to be sure that private information held via a knowledge consumer are safe in opposition to unauthorized or unintentional get right of entry to, processing, erasure, loss or use having explicit regard to, among different issues, any safety features included into any apparatus through which the knowledge is saved.
As well as, if the IoT developer engages a knowledge processor (whether or not inside or outdoor Hong Kong) to procedure the knowledge at the information consumer’s behalf, the IoT developer (as a knowledge consumer) should undertake contractual or different way to forestall unauthorized or unintentional get right of entry to, processing, erasure, loss or use of the knowledge transferred to the knowledge processor for processing (DPP4 (2) of PDPO).
It is very important word that contraventions of the DPPs don’t represent an offense itself, however the Privateness Commissioner for Private Knowledge (PCPD) might serve an enforcement understand at the IoT developer (as a knowledge consumer) asking for it to rectify or treatment any information comparable problems. If the IoT developer contravenes an enforcement understand, the IoT developer will devote an offense and is answerable for HK$50,000 and to imprisonment for two years, or for 2nd or next conviction, a fantastic at HK$100,000 and to imprisonment for two years (s.50A(1) of the PDPO).
Code of Follow at the Operation and Control of IoT Gadgets
Even if there is not any explicit IoT regulation in Hong Kong, the Communications Authority (CA) in Hong Kong introduced on 1st December 2017 to create a brand new licensing regime for the availability of WIoT platforms and repair suppliers offering wi-fi connections for his or her consumers to glue IoT gadgets to the general public telecommunications networks the usage of the shared frequency band of 920-925 MHz with a purpose to underpinning the preparation of Hong Kong for embracing the brand new technology of IoT and the 5G cell products and services, in addition to more than a few good town packages[6]. To this point, there are three WIoT licenses issued[7].
Moreover, the CA has additionally issued a Code of Follow at the Operation and Control of IoT Gadgets (“CoP”)[8] to supply sensible steerage to WIoT licensees regarding the provision of enough provider and the safety and promotion of the pursuits of customers of telecommunications items and products and services.
The CoP is advanced for the operation and control of IoT gadgets attached to public telecommunications networks to[9]:
- ensure that the availability of enough provider via IoT provider suppliers;
- support user coverage;
- make stronger consumer self belief in the usage of IoT gadgets connecting to public telecommunication networks; and
- function a reference for non-telecommunications licensees (equivalent to system producers, distributors, utility builders) in formulating necessities and practices in regards to the operation and control of IoT gadgets/products and services.
It is very important word that the CoP is simply a ‘perfect apply’ information for IoT provider suppliers to look at on a voluntary foundation. For non-telecommunications licensees equivalent to system producers, distributors, and alertness builders who might provide and deploy IoT gadgets within the telecommunications and different trade sectors (e.g. private, recreational, family, delivery, scientific or monetary sectors), the CoP best serves as a connection with lend a hand in formulating appropriate necessities and practices in regards to the operation and control of IoT gadgets/products and services (para. three of the CoP).
Out of the CoP’s ten advisable perfect practices, the next are price highlighting (para. five of the CoP):
- advice for distinctive usernames and powerful passwords to be followed for IoT gadgets;
- customers must be supplied with some degree of touch to file safety problems;
- tool of the IoT gadgets must be up to date in a well timed means and must now not affect at the purposes of the gadgets;
- delicate information must be saved securely within the IoT gadgets to forestall unauthorized get right of entry to and amendment; and
- private information must be safe in response to the PDPO.
The CoP additionally recommends that IoT provider suppliers must ceaselessly habits exams on possible dangers related to their day by day operation and control of IoT gadgets (para. 6 of the CoP).
The suggestions are most commonly aligned with the United Kingdom’s proposed regulatory regime, and the CA has additionally taken reference from the United Kingdom’s Code of Follow for Client IoT Safety when designing the CoP[10]. Alternatively, we must pressure that for the reason that CoP is simply a ‘perfect apply’ reference for IoT system producers, the CoP has no felony binding.
Additionally, the CA’s WIoT licensing regime best applies to wi-fi IoT provider suppliers and does now not observe to IoT system producers, this can be too slim on the subject of scope and prone to be insufficient in addressing the particular problems relating to IoT as highlighted above.
Govt’s Evaluate of Telecommunications Regulatory Framework
With the exception of the CA’s WIoT licensing regime and the CoP, the Govt’s Trade and Financial Construction Bureau (“CEDB”) has finished a public session at the Evaluate of Telecommunications Regulatory Community (RTRN) in February 2019[11].
The RTRN targets to check the telecommunications regulatory framework underneath the Telecommunications Ordinance (Cap. 106) (“TO”) to be sure that it’s in keeping with the development of telecommunications applied sciences equivalent to 5G and IoT.
The CEDB has put ahead 4 suggestions, particularly:
- to keep an eye on telecommunications purposes of gadgets within the 5G and IoT technology thru TO and CA;
- to offer protection to underground telecommunications infrastructure via introducing legal liabilities for negligent harm;
- to streamline mechanism for issuing non-carrier licenses; and
- to enlarge the scope of the CA’s selections made underneath the TO that may be handled via the proposed enchantment mechanism.
Even if the RTRN supplies higher regulatory route in growing the technological infrastructure in Hong Kong, it’s however disenchanted to notice that the RTRN has now not adequately handled the particular problems relating to safety and knowledge privateness problems when it comes to IoT gadgets.
Concluding Remarks
May just the solution for a long term of protected IoT-enabled Good Town be safeguarded thru a complete licensing regime? Or may or not it’s performed thru a extra product-centric legal responsibility evidence scheme? Those are one of the crucial ‘tip of the iceberg’ problems that stakeholders in Hong Kong must get started eager about.
Lawmakers in Hong Kong must additionally get started eager about how the particular problems when it comes to IoT’s safety and knowledge coverage will also be addressed. As an example, thru a extremely enforceable powerful framework or a government-backed licensing regime.
Must Hong Kong enact an identical regulation to the United Kingdom regulatory regime? It can be conceivable for lawmakers to introduce a an identical law that acclimatizes to the present tech panorama in Hong Kong. But, as many IoT hardware producers are positioned in PRC with Hong Kong simply contributing as an IoT retail and repair hub, it’s tricky to evaluate whether or not any such regulatory regime could be efficient.
[1] Place of business of the Govt Leader Knowledge Officer: https://www.smartcity.gov.hk/
[2] Hong Kong Good Town Blueprint: https://www.smartcity.gov.hk/blueprint/HongKongSmartCityBlueprint_e-flipbook_EN/cell/index.html#p=1
[3] Division of Place of birth Safety – Securing the Web of Issues: https://www.dhs.gov/securingtheIoT
[4] IoT user insights: https://www2.gemalto.com/iot/iot-consumer-insights.html
[5] Govt reaction to the Regulatory proposals for user Web of Issues (IoT) safety session: https://www.gov.united kingdom/authorities/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security/result/government-response-to-the-regulatory-proposals-for-consumer-internet-of-things-iot-security-consultation
[6] Communications Authority, ‘Press Free up – Communications Authority Creates New Wi-fi Web of Issues Licence: https://www.coms-auth.hk/en/media_focus/press_releases/index_id_1570.html (ultimate accessed: 17th Would possibly 2020)
[7] Communications Authority, ‘Record of Licensees’: https://www.coms-auth.hk/cell/en/licensing/telecommunications/wiot/list_of_licensees/index.html (ultimate accessed: 17th Would possibly 2020)
[8] Communications Authority, ‘Code of Follow at the Operation and Control of Web of Issues Gadgets (Factor 1 – June 2019): https://www.coms-auth.hk/filemanager/commentary/en/add/511/cop-iot_e.pdf
[9] Communications Authority, TRAAC Paper No. three/2019 ‘Proposed Code of Follow on Operation and Control of Web of Issues Gadgets for Public Telecommunications Services and products’ dated 28 March 2019: https://www.ofca.gov.hk/filemanager/ofca/en/content_757/traac3_2019_p.pdf
[10] Communications Authority, Slide 6 of the TRAAC Paper No. three/2019 ‘Proposed Code of Follow on Operation and Control of Web of Issues Gadgets for Public Telecommunications Services and products’ dated 28 March 2019: https://www.ofca.gov.hk/filemanager/ofca/en/content_757/traac3_2019_p.pdf
[11] Legislative Council Panel on Knowledge Era and Broadcasting, ‘Evaluate of Telecommunications Regulatory Framework’ (LC Paper No. CB(1)120/19-20(04) dated 11th November 2019: https://www.legco.gov.hk/12 months19-20/english/panels/itb/papers/itb20191111cb1-120-Four-e.pdf
