Five specific new offences to rein in cybercrime with tougher penalties of up to life imprisonment have been proposed by Hong Kong’s Law Reform Commission as part of the city’s duty under national security legislation to ensure internet safety.

The commission’s recommendations could help tackle issues ranging from the illegal use of metadata and jamming systems by flooding them with internet traffic to interfering with companies or hospitals’ computer data systems, no matter if a person committed the crime inside or outside the jurisdiction.

Citing the need to catch up with fast-changing technology, the commission said the proposed new offences were partly a consolidation of existing laws, including the offence of obtaining access to a computer with dishonest intent, long decried by critics as a one-size-fits-all charge.

Members of the Law Reform Commission’s cybercrime subcommittee (from left) Wesley Wong SC, Dr Chow Kam-pui, Derek Chan SC and Cindy Cheuk.

“The last review was conducted 22 years ago and since then technology has improved drastically,” senior counsel Derek Chan Ching-lung, a member of the commission’s cybercrime subcommittee in charge of the reforms, said on Tuesday.

“There still aren’t appropriate and specific laws in Hong Kong [to target cybercrimes].”

The maximum sentence under the proposals in most cases is 14 years in jail, as opposed to the present range of two to five years’ prison for existing offences. Light offenders, though, could be dealt with summarily with jail terms of two years or less.

However, when an act was so grave as to endanger the lives of others, a sentence of life imprisonment would be incurred, in line with the current penalty under the offence of criminal damage.

The commission, however, stopped short of inserting an express provision to exempt whistle-blowers relying on a public interest defence, maintaining that a “reasonable excuse” defence allowed courts sufficient flexibility to rule on an individual basis.

In a consultation paper, the commission noted Beijing enacted the national security law in Hong Kong in 2020, a year after the subcommittee was formed.

“The duty of Hong Kong to safeguard national security reaffirmed the need for reform of cybercrime laws in Hong Kong and the subcommittee has taken this into consideration in its pursuit of the cybercrime project,” it said.

Chan noted that cybercrime could affect national security, including attempts to hack into military systems, although he acknowledged that “on a practical level” such acts were likely to be covered by the legislation itself, rather than the new cyber laws.

The committee, a government-appointed statutory body, turned to seven other places for reference, including mainland China and common law jurisdictions such as Australia, Canada, and England and Wales.

Beijing enacted the national security law in Hong Kong in 2020.

The proposed offences would have extraterritorial application so long as the crime in question had a local connection, such as a victim being from Hong Kong or damages incurred in the city.

Hong Kong mostly relies on the Crimes Ordinance and Telecommunications Ordinance to currently handle cybercrimes, and the five proposed offences are derived mainly from them to plug loopholes, according to the commission.

Under the proposals, unauthorised access to computer programs and data will amount to an offence, and those with an intent to carry out further crimes will face an aggravated variation.

But the commission is consulting the public on whether lay internet users or professionals who attempt to hack systems to test their soundness should be granted an exemption.

Metadata – which provides information or patterns about data rather than actual content – will come under a new offence banning unauthorised interception, although the commission is calling for submissions on whether exemptions should be granted to businesses which often rely on it to track patrons’ shopping activities.

The offence of illegal interference of computer data targets the damaging, deletion, deterioration, alteration and suppression of data, whereas interference of computer systems covers the so-called distributed denial of service attack (DDOS), where a hacker jams a system by flooding it with internet traffic.

Making available or possessing a device for the commission of a crime refers to tools such as ransomware, a computer virus or source codes.

But the commission maintained that an individual had to deploy such items knowingly to be found guilty, meaning that those whose computer was hacked to launch a DDOS attack should not attract criminal liabilities. Neither will an instant messenger user who may be involved in a chat containing illegitimate details.

All offences come in an aggravated form if further criminal activities or a high degree of severity are involved.

The maximum sentence for illegal interference of computer data or systems would be life imprisonment because they resulted in greater disruptions, said subcommittee member Chow Kam-pui, an associate professor who specialises in computer science at the University of Hong Kong.

“Some medical systems contain patients’ vitals. If they are interfered with illegally, it could cost lives and therefore, we feel the need to insert [such a penalty],” he said.

On legal defence, Chan acknowledged that the commission had not explicitly recommended public interest as a qualified factor.

“The whole point about using reasonable excuse is to let the court have some flexibility, and the defendants to have some flexibility, to argue what is reasonable and what is not reasonable by reference to our own societal standards,” he said.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, agreed current cybercrime laws were outdated and there was a need for reform.

But he urged the authorities to provide more clarifications, as he was worried some residents could fall foul of the proposed new law.

Citing buying tickets as an example, he worried concertgoers could breach the law by purchasing them from scalpers, who used bots to bulk buy.

“It remains unclear whether the resident would become an accomplice in such a case,” he said.

“We need to have a clear law and penalties. The biggest problem is that the internet is ever-changing … and we will never know what will happen next. That’s why we need the consultation period to come up with a framework.”

Professor Michael C. Davis, a former law professor at the University of Hong Kong, said he was worried the law would be used to supplement the national security law.

“Will this proposed ordinance be available as a charge, with the prosecution claiming the criminal intent is an offence involving national security?” he asked.

“Could all social media become a target? Given the wide criminalisation of speech in the context of national security and sedition charges is there a risk a charge under this ordinance will be added?”

Davis said he was also worried the proposed amendment would be used to reverse the outcome of an earlier decision by the Court of Appeal in 2019 which limits the reach of an ordinance that prohibits “access to a computer with criminal or dishonest intent” to cover a person using their own tech devices.

The consultation period lasts until October 19.