MB Feb | Big brother is watching

The recent proposed cybersecurity bill has raised concerns it does not comprise enough measures to rein in the powers of authorities from mass surveillance

If you’re reading this article online at this moment, have you ever thought of who knows what you are doing now? Besides the obvious answer of yourself, your Internet service provider will probably monitor your online traffic. Who else? The government—that some are worried the proposed cybersecurity bill might grant the administration legitimacy for mass surveillance in the online sphere.  

The authorities have finished a 45-day public consultation in January on the cybersecurity bill, which serves to improve the city’s regulations on the prevention and protection of its major public and private infrastructures against cyber attacks. Currently, the city only follows the Law on Combating Computer Crimes in tackling cyber incidents.  

The bill proposes the set-up of a three-tier cybersecurity system: the establishment of a top-level cyber security standing committee led by the Chief Executive, a cyber security incidents prevention and emergency centre for enforcing measures, and government departments and private entities in various fields of safeguarding the infrastructure. The centre, headed by the Macau Judiciary Police, will operate around the clock and monitor live online data traffic in binary code, as well as investigate cybersecurity incidents.  The bill also suggests the implementation of real-name registration system for telecommunications services, in which providers will require their customers to provide identification before they could access to Internet, mobile and other telecom services. 

“[The real-name registration system] deserves no merit considering a weak civil society in the face of a government with strong surveillance capabilities,” said local activist Jason Chao Teng Hei. But what worries him the most is the powers granted to the Judiciary Police.   

Lip service 

Noting the police could intercept the online data to prevent cyber attacks and intrusions, he said the bill gives high discretionary powers to the police on when to do so. The activist is also highly concerned the proposal permits the police carry out background checks upon persons in charge of overseeing critical telecom infrastructures in the private sector, and have access to the premises of private entities running the infrastructures for compliance reviews, including gaming operators, banks, electricity and water suppliers, hospitals, television and radio broadcasters.  

“A mere mention of ‘respect for privacy’ in the consultation paper by no means reflects true respect for the privacy,” he said, adding the bill does not include any mechanisms for public supervision or appeals. “Without effective measures to defend people from government’s abuse of power, any reference to ‘privacy’ is no more than lipstick on a pig.” 

“Based on Macau government’s poor record in transparency, accountability, and respect for the rule of law,” he added, “the proposed legislation might be seen as an attempt to authorise a legal framework for mass surveillance.” 

Freedom of expression 

Albeit the lack of cybersecurity bill at the moment, this does not mean the government hasn’t monitored the content in the cybersphere. In the aftermath of Typhoon Hato that swept the city and killed 10 last year, the police arrested two siblings for distributing inaccurate messages via social media platform Wechat.  

“The government must have monitored the online content: whenever a certain kind of messages pop up, the police can quickly address the matter,” said political commentator Larry So Man Yum. “With the measures like the real-name registration system [for telecommunications services], it will only be easier for the authorities to track down [individuals].” 

In the perspective of preventing cyber attacks, Mr. So thinks the government has legitimate reasons to establish the bill. “But it will inevitably affects the freedom of expression,” he noted. “It will create a chilling effect among netizens… who will be less willing to express their opinions in the anxiety of offending the authorities.” 

The administration should strive a balance in safeguarding the cybersecurity while the freedom of expression in the society will not be sacrificed, the commentator added.  

More talents needed 

With the transformation of the city into a global casino hub and one of the top performing economies in the world in the past decade, some observers have warned the city might more likely fall into the radar of hackers and urged the territory to improve its relevant regulations to stay vigilant against cyber attacks. The city’s largest telecom provider, Companhia de Telecomunicações de Macau S.A.R.L (CTM), supported the government’s initiative to set up the cybersecurity law, which is commonplace in other jurisdictions.  

Its chief executive Vandy Poon Fuk Hei remarked in a recent public occasion that security and privacy of individuals could coexist and not be sacrificed. Using his company as an example, Mr. Poon noted, “We keep an eye on the traffic of our network services, but we never get into the details of the communications of customers: it’s been like this for the past… and it will be like this onwards.” 

Johnny Au Ka Fai, president of the Computer Chamber of Macau, supported the establishment of the bill as well, which could be helpful in curbing crime rates of online frauds, telephone frauds and other Internet crimes. According to the latest figures from the Judiciary Police, they launched 466 investigations in regards of computer crimes in 2016, declining by about 23 percent from 607 cases and 605 cases respectively in 2015 and 2014. Among the 466 cases in 2016, about 8.37 percent, or 39 cases, were related to malicious access to computer systems and improper usage of computer data, dropping by 37.1 percent from the previous year. 

Given the low unemployment rate here, Mr. Au is concerned whether there are enough human resources to support the implementation of the cyber security bill. “When we talk about cyber security, legislation is only the first step,” he added. “It is also important for the public, including the small-and medium-sized enterprises, to increase their awareness of cyber security, in particular amid the increasing popularity of e-commerce.” 

With the territory’s recent push to become a smart city, some believe a sound legal regime could help the city to achieve this goal in addition to its partnership with Chinese e-commerce giant Alibaba Group Holding Ltd. The government signed a smart city framework agreement last August with the Chinese firm, which will provide Macau information technology (IT) infrastructure and solutions, such as big data services, in multiple areas from tourism to urban management to transport management.  

Evil law 

But the partnership has met with doubts over privacy and security concerns of the protection of personal data. The pan-democratic New Macau Association was one of the parties voicing concerns at the time, which is also critical towards the proposed bill this time. “Even though the authorities say the main target for this bill is the operators of the critical infrastructures, the operators cover public bodies and private entities in various areas, such as finance, gaming, medical, transport, and telecom,” said Sulu Sou Ka Hou, legislator and vice-president of the New Macau Association.  “This means the administration could indirectly monitor the online activities of residents—and tourists—via overseeing the key infrastructures.” 

He criticised the bill is lack of measures to safeguard the rights of residents and enhance the transparency of the system. “The bill should have conditions mandating the authorities to announce any information in regards of the interception of online data, namely the frequency, the amount of data, time period and the instructions it has given to the operators [of key infrastructures],” he added.   

“Article 32 of the Basic Law clearly states the communications freedom and privacy of Macau residents should be protected,” he said of the city’s mini-constitution. “Without any changes… this is just an ‘evil law’ for the sake of so-called ‘security’.” 

Addressing the criticisms towards the proposed bill, the Macau Judiciary Police refuted a statement that some individuals made “subjective and inaccurate accusations” and these “irrational and emotional” behaviours won’t help improve the bill. 

“Most residents and industry representatives in the consultation sessions supported the legislation of the cybersecurity bill,” the statement read. “The operation of the cybersecurity incidents prevention and emergency centre will follow the advanced practices of western countries.” 

Recent Publicised Cyber Attacks in Macau 

February 2014 — Website of casino operator Sands China Ltd is down as part of a cyber attack against the websites of its parent firm Las Vegas Sands Corp 

March 2015 — Local telecom service provider CTM reports its firewall system is under a rare network attack, causing disruption in its fixed-line and mobile phone network for an hour 

Early 2017 — Albeit some enquires, no public bodies have reported they are under a WannaCry cyber attack, a global ransomware campaign that hackers encrypt targeted computers and demand payments to recover files. The cyber attack has affected over 300,000 computers in more than 150 jurisdictions 

Singapore excels in cyber security 

Singapore is the best performer among 193 states in the world in terms of cyber security, according to a survey carried out by the United Nations International Telecommunication Union. 

The Global Cybersecurity Index published last year found Singapore topped the list, with the United States and Malaysia trailing behind. The index measures the commitment of the states in five areas of cybersecurity, namely legal, technical, organisational, capacity building and cooperation. 

The report did not measure the performances of Macau and Hong Kong, but China ranked 32rd on the list.