In Hong Kong, the HKSAR Government (the “Government”) announced plans to conduct pilot studies on developing a Smart City with the Internet of Things (IoT) and fifth-generation (5G) mobile networks as early as 2015. The premise behind the Government’s Smart City Blueprint is that 5G mobile networks would play a pivotal role in its smart city development by facilitating ultra-high-speed, ultra-reliable and low-latency communications, and by provisioning network capacity for large-scale device-to-device communication that will ultimately enable scalable implementation of IoT devices and services across the city.
While the Government has stated that its Smart City Blueprint is people-centric, with its core missions closely concerned with higher quality of living, business prosperity and eco-friendliness, it failed to address rising concerns about cybersecurity and personal data protection that accompany the adoption of IoT.
Concerns with IoT
It is often said that the technology at this stage is vulnerable to hacking, as the devices open channels for unwanted surveillance. Such arguments should not be hastily dismissed, as they have recently found solid ground, with these concerns having been echoed and acknowledged by the US Department of Homeland Security (DHS), which regarded IoT as a major matter of national security.
Considering that IoT is the cornerstone of the Government’s ‘Smart City Blueprint’ and that five years have passed since the project was conceived, with Hong Kong paving its way for mass implementation of IoT applications, there appears to be an oversight or a lack of consideration given to the potential cybersecurity and data risk impacts of widespread IoT usage in its current form.
One major obstacle to reaching a cybersecurity and data protection utopia is that these devices were never developed with the safety or security of data at the core of their designs. Current industry practices dictate that IoT devices are designed with the bare minimum computational power needed for their tasks and therefore, by their nature, generally lack the computational power needed to run cybersecurity software. However, as consumers grow and improve their understanding of the cybersecurity and personal data risks that come with the adoption and usage of IoT, there will come a time when current industry practices and IoT standards no longer satisfy the demands of the market.
Security Through Regulation and Licensing
To increase the incentive to change industry practices and improve the practicality of built-in cybersecurity capabilities in IoT products, major changes are required to regulate the industry in terms of design, manufacturing and consumption.
Earlier this year, the UK Government unveiled a possible new regulatory regime aimed at mitigating security risks associated with IoT by changing the way these products are produced, retailed and supported throughout their lifetime. If successfully legislated, IoT manufacturers must abide by the following requirements:
- IoT devices must each have their own unique passwords that cannot be reset to a universal factory setting;
- IoT manufacturers must set up a public point of contact for consumers to report flaws in their purchased products; and
- IoT manufacturers must explicitly state, at the point of sale, the minimum length of time the device will continue to receive security updates.
Separate to the above, optional regulation under the proposed regulatory plan invokes a mandatory labelling system that requires IoT manufacturers to self-assess and implement a security label on their consumer IoT products.
The developments in the UK are certainly exciting, yet should Hong Kong enact a similar regulatory regime to acclimatize to the latest IoT landscape?
Current IoT Regulation in Hong Kong
At present, there is no specific regulation on IoT in Hong Kong. Most of the issues relating to IoT are dealt with by existing legislation.
For example, in relation to data protection, the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) applies to IoT developers who collect personal data from their users. Under the current Data Protection Principle (4) (“DPP4”), all practicable steps shall be taken to ensure that personal data held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use, having particular regard to, among other things, any security measures incorporated into any equipment in which the data is stored.
In addition, if the IoT developer engages a data processor (whether within or outside Hong Kong) to process the data on the data user’s behalf, the IoT developer (as a data user) must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing (DPP4 (2) of PDPO).
It is important to note that contraventions of the DPPs do not constitute an offense in themselves, but the Privacy Commissioner for Personal Data (PCPD) may serve an enforcement notice on the IoT developer (as a data user) requesting it to rectify or remedy any data-related issues. If the IoT developer contravenes an enforcement notice, the IoT developer commits an offense and is liable to a fine of HK$50,000 and to imprisonment for 2 years, or for a second or subsequent conviction, a fine of HK$100,000 and to imprisonment for 2 years (s.50A(1) of the PDPO).
Code of Practice on the Operation and Management of IoT Devices
Although there is no specific IoT regulation in Hong Kong, the Communications Authority (CA) in Hong Kong announced on 1st December 2017 the creation of a new licensing regime for the provision of WIoT platforms and service providers offering wireless connections for their customers to connect IoT devices to the public telecommunications networks using the shared frequency band of 920-925 MHz, with a view to underpinning the preparation of Hong Kong for embracing the new era of IoT and 5G mobile services, as well as various smart city applications. To date, there are three WIoT licenses issued.
Furthermore, the CA has also issued a Code of Practice on the Operation and Management of IoT Devices (“CoP”) to provide practical guidance to WIoT licensees in respect of the provision of satisfactory service and the protection and promotion of the interests of consumers of telecommunications goods and services.
The CoP is developed for the operation and management of IoT devices connected to public telecommunications networks to:
- ensure the provision of satisfactory service by IoT service providers;
- strengthen consumer protection;
- enhance user confidence in using IoT devices connecting to public telecommunications networks; and
- serve as a reference for non-telecommunications licensees (such as device manufacturers, vendors, application developers) in formulating requirements and practices regarding the operation and management of IoT devices/services.
It is important to note that the CoP is merely a ‘best practice’ guide for IoT service providers to observe on a voluntary basis. For non-telecommunications licensees such as device manufacturers, vendors, and application developers who may supply and deploy IoT devices in the telecommunications and other business sectors (e.g. personal, leisure, household, transport, medical or financial sectors), the CoP only serves as a reference to assist in formulating suitable requirements and practices regarding the operation and management of IoT devices/services (para. 3 of the CoP).
Out of the CoP’s ten recommended best practices, the following are worth highlighting (para. 5 of the CoP):
- unique usernames and strong passwords should be adopted for IoT devices;
- users should be provided with a point of contact to report security issues;
- software of the IoT devices should be updated in a timely manner, and updates should not impact the functions of the devices;
- sensitive data should be stored securely in the IoT devices to prevent unauthorized access and modification; and
- personal data should be protected in accordance with the PDPO.
The CoP also recommends that IoT service providers should regularly conduct assessments on potential risks associated with their daily operation and management of IoT devices (para. 6 of the CoP).
The recommendations are mostly aligned with the UK’s proposed regulatory regime, and the CA has also taken reference from the UK’s Code of Practice for Consumer IoT Security when designing the CoP. However, we must stress that as the CoP is merely a ‘best practice’ reference for IoT device manufacturers, the CoP is not legally binding.
Moreover, the CA’s WIoT licensing regime only applies to wireless IoT service providers and does not apply to IoT device manufacturers; this may be too narrow in terms of scope and is likely to be inadequate in addressing the specific issues relating to IoT as highlighted above.
Government’s Review of Telecommunications Regulatory Framework
Apart from the CA’s WIoT licensing regime and the CoP, the Government’s Commerce and Economic Development Bureau (“CEDB”) completed a public consultation on the Review of Telecommunications Regulatory Network (RTRN) in February 2019.
The RTRN aims to review the telecommunications regulatory framework under the Telecommunications Ordinance (Cap. 106) (“TO”) to ensure that it is in line with the advancement of telecommunications technologies such as 5G and IoT.
The CEDB has put forward four recommendations, namely:
- to regulate telecommunications functions of devices in the 5G and IoT era through the TO and the CA;
- to protect underground telecommunications infrastructure by introducing criminal liabilities for negligent damage;
- to streamline the mechanism for issuing non-carrier licenses; and
- to expand the scope of the CA’s decisions made under the TO which could be dealt with by the proposed appeal mechanism.
Although the RTRN provides better regulatory direction in developing the technological infrastructure in Hong Kong, it is nevertheless disappointing to note that the RTRN has not adequately dealt with the specific issues relating to the security and data privacy of IoT devices.
Could the future of a secure IoT-enabled Smart City be safeguarded through a comprehensive licensing regime? Or could it be achieved through a more product-centric liability proof scheme? These are some of the ‘tip of the iceberg’ issues that stakeholders in Hong Kong should start thinking about.
Lawmakers in Hong Kong should also start thinking about how the specific issues relating to IoT’s security and data protection can be addressed, for example through a highly enforceable, robust framework or a government-backed licensing regime.
Should Hong Kong enact similar regulation to the UK regulatory regime? It may be possible for lawmakers to introduce a similar law that acclimatizes to the current tech landscape in Hong Kong. Yet, as many IoT manufacturers are located in the PRC, with Hong Kong merely contributing as an IoT retail and service hub, it is difficult to assess whether such a regulatory regime would be effective.