
E-certificates will hold their own against PINs

I refer to the article by Allan Dyer 'E-commerce growth in HK under threat from tax bill' on March 4, regarding the Inland Revenue Bill 2001.

The Electronic Transactions Ordinance (ETO) does not stipulate a digital signature as the only form of electronic signature in all cases that can satisfy the signature requirement under the law. Section 14 of the ETO allows the use of other forms of electronic signature in specified cases.

In a review of the ETO last year, the use of a personal identification number (PIN) or password was found to be acceptable for services where the security level of the PIN or password is commensurate with the risks associated with such services.

In such cases, it was decided to introduce legislation so that the corresponding implications, including any concerns over security, could be thoroughly examined by the Legislative Council and the community. The filing of tax returns is a good example of a case whereby a password can be accepted as sufficiently secure for the purpose of filing the returns.

Our proposal to adopt a six-digit password reflects prevailing commercial practices. We have also taken into account the convenience of taxpayers using the same password for both the telefiling system and the Teletax Service.

A six-digit numeric password should provide ample security protection against unauthorised access. The system will revoke any taxpayer's password if it is not correctly entered after five unsuccessful attempts. Furthermore, the six-digit password must be used in conjunction with the nine or 10-digit Taxpayer Identification Number.

We do not agree that our proposed system fails to meet the requirements of Article 6 of the UNCITRAL Model Law of Electronic Signatures 2001. The reliability of any application will depend on the overall system design. With the tight technical and administrative controls that will be put in place, the proposed system should provide the required reliability for the electronic filing of tax returns with the use of passwords.

The Inland Revenue Department (IRD) will ensure that passwords are encrypted and securely stored. Segregation of duties, control procedures and an audit trail will be put in place to ensure nobody in the IRD can tamper with the passwords.

As regards the admissibility of passwords in legal proceedings, the IRD will not use the password alone to establish non-repudiation of tax return data. We will address the non-repudiation issue by seeking to establish before the court that the taxpayer has used his password to furnish an electronic return and that these details have not been tampered with. It will be up to the court to decide whether the non-repudiation averred should be accepted or rejected.

We agree that efforts to promote IT must be properly directed. We consider that the proposed system of electronic filing is consistent with this goal.

We agree with Mr Dyer that promotion of digital certificates should be stepped up. In this regard, Hongkong Post will offer citizens a year's free use of its digital certificates to be embedded in the smart ID cards in a convenient one-stop process. This provides us with a golden opportunity to reach 6.8 million smart ID card holders. We believe this initiative will create a critical mass of e-Cert holders, which in turn will drive the development of e-business.

Alice Lau Mak Yee-ming,

Commissioner,

Inland Revenue
