Borderless crime hard to crack
His 44th was a particularly cruel birthday for Rajesh Sadhwani. It was the day in March last year that he received an e-mail on his BlackBerry telling him that his password for his Yahoo e-mail account had been changed.
Shortly afterwards, the jewellery designer received an e-mail, warning him to 'enjoy what else is to be unleashed'. There was also a message from his account with social networking site Facebook telling him to 'watch his back'.
Sure enough, when Sadhwani checked, he could not log in to his Yahoo and Facebook accounts. Then he discovered friends of his had been sent abusive messages from his Facebook page.
The hacker had also cracked his Expedia and Orbitz travel accounts, destroying his itinerary for an upcoming business trip to the Basel Jewellery Show in Switzerland.
Sadhwani went to the Central Police Station and made a detailed report. He also confirmed with Yahoo, Expedia and Facebook that he was indeed the proper account owner and his passwords were changed back.
But the damage was done. Sadhwani had used his Yahoo account as an online database to help organise his life, which included seven years' worth of copies of all the designs for his successful jewellery company, as well as all his business contacts and correspondence. There were also details of his teenage daughter's plans to study in the United States.
Investigators in the US found the e-mails had originated from Bergen county in New Jersey. Sadhwani now had his suspicions about who the hacker was, as the area is home to estranged relatives who are also competitors in the jewellery business.
In the next few months, he learned that some of his clients had been contacted in Europe, obviously using the details stolen from his Yahoo account. But he decided to leave the case alone.
'My contacts, connections and business dealings had been obviously forwarded on. But it was really commercial espionage and I really thought it would end there,' he said.
This was wishful thinking. Six months later, on September 12, Sadhwani received his most distressing e-mail from the hacker.
This time there was a direct threat against his daughter. 'Don't think I don't know your schedule ... London one day, New York the next ... you really think she'll be safe when she goes to school all by herself???'
This prompted him to act, making a photocopy of his daughter's passport and sending it to the US consulate general to ask for help. The e-mail was again traced to Bergen county in New Jersey, and the Apline Police Department, responsible for the area, in tandem with the county Computer Crimes Department, conducted an investigation from information provided by Sadhwani and raided a home there.
During a police interview, one of the occupants of the house admitted his relative, who was based in Hong Kong but travelled to the US on business, used the computer. The occupants of the house then admitted the relative had been responsible for hacking the accounts. They expressed their regret, and said it would not happen again.
Sadhwani wants the case prosecuted in Hong Kong, as this is where the hacker is based, and where he lives with his daughter. But the matter has not moved so quickly in Hong Kong as it has in the US.
The South China Morning Post has identified several loopholes in the city's statutes governing identity theft, which in some cases may make it more difficult for police to identify what an offender should be charged with. Hong Kong law does not recognise one's 'identity' - much less virtual identity - as someone's personal property, capable of being owned and protected.
Sadhwani made his second report to police on January 8. He provided the police with a full statement as well as all the evidence collected by the police in the US.
Police investigators have confirmed the investigation into the case is ongoing and a person of interest has been interviewed.
Sadhwani said he was frustrated with the slow progress of the case in Hong Kong.
'The guy is here, he has committed this crime, why can he not be prosecuted now?' he said.
Despite the growing incidence of internet crime, a cyber-criminal in Hong Kong is highly unlikely to be prosecuted.
Of the 791 such reported cases in 2008, only 25 were prosecuted and 19 people convicted. In 2005, of the 667 reported cases, there were 17 prosecutions and 15 convictions. That is a conviction rate for internet crimes of 2.5 per cent and 2.4 respectively for those two years.
A Department of Justice spokesman said Hong Kong had a specialised department tackling computer crimes, and is at the forefront in tackling commercial crimes, including computer and electronic crime.
This is an edited version of a story which ran in the Sunday Morning Post on April 4