
Firms should not use ID card numbers

PUBLISHED : Tuesday, 26 March, 2013, 12:00am
UPDATED : Tuesday, 26 March, 2013, 3:28am

Privacy Commissioner Allan Chiang has an unenviable job; he is a toothless tiger trapped between growing public awareness of privacy and security, and data users and aggregators who do not want to change their lax practices.

However, in his letter ("Irresponsible not to respect and protect ID card numbers", March 15), he ignores the relevance of data protection principle 4, requiring protection against unauthorised access. Setting a password to something that is widely known is negligent. Organisations using our Hong Kong identity card numbers as passwords have no reasonable excuse to think only we know our number. In addition to each company we have told, they are known by our families, schools and the security staff of some buildings.

Authentication is the process of verifying an identity, and Mr Chiang is wrong to call the distinction "meaningless". Anyone could claim to be "Allan", but if we add more information, we can distinguish between myself, Allan Dyer, and Allan Chiang. Perhaps there are two Allan Chiangs; the HKID number allows us to distinguish between them. However, just because someone identifies himself as Allan Chiang, with a particular ID card number, does not make it true. We might demand to see their ID card and compare their face to the picture before we accept that person is our privacy commissioner.

The Personal Data (Privacy) Ordinance gives us some control over how our personal data is used. Mr Chiang calls disclosing ID numbers "irresponsible" without recognising how often we expose personal data.

We expose our ID number when we open a bank or utility account, because these firms need to know who is responsible for the bills. When someone becomes a company director, they are responsible to shareholders, so it is right that their exact identity should be known. Mr Chiang is putting convenience and "efficiency" above security.

Activating my credit card at my bank branch once every few years is not onerous, compared to the risk of loss and inconvenience from identity theft. Also, there are strong alternatives for remote authentication, such as using a digital certificate from a certification authority recognised under the Electronic Transactions Ordinance.

The privacy commissioner should warn firms not to set passwords to any ID card number because they are widely known. The government should promote better security practices, including digital certificates. The Monetary Authority could insist online banking sites must accept digital certificates from a recognised certification authority.

Allan Dyer, Wong Chuk Hang

This article is now closed to comments

captam
Thank you Mr. Dyer for writing to the editor on this subject.
Your views are exactly in line with my on-line comment which was posted on 15 March, following publication of Chiang's silly letter "Respect and protect ID card numbers".
It is unfortunate that so few people get to read the on-line "comments".
