The head of the Census and Statistics Department has said it would take years for hackers to decrypt personal data in two missing tablet computers.
The department reported the missing devices to the police in July and August last year, after they were lost during the 2016 census. But it only revealed the matter to the public on Tuesday night upon enquiries from local media.
Leslie Tang Wai-kong, Commissioner for Census and Statistics, denied that the department tried to cover up the incident.
He said on a RTHK programme on Wednesday that the department immediately reported the cases to the police and the 46 people affected. The Office of the Privacy Commissioner was satisfied with the remedial measures taken, he said, adding that the department attached great importance to the privacy of census respondents.
Tang also said the department sought advice from government tech experts, who said the risk of leaks was very low as it would take years to decrypt the devices.
“Even if there was a hacker, would it be worth years of their time trying passwords to obtain the personal information inside?” he said, adding that the tablets only contained information on basic population statistics.
Asked if those who lost the tablets were punished, Tang said most of the census officers were university students and not department staff members.
Security still needed
IT sector lawmaker Charles Mok said Tang’s claim that it would take years to decrypt the data was unfounded.
“If so, does that mean no security is needed for any data once it is encrypted? That encrypted data can be shared with everyone? Of course not,” he said.
“We cannot accept that official announcements were only made after media enquiries,” he added.
Last week, the Registration and Electoral Office announced that it lost two laptops containing the personal information of all registered voters. The Office also said the computers were encrypted and thus “extremely difficult to break through.”
Mok said the Office has yet to explain whether the computers were turned on when they were stolen, what kind of encryption was used and who has the encryption keys: “No one can say for certain that it cannot be decrypted.”
“I believe the government, first of all, should conduct an overall investigation or examination of various government departments, in addition to these two, that have been holding, handling personal data from citizens, to make sure that they have been fully in line with the [government] IT guidelines,” he said.
“In these cases, they are probably not fully in compliance with those guidelines.”
Mok has launched a campaign asking the public to file complaints to the privacy commissioner using an online platform.
The anti-corruption watchdog has arrested 72 people in the Information Technology Functional Constituency for alleged vote-rigging activities during the the 2016 Legislative Council election.
Mok welcomed the action and said he hoped it will send a strong message to people trying to influence or interfere with the results in unlawful ways.
“We should hope the ICAC would be able to fully investigate and find out who are the people who are really behind it,” he said.
Mok said the government should respond to demands from the industry to increase the number of voters in the sector by making the members of more industry organisations eligible to vote.
He also said the Registration and Electoral Office should confirm that voters are truly IT sector professionals before allowing them to vote.