Hong Kong gov’t hires Shenzhen company to build new email system, raising security concerns

The government has awarded a HK$237 million contract to a Shenzhen company to build, support and maintain a new centralised email system for 22 bureaus and departments. The announcement raised security concerns despite the government saying that the contractor will not be able to access user data.

Old email systems such as Domino and Exchange have long been in use at the Hong Kong government. The Office of the Government Chief Information Officer (OGCIO) – under the Innovation and Technology Bureau – started a tender process in March last year, and applied to the legislature for funding to build a new centralised system. It was approved last November by the Finance Committee.

The contract was awarded in February to a Shenzhen firm named Richinfo Technology Company Limited, which is listed on the Shenzhen Stock Exchange. It will work with the OGCIO to provide services for the daily operation and maintenance of the email system for seven years.

Several lawmakers raised concerns over the matter last year. They asked the OGCIO to explain the reasons for the proposed Centrally Managed Messaging Platform (CMMP), and answer questions on security issues.

In a reply last July, the OGCIO said the current email system architecture was built on a decentralised model, which was incompatible with new technology such as cloud computing. It said that the system lacked security protection functions such as security patches and encryption standards. The system also failed to use computing resources optimally.

“All communications over the network relating to CMMP will be encrypted to safeguard information security,” it said. “When handling e-mails containing confidential information, users will encrypt each confidential e-mail separately with their own digital certificates to ensure that only the sender and the recipients can read the e-mails.”

“Moreover, the accounts of CMMP will be protected by the management system and an independent audit trail mechanism that can record activities in the system. No unauthorised persons, including Contractor staff, can access user data.”

“As for the daily operation and maintenance, all work involving sensitive information (including user data) will be handled by the staff of OGCIO as in the existing arrangements. Contractor staff cannot access such information.”

It added that security specifications of the system will follow government regulations, while the primary server and disaster recovery facilities will be housed at government data centres in different districts.

The awarding of the contract was posted on a Government Logistics Department website and reposted on social media by an IT industry concern group on Wednesday. The post expressed concern that the move would allow authorities in Beijing to access the Hong Kong government’s internal information.

“Everything in the government has been taken over by mainlanders, even internal communication systems were awarded to a mainland company, and the cost was not cheap – why did it get the bid? You understand why,” one commenter said.

“Why doesn’t the Innovation and Technology Bureau move its office to Shenzhen? What’s the point of them staying in Hong Kong?” another joked.

Wong Ho-wa, an IT sector member of the chief executive election committee, told HKFP that the data will only be stored in Hong Kong, according to the tender.

“The important thing is that there must be an audit of the system after it is completed,” he said.

“Anyway, I think public concern is justified,” he said, adding that it was “weird” for such a project to be granted to a mainland company.

Local participation

At a Finance Committee meeting last November, IT sector lawmaker Charles Mok asked if the government’s requirements were too strict. He said local companies would have a hard time winning the contract.

In response, Deputy Government Chief Information Officer Victor Lam said that the government would not rule out awarding the contract to local or overseas companies. Lam also said bidders must fulfil all requirements of the tender, then the government would choose the one with the lowest bidding price.

“In our understanding, many local companies are interested in participating in this project,” Lam said at the time.

“The requirements are appropriate. This is a rather large-scale project involving 10,000 users. There must be a 99.95 per cent [reliability] for the 10,000 users. If companies do not have the experience to do this, we would not have the confidence to implement this system.”

“If local companies cannot do so on their own, they can also work with larger companies to create this system.”

Support HKFP  |  Code of Ethics  |  Error/typo?  |  Contact Us  |  Newsletter  |  Annual & Transparency Report