BIGGEST INHIBITOR TO THE
ADOPTION OF CLOUD COMPUTING
SENSITIVE DATA IN THE CLOUD
• More data, more storage, more risks
• Identifiable personal information examples
• Credit card information
• Medical records
• Tax records
• Customer account records
• Human resources information
• Banking and insurance records
• Browsing history, emails and other communication
• Sensitive personal data?
CLOUD SECURITY - STAKEHOLDERS
How to select a cloud vendor?
• How to satisfy
• How to remain
• How to ensure
• Are my data safe in the
• Would I know if there is
ISSUES ON CLOUD SECURITY
Is the data
spying or attacks?
What is the level
of control and
Where is the
What to do with
data in transit &
Who can see
control of data
Info on 3rd
• Some countries have laws restricting storage of data
outside their physical country borders: India, Switzerland,
Germany, Australia, South Africa and Canada
• EU: Data Protection Directive; Safe Harbor Principles – no
sending PII outside European Economic area unless
• USA: US Patriot Act, 40+ states have breach notification
laws (25 states have exemption for encrypted personal
• Canada: Freedom of Information and Protection of Privacy
• Section 33(2)(f) of Personal Data (Privacy) Ordinance,
• Standard discussions through HK/Guangdong Expert
Committee on Cloud Computing Services and
• Guidelines and information via infocloud.gov.hk
Can we still trust the 'cloud'?
What are the local laws that govern data being
collected, transferred and stored?
COMMUNICATIONS – GOVERNMENT
• Article 30 of the Basic Law specifies that the freedom and privacy
of communication of Hong Kong residents shall be protected by law.
• Interception of Communications and Surveillance Ordinance (Cap
589) -- since 2006
• Regulates law enforcement agencies' lawful interception of
communications and covert surveillance operations for the
prevention and detection of serious crimes and the protection of
• Not applicable to non-public officers, and cannot be used to apply
to non-governmental bodies and individuals.
• LEAs are required by the ICSO to obtain an authorization from a
panel judge or a designated authorizing officer prior to any
interception of communications and covert surveillance operations.
COMMUNICATIONS – NON-GOVT
• s24 of Telecommunications Ordinance (Cap 106) does not allow a
telecommunications officer, or any person who, though not a telecommunications
officer, has official duties in connection with a telecommunications service to wilfully
intercept any message
• s27 of Telecommunications Ordinance (Cap 106) imposes prohibition on any person
who damages, removes or interferes with a telecommunications installation with
intent to intercept or discover the contents of a message
• s29 of the Post Office Ordinance (Cap 98) states that no person shall open any postal
packet or take any of the contents out of any postal packet or have in his possession
any postal packet or mail bag or any of the contents of any postal packet or mail bag
or delay any postal packet or mail bag
• If such activities involve the collection of personal data, they are subject to the
provisions of the Personal Data (Privacy) Ordinance.
• Hacking of computer systems is dealt with mainly by section 161 of the Crimes
Ordinance (Cap 200) (obtaining access to a computer with intent to commit an offence
or with a dishonest intent) and section 27A of the Telecommunications Ordinance
(Cap 106) (obtaining unauthorized access to any computer by telecommunications).