Guidance on requesting App system access permission by TC260
On 20 September 2020, the National Information Security Standardisation Technical Committee (TC260) published the Practice Guidance on Requesting System Access Permission via Mobile Applications (Apps). The Guidance addresses typical non-compliant operations such as not giving users the option to deny system-access requests, sending frequent or excessive requests, bundling requests for a single permission, collecting personal information without authorisation, and misusing sensitive permissions. The Guidance sets out basic principles regarding how App operators will request system access permissions from users, as well as specific requirements on how the 10 typical Android system access (e.g. requests to access contacts, SMS, call logs, locations, etc.) will be handled.
Among other requirements, the Guidance provides that each system access (either by the App or any of the integrated SDKs) must be specified clearly in manifest documents (e.g. AndroidManifest.xml). If a user denies a permission request, no additional requests for the same access should be sent to the user within 48 hours. No unalterable unique device identification codes (e.g. IMEI or MAC address) should be collected unless used in the context of security risk control. When accessing cameras, microphones, locations or other systems to obtain personal sensitive information, explicit notifications should be given to users and no personal information should be collected in any unnoticeable manner. The following functions should only be activated by users after they have been fully informed of this information: making calls and sending messages; turning on or turning off Wi-Fi, Bluetooth, or GPS; shooting, recording, or making screenshots or screen recordings; accessing or creating text messages, contacts, or other personal information contained in clipboards or public storage without authorisation.
Please click here for the full text (Chinese only) of the Guidance.
Draft security guidance on integrating third-party SDKs in Apps
TC260 published a draft guidance concerning the secure integration and use of third-party software development kits (SDKs), which refer to toolkits provided by third-party service providers or developers to implement certain functions of an App (e.g. pushing messages or marketing materials, conducting statistical analysis, enabling third-party account or log-in or facial recognition, providing payment, mapping, or customer services, etc.).
The draft focuses on common problems involved in the use of third-party SDKs, such as inherent security vulnerabilities of SDKs (e.g. the ZipperDown vulnerability event), malicious SDKs (e.g. the “parasitic push” event), and illegal collection of personal information via SDKs. Tailor-made to each type of problems, the draft recommends certain measures to both App operators and SDK developers while taking into consideration current mobile-internet technologies and application scenarios.
For example, consider the common complaint that users have not been properly informed that their personal data has been processed by third-party SDK developers during their use of certain Apps. Without knowing the purpose, method, or scope of the collection (or even noticing the collection itself), their personal information may have already been transferred to the third-party's servers or shared with other parties. The draft points out that this is largely due to the lack of independent display pages or interfaces of third-party developers. As a result, if third-party developers collect personal information directly from users and act as data controllers, the App operator when integrating such third-party SDKs into the App will provide separate pages, links or other convenient channels for the third-party developers to display their own policies and obtain informed consents from users.
Please click here for the full text (Chinese only) of the Draft Guide.
Hong Kong appeals court dismisses Uber driver challenge of hire-car permit regime
On 1 September 2020, the Court of Final Appeal upheld the convictions of 24 uber drivers for contravening s.52(3) of the Road Traffic Ordinance (Cap.374) (RTO), which makes it an offence to drive a motor vehicle for the carriage of passengers for hire or reward without a hire-car permit. The appeal request lodged by the drivers impacts the legality of Uber’s business model in Hong Kong.
On 23 September 2020, the Court of Final Appeal handed down the 32-page written judgment after examining the overall regulatory scheme of hire-car permits and the legislative history of the Road Traffic Ordinance (Cap. 374). The court also considered the argument that since the Uber business model was not contemplated by lawmakers when enacting s.52(3) of the RTO, it could not have been the legislative intent to criminalise the conduct of Uber drivers. In the end, the Court took the view that the prohibition on the unlicensed carriage of passengers for hire or reward must cover Uber drivers because this type of activity falls “well within the mischief” targeted by the law. In particular, the Court noted that “whether ride hailing services should be permitted to operate in Hong Kong, on the other hand, is a question of transport policy, not a question of law, and is not a matter for the Court to determine.”
The decision of the Court of Final Appeal is no doubt a blow to Uber’s operations in Hong Kong. Uber has reportedly requested meetings with the Hong Kong government to find a solution.
Hong Kong has been slow in developing regulations for ride-sharing Apps as well as other sharing-economy business models. Although Hong Kong was one of the first international cities that Uber moved into as it rapidly expanded outside the US, it has been operating in a grey area over the past six years. The latest legislative development impacting Uber concerned a 27 March 2020 research paper published by the Reason Office of Hong Kong Legislative Council Secretariat and entitled “Regulations of Ride-hailing Apps in Selected Places”.
IAMAI Self-Regulation Code signed between OTT platforms in India
On 4 September 2020, the Internet and Mobile Association of India (IAMAI) developed a “Universal Self-Regulation Code for OCCPs” (i.e. online-curated content providers). This code has been signed by 15 OTTs, including Netflix, Amazon Prime Video, Jio Cinema, and many more. While some OTT platform providers followed their own self-censorship codes in the past, this is new for others, such as Netflix. The code requires signatories to set up their own framework for age classification, title descriptions, and parental-control tools. It also includes a requirement for a consumer-complaints framework, which covers a method for consumers to voice their complaints, as well as an internal consumer-complaints department or advisory panel (consisting of a minimum of three members, including an independent external advisor and two senior executives from the platform). The code has been in effect since 15 August 2020.
The official IAMAI press release can be found here.
Recommendations on Cloud Services by Telecom Regulatory Authority of India
On 14 September 2020, the Telecom Regulatory Authority of India (TRAI) published Recommendations on Cloud Services, after going through multiple consultations and feedback sessions since publishing its first set of recommendations on 16 August 2017. The recommendations start with establishing a non-profit industry body that will provide consultation and guidance to the regulator on the appropriate level of rules needed for a “light touch regulatory framework”. It has been recommended that the initial industry body be registered under the Societies Registration Act, and for the structure to be reviewed after two years, including whether further sub-entities are needed to cover different market segments. The Cloud Service Providers (CSPs) that need to enrol with the industry body are providers of IaaS and PaaS services in India, with an option for SaaS providers or other CSPs enrolling voluntarily for membership if they wish. The industry body and the resultant regulatory framework seek to draw a line between regulation of cloud services and the regulation of telecommunication services, while acknowledging that an increasing number of CSPs rely on telecommunication services.
The full TRAI report can be found here.
SAL Report on attribution of civil liability for accidents involving autonomous cars
In September 2020, the Singapore Academy of Law (SAL) Law Reform Committee (LRC) published its third report under the series “Impact of Robotics and Artificial Intelligence on the Law”. The third report, entitled “The Attribution of Civil Liability for Accidents Involving Autonomous Cars”, considers challenges that automation raises for laws, principles and practices applied when accidents occur, and compares each issue and regulatory framework to non-autonomous vehicles, such as identifying the party liable for an accident, establishing that party’s liability, and assessing a relevant defence. In particular, the report addresses whether the current fault-based negligence framework in Singapore can continue to apply. This report contains case studies of legislative approaches in the EU, US and Japan. Having been recently ranked first in the 2020 KPMG Autonomous Vehicle Readiness Index, this report explores how Singapore can continue to be a leader in this field, since many governments are adopting a “wait and see” approach.
The official SAL report can be found here.
MOUs between Singapore and Chongqing businesses to encourage innovation collaborations in manufacturing, logistics and tourism
As of 15 September 2020, as part of the Smart China Expo 2020 (held online), Singapore and Chongqing businesses signed 17 memoranda of understanding (MOUs) to explore digital transformation and connectivity collaboration opportunities amid Covid-19 restrictions. MOU signatories not only included local businesses, but district governments and banking institutions. The Joint Innovation Development Fund (JIDF) evaluation committee endorsed fourteen joint proposals from Singapore and Chongqing companies. The JIDF consists of funding of RMB 40 million, funded by the Singapore Infocomm Media Development Authority (IMDA), Enterprise Singapore and Chongqing Application Development Administration Bureau. The MOUs cover a wide range of projects, such as partnerships to build new fintech industrial parks, develop a smart elderly home-care system, promote application development, cooperate on AI technology for smart transportation and smart buildings, and launch an international blockchain-based platform for freelancers in Singapore and Chongqing.
The official IMDA press release can be found here.
Singapore to use facial recognition in national identity scheme
The Government Technology Agency of Singapore (GovTech) announced that it will allow biometric checks for Singaporeans to access services under its National Digital Identity (NDI) programme, which provides an identity verification method for individuals to access various government services. The cloud-based facial verification biometric technology is provided by iProov, a UK company, and implemented by Toppan Ecquaria. iProov previously provided authentication technology in the UK, including to the NHS and the UK Home Office. After undergoing initial trials in the Singapore tax office and DBS, a major Singapore bank, it will be rolled out nationwide.
The facial recognition technology works through a camera on a mobile device, computer or a kiosk, to confirm that the user undergoing the authentication process is the correct person using the service and a real person. An individual's awareness and consent is one of many requirements from GovTech in using this technology, which can then replace existing verification methods, such as sending an SMS passcode. Companies that sign up to the national biometric verification scheme will not need to collect any biometric data for itself, and will instead rely on a score indicating how close the scan is to the government file image of an individual.