Government misled LegCo over HKIDs
12 April 2021
In 2013, facing opposition from investors (led by Webb-site), professionals, businesses and the media, the Government withdrew a proposal to redact Hong Kong Identity (HKID) card numbers from the Companies Registry.
Now it's back, and the Government hopes to ram it through a neutered Legislative Council (LegCo), first submitting a discussion paper to the Financial Affairs Panel (FAP) for its meeting last Friday, 9-Apr-2021. At the meeting, Secretary for Financial Services and the Treasury Christopher Hui Ching Yu (Mr Hui) told the FAP (at 13:13:55 in the English-dubbed video):
"In April we conducted a study. We found that there were 588,000 entries on the register and only 8 of them have the same name and the same 4 digits on the ID card, so the probability is very low." (English translation)
Oh, really? This contradicts the position in a consultation paper published on 17-Dec-2009 by the Government-appointed Standing Committee on Company Law Reform, which said (para 7.15(a)):
"in view of the fact that different persons having the same name are quite common in Hong Kong, restricting access to identification numbers may deprive the public of a means of uniquely identifying individuals, and might make it easier for the dishonest to escape creditors or otherwise engage in fraudulent activity. The option of masking 3 or 4 digits of an identification number would not serve the purpose of identifying a person as there are cases of persons with the same name having similar identity card numbers;"
Also, in a defensive press release on 31-Mar-2021, the Government claimed that the partial HKID (the prefix letter(s) and 3 digits of the HKID) "should be sufficient to enable searchers to ascertain the identity of the director concerned".
Really? So, how big a risk is mistaken identity? Is Mr Hui correct that out of more than half a million people in the register, only 8 (pairs) have the same name and the same 4 digits on their HKID? Of course not, and we'll prove it. A brief reminder: HKIDs have a 1-letter or sometimes 2-letter prefix followed by 6 numerals. So if 3 numerals are masked (any 3 of 6), there are 1,000 possible HKID numbers behind the mask. There is also a check-digit (in brackets) on the card, which can be calculated using our handy generator here. Conversely, if one numeral is redacted in the HKID, it can be calculated if the check-digit is known.
We didn't have to look far to find matches. We picked just one common name, "Chan, Chi Keung". That is, we entered family name "Chan" and given name "Chi Keung", into the Companies Registry ICRIS search system. It's the most fun you can have for HK$22 on a Sunday afternoon, although it really should be free (article here), like grown-up registries in other countries/places.
The result was 245 records, of which 243 showed a redacted HKID, none used a passport (the alternative to HKID) and 2 had neither an HKID nor a passport. One of the records, currently the 180th in the sequence, had a malformed HKID of "E30031***)" in the passport field. It should actually read "E30***4" in the HKID field.
It did not take us long to find a match:
We verified that these are different people - one is D301704 and the other is D307144. In each example, we won't tell you which order they are in, even though the information is publicly available and you can find it yourself (it's in the source code of the results page) - so we're not identifying anyone. The point here is just to prove that there are different people behind the masks, by allowing fellow journalists and others to enter the HKIDs and retrieve the name "Chan, Chi Keung".
Here's another pair:
They are in fact E741628 and E745318. And another:
They are in fact E810705 and E812355. And another pair (the first and third entries, ignore the middle entry):
These are in fact G448179 and G448639. Notice that the 4th character is the same, "8", so they only differ by 2 digits. Even if the Registry were to display 5 characters and redact only two, as in "G448**9", they would still appear the same. And here's another:
These are in fact G635260 and G638460 - again, they only differ by 2 digits, so would be the same if masked as "G63**60". Are you counting? Here's our 6th match:
These are in fact G644167 and G645047. There are 2 more pairs of names sharing the same masked ID. They appear at different points in the sequence, because in each pair, one has a Chinese-character name and the other does not.
- The 7th pair, currently 5th and 212th in the sequence, show the HKID as "A94***5". They are different people, A940655 and A946685 (again, only 2-digits apart).
- The 8th pair, currently 38th and 215th in the sequence, show the HKID as "D15***3". They are different people, D159443 and D150573.
So just by searching for a single name, we found 8 pairs of people with the same name and same masked ID, showing how real the risk of mistaken identity is. And you will recall that Mr Hui claimed they could only find 8 matches in the entire database, not just with one name like we did. Given that there are many other popular names in HK, there are probably hundreds or thousands of other pairs.
Incidentally, in these 245 records, there were also 21 double entries: that is, a person had used the same ID with 2 variations of his/her Chinese-character name (blank, or slightly different characters), 2 triple-entries and 1 quad-entry (take a bow, E30***4). So in fact, there were 215 unique IDs and 2 records with no form of ID, all with the English name "Chan, Chi Keung".
We hope that LegCo takes note of this and sends Mr Hui back to his database to tell us the true number of 4-character matches in his 588,000-people database, which is surely more than the 8 we found. What a confusing place Hong Kong is becoming. How ironic that the Government passed a law in 2019 prohibiting face masks in public assemblies so that people could be identifiable, arguably deterring them from committing crimes, but now wants to mask the identities of people trading with the privilege of limited liability, incentivising fraud and corruption. Masks may protect people from infections but sunshine is the best disinfectant in the Companies Registry. Keep the masks off the HKIDs, and drop the paywall while you are at it.
If you have a view on this, please drop an email to the LegCo Financial Affairs Panel at firstname.lastname@example.org.
Late last night at 23:20, the Government published a response (Response) to this article without directly citing it. The Response claimed that our search used "any three out of the six numbers instead of the first three". That claim is false because, as shown above, we didn't pick which numerals to redact: the Companies Registry does that - these are direct screenshots from the registry search. We did not selectively choose different numerals to redact. Currently, they are redacting the 3rd to 5th numerals; in future they plan to redact the 4th to 6th numerals.
If the registry shifts the 3-digit mask, it will make no difference to the probability of a match, because there will still be 1000 possible HKIDs that look the same when masked. The only circumstance in which the probability would change is if the numbers are not fully utilised or unevenly distributed - for example, if they stopped issuing sequential numbers at 499999, then blanking the first 3 digits would only have 500 possible matches, while blanking the last 3 digits (as proposed by Government) would have 1000 possible matches and a higher risk of mistaken identity. However, we know from Webb-site Who's Who that the number space in many letters was exhausted long ago - and a few years from now they will have to start using ambiguous letters like O or Q (which can look like zero when written) or more likely move to a regular double-letter system.
Apart from immigrants, numbers are generally issued on birth certificates and become HKIDs when the holder reaches 11. By the time they are old enough to be directors at age 18, the numbers in their alpha-numeric sequence will likely be exhausted. More info here and here.
Second, in the Response, the Government admitted that its search only involved current directors of current companies, not former directors of current companies or former directors of dissolved companies. There are currently about 3 million companies in the register, of which 1.4 million are active. To anyone performing due diligence or investigative journalism, the past and present directorships are all relevant, so the Government's search was artificially constrained. Searchers need to know whether the director has left a trail of corporate bankruptcies behind her, or has been associated with other individuals via former directorships of the same company - so the proper test is the whole database, not a smaller subset.
Third, in the Response, the Government claimed that it could only find 8 pairs with "identical Chinese and/or English full names". The problem there is that directors use variations of their names when filing, sometimes with or without a Chinese name, sometimes omitting an English given name. So the same person may file as "Peter Chan", "Peter Chan Chi Keung" or "Chan Chi Keung", with a chinese name given as "陳志強" or "陳志强" (look closely, the third character is different). A person born in the mainland may use "Zhang" rather than "Cheung", "Wang" or "Huang" rather than "Wong" and so on. So if the HKIDs are masked, then a simple search by English or Chinese name won't capture all of his past and present directorships, while a full HKID would do so.
Fourth, given the poor state of the registry's web site, we have no confidence in the I.T. department that even their narrow search of current company directors was executed correctly - for example, did they treat 2 people with the same English name, same masked HKID, but one of whom did not state a Chinese-character name, as different? What about the same English name but slightly different Chinese characters? Searchers should be able to use English, still an official language in Hong Kong and the language of international finance, if Hong Kong is to maintain its role as an international financial centre.
Finally, the whole point of an identity number is to uniquely identify someone, a more precise version of a person's name. Any masking of results will frustrate that objective. The HKID is not a secret and should not be abused by commercial entities as a password for services instead of setting up a secure password or other authentication method only for that service. Without a full HKID, searchers will not be able to match results across other public registries such as the Land Registry and obtain public information about the unique individual.
This goes further than directorships and property ownership - look for example at the list of appointees to public bodies such as District Fight Crime Committees (soon to elect seats in the rejigged Chief Executive Election Committee) and you will often find common names with no indication of who they are. Which "Wong Chi Chung", for example, sits on the Eastern District committee? We have no idea. The Government should disclose full HKIDs when appointing people to any public body, or including them in any public licence register, so that the public can know to whom they are referring and the media can investigate any conflicts of interest they may have.
For more on this subject, listen to our discussion on RTHK Radio 3 "Backchat" this morning, podcast here.
© Webb-site.com, 2021