Category: data loss

Japanese data losses expose surveillance of foreign residents

A scandal over leaked security documents has exposed the Japanese security service’s monitoring of foreigners, amongst other ‘anti-terrorist’ operations. The documents were posted on the web in November, and according to a report in the Yomiuri Shimbun last month, include “a list of foreigners being monitored by the division, and files related to secret police strategies – for example, guidelines for nurturing informants”.

Not only does this expose the concentration of the Japanese security services on foreigners, many included on the list simply by virtue of being ‘foreign’, rather than being any actually determined threat, but it is also a reminder that the Japanese laws on information sharing, leaking and so on, are archaic. As the newspaper says:

“At present, there is no law to punish those leaking confidential information. Even worse, stealing electronic data is not included in the list of offenses punishable under the Penal Code. In many cases, this makes it impossible for suspects to be held criminally responsible.”

I am not quite sure that the theft of electronic data is actually unpunishable, at least from conversations I have had with specialists in Japan, however I should add that there is, I am told, no law against selling stolen electronic data, which means that even if the theft could be punished, it would not reduce the economic incentives to steal data (which I have mentioned before is not uncommon).

Then of course there is the wider issue of whether it serves a higher purpose that this information is released anyway. No doubt it does embarrass the government, but there is not reason to think that this actively compromises real security in Japan as the NPA are quoted as claiming. If anything this does us a favour in reminding just how prejudiced much of the Japanese state’s relationship with its foreign residents, especially those who are non-white, is, and how much state surveillance is directed at them.

(thanks to Ikuko Inoue for sending me this story)

Latest round of Wikileaks shows nothing new, but changes everything

The ongoing Wikileaks revelations have been fascinating, but the latest round, those of US diplomatic cables, are perhaps the least revealing thus far. Basically, there’s a lot of the usual personal opinion and gossip that one would expect and the unsurprising revelations that the US gathers information on its allies as well as its enemies. The only really challenging insight is that Saudi Arabia want Iran dealt with far more urgently, it seems, than Israel. But then, even that is hardly unexpected given the religious and political gulf between those two states.

The more important thing for the longer-term is the process going on here, the fact that nation-states, even powerful ones, no longer seem to be able to have complete control over the information that they generate. Potentially, this is not about international relations at all or about any one particular nation-state, but potentially challenges the asymmetrical relationship between all nation-states the their peoples. Of course, there are already right-wing US politicians scrambling to label Wikileaks as a terrorist organisation, which just shows how corrupted the use of the idea of ‘terrorism’ has become, but below this, it demonstrates the very real fear of losing control amongst the political elite. The problem is that, with the current wave of nationalism sweeping the USA, such desperate sentiments play well to the gallery…

Private Sector Data Losses

People often concentrate rather too much on abuses by the state of personal data. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, but yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indeciferable text about what a company might do with your data. I hope that whatever firm this is, it gets hits where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

Private sector data loss in Japan

I’ve blogged a fair bit in the past about state and private data losses in the UK. In Japan too this has been a big problem, and is a reasons given by central government for the need to centralise databases and by opponents talking about the risk of such centralisation.

The latest major data loss, just the other day, was by the giant banking combine, Mitsubishi UFJ Nicos, which accidentally ‘threw away’ personal data on almost 200,000 customers from 1993 to 2001. Of course MUFJ Nicos say there is no security or financial risk, but then organisations in these situation always say something like that…

Not all of these data losses are accidents however. Back in April, another part of the Mitsubishi keiretsu (a Japanese term for a loosely-connected ‘family’ of companies), Mitsubishi UFJ Securities, fired one of its managers, Hideaki Kubo, who is alleged to have stolen personal data on almost one and and half million customers, and had allegedly already sold data on 49,000 to data brokers for the rather unimpressive sum of just 32,0000 Yen (around $3200 US). He is believed to have had considerable debts.

In short, it doesn’t matter how strong your firewalls are, or how good your computer security is, if there is an employee, or a government bureaucrat with access to sensitive data, who is in financial difficulty or who is simply aggrieved or greedy, then data will leak out. The risks are not small, in fact it seems almost inevitable, and I believe that the number and scale of such losses are probably significantly under-reported by both private firms and government. Of course, it is also significant just how many supposedly reputably companies are prepared to pay for stolen data. This trade is certainly not taken seriously enough by regulators in most countries…

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

A juki-net footnote

I had a conversation yesterday (not a formal interview) with Midori Ogasawara, a freelance journalist and writer who used to report on privacy issues for the Asahi Shimbun newspaper. This was mainly to set up further interviews with those who are or were involved with campaigns on surveillance and privacy issues in Tokyo. However I also managed to clarify a few of my own questions about juki-net and the opposition which it attracted.

In short, there seem to have been several objections.

  1. First of all was the objection to the idea of a centralised database, which was able to link between other previously separate databases.
  2. Secondly, there was the fact that this was the national state asserting authority over both local government and citizens. Both Local Authorities and citizens groups had argued for ‘opt-in’ systems, whereby firstly, towns could adopt their own policies towards juki-net, and secondly and more fundamentally, individual citizens could decide whether they wanted their details to be shared.
  3. The third objection was to there being a register of addresses at all. Many people saw this simply as an unnecessary intrusion onto their private lives, and in any case, the administration of welfare, education and benefits worked perfectly well before this (from their point of view) so why was such a new uniform system introduced?
  4. Next there were objections based on what was being networked. The jyuminhyo (see my summary from the other day) is not actually a simple list of individuals and where they live, but is a household registry. It might not, like the koseki, place the individual in a family line, but is still a system based on patriarchal assumptions, with a designated ‘head’ of the household, and ‘dependents’ including wives and even adult children.
  5. Finally, there was the question of the construction of an identification infrastructure. Whether or not juki-net is considered as an identification system, and it does have a unique identifying number for each citizen, and has the potential to be built on to create exactly such a comprehensive system of national identification. Lasdec, who we talked to the other day, may not approve of this, or believe it will happen, but they are only technicians, they are not policymakers and don’t have the power or the access to know or decide such matters. And in the end, if they are required by law to run an ID system then they will have to run it.
  6. There were, as I already mentioned, objections to the potential loss or illicit sharing of personal information. I don’t think this is intrinsic to juki-net, or indeed to database systems, but of course both databases and networks make such things easier. People are also quite cynical about promises of secure systems. Lasdec may say that that juki-net is secure, but there have been enough incidences of government data leaks in the past for people not to accept such assertions.
  7. Finally, Juki-net connects to the border, passport and visa system. The reason that foreigners will finally be included on the jyuminhyo (and therefore juki-net) from 2012 is not therefore to respond to long-term foreign residents’ requests for equal treatment but in fact to make it even easier to sort out and find gaikokujin, check their status, and deal with unofficial and illegal migrants. Groups campaigning for the rights of foreign workers (mainly the exploited South-East Asian and Brazilian factory workers) have therefore been very much involved. Of course it also makes it possible to connect the overseas travel of Japanese people to a central address registry.

I’ll be meeting Midori again soon, I hope, along with other researchers and objectors. I am also still hoping to be able to talk to officials from the Homusho (Ministry of Justice) and the Somusho (Ministry of Public Management, Home Affairs, Posts & Telecommunications), but they are are currently passing around my request to different offices and generally delaying things in the best bureaucratic traditions!

Identification in Japan (Part 2): Juki-net

As I mentioned yesterday, one of the big developments in state information systems in Japan in recent years has been the development of the jyuminkihondaichou network system (Residents’ Registry Network System, or juki-net). Very basically juki-net is a way of connecting together the 1700 (recently restructured from 3300) local authorities’ residents’ registries (jyuminhyo). These are a record of who lives in the area and where, that are held on a multiplicity of different local computer (and even still, paper) databases. Japanese government services are always struggling to catch up with massive and swift social changes, particularly the increased mobility of people, that made first the Meiji-era koseki (family registers) and then the disconnected local jyuminhyo (which were both themselves introduced to deal with earlier waves of increased social and spatial mobility) inadequate.

Operational from 2002, juki-net is restricted by law to only transmitting four pieces of personal data (name, sex, date-of-birth and address), plus a randomly-generated 11-digit unique number. Nevertheless, the system was strongly opposed and has sparked multiple legal challenges from residents’ groups who did not want to be on the system at all, and who considered the risk of data leakage or privacy violation to be too great for the system to be lawful. These challenges were combined together into one class-action suit, which finally failed at the highest level, the Supreme Court, in March 2008. The court ruled that juki-net was constitutional and there was no serious security risk in the system itself but according to some analysts did not address the possibility of mistakes being made by operatives. But this would seem to me to be a problem of data protection in general in Japan, rather than an issues that is specific to juki-net. Like Brazil, but unlike Canada and the UK for example, Japan has no independent watchdog agency or commissioner for safeguarding privacy or kojin deta (personal data), and other than internal procedures, the courts are the citizen’s only recourse. In any case, as Britain’s comparatively frequent incidence of data loss by public authorities shows, even having such a system does not necessarily make for better practice. There is in Japan, as in Britain, training and advice in data protection provided by a specialist government information systems agency.

We interviewed officials at that government agency, Lasdec (the Local Authorities Systems Development Centre) today. Lasdec also developed and runs juki-net and is responsible for the new jyuminhyo / juki-net card that enables easy access to local (and some national) services via the web or ATM-like machines at local government offices. Unsurprisingly they were quite bemused by the opposition to juki-net, which they say was based on a lack of understanding amongst citizens about what it was, and a general fear of computers and databases. They argued that many people (including one or two local authorities) had the impression juki-net was, or was planned to be, an extensive database of all personal information held by different parts of the government, or even was the basis for a new system of national identification or indeed was a new system of national identification – indeed that was the impression one got from reading both Japanese and foreign civil and cyber-liberties groups’ reports in 2002/2003 with plenty of stories of the new Japanese ‘Big Brother’ system (see the archived collection here for example).

However Lasdec argued that both ideas were incorrect. The officials recognised both that the 11-digit unique number was adapted from a previous failed identification scheme, and that juki-net could in theory become the basis for any proposed future national ID scheme, but this was prevented by the enabling law. In any case juki-net was not even the best existing system on which to base an ID system: passport, driving licence and healthcare databases all had more information and certainly information with higher levels of personal identifiability – and no-one seems to be objecting the amount of information contained on the driving licence system, for example. Juki-net has no photos or other biometric data and no historical information. Likewise the residents’ card can have a photo if the resident wishes, but this is not shared through juki-net, and in fact the card itself is entirely voluntary. In addition, only in one city has take-up of the card exceeded more than 50% of the adult population (Lasdec has detailed information on take-up but only published a ‘league table’ without percentages). You also do not lose anything by chosing not to have or use the card.

The officials at Lasdec were, as with many technical and systems engineers in both public and private sectors whom I have interviewed, far more aware of privacy, data protection and surveillance issues than most politicians and mainstream (non-technical) government officials. They did not shy away from the terms kanshi (surveillance) or kanshi shakai (surveillance society) and indeed were as critical of the unregulated spread of things like CCTV in public space as many activists. They saw themselves in fact as controllers of information flow as much as facilitators. They were committed to the minimalist model of information-sharing set out by the law governing juki-net and wanted to find always the ways that information that was necessary to be shared could be shared without the creation of central databases or the exchange of additional unnecessary information. In addition, new laws came into force (in 2006), which make the residential information more private than it was before. In fact, such local registers used to be entirely public (anyone could access them), and now they are far more restricted – this only seems to have been noticed by direct marketing firms, who of course were not 100% happy with this change.

This puts me into a strange position. I have colleagues here who have been utterly opposed to juki-net, and I have always assumed that it was in some way similar or equivalent to the UK National Identity Register / ID card scheme. However in fact, it seems very similar to the ‘information clearing house’ idea which I and others have proposed for the UK, in opposition to the enormous NIR which would seem to suck in every kind of state-held information on the citizen! In addition juki-net does not require any more information from the Japanese citizen than is already held by the state, again unlike the NIR in the UK, for which multiple new forms of information are being requested by the state and indeed there are fines, and ultimately prison sentences, proposed by law for refusal to give up or update such information. In contrast, juki-net is more like the electoral register in the UK, to which hardly anyone objects.

This all makes me wonder exactly what it is that provoked such vociferous opposition to juki-net. If it is a actually or potentially repressive surveillance system, somewhat like Barthes’ famous description of Tokyo, it is one with an empty centre; there is no ‘Big Brother’ only a rather well-meaning set of bespectacled technicians who are just trying, as they see it, to make things work better so that people don’t have to keep proving who they are every time they move to a new area. Perhaps there are particular cultural and political factors (that is after all the working hypothesis of this entire project – and perhaps in making assumptions about both systems and oppositions across borders we obscure the specifics). Perhaps it is the association of the 11-digit number with previous proposed ID schemes. Perhaps, as in Germany, in new government information systems, there are resonances with older systems of identification and control that hark back to more repressive, fascist, times. Or perhaps there is a general cynicism of successive government ‘information society’ / ‘e-Japan’ / ‘i-Japan’ strategies and initiatives, each of which promise empowerment and in practice deliver more bureaucracy. These are some questions I need to explore further with other officials academics and activists.

EU Telecommunications Directive in effect

From today, private lives in the UK will be a little less private, as EU Directive 2006/24/EC becomes part of national law.

Traffic data on e-mail, website visits and Internet telephone calls now have to be recorded and retained by Internet Service Providers (ISPs). Specifically, the Directive mandates the retention of: the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of communication; the type and identity of the communication device; and the location of mobile communication equipment.

This is coming into force despite the fact that many countries and ISPs still object to the directive. It has to be said that many ISPs are objecting on grounds of cost rather than any ethical reason. German courts are yet to determine the constitutionality of the directive and Sweden is not going to implement it at all.

As with many of these kinds of laws, it was rushed through on a wave of emotion after a particular ‘trigger event’ – in this case, the 7/7 bombings in London in 2005. There was a whole lot of devious practice in the Council of Ministers to get it passed too – if the Directive had been considered as a policing and security matter, it would still have needed unanimity, which means that the objections of Germany and Sweden would have vetoed the Directive. Instead, it was reclassified as ‘commercial’ on the grounds that it was about the regulation of corporations, and commerical matters need only a majority vote. How convenient…

The Home Office in Britain says our rights are safe because of RIPA, which is hardly cause for rejoicing. My main concerns, apart from the fact that this is yet another moment in the gradual erosion of private life, are that:

1. police access will rapidly become routine rather than specific, and this could be extended to many other public authorities – the original drafts of the Communications Bill would have extended the right of access to such data to all RIPA-empowered organisations (which includes most public authorities);

2. the data will be used illicitly by ISP employees for criminal purposes (remember that most identity thefts are inside jobs) – the records will be a blackmailers delight;

3. there will more ‘losses’ of this data by ISPs and others who have access to it. Remember the accidental revelation of user data by AOL in the USA?

Incompetence and Surveillance

There is an opinion piece in The Daily Telegraph (UK) today by Alasdair Palmer, which argues that it is the incompetence and human fallibility of the UK government rather than any lack of desire which prevents an Orwellian surveillance state from emerging in the UK. It is hardly new but it’s an attractive argument, one which I have used before and which we used to a certain extent in our Report on the Surveillance Society, and one which draws on the deep well of cynicism about government which has long characterised British politics.

However there are a number of problems with the argument. The first is whether it is really true. A totalitarian society does not have to be competent in the sense of having correct information, in fact one of the central messages of Nineteen Eight-Four is that ‘truth’ is a product of state control in such societies. This was obvious in the case of Stalin’s purges. The accusations made against individuals did not rely on the accuracy of the accusation but on the very fact of accusation, something brought out very strongly in Orlando Figges’ recent book, The Whisperers. In the UK in recent years we have seen some elements of this. It doesn’t matter for example, whether someone really is a terrorist, the word ‘terrorist’ is just redefined in law and practice to encompass that person. New terms are invented to describe quasi-crimes (like anti-social behaviour) which come to have the force of ‘crime’ and become the focus of state surveillance activity. And I have shown how the recent arguments over photography in public places show a genuine totalitarianism in the attempt to define the limits of the collection and interpretation of visual images. It doesn’t matter how competent the state is at carrying out its desires here. The very fact that it defines what is acceptability in this way can create a new ‘normality’ and a ‘chilling effect’ on protest and resistance – which makes such activity even more essential.

The second problem is the idea that incompetence protects us. It didn’t in Soviet Russia and it doesn’t today. The government’s uselessness in handling data harms people. The loss and leakage of private personal information can lead to real effects on people’s lives: information theft, fraud and so on. The loss of trust in those who control information also has knock-on effects on those organisations that genuinely rely on personal information to provide essential services and care: education, health services, social work etc. A loss of trust caused by failed repression leads to a generalised loss of trust in government and in other people: it damages social trust. It is perhaps because British people have such a low level of social trust anyway that we expect things to fail.

The third problem relies on the first two and is the idea that state incompetence is enough to protect us. Of course it isn’t. Cynicism is no basis for thinking of, and creating, a better society. Do we want to live in a society where our only protection is the fact that state is structurally or contingently unable to create a totalitarian situation even though it continues to try? I certainly don’t. The emergence of surveillance societies, competent or otherwise, requires the imagination of alternatives – including greater democracy, accountability, transparency, and regulation and control of both state and corporate organisations in our favour – and political action to demand and create those alternatives.

A faith in failure is simply a form of nihilism.

The loneliness of personal data

Surveillance like this harms us all: it makes our lives banal and reveals only the sadness and the pain.

Still from I Love Alaska
Still from I Love Alaska

There is something at once banal and heartbreaking about what is revealed through the examination of personal data. The episodic film, I Love Alaska, captures this beautifully. The film by Lernert Engelberts and Sander Plug is based on AOL’s accidental exposure of the search data of hundreds of thousands of its users, and focuses on just one, 711391. The film consists of an actress reading out the (unusually discursive and plain language) search terms of User 711391 like an incantation, with background sound from Alaskan locations and static camera shots that serve to emphasize her boredom, isolation and loneliness.

I was watching episode 5 of the film when two stories popped into my inbox that just happened to be related. The first was from the New York Times business section and dealt with the other side of the recent US sporting scandal over revelations that baseball player Alex Rodriguez has taken steroids. Like User 711391, Rodriguez had given up his data (in this case, a sample) in the belief that the data would be anonymous and aggregated. But it wasn’t.

So, then we come to how the state deals with this. The Toronto Globe and Mail comments on the way the Canadian federal government is, like so many others, proposing to introduce new legislation to monitor and control Internet use. The comment argues that there is no general need to store personal Internet use data (or Canada will end up like the UK…), and that Internet surveillance should be governed by judicial oversight. Quite so. But, as the NYT article points out, it isn’t just the expanding appetite of the state for data (frequently coupled in the UK with incompetence in data handling) that we should fear but the growth in numbers of, and lack of any oversight or control over, private-sector dataveillance operations.

Some people will argue that any talk of privacy here is irrelevant: User 711391 was cheating on her husband; Rodrguez was taking steroids; there are paedophiles and terrorists conspiring on the Internet. With surveillance the guilty are revealed. Surely, as Damon Knight’s classic short story, ‘I See You’, claimed, with everything exposed we are truly free from ‘sin’? But no. In its revelations, surveillance like this harms us all: it makes our lives banal and reveals only the sadness and the pain. For User 711391, her access to the Internet served at different times as her main source of entertainment, desire, friendship, and even conscience. The AOL debacle revealed all of this and demeaned her and many others in the process. Most of us deserve the comfort of our very ordinary secrets and the ability for things to be forgotten. This is the true value of privacy.

(Thanks to Chiara Fonio for letting me know about I Love Alaska)