Japanese data losses expose surveillance of foreign residents

A scandal over leaked security documents has exposed the Japanese security service’s monitoring of foreigners, amongst other ‘anti-terrorist’ operations. The documents were posted on the web in November, and according to a report in the Yomiuri Shimbun last month, include “a list of foreigners being monitored by the division, and files related to secret police strategies – for example, guidelines for nurturing informants”.

Not only does this expose the concentration of the Japanese security services on foreigners, many of whom are included on the list simply by virtue of being ‘foreign’ rather than because of any actually determined threat, but it is also a reminder that the Japanese laws on information sharing, leaking and so on are archaic. As the newspaper says:

“At present, there is no law to punish those leaking confidential information. Even worse, stealing electronic data is not included in the list of offenses punishable under the Penal Code. In many cases, this makes it impossible for suspects to be held criminally responsible.”

I am not quite sure that the theft of electronic data is actually unpunishable, at least judging from conversations I have had with specialists in Japan; however, I should add that there is, I am told, no law against selling stolen electronic data, which means that even if the theft could be punished, it would not reduce the economic incentive to steal data (which, as I have mentioned before, is not uncommon).

Then of course there is the wider issue of whether it serves a higher purpose that this information is released anyway. No doubt it does embarrass the government, but there is no reason to think that it actively compromises real security in Japan, as the NPA are quoted as claiming. If anything it does us a favour in reminding us just how prejudiced much of the Japanese state’s relationship with its foreign residents, especially those who are non-white, is, and how much state surveillance is directed at them.

(thanks to Ikuko Inoue for sending me this story)

Latest round of Wikileaks shows nothing new, but changes everything

The ongoing Wikileaks revelations have been fascinating, but the latest round, the US diplomatic cables, is perhaps the least revealing thus far. Basically, there is a lot of the usual personal opinion and gossip that one would expect, and the unsurprising revelation that the US gathers information on its allies as well as its enemies. The only really challenging insight is that Saudi Arabia wants Iran dealt with far more urgently, it seems, than Israel. But then, even that is hardly unexpected given the religious and political gulf between those two states.

The more important thing for the longer term is the process going on here: the fact that nation-states, even powerful ones, no longer seem able to keep complete control over the information they generate. This is potentially not about international relations at all, or about any one particular nation-state, but a challenge to the asymmetrical relationship between all nation-states and their peoples. Of course, there are already right-wing US politicians scrambling to label Wikileaks a terrorist organisation, which just shows how corrupted the use of the idea of ‘terrorism’ has become, but beneath this it demonstrates the very real fear of losing control among the political elite. The problem is that, with the current wave of nationalism sweeping the USA, such desperate sentiments play well to the gallery…

Private Sector Data Losses

People often concentrate rather too much on abuses of personal data by the state. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indecipherable text about what a company might do with your data. I hope that whatever firm this is, it gets hit where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

Private sector data loss in Japan

I’ve blogged a fair bit in the past about state and private data losses in the UK. In Japan too this has been a big problem, and it is a reason given by central government for the need to centralise databases, and by opponents pointing to the risks of such centralisation.

The latest major data loss, just the other day, was by the giant banking combine Mitsubishi UFJ Nicos, which accidentally ‘threw away’ personal data on almost 200,000 customers, dating from 1993 to 2001. Of course MUFJ Nicos say there is no security or financial risk, but then organisations in this situation always say something like that…

Not all of these data losses are accidents, however. Back in April, another part of the Mitsubishi keiretsu (a Japanese term for a loosely-connected ‘family’ of companies), Mitsubishi UFJ Securities, fired one of its managers, Hideaki Kubo, who is alleged to have stolen personal data on almost one and a half million customers, and to have already sold data on 49,000 of them to data brokers for the rather unimpressive sum of just 320,000 yen (around $3,200 US). He is believed to have had considerable debts.

In short, it doesn’t matter how strong your firewalls are, or how good your computer security is: if there is an employee, or a government bureaucrat, with access to sensitive data who is in financial difficulty or who is simply aggrieved or greedy, then data will leak out. The risk is not small; in fact such leaks seem almost inevitable, and I believe that the number and scale of such losses are probably significantly under-reported by both private firms and government. Of course, it is also significant just how many supposedly reputable companies are prepared to pay for stolen data. This trade is certainly not taken seriously enough by regulators in most countries…
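Because the insider in the case above was reading records he was entitled to read, a firewall or access-control list has nothing to block; what gives him away is the volume. The following is an added example, not code from the original post or from any of the companies mentioned: a small detection pass over a constructed customer-record access log that flags a user-day whose count of distinct records is far above that user’s own baseline. The log format, user names, dates and thresholds are all assumptions for illustration.

```python
"""Added example (not from the original post): flag an authorised user who
bulk-reads customer records. Every access in the sample log is permitted by
policy, so only the per-user daily volume reveals the problem. The log format,
user names, dates and thresholds are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: "<ISO timestamp> <user> <action> <customer_id>".
# Both users are authorised for every record they touch.
SAMPLE_LOG = [
    "2009-04-01T09:02:11 alice view 100231",
    "2009-04-01T09:05:40 alice view 100877",
    "2009-04-01T09:06:02 alice update 100877",
    "2009-04-01T10:10:00 bob view 200001",
    "2009-04-01T10:11:00 bob view 200002",
    "2009-04-01T10:40:00 bob view 200003",
    "2009-04-02T09:00:00 alice view 100901",
    "2009-04-02T09:01:00 alice view 100902",
    "2009-04-02T09:30:00 bob view 200004",
    "2009-04-02T14:15:00 bob view 200005",
]
# Constructed burst: the same authorised user reads 500 distinct records in one
# evening, the access pattern behind a sale to a data broker.
SAMPLE_LOG += [
    f"2009-04-03T21:{i // 60:02d}:{i % 60:02d} bob view {300000 + i}"
    for i in range(500)
]


def parse_log(lines):
    """Parse log lines into dicts. Malformed lines are skipped rather than
    trusted, so a corrupted line cannot skew the counts."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, customer = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "user": user, "action": action,
                       "customer": customer})
    return events


def distinct_records_per_user_day(events):
    """Map (user, date) -> set of distinct customer ids touched that day.
    Distinct ids, not raw hits: re-reading one record is not exfiltration."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["when"].date())].add(e["customer"])
    return seen


def flag_bulk_access(events, ratio=10.0, min_records=50, business_hours=(8, 18)):
    """Return alerts for user-days whose distinct-record count is at least
    min_records and more than `ratio` times that user's median on other days.
    The min_records floor stops a user with a one-record baseline being
    flagged for reading ten. The share of the burst outside business_hours
    (open_hour, close_hour) is reported as context, not used as a trigger."""
    per_day = distinct_records_per_user_day(events)
    by_user = defaultdict(dict)
    for (user, day), records in per_day.items():
        by_user[user][day] = len(records)
    alerts = []
    for user, days in by_user.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count >= min_records and count > ratio * max(baseline, 1):
                hits = [e for e in events
                        if e["user"] == user and e["when"].date() == day]
                outside = sum(1 for e in hits
                              if not business_hours[0] <= e["when"].hour < business_hours[1])
                alerts.append({"user": user, "day": day.isoformat(),
                               "records": count, "baseline": baseline,
                               "after_hours_share": round(outside / len(hits), 2)})
    return sorted(alerts, key=lambda a: (a["user"], a["day"]))


if __name__ == "__main__":
    for alert in flag_bulk_access(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run stand-alone it reports one alert: bob on 2009-04-03, 500 records against a baseline of 2.5 with all of the reads after hours, while alice’s ordinary two-records-a-day pattern is never flagged. A per-user baseline is deliberate: a fixed global threshold would either drown out a small-team clerk or be set so high that a patient insider stays under it.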

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that it had nothing to do with privacy and so on; this betrays a level of ignorance about the effects of its own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else, but is nevertheless interesting!) The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the Supreme Court ruling that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, there will most likely eventually be a fully configured identification system (and card), and, rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However, the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency that runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable as the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also allow citizens to add (voluntarily, they say) information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft, from outside and, more importantly, from inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still: despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered potential users. It seems that although the IT Strategic HQ may have drafted Japan’s data protection law, they do not appear to understand its principles of necessity, proportionality and consent; indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted these central databases because the current fragmented system had led to poor security and data losses, and that in any case the ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan ‘ageing society’, like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures, including the provision of computers for schools and so on. However, my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens, or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto), which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).