Category: data sharing

Varieties of anti-surveillance activism in Japan

Although some progressive activists would like it to be otherwise, anti-surveillance feeling is not confined to the left, indeed in many countries, like the USA, libertarian individualist right-wing anti-surveillance activism is perhaps more common. And it seems that such a position is not unusual in Japan either.

Having returned from a weekend of hot springs, fine sake-tasting and eating way too much, today we met with the Mayor of the Suginami ward of Tokyo, Hiroshi Yamada, a prominent figure in the anti-juki-net campaign, and a also one of the leaders of a group of right-wing figures trying to promote a new nationalist grouping at that end of the Japanese political spectrum. But this new right is not at all a simple matter of ‘back to the 1930s’ that some commentators would have you believe. Yes, this group – which also includes the Mayors of major cities including Yokohama and Nagoya as well as popular journalists like Yoshiko Sakurai – has very conservative, revisionist views, on Japanese history, but in many ways they have far more in common with the new US libertarian right in their rejection of large state and high taxes, and in other areas too, for example Sakurai has rather unscientific views on climate change!

Part of the this libertarian outlook is the rejection of state intrusion into the private lives of individuals. Mayor Yamada saw the juki-net system as part of unwelcome movement towards a more top-down society, concentrating power at the centre. He was very clear that the state’s ability to collect information on the individual should be based on what the individual wanted to give up, not on what the state thought it needed (this is very much the opposite of what the Prime Minister’s IT Strategic HQ said to us last week). He was also most concerned about the risks posed by large databases, both as an attractive target to external hackers and to corrupt use from inside operators. Yamada is not opposed to what he calls IT shakai (IT society), but the use of IT should be based on what is useful to individuals, and of course what is actually he needed, he argued, would often be less expensive than the massive computerisation schemes favoured by the current administration as part of their i-Japan strategy. In this sense, he said he would oppose any move to unnecessary centralised databases and certainly to any possible national ID register or card.

In most respects, what Mayor Yamada said could probably have been said by any left-wing civil liberties activist in the UK, or by conservative right opponents of intrusive state like Conservative ex-Shadow Cabinet Minister, David Davis. Perhaps many aspects of what is felt to be wrong with surveillance society do not correlate neatly with old left-right divisions. This view was shared by Toshimaru Ogura, a Toyama University professor and major figure in left-wing anti-surveillance activism whom we met with just afterwards, along with campaigning journalist, Midori Ogasawara again. Just as the Convention on Modern Liberty event earlier in the year showed for the UK, there are many different varieties of anti-surveillance feeling in Japan, and whilst opponents may disagree with each other, and may even find other aspects of the politics of their erstwhile collaborators utterly distasteful, they do collaborate, even if it is only for short periods.

Professor Ogura’s analysis, as that of Ogasawara and indeed of Kanshi-no! whom we met the other day, is much more focused on the way in which surveillance excludes and discriminates – against union members, activists, gaikokujin (foreigners) and so on – and also the ways in which it favours the interests not just of the state but capital. We’ll be talking to groups who deal with the concerns of these excluded people in the last week we are here. Privacy is important, but Ogura’s analysis is concerned with the disproportionate effects of surveillance. It is not just that privacy is affected but that particular groups’ and individuals’ rights are damaged more than others, and those people are not generally the ‘ordinary taxpayers’ to whom Yamada and the libertarian right are trying to appeal.

Like me, Professor Ogura is also particularly interested in the way in which particular corporations and business coalitions pushing technological ‘solutions’ to social and organisational problems can have a profound influence the way government makes decisions. Such coalitions would still be there however large government was, and in some ways, without a government large enough to stand up to the private sector, a different kind of more purely market-driven surveillance society would emerge. In that sense, it is what government does, and to whom it responds, that is more important that more arbitrary questions of ‘size’.

There’s a lot more to consider here too, in particular the extent to which any of the things we consider under the umbrella of ‘surveillance’ are actually and actively part of some coordinated state (or other) plan. I’m starting to develop a sense of this here, but I will leave those thoughts to another post.

(Thank-you to Mayor Hirioshi Yamada, Professor Ogura Toshimaru and again, to Midori Ogasawara for being so generous with their valuable time).

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

Why Japan is a surveillance society

We met yesterday with member of the Campaign Against Surveillance Society (AKA Kanshi-No!) a small but active organisation formed in in 2002 in response to the Japanese government’s jyuminkihondaichou network system (Residents’ Registry Network System, or juki-net). plans and the simultaneous introduction of police video surveillance cameras in Kabukicho in Tokyo. We had a long and detailed discussion which would be impossible to reproduce in full here, but I did get much more of a sense of what in particular is seen as objectionable about past and current Japanese government actions in this area.

The main thrust of the argument was to do with the top-down imposition of new forms of control on Japanese society. This they argued was the product of the longtime ruling Liberal Democratic Party’s neo-liberal turn and has thus been some time in the making. It is not a post-9/11 phenomenon, although they were also clear that the G-8 summit held in Hokkaido in 2008 used many of the same forms of ‘community action’ in the name of preventing terrorism as are used in the name of anzen anshin (safety) or bohan (security) from crime in Japanese cities everyday.

However, they argued that this might be a product of neo-liberalism, but the forms of community security were drawn from or influenced by a much older style of governance, that of the Edo-period mutual surveillance and control of the goningumi (five family groups). (this is actually remarkably similar to the argument that I, David Lyon and Kiyoshi Abe made in our paper in Urban Studies in 2007!). Thus the mini-patoka and wan-wan patrol initiatives in Arakawa-ku were seen as as much a part of an imposed state ordering process as the more obviously externally-derived CCTV-based form of urban governance going on in Shunjuku.

Underlying all this was the creation of an infrastructure for the surveillance society, juki-net. They were certainly aware of the way that juki-net had been limited from the original plans, and indeed they regarded these limits as being the major success of the popular campaign against the system, however they argued that the 11-digit unique number now assigned to every citizen was the most important element of the plans and this remained and could therefore serve as the foundation for future expansion and linking of government databases. They pointed to the way that the passport system had already been connected.

Kanshi-no! were also concerned, in this context, about the development of plans for experimental facial recognition systems to be used in Tokyo (at a location as yet unrevealed). This would imply the development of a national database of facial images, and a further extension of the personal information held by central government on individuals.

So was this all in the name of puraibashi (privacy) or some wider social concerns of something else? Certainly, privacy was mentioned, but not as much as one would expect in an interview with a British activist group on the same issues. I asked in particular about the decline of trust and community. The argument here was that community and any lingering sense of social trust had already been destroyed and that CCTV cameras and other surveillance measures were not responsible in themselves. However, from an outside perspective it does seem that there is more of a sense of social assurance and community, even in Tokyo than there is in the UK. I do wonder sometimes when people (from any country) refer back to some time when some idealised ‘trust’ or ‘community’ existed, when exactly it was! Rather than a  particular time, it seems to be a current that either asserts itself or is suppressed of co-opted into the aims of more powerful concerns in particular times and places.

I asked at one point what immediate change or new laws Kashi-no! would want, and the answer was quite simple: no new laws, just for the state to respect the constitution which they said already made both CCTV cameras and juki-net illegal (although of course the Supreme Court recently disagreed).

(Thank-you to the two members of Kanshi-no! for their time and patience with my questions)

Tokyo Brandscaping and the SuiPo system

Brandscaping is a term used in marketing to describe the metaphorical landscape of brands (either for a particular brand, company or sector), however it is also being used by some researchers, including me, to describe the way in which brands are being infiltrated into urban landscapes, with the ultimate aim of being ‘inhabitable’ perhaps even 24/7 (see for example Disney’s move into urban development with Celebration in Florida).

Contemporary brandscaping makes use of new ambient intelligence, pervasive or ubiquitous computing technologies (‘ubicomp’) and ubiquitous wireless communications to create a landscape in which the consumer is targeted with specific messages directing them to certain consumption patterns. Such communication cans of course be two-way and provide corporations with valuable and very personal data on consumption patterns. As I’ve argued in many presentations over the last few years, ubicomp is necessarily also ubiquitous surveillance (what I call ‘ubisurv’ – hence the name of this blog!) because to work it requires locatability and addressability. Japan, and Tokyo in particular, has been the site for a number of cutting edge experiments in this regard, including the ‘Tokyo Ubiquitous Technology Project’ which embedded 1000 RFID tags which can communicate with RFID-enabled keitai (mobile phones) in upscale Ginza as well as several other pilot schemes around Ueno Park and Shinjuku.

TUTP is not all about marketing surveillance however, part of the scheme has involved ‘Universal Design’ (UD) principles, with one experiment to embed chips in the yellow tactile tiles designed to help guide sight- and mobility-impaired people around the city so that useful access information could be passed through specially-enabled walking sticks. I’m very interested in such experiments as they indicate an alternative direction for ubicomp environments which are about genuinely enabling people who are currently disabled by social and architectural norms, and creating a richer sensory landscape. They show that both surveillance and ‘scary’ technology like RFID chips can be humanised.

Unfortunately in our consumer-capitalist world (and Tokyo is the exemplary city of hyper-consumption), marketing and building brandscapes tends to take priority over enabling the excluded and the disadvantaged. But there are different ways of doing this too, which can be more or less intrusive and consensual. The other day I was talking about the growth in functionality of the Suica smart travel card system. Suica-enabled keitai can now, be used buying all sorts of things and since 2006 there have been a growing number of ‘SuiPo’ (short for ‘Suica Poster’) sites, Suica-enabled advertising hoardings that will, on demand send information to your mobile e-mail address with on particular advertising in which you are interested if you pass your Suica card or phone over a scanner placed next to the poster (see photos below)

The difference between SuiPo and the Ginza RFID scheme however is that it with SuiPo is that it is the consumer who makes the choice whether to activate any particular poster’s additional information system. In this sense it is a development of the i-Mode system in which many keitai can read information from special barcodes embdedded in magazine advertisements. It doesn’t automatically call your phone every time you pass an enabled poster, once you have signed up. Not as high-tech but slightly more consensual. However this will, of course, lead to the accumulation of a lot of data on consumption interests. This potentially generates a massive consumer surveillance tool, because it can be linked up travel patterns (your registered Suica card sends information back on where you go – I was wrong about the absolute differences between London’s Oyster and Tokyo’s Suica systems the other day) and information about consumption.

So will this potential become reality? The page on privacy and data protection on the SuiPo website (as usual the link is hidden away at the bottom of the front page!), is pretty standard stuff except for the legitimate purposes for which the data can be used once you sign up. They are, for those who don’t read Japanese, for:

  1. Sending the specific requested information to you;
  2. Improving services;
  3. Data processing and analysis;
  4. JR East’s promotional marketing; and
  5. JR East customer questionnaires.

Purposes 2 and 3 pretty much allow JR to do anything it likes with the data once you have signed up, and there is no statement as to what can or cannot be done with data once it has been ‘mined’ – analysed and transformed into more useful to the company or other organisations (corporate or state) which might want to buy or access such knowledge. ‘Ubisurv’ indeed…

A juki-net footnote

I had a conversation yesterday (not a formal interview) with Midori Ogasawara, a freelance journalist and writer who used to report on privacy issues for the Asahi Shimbun newspaper. This was mainly to set up further interviews with those who are or were involved with campaigns on surveillance and privacy issues in Tokyo. However I also managed to clarify a few of my own questions about juki-net and the opposition which it attracted.

In short, there seem to have been several objections.

  1. First of all was the objection to the idea of a centralised database, which was able to link between other previously separate databases.
  2. Secondly, there was the fact that this was the national state asserting authority over both local government and citizens. Both Local Authorities and citizens groups had argued for ‘opt-in’ systems, whereby firstly, towns could adopt their own policies towards juki-net, and secondly and more fundamentally, individual citizens could decide whether they wanted their details to be shared.
  3. The third objection was to there being a register of addresses at all. Many people saw this simply as an unnecessary intrusion onto their private lives, and in any case, the administration of welfare, education and benefits worked perfectly well before this (from their point of view) so why was such a new uniform system introduced?
  4. Next there were objections based on what was being networked. The jyuminhyo (see my summary from the other day) is not actually a simple list of individuals and where they live, but is a household registry. It might not, like the koseki, place the individual in a family line, but is still a system based on patriarchal assumptions, with a designated ‘head’ of the household, and ‘dependents’ including wives and even adult children.
  5. Finally, there was the question of the construction of an identification infrastructure. Whether or not juki-net is considered as an identification system, and it does have a unique identifying number for each citizen, and has the potential to be built on to create exactly such a comprehensive system of national identification. Lasdec, who we talked to the other day, may not approve of this, or believe it will happen, but they are only technicians, they are not policymakers and don’t have the power or the access to know or decide such matters. And in the end, if they are required by law to run an ID system then they will have to run it.
  6. There were, as I already mentioned, objections to the potential loss or illicit sharing of personal information. I don’t think this is intrinsic to juki-net, or indeed to database systems, but of course both databases and networks make such things easier. People are also quite cynical about promises of secure systems. Lasdec may say that that juki-net is secure, but there have been enough incidences of government data leaks in the past for people not to accept such assertions.
  7. Finally, Juki-net connects to the border, passport and visa system. The reason that foreigners will finally be included on the jyuminhyo (and therefore juki-net) from 2012 is not therefore to respond to long-term foreign residents’ requests for equal treatment but in fact to make it even easier to sort out and find gaikokujin, check their status, and deal with unofficial and illegal migrants. Groups campaigning for the rights of foreign workers (mainly the exploited South-East Asian and Brazilian factory workers) have therefore been very much involved. Of course it also makes it possible to connect the overseas travel of Japanese people to a central address registry.

I’ll be meeting Midori again soon, I hope, along with other researchers and objectors. I am also still hoping to be able to talk to officials from the Homusho (Ministry of Justice) and the Somusho (Ministry of Public Management, Home Affairs, Posts & Telecommunications), but they are are currently passing around my request to different offices and generally delaying things in the best bureaucratic traditions!

Identification in Japan (Part 2): Juki-net

As I mentioned yesterday, one of the big developments in state information systems in Japan in recent years has been the development of the jyuminkihondaichou network system (Residents’ Registry Network System, or juki-net). Very basically juki-net is a way of connecting together the 1700 (recently restructured from 3300) local authorities’ residents’ registries (jyuminhyo). These are a record of who lives in the area and where, that are held on a multiplicity of different local computer (and even still, paper) databases. Japanese government services are always struggling to catch up with massive and swift social changes, particularly the increased mobility of people, that made first the Meiji-era koseki (family registers) and then the disconnected local jyuminhyo (which were both themselves introduced to deal with earlier waves of increased social and spatial mobility) inadequate.

Operational from 2002, juki-net is restricted by law to only transmitting four pieces of personal data (name, sex, date-of-birth and address), plus a randomly-generated 11-digit unique number. Nevertheless, the system was strongly opposed and has sparked multiple legal challenges from residents’ groups who did not want to be on the system at all, and who considered the risk of data leakage or privacy violation to be too great for the system to be lawful. These challenges were combined together into one class-action suit, which finally failed at the highest level, the Supreme Court, in March 2008. The court ruled that juki-net was constitutional and there was no serious security risk in the system itself but according to some analysts did not address the possibility of mistakes being made by operatives. But this would seem to me to be a problem of data protection in general in Japan, rather than an issues that is specific to juki-net. Like Brazil, but unlike Canada and the UK for example, Japan has no independent watchdog agency or commissioner for safeguarding privacy or kojin deta (personal data), and other than internal procedures, the courts are the citizen’s only recourse. In any case, as Britain’s comparatively frequent incidence of data loss by public authorities shows, even having such a system does not necessarily make for better practice. There is in Japan, as in Britain, training and advice in data protection provided by a specialist government information systems agency.

We interviewed officials at that government agency, Lasdec (the Local Authorities Systems Development Centre) today. Lasdec also developed and runs juki-net and is responsible for the new jyuminhyo / juki-net card that enables easy access to local (and some national) services via the web or ATM-like machines at local government offices. Unsurprisingly they were quite bemused by the opposition to juki-net, which they say was based on a lack of understanding amongst citizens about what it was, and a general fear of computers and databases. They argued that many people (including one or two local authorities) had the impression juki-net was, or was planned to be, an extensive database of all personal information held by different parts of the government, or even was the basis for a new system of national identification or indeed was a new system of national identification – indeed that was the impression one got from reading both Japanese and foreign civil and cyber-liberties groups’ reports in 2002/2003 with plenty of stories of the new Japanese ‘Big Brother’ system (see the archived collection here for example).

However Lasdec argued that both ideas were incorrect. The officials recognised both that the 11-digit unique number was adapted from a previous failed identification scheme, and that juki-net could in theory become the basis for any proposed future national ID scheme, but this was prevented by the enabling law. In any case juki-net was not even the best existing system on which to base an ID system: passport, driving licence and healthcare databases all had more information and certainly information with higher levels of personal identifiability – and no-one seems to be objecting the amount of information contained on the driving licence system, for example. Juki-net has no photos or other biometric data and no historical information. Likewise the residents’ card can have a photo if the resident wishes, but this is not shared through juki-net, and in fact the card itself is entirely voluntary. In addition, only in one city has take-up of the card exceeded more than 50% of the adult population (Lasdec has detailed information on take-up but only published a ‘league table’ without percentages). You also do not lose anything by chosing not to have or use the card.

The officials at Lasdec were, as with many technical and systems engineers in both public and private sectors whom I have interviewed, far more aware of privacy, data protection and surveillance issues than most politicians and mainstream (non-technical) government officials. They did not shy away from the terms kanshi (surveillance) or kanshi shakai (surveillance society) and indeed were as critical of the unregulated spread of things like CCTV in public space as many activists. They saw themselves in fact as controllers of information flow as much as facilitators. They were committed to the minimalist model of information-sharing set out by the law governing juki-net and wanted to find always the ways that information that was necessary to be shared could be shared without the creation of central databases or the exchange of additional unnecessary information. In addition, new laws came into force (in 2006), which make the residential information more private than it was before. In fact, such local registers used to be entirely public (anyone could access them), and now they are far more restricted – this only seems to have been noticed by direct marketing firms, who of course were not 100% happy with this change.

This puts me into a strange position. I have colleagues here who have been utterly opposed to juki-net, and I have always assumed that it was in some way similar or equivalent to the UK National Identity Register / ID card scheme. However in fact, it seems very similar to the ‘information clearing house’ idea which I and others have proposed for the UK, in opposition to the enormous NIR which would seem to suck in every kind of state-held information on the citizen! In addition juki-net does not require any more information from the Japanese citizen than is already held by the state, again unlike the NIR in the UK, for which multiple new forms of information are being requested by the state and indeed there are fines, and ultimately prison sentences, proposed by law for refusal to give up or update such information. In contrast, juki-net is more like the electoral register in the UK, to which hardly anyone objects.

This all makes me wonder exactly what it is that provoked such vociferous opposition to juki-net. If it is a actually or potentially repressive surveillance system, somewhat like Barthes’ famous description of Tokyo, it is one with an empty centre; there is no ‘Big Brother’ only a rather well-meaning set of bespectacled technicians who are just trying, as they see it, to make things work better so that people don’t have to keep proving who they are every time they move to a new area. Perhaps there are particular cultural and political factors (that is after all the working hypothesis of this entire project – and perhaps in making assumptions about both systems and oppositions across borders we obscure the specifics). Perhaps it is the association of the 11-digit number with previous proposed ID schemes. Perhaps, as in Germany, in new government information systems, there are resonances with older systems of identification and control that hark back to more repressive, fascist, times. Or perhaps there is a general cynicism of successive government ‘information society’ / ‘e-Japan’ / ‘i-Japan’ strategies and initiatives, each of which promise empowerment and in practice deliver more bureaucracy. These are some questions I need to explore further with other officials academics and activists.

India to issue biometric ID cards

According to The Times (and many other sources), this week, India is to create a central database, a unique identification number and biometric ID cards for all of its citizens. The scheme will be run by the newly-created Unique Identification Authority and cost an estimated £3 Billion (or around $5 Billion US).

As in Brazil, there is a felt need for such a system because of the proliferation of IDs and the dangers of anonymity and invisibility in a society where this can be a life or death issue. None of this, of course, means that the particular measures chosen will achieve their aims or will not create other problems. The Times with predictable journalistic cliche, calls this the largest Big Brother scheme in the world and the leader of the project is talking about a “ubiquitous online database” . However, it is rather difficult to see how it will be anything like that when most of India’s chaotic multi-level bureaucracy, especially at local level, still ‘works’ on the basis of paper-based filing systems.

There are suggestions too that this has purposes in crime-fighting and anti-terrorism, although the Indian government website on the scheme makes no such claims (which have in any case been discredited in the discussion about the proposed UK National Identity Register and ID card). It instead focuses on how ‘the Unique ID will be helpful in reducing identity related fraud and allow only targeted people to get the benefits from the government’ (MIT website).

Discussions on listservs has also served to question claims made in The Times article. The paper talks about ‘1.2 Billion’ people being enrolled, but in fact the scheme would only cover over-18s, which would be less than 2/3 of that number It also seems unclear exactly how the cards will be biometric. If it is just a photograph and fingerprint, this would be much the same as the Brazilian scheme. Of course the UK had more ambitious plans, but these were scrapped due to cost and reliability concerns.

Japan, where I am now, has instituted its own central database, and unique ID number, juki-net, and I will be talking to one of the people responsible for dealing with the technology that enables local governments to use the system this coming week…

(Thanks to John Bredehoft for pointing out the problem with the figures).

Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed under much two earlier ‘ information society initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited an applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set upby the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protections to be passed in that Diet session.The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example, Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

Goverment gives personal data to private companies

It has been revealed that the British government has been passing information gathered by the police on citizens to private companies. The Guardian todayshowed that data on climate change protestors found its way from the police to the ridiculously-renamed Department for Business, Enterprise and Regulatory Reform (BERR) to power company, E-ON.

Now, of course the government can argue that electricity supply is a matter of  ‘resilience’, ‘contingency planning’ and ‘national security’, but then how can they justify it being in private corporate hands in the first place? How exactly can companies whose primary aim is to provide ‘shareholder value’ at all costs, many of whom are transnationals that have no commitment to the UK, be treated as if they were state organisations, and be given data from state databases? The boundaries between public and private are being increasingly eroded, and once, again it is the relationship between citizen and state which suffers.

The government cannot just give data, especially data which was collected in very questionable ways for highly dubious reasons in the first place, to whoever it thinks might find it useful. This kind of action shows that the the state is now quite often simply the servant of private enterprise, and the police no better than an adjunct to private security. It makes a mockery of regulation of surveillance power and data protection, and does nothing for our already-weakened trust in the state’s ability to protect our rights or or information.

EU Telecommunications Directive in effect

From today, private lives in the UK will be a little less private, as EU Directive 2006/24/EC becomes part of national law.

Traffic data on e-mail, website visits and Internet telephone calls now have to be recorded and retained by Internet Service Providers (ISPs). Specifically, the Directive mandates the retention of: the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of communication; the type and identity of the communication device; and the location of mobile communication equipment.

This is coming into force despite the fact that many countries and ISPs still object to the directive. It has to be said that many ISPs are objecting on grounds of cost rather than any ethical reason. German courts are yet to determine the constitutionality of the directive and Sweden is not going to implement it at all.

As with many of these kinds of laws, it was rushed through on a wave of emotion after a particular ‘trigger event’ – in this case, the 7/7 bombings in London in 2005. There was a whole lot of devious practice in the Council of Ministers to get it passed too – if the Directive had been considered as a policing and security matter, it would still have needed unanimity, which means that the objections of Germany and Sweden would have vetoed the Directive. Instead, it was reclassified as ‘commercial’ on the grounds that it was about the regulation of corporations, and commerical matters need only a majority vote. How convenient…

The Home Office in Britain says our rights are safe because of RIPA, which is hardly cause for rejoicing. My main concerns, apart from the fact that this is yet another moment in the gradual erosion of private life, are that:

1. police access will rapidly become routine rather than specific, and this could be extended to many other public authorities – the original drafts of the Communications Bill would have extended the right of access to such data to all RIPA-empowered organisations (which includes most public authorities);

2. the data will be used illicitly by ISP employees for criminal purposes (remember that most identity thefts are inside jobs) – the records will be a blackmailers delight;

3. there will more ‘losses’ of this data by ISPs and others who have access to it. Remember the accidental revelation of user data by AOL in the USA?