Category: identity theft

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

Brazil: Surveillance Society or Security Society?

although there are many forms of surveillance in evidence, Brazil is not fundamentally a ´surveillance society´

What I am doing here is a broad survey of issues around surveillance. I am trying to get to grips with as wide a range of indicators as possible. One impression I have already – which as an impression may be partly or entirely wrong – is that although there are many forms of surveillance in evidence, Brazil is not fundamentally a ´surveillance society´ in the way that the UK is, or in the rather different way that Japan is: Brazil is much more a ´security society´. This is not to say, for example, that there are not many CCTV cameras in the country: Marta Kanashiro´s article in Surveillance & Society last year indicated that there are well over a million cameras (the total is hard to estimate because of the number of illegal installations).

However, surveillance here is very much tied into security. It´s not a ´security state´ – although it still retains reminders of its more authoritarian past – the concentration on security is largely private. Industry reports I have found, for example, this one from the Massachussets South America Office, indicate that the security industry is growing at rates of betwen 10 and 15% regardless of wider economic trends. Foreign companies are poised like vultures over the thousands of SME security companies that make up the huge private security sector, and positively salivate over the high crime figures.

If one talks in abstracts and absolutes, investment in security at a national level seems to make a difference to these figures. The Fórum Brasileiro de Segurança Pública (or Fórum Segurança, the Brazilian Forum on Public Safety), an independent network of local groups, experts and members of state and private secuirty organisations, has started to publish an annual report. The second report, available late last year, indicates a strong correlation between increased spending ($35 Billion US in 2007) and the decline in homicides. For example, in Rio there was an increase in spending of 4.4% and a decline in homicides of 4.7%. A summary in English is available here.

The big thing is not so much public space surveillance (although the industry report mentioned above estimates a $1Bn US market for electronic surveillance technology mainly for the private sector), but both fortification (especially the upsurge in the building of secure condominiums) and the increasing numbers of human security operatives. These may be private security, the new Municipal Guards – basically private security now employed by more than 750 local mayors – or even more worryingly, the urban militias, particularly in Rio. Despite the massive investment in public safety highlighted by Fórum Segurança, official police and other state agents of security and safety are still poorly paid, demotivated and not trusted. To remedy their perceived weakness, in particular in dealing with drug trafficking gangs, so-called Autodefesas Comunitárias (ADC, or Community Self-Defence) groups have emerged. These are paramilitaries made up of current and former police, soldiers, firemen and private security, who basically invade favelas to drive out traffickers in the name of safety, but which soon come to dominate the area and create a new kind of violent order. Now a report by the Parliamentary Hearing Commission into the Militias of Rio de Janeiro, has named names (including several local representatives), and various measures are promised.

The new Brazilian ID system

The new Brazilian ID-card
The new Brazilian ID-card (from Renato Siqueira's Conversa Digital)

There are more details of the new Brazilian ID card and system on Renato Siqueira’s Conversa Digital blog, including some informative images and photos. It seems that far from eliminating the various different numbers currently used, this new system will merely create a kind of overlay. And, not only that, but the CPF, RG and electoral number will be printed on the back. Unless every single transaction will actually require the taking of fingerprints or the verification of photos, this card will be even more of a convenient source of personal information to thieves and fraudsters than ever before. Plus the chip technology is the same standard format that has proved to easy to clone and access illicitly elsewhere…

Identity and Identification in Brazil

My host and colleague here at PUCPR, Rodrigo Firmino, and I are working on a small bit of research and a paper for The Second Multidisciplinary Workshop on Identity in the Information Society (IDIS 09), at the the London School of Economics, on June 9th this year.

Our paper is based around a case of identity theft, which is endemic in Brazil, which we use to open up the laws, practices and technologies of identification here. One thing that is already clear is that Brazil is a highly bureaucratic state – for example, the forms you need to fill in just to get a mobile phone are incredible in their detail – yet the forms of identification which one needs for every transaction with the state and many private organisations too, are highly insecure.

One example is that every personal cheque has printed on it not only the usual information (bank name and address, bank sort code, account holder name and account number), but also has the 11-digit Cadastro de Pessoas Fisicas (CPF) (a taxpayer’s card) number and the 9-digit Registro Geral (RG) (the national ID card) number. This must be a utter joy to fraudsters and identity thieves!

What’s more, all these are not just numbers in a database somewhere but physical documents in their own right, and on each there is a lot of this cross-identification: the CPF card also has the name and date of birth, the CPF number is ubiquitous, appearing also on the RG card and the driving licence. The latter has its own 11-digit registration number, but also has the RG number, name, and place and date of birth. What is even more interesting is that the RG card not only contains a photo and a thumbprint (the state database contains prints of all 10 fingers and thumbs), but also the names of both parents. This means it can be related more easily to the birth certificate. It reminds me a little of the Japanese system which still prioritises the family above the individual in some ways, but there is no actual equivalent of the koseki, the Japanese family register.

Now, in the name of security and “para integrar os bancos de dados de diversos órgãos dos sistemas de identificação do Brasil” (to inegrate the databases of the diverse organisations of identification systems in Brazil), the Ministry of Justice is proposing to merge some of these – the RG, CPF, Driving Licence and Electoria Regisirtation, into a new, smart, Registro de Identidade Civil (RIC) card based on a unique number. Whilst this will have many of the same problems as new smart ID systems everywhere else, at the very least it might stop Brazilian citizens carrying around multiple documents that list almost everything thieves and fraudsters need and can access without any sophisticated equipment. The process is due to start now, and run until 2017, so we will be taking a look at this as it proceeds.

I’ll put some pictures up with explanations later today…

Australian police data loss and corruption

Here´s a tangled web… at first glance the story being reported in Australian outlets of the state of Victoria´s secret police losing highly confidential data on criminal associates looks like another of those stories so familiar from the UK about an incompetant state unable to safeguard personal data.

But it turns out to be rather more complicated.

It seems that this data loss involves corrupt officers connected to a drugs-smuggling ring. Now, research on identity theft by Jennifer Whitson and Kevin Haggerty in Canada has shown that a high percentage of incidents of frauds are related to the selling or use of data by employees or other organisational insiders. In the UK, we assume incompetance by our state and its numerous private sector associates, but perhaps in this assumption we are too quick to dismiss the possibility of corruption, crime and conspriacies…