Japanese data losses expose surveillance of foreign residents

A scandal over leaked security documents has exposed the Japanese security service’s monitoring of foreigners, amongst other ‘anti-terrorist’ operations. The documents were posted on the web in November, and according to a report in the Yomiuri Shimbun last month, include “a list of foreigners being monitored by the division, and files related to secret police strategies – for example, guidelines for nurturing informants”.

Not only does this expose the concentration of the Japanese security services on foreigners, many of whom are included on the list simply by virtue of being ‘foreign’, rather than being any actually determined threat, but it is also a reminder that the Japanese laws on information sharing, leaking and so on, are archaic. As the newspaper says:

“At present, there is no law to punish those leaking confidential information. Even worse, stealing electronic data is not included in the list of offenses punishable under the Penal Code. In many cases, this makes it impossible for suspects to be held criminally responsible.”

I am not quite sure that the theft of electronic data is actually unpunishable, at least from conversations I have had with specialists in Japan; however, I should add that there is, I am told, no law against selling stolen electronic data, which means that even if the theft could be punished, it would not reduce the economic incentives to steal data (which I have mentioned before is not uncommon).

Then of course there is the wider issue of whether it serves a higher purpose that this information is released anyway. No doubt it does embarrass the government, but there is no reason to think that this actively compromises real security in Japan as the NPA are quoted as claiming. If anything this does us a favour in reminding us just how prejudiced much of the Japanese state’s relationship with its foreign residents, especially those who are non-white, is, and how much state surveillance is directed at them.

(thanks to Ikuko Inoue for sending me this story)

Private Sector Data Losses

People often concentrate rather too much on abuses by the state of personal data. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, but yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indecipherable text about what a company might do with your data. I hope that whatever firm this is, it gets hit where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

Private sector data loss in Japan

I’ve blogged a fair bit in the past about state and private data losses in the UK. In Japan too this has been a big problem, and is a reason given by central government for the need to centralise databases and by opponents talking about the risk of such centralisation.

The latest major data loss, just the other day, was by the giant banking combine, Mitsubishi UFJ Nicos, which accidentally ‘threw away’ personal data on almost 200,000 customers from 1993 to 2001. Of course MUFJ Nicos say there is no security or financial risk, but then organisations in these situations always say something like that…

Not all of these data losses are accidents however. Back in April, another part of the Mitsubishi keiretsu (a Japanese term for a loosely-connected ‘family’ of companies), Mitsubishi UFJ Securities, fired one of its managers, Hideaki Kubo, who is alleged to have stolen personal data on almost one and a half million customers, and had allegedly already sold data on 49,000 to data brokers for the rather unimpressive sum of just 320,000 Yen (around $3200 US). He is believed to have had considerable debts.

In short, it doesn’t matter how strong your firewalls are, or how good your computer security is, if there is an employee, or a government bureaucrat with access to sensitive data, who is in financial difficulty or who is simply aggrieved or greedy, then data will leak out. The risks are not small, in fact it seems almost inevitable, and I believe that the number and scale of such losses are probably significantly under-reported by both private firms and government. Of course, it is also significant just how many supposedly reputable companies are prepared to pay for stolen data. This trade is certainly not taken seriously enough by regulators in most countries…

Australian police data loss and corruption

Here's a tangled web… at first glance the story being reported in Australian outlets of the state of Victoria's secret police losing highly confidential data on criminal associates looks like another of those stories so familiar from the UK about an incompetent state unable to safeguard personal data.

But it turns out to be rather more complicated.

It seems that this data loss involves corrupt officers connected to a drugs-smuggling ring. Now, research on identity theft by Jennifer Whitson and Kevin Haggerty in Canada has shown that a high percentage of incidents of fraud are related to the selling or use of data by employees or other organisational insiders. In the UK, we assume incompetence by our state and its numerous private sector associates, but perhaps in this assumption we are too quick to dismiss the possibility of corruption, crime and conspiracies…