So here's an update on my activity in protesting the National ID in Japan.
I've gotten A LOT of negative feedback (All of it indirect. It would be SO MUCH EASIER if they would just talk to me directly, rather than criticize me behind my back.) from the IT community, vendors, peers, professors, etc. about my position to support the anti-National ID campaign. However, the people at the Ministry of Public Management, Home Affairs, Posts and Telecom who are in charge of the National ID have actively solicited my involvement in trying to "fix" things. I think part of it is to try to use me as "cover". The Minister frequently refers to the fact that he has a "panel of experts" working on the security and privacy issues. At that level, I've been somewhat co-opted and am criticized by my peers. At the working level, I have spent hours with the bureaucrats convincing them of the importance of privacy and the thinking behind better architecture and software. We are now preparing one of the most extensive reports on privacy with the help of many of our friends in the US, Canada and Europe and will be translating all of the material into Japanese. This may be the first report of its kind in Japanese.
The National ID bill says that the National ID number cannot be used for anything other than the processing of local government paperwork. I asked on the record during the study group whether this number would be used as a taxpayer ID. They told me "no." The media, however, are reporting that banks are using the National ID as an identifier, that the police are thinking of using the National ID, they are thinking of using the National ID in passports and that they are considering using the National ID as a taxpayer ID as well. The Minister recently told the banks that they should stop using the National ID.
Yesterday, I had a very frank discussion with the bureaucrat who is in charge of the National ID. I told him that I had heard that "it's starting" and that everyone was starting to use the National ID for other things beyond the original intent of the bill. He told me that they were not going to budge from their position and that they would resist expanding the scope of the National ID. He said that they did not HAVE to create a bill for the National ID in order to build the network, but that they did so to try to make sure there was a public debate. I'm not sure if I buy this completely, but it sure did spark a debate. He said that because of the way the bill was written, anyone using the National ID would have to change or amend the bill and that they couldn't do it without permission, which he wasn't going to give. I told him that this would be a great opportunity for the Ministry to show its credibility by striking down the various proposals to use the National ID for other things if they were sincere. I agreed to try to let them convince me that they were sincere and that if I were convinced I would try to convince others.
After spending time with the folks from the Ministry of Public Management, Home Affairs, Posts and Telecom, I'm starting to get a sense that maybe they're not the "bad guys." They don't understand a lot about technology and are very focused on local government and supporting infrastructure. I think it's actually the Financial Services Agency, the Ministry of Economy, Trade and Industry and a variety of other Ministries who are pushing for expanding the scope of the National ID and that the Ministry of Public Management, Home Affairs and Telecom is sort of "in the dark" on a lot of this stuff. Focusing on them may be the wrong approach. Supporting them in holding true to their promise to limit the use and bashing all of the other people trying to piggyback on their ID system may be the more effective approach. I'm going to have to investigate this more.
One of the biggest problems with my position against the National ID is that it continues to grow and morph into things that have negative effects. My position is that a National ID without a method to limit the scope of its use, without a watchdog organization, without an ethical privacy framework including "privacy impact assessments" when building new stuff around it was irresponsible and increased risk. I am not so concerned about the security of the current ID system, which is quite limited in its scope, but rather, the data structures, architectures, and additional systems that might try to use this number scheme in the future.
I do not have a strong position on the current privacy bill as it relates to private enterprise and I don't think that the media's right to investigative journalism should be limited at this point. I am only concerned that the part of the privacy bill that outlines the use of personal information and databases by the government is very weak and without much substance.
My problem is that people seem to think I am against using IT in government, pushing for stronger government control of private enterprise, questioning the security of the National ID system and blowing the risks out of proportion, using ignorant politicians to put undue pressure on the bureaucrats, trying to make money by scaring the public and selling security solutions and generally being stupid and unfair...
So my current action items are:
Sit down with the non-techie activists and make sure that they are focused on the important issues and not on the emotional issues that are not relevant. ("Cows are 10 digit numbers, why are we 11 digit numbers!" or "I don't want to be a number!")
Talk to the vendors who are criticizing me and figure out whether they are confused about my position or whether they are trying to sell some weak system and fear a privacy impact assessment.
Talk the Ministry of Public Management, Home Affairs, Posts and Telecom into taking a strong stand on privacy issues and combating publicly and legally those who attempt to abuse their infrastructure.
Educate the public about privacy enhancing technology, educate MYSELF about privacy enhancing technology, and try to support its development and deployment.
Engage in a global debate about privacy issues in general and make sure Japan is in sync with the rest of the rational world. (If there is any left.)