Joi Ito's conversation with the living web.

Recently in the Japanese National ID Category

National IDs and gravestones »

As I've blogged before, I spent years fighting the Japanese national ID system, pushing for a 3 year moratorium on the bill to allow privacy and security to be fully considered before rolling the system out. Even though our movement had majority support among politicians, the public and even the media, the system rolled out "because it would have caused too much confusion to stop it," according to one senior policy oriented politician. Afterwards, I had a choice of either continuing to protest a running system from the outside, or work on the inside trying to point out issues...

Yokohama Committee for the Protection of Identification Information »

Today was the City of Yokohama Committee for the Protection of Identification Information Committee meeting. I was appointed to this committee in 2003 in the wake of their decision to allow their citizens to opt out of the Japanese Basic Resident Code database. I was reappointed again today. I joined a number of these government committees to try to help protect rights, prevent stupid decisions and change bad laws, but I am increasingly frustrated by the Japanese bureaucracy and the ability to cause any change through these committees. (Although local government committees are clearly more sincere than central government committees.)...

Japanese government bans Ejovi's talk »

Ejovi was prevented from giving his talk by the Japanese Ministry of Internal Affairs and Communications. Ejovi did the security audit on the local government system connected to the Japanese National ID system (Jyukinet) for the prefecture of Nagano. I audited his audit and wrote an opinion for the Governor of Nagano last December. It does suck that they blocked his talk, which I think would have been fair and balanced as Ejovi says. However, I can easily imagine the government taking a hard stance on this considering all of the trouble they are having controlling the spin. Anyway, welcome to...

Feeling like a cog with a rubber stamp »

Two years ago I marched in protest against the Japan National ID. Last year, after we failed, a few cities and prefectures resisted. Yokohama took the position that the bill was illegal because it required privacy protection and the privacy bill had not passed. They allowed citizens to opt out and a whopping 24% of their citizens opted out. Now that the privacy bill of the central government is in place, Yokohama is being forced to "normalize" with the central government. Last year, I accepted an appointment to the Yokohama personal information protection committee which would oversee their integration of...

My letter to the governor of Nagano about his security audit »

The governor of Nagano ordered a security audit of their network with a focus on the Basic Residents Registry system of the central government. I was asked to take a look at the audit and provide a 3rd party opinion. Since I am on the central government panel working on the security of the Basic Residents Registry, my letter has become a bit controversial and apparently my phone is ringing off the hook right now in Tokyo. Lucky for me I'm in the US... I'm not looking forward to returning to Tokyo.

The central government denies security problems and I am going to have to deal with this when I return to Tokyo...

The audit is not yet completed and my audit of the audit is an opinion based on incomplete information. I will be meeting with both sides when I return to Tokyo and will probably be required to write another opinion after the final results of the audit have been submitted and I have heard the arguments from the central government.

Mainichi reports some of this in English

Here's the letter:

December 11, 2003

Governor Yasuo Tanaka

Dear Governor Tanaka:

I have reviewed in detail the security audit that your outside auditors conducted on three towns in Nagano. I reviewed their process, data and analysis. I also interviewed the key members of the team for several hours and discussed their methodology and conclusions.

Generally speaking, the security level at the sites was below average and a variety of personal information about your citizens is at risk of being stolen and modified.

The team conducted audits from the Internet and from inside the local government offices. The team was given very limited time to conduct their audits. The penetration test from the Internet was not successful. The tests from inside the government offices were quite successful. The audit was limited to computers inside the local government offices, so the Jyukinet was not attacked directly. However, the computer that connects directly to Jyukinet, the “CS server” and the “Reams server” which is inside the local government network both have databases of the Jyukinet data of the citizens living in the city. Both of these servers were vulnerable and the audit team was able to take control of them. This would theoretically allow them to edit, delete and create new citizen records. It was not tested, but it is likely that editing this database would cause these false records to be sent to the central Jyukinet system.

In addition, there were numerous files containing sensitive personal information unrelated to Jyukinet accessible on the local government network with no protection.

Although it was not possible to penetrate the local government network from the Internet, there were dialup accounts for remote offices that allowed users to connect to the local government’s network. It is possible that these dialup accounts could be exploited to allow someone to dial into the network. In addition, the library in one city was directly connected to the network. As anyone can use the library’s machines or connect their computer to the network, anyone can download the sensitive files being “shared” on the machines without any “hacker skills”.

Breaking into the CS Server and the Reams server, which contained Jyukinet data for the local citizens, was quite easy. They were running systems that had not been properly updated with security patches. The passwords were very obvious on the system as well as on the database and were quickly cracked. The software running on the server was written with “buffer overflow” vulnerabilities that show a lack of understanding of security by the developer of the code. I recommend a third party security audit of the software running on these systems. A computer engineer using freely available tools would be able to exploit any of these vulnerabilities to gain access to the Jyukinet data.

In summary, I believe that the security level of the networks was below average and any average computer network engineer could break into and steal or damage a variety of personal information including Jyukinet information. The people working in the office and in particular, the vendors providing the system security are not sensitive to security and privacy issues. The servers have not been maintained properly and the selection of passwords (many had default passwords or easily guessable passwords) was irresponsible and showed a complete lack of attention to security. I strongly urge that the priority on security for privacy purposes be increased significantly, both in local government offices and vendors providing solutions to these local governments. I believe that the citizens and the people responsible for protecting their information are significantly at risk.

Best regards,

Joichi Ito

Meeting with Yoshiko Sakurai and others about Japanese National ID - Jyukinet »

Had a meeting today with Yoshiko Sakurai and other members of the anti-Jyukinet (National ID) "movement" this morning. I have been working with Sakurai-san and this group since September 2001. A lot has happened since then. We first tried very hard to get a moratorium on the deployment before operation began. We got a great deal of support, but in the end operation began. Several local governments and prefectures resisted on the basis that there was a clause that privacy must be assured and the privacy bill had not been passed. A very watered down and poorly written privacy bill was passed and several anti-Jyukinet local governments led by Yokohama decided to participate in Jyukinet with an opt-out clause. There are still some local governments which are resisting, but such resistance is getting more and more difficult. Although we were able to raise privacy concerns when we were at the peak of our rallying efforts, people clearly do not feel too strongly about privacy issues generally.

Today we discussed a new angle that appears to be more convincing to many local governments. The cost of deploying the system is very high considering limited benefits. Although the central government says that they only spent $400M or so, it appears that it really cost more like $700M. In addition, there is a fairly substantial burden on the local governments. Although we would like people to think of things in terms of social cost and privacy risk, the more simple message is whether it is worth spending all of this money on a system which is supposed to be used only for receiving local government services. This message may be easier to spread.

I am in a somewhat awkward position right now. After the deployment began, I realized that it would be difficult to stop the system. While Sakurai-san continues to protest Jyukinet quite vocally and support the few local governments who are opposed to Jyukinet, I have started working within the system trying to educate the bureaucrats and trying to head off any new projects that might increase the risk. I am meeting regularly with "both sides" trying to figure out the most effective way to reduce risk. It is important that Sakurai-san continue to be vocal so that people continue to pay attention to the issues, but God is in the details. I am becoming immersed and inundated with the details. For example, early on in the process, I told the central government that they needed to educate the vendors and the local governments about privacy. I was soon presented with an "opportunity" to lecture local governments and vendors about privacy. Thanks... It's becoming physically and mentally quite difficult to continue this effort since it has very little to do with my "day job", but it's also very difficult to disengage since there are so few of "us".

Someone please help me... I wish we had EPIC in Japan. OK I'll stop whining...

Privacy speech to local government IT vendors »

Yesterday, I gave a talk to approximately 150 IT vendors who will be installing the national ID systems at the local government offices and will be the "privacy advisors" to the local governments.

Almost a year ago, I was handing out leaflets and protesting with a megaphone in Ginza to try to stop the national ID. Then the bill passed and I joined the oversight committee for the national ID to try to increase their awareness of security and privacy issues. Then I started working with the local governments who "opted out" of the national ID. Now that the system is in place full swing, I am working hard to increase the awareness of the people who will be installing and training the people who are in charge of one of the weakest links in the system, the point of entry into the database. At the same time, I am working on educating the ministry and the awareness in the public so that we can prevent "function drift", or the use of the national ID # beyond the scope of its original intent, which is to use it only for government services.

I am supportive of my colleagues who are still working on protesting the system and local governments resisting it, but I am focusing my attention on future systems that the government is planning to implement and to try to do what I can to improve the security and privacy of those systems that have already been deployed or will imminently be deployed.

Meeting with Mayor Nakada of Yokohama and first meeting of personal information protection committee »

Today was the first meeting with the Mayor of Yokohama and the committee for personal information protection. I wrote about it before here. I was happy to finally meet the 4 other committee members who turned out to be very smart and a good variety of backgrounds. One human rights expert, one lawyer, one law professor, one computer security professor and me.

Appointed committee member of the Committee for the Protection of Identification Information for the City of Yokohama »

I was just appointed committee member of the Committee for the Protection of Identification Information for the City of Yokohama.

Banks try to use national ID, Ministry stops them »

Recently banks began allowing people to use their basic resident ID code as a method of identification for opening bank accounts. This is exactly the "function creep" that I had been warning against and protesting in my activity against the basic resident ID code. I received a letter a few days ago from the director of local governments in charge of the basic resident ID code reporting that they have contacted the banking community and notified them that their activity was illegal and they should cease.

Protesting the National ID - an update »

So here's an update on my activity in protesting the National ID in Japan.

MS to give access to source code to Japanese government »

The Japan Times Online: "Microsoft to reveal source code to Japan, which has eyed Linux"

Microsoft Corp. will disclose the source code of the Windows operating system to the Japanese government in line with the government's e-Japan project, company officials said Wednesday.

I recently made a public comment on the record at the oversight committee for the National ID about Microsoft and trying to get them to open up the source code. I wonder if this had any effect. I guess we must all have had an effect. I assume many people have been saying this. It's a great...

Lessig/Yamagata/Ito discussion for Chuo Koron »

So yesterday's discussion with Hiroo Yamagata and Lawrence Lessig went well. It was a lot of fun and I think a constructive discussion. Hiroo was in good form. But he usually is... in person. ;-) He had written something negative about Mr. Ikeda in the afterword of the translation of "The Future of Ideas" and had gotten in a dispute with Mr. Ikeda. He had just finished the battle and I guess they have both gotten over it now. Maybe Hiroo was just tired from that. I do generally agree with Hiroo's position, although maybe not the way he said it....

Roger Clarke on ENUM »

Roger Clarke, one of my favorite privacy experts and the person from whom I learned the notion of separation of "entities" and "identities", has written a paper about the problems with ENUM. I wrote about ENUM when Australia announced their initiative. I am on a mission to make sure that Japan doesn't try to link ENUM with the national ID...

Roger Clarke

From: Roger Clarke
Subject: Glitterati: ENUM: Case Study in Social Irresponsibility

I've just finished a paper on a proposed Internet scheme that will have extremely serious implications if it's implemented:

ENUM - A Case Study in Social Irresponsibility
http://www.anu.edu.au/people/Roger.Clarke/DV/enumISOC02.html

As always, constructively...

National ID and privacy issues continue »

Facing off with the bureaucrats.. Sorry I didn't blog anything yesterday. I've been in overdrive this week with Jun (my chairman) in town and a continuous stream of extremely early morning meetings... Jun mentioned that I was spending too much time on this non-work-related stuff. He's right... Anyway... Yesterday, I started the day with a meeting of our anti-national ID group. I reported on my thoughts of how we should connect the privacy movement with the whistle blower protection law. Since I had the second National ID security oversight committee meeting later in the day, I wanted to...

Suddenly a co-author of a book on the Japanese National ID »

I had asked Gosuke to ghost write a short article for the Tokyo Shimbun (newspaper) based on a discussion with me. It was about the problems with the National ID. (I DID review it.) Then, I was asked to write a blurb in a book about the National ID so I asked Gosuke to add some more of my thoughts to the article and we gave it to the publisher. Before I knew it, with the mere contribution of a 2 page ghost-written article, I was the co-author of the book, my name on the front of the book...

Information Security Seminar »

Now I'm sitting on a panel sponsored by the government about security. The panel is focused on the security of government networks. I am sitting on the far left and the guy in favor of the national ID is sitting on the far left. I just talked about the importance of privacy and the fact that privacy is different from security. I talked about how privacy is not only a right of citizens, but a necessary element for democracy. I talked about how the OECD guidelines for privacy were written before the Internet and that we needed to look...

R&D Venture Project Team Committee Meeting »

So here I am sitting in the "Research and Development Venture Project Team" worrying about my Foma card interfering with the microphone again... They call it a team since it probably seems more "venture-like" than a "committee" but it is in fact a government committee. I THINK that this committee was mostly initiated through meetings that I had with the Minister of Education, Science and Technology Koji Omi after I gave a talk at the committee on business, academic and government cooperation. It was a very "high level" committee and I thought that it wasn't practical enough. Minister Omi...

Ministry's Efforts to Co-Opt Me? »

Japan has a process where they make boards and inquiry panels to discuss important issues with experts and the public. These inquiry panels are defined by law and are supposed to be an important part of the law making process, but in fact they are often used to diffuse public pressure and just act like they care. I am often asked to join such panels and I find I learn a lot about what is going on and can usually influence the direction ever so slightly. I usually feel this is better than not doing anything, but I am often...

MOF Accidentally Leaks Information on Web? »

I just got a call from a Kyodo News reporter asking for a comment about the Ministry of Finance (MOF) leaking (accidentally?) financial metrics on their web page before the official announcement date. They are apparently going to make some announcement about their mistake and he wanted a quote from me to run in the story. I can't seem to find anything on the web about this. Does anyone know anything? (I thought it was the FSA, but it was the MOF) Anyway, the comment I made was that comparing Nippon Ham vs. Worldcom the CFO of Worldcom is taken...

National ID Card Technology - Popular Science »

Found on Slashdot: an article in Popular Science about what a national ID would look like and contain. On the issue of social security numbers on ID card, they mention that even though social security numbers on ID cards have been rejected by the federal government, "it's a good guess the Department of Homeland Security would manage it". On smart card technology, they say:

For example, an ER doctor could view medical information and enter data about treatment (if the card's data storage device is read-write capable), but could not see security-related data (such as a traveler's flight history, or...

Just got my national ID # »

I got my national ID in the mail today. Setagaya-ku used an outside agency and we got ours later than other wards. Now I have to figure out what to do. I personally think that asking to change the number or sending it back sends a political message, and maybe I should do that, but for real change I have to push and lobby closer to where the decisions are being made. Maybe I'll try to meet with the mayor of our ward and explain to him why I am unhappy. I wonder how open people will be about...

Mysterious caller pretending to be government official tries to steal National ID's »

Meanwhile, the Kanagawa Prefectural Government warned Tuesday that people should be wary of a mysterious caller who tries to get private information by pretending to be an official in charge of the national resident registry network.

Mainichi Interactive - Top News

Thanks to gt for pointing this one out....

Lies and Secrets - by Gosuke Takama »

Lies and Secrets
Japan's national ID network has gone live already
by Gohsuke Takama
Tokyo, Jul 31, 2002

It's Up and Running Already

Rhetorics and politics are good friends. Almost everyone in Japan including politician has been believing that Japan's national ID network system, the Basic Residents Registers Network, would go live on Aug 5 of this year. Opponents of national ID have been thinking there is some chance to stop launching. But the truth is that it is already live since more than a week ago, technically. And it has gone without privacy protection laws which left behind in...