Joi Ito's Web

Joi Ito's conversation with the living web.

Recently in the Japanese National ID Category

My grave
As I've blogged before, I spent years fighting the Japanese national ID system, pushing for a 3 year moratorium on the bill to allow privacy and security to be fully considered before rolling the system out. Even though our movement had majority support among politicians, the public and even the media, the system rolled out "because it would have caused too much confusion to stop it," according to one senior policy oriented politician. Afterwards, I had a choice of either continuing to protest a running system from the outside, or work on the inside trying to point out issues and watch over the deployment. I ended up on various government oversight committees where I have continued to point out issues and still argue that they should shut the current system down.

To my surprise, my hometown Mizusawa has the second highest proliferation of the national ID cards at 10% and hosted our Ministry of Internal Affairs and Communications study group today. As the local government officials discussed their system proudly, I felt some pain as I pointed out some of the risks. They knew that I was local so they asked my support for their initiative in that local family style... Scenes from The Godfather cross my mind. It reminded me a bit of the scene in Godfather II during Michael Corleone's trial where they bring the brother of key witness Pentangeli from Sicily to the hearing. All it takes is one look from the brother to change the Pentangeli's position. OK. It's wasn't that bad, but it reminds me of the same thing.

My family has been building and running schools in the town for the last three generations and we just rebuilt our nurse school, which at some point I will have to "run". Until recently, our family funded the schools, but now relies partially on government support. As with most semi-public endeavors in small towns, it requires "community support." Thus The Godfather reference above.

After the study group meeting at City Hall, I visited our family grave. I took a look at where my name will at some point be etched as the 19th family head of the Ito family. I took the opportunity to grill my uncle a bit more about the specifics of our history since I'll be the custodian of this information at some point. I also had him collect up various family history documents. It appears that the first Ito, moved into our current home about 400 years ago and was some kind of union of a 25th descendent of Emperor Kanmu, the 50th Emperor (we're on #125 now), and Kawatari Fujiwara. I can't understand the old-fashioned Japanese text to understand the details of the arrangement. I believe Kawatari Fujiwara was from the Fujiwara family that lived in our region until they were defeated around 400 years ago. The only thing left from this period of the Fujiwara estate/castle is a golden pagoda and mummies in Hiraizumi. Anyway, the story I heard from my mother was that after their defeat, the survivors fled and started their own families in the region, and took the character "Fuji" from "Fujiwara" and changed their names to "Saito", "Goto" and "Ito" which all use "Fuji" character for the "To" part of the names. Anyway, I'm not positive about the details so I better find out more before I have to take over the family and my children start asking me all kinds of questions.

As always, staring at the place on the gravestone where my name will be etched along with all of the previous family members makes me feel like a mere blip in history and is humbling and strange.

Today was the City of Yokohama Committee for the Protection of Identification Information Committee meeting. I was appointed to this committee in 2003 in the wake of their decision to allow their citizens to opt out of the Japanese Basic Resident Code database. I was reappointed again today. I joined a number of these government committees to try to help protect rights, prevent stupid decisions and change bad laws, but I am increasingly frustrated by the Japanese bureaucracy and the ability to cause any change through these committees. (Although local government committees are clearly more sincere than central government committees.) I think part of it is because I am spending more and more time outside of Japan where board positions or public debate appear to have more direct effect. Generally speaking, Japanese government committees allow you to say what you feel, but it is very unclear exactly what effect what you say has. (One exception was when I think I did permanent damage in a committee to the stupid idea of Japan trying to do a version of the Clipper chip when it was in vogue in the US.)

The meeting today was open to the public and there was one reporter and two citizen observers. The city officials reported on the status of the system. 836,654 or 23.78% of the people are opted out of the system and only 15,503 people have asked to be issued national ID cards. After the report, we were asked to discuss issues generally.

My opinion was that because of all of the commotion that we made around the security issues of the system, the security of the core system itself is fairly good, but the local government networks that it connects to are still a mess. Also, my main concern has always been the risk of the data being collected and abused OUTSIDE of the core network and these issues have not been addressed. There have been some fraudulent cards, but major crimes have not been committed. I warned that this is because barely anyone is using the network. If the government comes up with some useful application for the ID system, I'm sure fraud will increase. I also pointed out that at this level of usage, it can't be making any financial sense for the local governments who have installed and are running the system. Yokohama is one of the largest cities, but in small towns, there are still only dozens of users. I added rather bluntly that considering the cost and the potential risk because of the ill-conceived architecture, I still think they should shut the whole thing down and start from scratch building something useful using modern privacy technology to address specific needs rather than continue to use this expensive and pointless system. The system was basically a product of the e-Japan initiative to make Japan #1 in IT and fuel it with government spending. Of course building a national ID system would be a great way to spend a lot of money. Anyone who has run a business knows, that you shouldn't invest good money after bad. Just because it cost a lot to build doesn't mean we need to keep investing.

I doubt, of course, that my opinion will change anything, but at least it's on the public record.

Ejovi was prevented from giving his talk by the Japanese Ministry of Internal Affairs and Communications. Ejovi did the security audit on the local government system connected to the Japanese National ID system (Jyukinet) for the prefecture of Nagano. I audited his audit and wrote an opinion for Governor of Nagano last December. It does suck that they blocked is talk, which I think would have been fair and balanced as Ejovi says. However, I can easily imagine the government taking a hard stance on this considering all of the trouble they are having controlling the spin. Anyway, welcome to my world Ejovi. Ejovi, if you really want to give this talk, I think you need to do it with some political backup like Nagano or another local government.

Two years ago I marched in protest against the Japan National ID. Last year, after we failed, a few cities and prefectures resisted. Yokohama took the position that the bill was illegal because it required privacy protection and the privacy bill had not passed. They allowed citizens to opt out and an whopping 24% of their citizens opted out. Now that the privacy bill of the central government is in place, Yokohama is being forced to "normalize" with the central government. Last year, I accepted an appoint to the Yokoyama personal information protection committee which would oversee their integration of the national ID system with the hope that I could help them in their resistance. Today, almost a year after the first meeting, I spent the afternoon in what was basically a rubber stamp session. We voiced our opinions, but at this point there really wasn't much choice. These inquiry committee are constitutionally defined organs for people to interact with the law making process, but I felt more like a cog with a rubber stamp than a participant in a democracy.

The governor of Nagano ordered an security audit of their network with a focus on the Basic Residents Registry system of the central government. I was asked to take a look at the audit and provide a 3rd party opinion. Since I am on the central government panel working on the security of the Basic Residents Registry, my letter has become a bit controversial and apparently my phone is ringing off the hook right now in Tokyo. Lucky for me I'm in the US...

I'm not looking forward to returning to Tokyo.

The central government denies security problems and I am going to have to deal with this when I return to Tokyo...

The audit is not yet completed and my audit of the audit is an opinion based on incomplete information. I will be meeting with both sides when I return to Tokyo and will probably be required to write another opinion after the final results of the audit have been submitted and I have heard the arguments from the central government.

Mainichi reports some of this in English

Here's the letter.

December 11, 2003 Governor Yasuo Tanaka

Dear Governor Tanaka:

I have reviewed in detail the security audit that your outside auditors conducted on three towns in Nagano. I reviewed their process, data and analysis. I also interviewed the key members of the team for several hours and discussed their methodology and conclusions.

Generally speaking, the security level at the sites was below average and a variety of personal information about your citizens is at risk of being stolen and modified.

The team conducted audits from the Internet and from inside the local government offices. The team was given very limited time to conduct their audits. The penetration test from the Internet was not successful. The tests from inside the government offices were quite successful. The audit was limited to computers inside the local government offices, so the Jyukinet was not attacked directly. However, the computer that connects directly to Jyukinet, the “CS server” and the “Reams server” which is inside the local government network both have databases of the Jyukinet data of the citizens living in the city. Both of these servers were vulnerable and the audit team was able to take control of them. This would theoretically allow them to edit, delete and create new citizen records. It was not tested, but it is likely that editing this database would cause these false records to be sent to the central Jyukinet system.

In addition, there were numerous files containing sensitive personal information unrelated to Jyukinet accessible on the local government network with no protection.

Although it was not possible to penetrate the local government network from the Internet, there were dialup accounts for remote offices that allowed users to connect to the local government’s network. It is possible that these dialup accounts could be exploited to allow someone to dial into the network. In addition, the library in one city was directly connected to the network. As anyone can use the library’s machines or connect their computer to the network, anyone can download the sensitive files being “shared” on the machines without any “hacker skills”.

Breaking into the CS Server and the Reams server, which contained Jyukinet data for the local citizens, was quite easy. They were running systems that had not been properly updated with security patches. The passwords were very obvious on the system as well as on the database and were quickly cracked. The software running on the server was written with “buffer overflow” vulnerabilities that show a lack of understanding of security by the developer of the code. I recommend a third party security audit of the software running on these systems. A computer engineer using freely available tools would be able to exploit any of these vulnerabilities to gain access to the Jyukinet data.

In summary, I believe that the security level of the networks were below average and any average computer network engineer could break into and steal or damage a variety of personal information including Jyukinet information. The people working in the office and in particular, the vendors providing the system security are not sensitive to security and privacy issues. The servers have not been maintained properly and the selection of passwords (many had default passwords or easily guessable passwords) was irresponsible and showed a complete lack of attention to security. I strongly urge that the priority on security for privacy purposes be increased significantly, both in local government offices and vendors providing solutions to these local governments. I believe that the citizens and the people responsible for protecting their information are significantly at risk.

Best regards,
Joichi Ito

Had a meeting today with Yoshiko Sakurai and and other members of the anti-Jyukinet (National ID) "movement" this morning. I have been working with Sakurai-san and this group since September 2001. A lot has happened since then. We first tried very hard get a moratorium on the deployment before operation began. We got a great deal of support, but in the end operation began. Several local governments and prefectures resisted on the basis that there was a clause that privacy must be assured and the privacy bill had not been passed. A very watered down and poorly written privacy bill was passed and several anti-Jyukinet local governments lead by Yokoyama decided to participate in Jyukinet with a opt-out clause. There are still some local governments which are resisting, but such resistance is getting more and more difficult. Although we were able to raise privacy concerns when we were at the peak of our rallying efforts, people clearly do not feel too strongly about privacy issues generally.

Today we discussed a new angle that appears to be more convincing to many local governments. The cost of deploying the system is very high considering limited benefits. Although the central government says that they only spent $400M or so, it appears that it really cost more like $700M. In addition, there is a fairly substantial burden on the local governments. Although we would like people to think of things in terms of social cost and privacy risk, the more simple message is whether it is worth spending all of this money on a system which is supposed to be used only for receiving local government services. This message may be easier to spread.

I am in a somewhat awkward position right now. After the deployment began, I realized that it would be difficult to stop the system. While Sakurai-san continues to protest Jyukinet quite vocally and support the few local governments who are opposed to Jyukinet, I have started working within the system trying to educate the bureaucrats and trying to head of any new projects that might increase the risk. I am meeting regularly with "both sides" trying to figure out the most effective way to reduce risk. It is important that Sakurai-san continue to be vocal so that people continue to pay attention to the issues, but God is in the details. I am becoming immersed and inundated with the details. For example, early on in the process, I told the central government that they needed to educate the vendors and the local governments about privacy. I was soon presented with an "opportunity" to lecture local governments and vendors about privacy. Thanks... It's becoming physically and mentally quite difficult to continue this effort since it has very little to do with my "day job", but it's also very difficult to disengage since there are so few of "us".

Someone please help me... I wish we had EPIC in Japan. OK I'll stop wining...

Yesterday, I gave a talk to approximately 150 IT vendors who will be installing the national ID systems at the local government offices and will the the "privacy advisors" to the local governments.

Almost a year ago, I was handing out leaflets and protesting with a megaphone in Ginza to try to stop the national ID. Then the bill passed and I joined the oversight committee for the national ID to try to increase their awareness of security and privacy issues. Then I started working with the local governments who "opted out" of the national ID. Now that the system is in place full swing, I am working hard to increase the awareness of the people who will be installing and training the people who are in charge of one of the weakest links in the system, the point of entry into the database. At the same time, I am working on educating the ministry and the awareness in the public so that we can prevent "function drift", or the use of the national ID # beyond the scope of its original intent, which is to use it only for government services.

I am supportive of my colleagues who are still working on protesting the system and local governments resisting it, but I am focusing my attention on future systems that the government is planning to implement and to try to do what I can to improve the security and privacy of those systems that have already been deployed or will imminently be deployed.

Mayor Nakada officially appointing me to committee member. I was one of the people who recommended the Mayor to the WEF to be chosen as a GLT. He became a GLT this year. At 38, he is one of the youngest mayors in Japan.
Today was the first meeting with the Mayor of Yokohama and the committee for personal information protection. I wrote about it before here. I was happy to finally meet the 4 other committee members who turned out to be very smart and a good variety of backgrounds. One human rights expert, one lawyer, one law professor, one computer security professor and me.

Now that the privacy bill looks like it is going to pass, we deliberated about a variety of things, regarding what Yokohama should do after it passes. We also talked about what to do about the 845,000 people who opted out of the national ID. Currently they are going to send a type of deletion record to the central government, but I pointed out that this list is also information about the people who opted out and in fact is maybe even worse if you consider the fact that this list could be used to profile the people opting out. I suggested that we try to come up with some sort of technical option for the people who opted out of the national ID that would let them benefit from Internet enabled local government services without registering for the national ID.

The Yokohama City government also noted that data for the people who opted out was created during the trial and that in fact they all actually had national ID's even though the opted out. The local government has asked the prefectural government and the central government to delete these records, but they have not complied.

This committee will not have a regular meeting schedule or formal output style but will meet as needed on an ad hoc basis as issues arise to deliberate on.

I was just appointed committee member of the Committee for the Protection of Identification Information for the City of Yokohama. I was appointed by Hiroshi Nakada, the mayor of Yokohama. Yokohama is one of the most active opponents of the Japanese Basic Resident Code system and has made it optional for the residents of the City of Yokohama. Mayor Nakada argues (rightly) that the current Basic Resident Code law is illegal because there is not sufficient privacy protection as originally mandated in the law. This argument is quite valid until the privacy bill passes. The privacy bill is being deliberated in the Diet at this moment. I believe, and have said publicly, that this privacy bill currently being drafted is too strong on business and too lenient on bureaucrats and would not constitute strong privacy vis a vis the issue of National ID.

Currently of the 3,450,000 residents of Yokohama, 845,000 people have opted out of receiving national ID's. When the privacy bill passes, it is likely that Yokohama will have to hook its network up to the national network. Yokohama has passed a local bill and created this small committee of five people to advise the mayor who has made it clear in the bill that Yokohama would disconnect their local system from other prefectures and the national system in the event that there was evidence of privacy failures in the system. The bill states that the mayor will seek the advice of the committee to judge whether such privacy breaches have occurred and what they should do about it.

The press conference just ended so there is no press yet, but I will provide links if there is any press coverage.

Mayor Nakada is 38 year old, young for a Japanese mayor. He was selected as a Global Leader for Tomorrow by the World Economic Forum this year.

Recently banks began allowing people to use their basic resident ID code as a method of identification for opening bank accounts. This is exactly the "function creep" that I had been warning against and protesting in my activity against the basic resident ID code. I received a letter a few days ago from the director of local governments in charge of the basic resident ID code reporting that they have contacted the banking community and notified them that their activity was illegal and they should cease. (Sorry about the delay. I contacted him to make sure I could post a copy of the letter he sent me.) Yes! Nice job Inoue-san. If the Ministry of Public Management, Home Affairs, Posts and Telecom and continue to take a strong position to preventing the use of the national ID beyond the original scope and stick to the law that they drafted stating such, it would be a great thing that could let them turn all of the negative publicity of the national ID into positive publicity. I hope they stick to their guns and prevent other Ministries from using the basic resident code.

Many of my skeptical friends warn me to be wary, but I have to applaud positive acts for what they are. This was a great first step.

So here's an update on my activity in protesting the National ID in Japan.

I've gotten A LOT of negative feedback (All of it indirect. I would be SO MUCH EASIER if they would just talk to me directly, rather than critcize me behind my back.) from the IT community, vendors, peers, professors, etc. about my position to support the anti-National ID campaign. However, the people at the Ministry of Public Management, Home Affairs, Post and Telecom who are in charge of the National ID have actively solicited my involvement in trying to "fix" things. I think part of it is to try to use me as "cover". The Minister frequently refers to the fact that he has a "panel of experts" working on the security and privacy issues. At that level, I've been somewhat co-opted and am criticized by my peers. At the working level, I have spent hours with the bureaucrats convincing them of the importance of privacy and the thinking behind better architecture and software. We are now preparing one of the most extensive reports on privacy with the help of many of our friends in the US, Canada and Europe and will be translating all of the material into Japanese. This may be the first report of its kind in Japanese.

The National ID bill says that the National ID number cannot be used for anything other than the processing of local government paperwork. I asked on the record during the study group whether this number would be used as a taxpayer ID. They told me "no." The media, however, are reporting that banks are using the National ID as an identifier, that the police are thinking of using the National ID, they are thinking of using the National ID in passports and that they are considering using the National ID as a tax payer ID as well. The Minister recently told the banks that they should stop using the National ID.

Yesterday, I had a very frank discussion with the bureaucrat who is in charge of the National ID. I told him that I had heard that "it's starting" and that everyone was starting use the National ID for other things beyond the original intent of the bill. He told me that they were not going to budge from their position and that they would resist expanding the scope of the National ID. He said that they did not HAVE to create a bill for the National ID in order to build the network, but that they did so to try to make sure there was a public debate. I'm not sure if I buy this completely, but it sure did spark a debate. He said that because of the way the bill was written, anyone using the National ID would have to change or amend the bill and that they couldn't do it without permission, which he wasn't going to give. I told him that this would be a great opportunity for the Ministry to show it's credibility by striking down the various proposals to use the National ID for other things if they were sincere. I agreed to try to let them convince me that they were sincere and that if I were convinced I would try to convince others.

After spending time with the folks from the Ministry of Public Management, Home Affairs, Posts and Telecom, I'm starting to get a sense that maybe they're not the "bad guys." They don't understand a lot about technology and are very focused on local government and supporting infrastructure. I think it's actually the Financial Services Agency, the Ministry of Economy Trade and Industry and a variety of other Ministries who are pushing for expanding the scope of the National ID and that the Ministry of Public Management, Home Affairs and Telecom is sort of "in the dark" on a lot of this stuff. Focusing on them may be the wrong approach. Supporting them in holding true to their promise to limit the use and bashing all of the other people trying to piggy back on their ID system may be the more effective approach. I'm going to have to investigate this more.

One of the biggest problems with my position against the National ID is that it continues to grown and morph into things that have negative effects. My position is that a National ID without a method to limit the scope of its use, without a watchdog organization, without an ethical privacy framework including "privacy impact assessments" when building new stuff around it was irresponsible and increased risk. I am not so concerned about the security of the current ID system, which is quite limited in its scope, but rather, the data structures, architectures, and additional systems that might try to use this number scheme in the future.

I do not have a strong position on the current privacy bill as it relates to private enterprise and I don't think that the media's right to investigative journalism should be limited at this point. I am only concerned that the part of the privacy bill that outlines the use of personal information and databases by the government is very weak and without much substance.

My problem is that people seem to think I am against using IT in government, pushing for stronger government control of private enterprise, questioning the security of the National ID system and blowing the risks out of proportion, using ignorant politicians to put undue pressure on the bureaucrats, trying to make money by scaring the public and selling security solutions and generally being stupid and unfair...

So my current action items are:

Sit down with the non-techie activists and make sure that they are focused on the important issues and not on the emotional issues that are not relevant. ("Cows are 10 digit numbers, why are we 11 digit numbers!" or "I don't want to be a number!")

Talk to the vendors who are criticizing me and figure out whether they are confused about my position or whether they are trying to sell some weak system and fear a privacy impact assessment.

Talk the Ministry of Public Management, Home Affairs, Posts and Telecom into taking a strong stand on privacy issues and combating publicly and legally those who attempt to abuse their infrastructure.

Educate the public about privacy enhancing technology, educate MYSELF about privacy enhancing technology, and try to support its development and deployment.

Engage in a global debate about privacy issues in general and make sure Japan is in sych with the rest of the rational world. (If there is any left.)

Japan Times
The Japan Times Online Microsoft to reveal source code to Japan, which has eyed Linux

Microsoft Corp. will disclose the source code of the Windows operating system to the Japanese government in line with the government's e-Japan project, company officials said Wednesday.

I recently made a public comment on the record at the oversight committee for the National ID about Microsoft and trying to get them to open up the source code. I wonder if this had any effect. I guess we must all have had an effect. I assume many people have been saying this. It's a great step forward, even if it is just MS trying to keep Linux out.

P504iS01289.jpgSo yesterday's discussion with Hiroo Yamagata and Lawrence Lessig went well. It was a lot of fun and I think a constructive discussion. Hiroo was in good form. But he usually is... in person. ;-) He had written something negative about Mr. Ikeda in the afterward of translation of "The Future of Ideas" and had gotten in a dispute with Mr. Ikeda. He had just finished the battle and I guess they have both gotten over it now. Maybe Hiroo was just tired from that. I do generally agree with Hiroo's position, although maybe not the way he said it. I think Mr. Ikeda and others had inferred that Larry was against privacy policies. In a mailing list Mr. Ikeda had said that my efforts to stop the National ID were futile and that we didn't have any privacy anyway. The struggle for privacy is a struggle of data structures and can be achieved without destroying the end-to-end nature of the Net. It think it is simplistic to equate privacy with control of the Net. I just finished reading Hiroo's English translation of his afterward. It's quite good. He should post it on the Net.

Hiroo Yamagata
Freedom is supposed to be a good thing. People say Communism died and Freedom prospered, so freedom should be good. But when you ask these people to explain the actual benefits of freedom, hardly anyone can give you a meaningful answer. This isn't (necessarily) because they are stupid. It's because freedom itself doesn't do anything. Freedom is just an environment that allows you to do something.

We talked about the issues from the book and the Japan context. When is going to happen to physical layer, code layer and content layer in Japan?

Are the wires, the spectrum and fiber going to be opened up in Japan? It sure looks like we're headed that way. The government seems quite incapable of stopping the ADSL players from eating NTT's lunch and there is serious discussion of opening up the spectrum.

The code layer is a mess. I talked about the National ID and the fact that lack of understanding about the architecture of the Net is causing Japan to launch itself into a direction without much discussion about the policy of code. We talked about how many people talk about end-to-end, but don't really understand it's high level political ramifications. On the other hand, it's better to have people believing in it and writing code with that philosophy to fight off the circuit-heads who try to make the Network smart and make connections look like circuits. I think education and discussion about the political ramifications of architecture and code are essential, but having a lot of people educated with the right philosophy vis a vis network architecture, security, privacy, and free software (even if they don't understand all off the political issues) is better than nothing.

Content... We don't have MS or Hollywood and most patents and copyright extensions hurt Japan economically. It is very frustrating that Japan tries to "harmonize" with the US and doesn't realize that if they are going to give up something that is a net loss for Japan, they should negotiate for something in return. This is at the government level. At a more basic level, I think Japan should try to run an end-run around these guys with some new idea about how to deal with content. I guess the fact that Sony has a content business in the US and that big Japanese technology companies have "figured out" the patent thing puts these guys in a neutral to hostile position on this issue and doesn't help move this forward...

I gave a copy of Dogs and Demons to Hiroo who knows the construction industry well. It will be interesting to see what he thinks of it.

I think the Japanese are very non-active right now and has Hiroo points out in his afterward, Japan didn't have "the Framers" like Thomas Jefferson who "got it" to inspire the legal professionals to pound the table like Larry. I think it's going to take a lot of luck to get it right in Japan... but for better or for worse, the "other side" is not very smart either so we just MIGHT get lucky. Does this sound depressing?

Roger Clarke, one of my favorite privacy experts and the person I learned the notion of separation of "entities" and "identities" has written a paper about the problems with ENUM. I wrote about ENUM when Australia announced their initiative. I am on a mission to make sure that Japan doesn't try to link ENUM with the national ID...

Roger Clarke
From: Roger Clarke
Subject: Glitterati: ENUM: Case Study in Social Irresponsibility

I've just finished a paper on a proposed Internet scheme that will have extremely serious implications if it's implemented:

ENUM - A Case Study in Social Irresponsibility

As always, constructively negative feedback much appreciated.


ENUM is meant to provide a means of mapping from telephone numbers to IP-addresses: "today, many addresses; with ENUM, only one", as its proponents express it.

Any such capability would be extremely dangerous, providing governments, corporations, and even individuals, with the ability to locate and to track other people, both in network space, and in physical space. The beneficiaries would be the powerful who seek to manipulate the behaviour of others. It would do immense social, sociological and democratic harm.

The astounding thing is that the engineers responsible for it are still adopting the na・e position that its impact and implications are someone else's problem. With converged computing-and-communications technologies becoming ever more powerful and ever more pervasive, engineers have to be shaken out of their cosy cocoon, and forced to confront the implications, along with the technology and its applications.


Outline Description of ENUM
The Context
Implications of ENUM
Responses by the ENUM WG

Roger Clarke

Facing off with the bureaucrats..
Sorry I didn't blog anything yesterday. I've been in overdrive this week with Jun (my chairman) in town and a continuous stream of extremely early morning meetings... Jun was mentioned I that I was spending too much time on this non-work-related stuff. He's right... Anyway...

Yesterday, I started the day with a meeting of our anti-national ID group. I reported on my thoughts of how we should connect the privacy movement with the whistle blower protection law. Since I had the second National ID security oversight committee meeting later in the day, I wanted to get an update from everyone on where things were. One of the things that many of the local governments were asking for was the right to allow their citizens to choose whether they use the National ID system to receive local government services. The ministry had been telling them that that this was not possible. Also, there were some comments that the government was planning to use an extended National ID number as a tax tracking number, which currently is not allowed under the law.

Later in the day, I attended the committee meeting. I made several points. Since they are using Microsoft Windows out-of-the-box, I mentioned that the recent ruling by the DoJ against MS had a clause that made me worried that maybe the US government might include some malicious code in Windows. (There is a clause that says, "any API, interface or other information related to any Microsoft product if lawfully directed not to do so by a governmental agency of competent jurisdiction." Dan writes about it.) Even if they do not, I mentioned that Japan should make an effort to get MS allow us to do a security review of Windows and possibly swap some modules that we do not feel good about. I mentioned that China has successfully made demands on Microsoft and that China was working on desktop Linux for the government.

I told them that should not use the local government ID as the taxpayer ID and that it should be a separate, and hopefully a non-human-readable number.

I mentioned the whistleblower protection bill I was working on and that we should consider building in anonymity and pseudonymity into the law. I said that I thought people should be allowed to anonymously receive clarification on laws and procedure and that they should be allowed to pseudonymously receive guidance and counseling on issues before "going public" with their case, for instance.

Finally, I asked why numbers could not be "opt-in" for the local government ID. I did not receive a satisfactory answer and said that I would like them to explain this to me "off-line".

I had asked Gosuke to ghost write a short article for the Tokyo Shimbun (newspaper) based on a discussion with me. It was about the problems with the National ID. (I DID review it.) Then, I was asked to write an blurb in a book about the National ID so I asked Gosuke to add some more of my thoughts to the aritcle and we gave it to the publisher. Before I knew it, with the mere contribution of a 2 page ghost-written article, I was the co-author of the book, my name on the front of the book as if I had done something important. Luckily, the co-author is Yoshiko Sakurai who I respect deepy. All of the royalties go to the protest movement. So, I guess some people are trying to make sure I don't look too co-opted by the government. ;-)

Now I'm sitting on a panel sponsored by the government about security. The panel is focused on the security of government networks. I am sitting on the far left and the guy in favor of the national ID is sitting on the far left. I just talked about the importance of privacy and the fact that privacy is different from security. I talked about how privacy is not only a right of citizens, but a necessary element for demcracy. I talked about how the OECD guidelines for privacy were written before the Internet and that we needed to look at the future. I talked about Roger Clarke's distinction between entity and identity and the fact that Privacy Enhancing Technologies can make the same networks much more robust from a privacy perspective and that this was a different way of thinking about architecture than just security...

Chris Goggans (aka Erik Bloodaxe) spoke yesterday. I wish I could have heard him. I heard it was a good talk. He is the one that got me invited to this panel. Pretty funny. One of the most famous hackers from American invites me to a government sponsored panel in Japan...

The mic cables look shielded... I wonder if I can stay connected even when I talked on the mic...

achstudy_thumb.jpg omi_thumb.jpg
So here I am sitting in the "Research and Development Venture Project Team" worrying about my Foma card intefering with the microphone again... They call it a team since it probably seems more "venture-like" than a "committee" but it is in fact a government committee. I THINK that this committee was mostly initiated through meetings that I had with the Minister of Education, Science and Technology Koji Omi after I gave a talk at the committee on business, academic and government cooperation. It was a very "high level" committee and I thought that it wasn't practical enough. Minister Omi eventually dissolved the former committee and worked with us to set up a new one. This committee was set up to involve more people actually involved in trying to promote high tech ventures. Minister Omi is one of the smartest and most serious about learning of the senior politicians I know. He actually listens to people like me and acts on what he learns from such meetings. I was able to have some influence over the selection of the committee members and invited David Milstein of Fidelity Ventures and Date-san who is working on university incubation. I think we have a good group.

The committee is a 3rd tier committee which is above a "study group" but below an inquiry committee, so the output from this study group should have some teeth. (The consumer inquiry committee I am on is one tier above, but the police committee on malicious programs I am on is one tier below. This is the minimum level to get air conditioning in the government building. ;-p ) I think it was the most influential committee we could make and still include people like Date-san who are actually doing new stuff.

This is the first meeting of the overview committee of the National ID system. The press were ALL here and I got a lot of TV cameras in my face. I guess I'm going to end up on the evening news. I wonder what the comments will be.

Ishii Takemocho-sensei, a good friend and an very honest person was chosen as the chair. I'm going to go and see him soon. Kazuhisa Ogawa, the military analyst who I also respect highly for his outspoken and thoughtful style is also on the committee.

I pushed very hard to have this committee as open as possible and they agreed and announced that all of the minutes and the agendas will be posted on the web page and that they will have a press briefing after every meeting. I guess this is OK. Having the press actually in the meetings would be difficult to manage. Also, I got approval to blog freely. ;-) So here I am...

Japan has a process where they make boards and inquiry panels to discuss important issues with experts and the public. These inquiry panels are defined by law and are supposed to be an important part of the law making process, but in fact they are often used to diffuse public pressure and just act like they care. I am often asked to join such panels and I find I learn a lot about what is going on and can usually influence the direction ever so slightly. I usually feel this is better than not doing anything, but I am often citied as having been co-opted. In the past, the issues haven't been so important or public so it hasn't really mattered. This time it does.

A month or so ago, the Ministry of Public Management, Home Affairs, Posts and Telecommunications which is in charge of the National ID that I have been protesting approached me and asked me if I could organize a panel to review the privacy issues around the National ID. I consulted with our protest movement we decided that if the results were made public and we could fund some privacy research, this was probably a good thing. We are now in the process of organizing a global survey of privacy technology, privacy commissioners and other things that would be useful in considering how to set up the Japanese government privacy policy. We hope to create a recommendation about what Japan should do in creating new system as well as what we can do to minimize privacy invasiveness in the current system. So far so good.

Now I have been contacted again, but this time the request is to be on the board of the National ID committee and be in charge of privacy! Apparently this is a request from the minister. (Very interesting since I practically called him a liar on a live national news program where we debated against each other and I think he called me something that sounded a lot like "stupid." Anyway...) It is probably a move to try to co-opt me. I replied saying that I have no intention of stopping my anti-National ID activity or becoming "quiet." I said I would consider taking the post if I was allowed to be completely open and public about what we discussed in the meetings and if I were allowed to continue to protest the National ID. I think that if I were to take such a post, it would negatively impact the movement. Having said that, as we all know from Karl Auerbach's ability to really be a pain in the ass to ICANN as a board member, I think co-opting doesn't work when one is able to be public with one's comments. So I'm thinking about this. If they come back and tell me that I have to stop protesting or I have to keep the meeting discussions confidential, I will obviously say, "No." On the other hand, if I am able to blog everything that is going on inside, I wonder if they will be able to co-opt me. Anyway, this may end up being quite an interesting test for this medium and my blog...

On the other hand, (since I know my investors, board members and employees are now reading my blog...) I probably don't have to time to do the job properly considering the fact that I have a REAL JOB and this whole thing was supposed to be just a hobby... hmm.... And if I focus my REAL JOB too much on my hobby, it compromises my independence... hmm... All this is SO difficult.

I just got a call from a Kyodo News reporter asking for a comment about the Ministry of Finance (MOF) leaking (accidentally?) financial metrics on their web page before the official annoucement date. They are apparently going to make some announcement about their mistake and he wanted a quote from me to run in the story. I can't seem to find anything on the web about this. Does anyone know anything? (I thought it was the FSA, but it was the MOF)

Anyway, the comment I made was that comparing Nippon Ham vs. Worldcom the CFO of Worldcom is taken away in handcuffs and in Japan apologies and some shifting around (although I would agree Worldcom is probably worse than Nippon Ham.) is all that happens at Nippon Ham. When US agencies leak information risking national security, it is treason. In Japan, it is just a breach of a confidentiality agreement and the guy might lose his job. When Yamaichi went bust, the CEO cried and the Ministry of Finance which really guided Yamaichi down their path to death, shook their finger at them instead of taking responsibility. My feeling is that accountability in Japan is weak and that the government's use of IT just increases the damage they can cause. Although The Ministry of Public Management, Home Affairs, Posts and Telecommunications is creating the National ID, the risk is to be taken at the local government level. I will be interested to see who takes the blame for this FSA botch up. It probably won't have a huge impact on the economy, but releasing numbers before the official announcement date could impact the market.

Since I've started bashing the National ID publicly, every time there is a government screwup in IT, the reporters call me for comments. That's how I find out about the incidents early. Now that I have a blog, I can scoop them. ;-)

found on Slashdot
An article in Popular Science about what a national ID would look like and contain. On the issue of social security numbers on ID card, they mention that even though social security numbers on ID cards have been rejected by the federal government, "it's a good guess the Department of Homeland Security would manage it".

On smart card technology, they say:

For example, an ER doctor could view medical information and enter data about treatment (if the card's data storage device is read-write capable), but could not see security-related data (such as a traveler's flight history, or a non-citizen's visa status) that an airport or INS official might require. But how secure are smart cards? Detailed instructional hacking sites can be found on the Web, many focusing on European cards. And the more data on a card, the more valuable the card becomes to an identity thief.
Yup. This is definitely a risk. I wonder how many terrorists would actually use un-forged ID cards when traveling?
Popular Science | Your ID Please, Citizen


I got my national ID in the mail today. Setagaya-ku used an outside agency and we got ours later than other wards. Now I have to figure out what to do. I personally think that asking to change the number or sending it back sends a political message, and maybe I should do that, but for real change I have to push and lobby closer to where the decision are being made. Maybe I'll try to meet with the mayor of our ward and explain to him why I am unhappy.

I wonder how open people will be about telling people their ID #'s. Unlike social security numbers in the US, the national ID hasn't proliferated widely so people are still feeling pretty secretive about their numbers. I think that suddenly receiving it in the mail has been a shock for many people as well. I wonder if it would be cool to start calling people by their ID #'s. Proably not. I wonder if that's illegal...

Meanwhile, the Kanagawa Prefectural Government warned Tuesday that people should be wary of a mysterious caller who tries to get private information by pretending to be an official in charge the national resident registry network.
Mainichi Interactive - Top News Thanks to gt for pointing this one out.

Lies and Secrets

Japan's national ID network has gone live already

by Gohsuke Takama
Tokyo, Jul 31, 2002

It's Up and Running Already

Rhetorics and politics are good friends. Almost everyone in Japan including politician has been believing that Japan's national ID network system, the Basic Residents Registers Network, would go live on Aug 5 of this year. Opponents of national ID have been thinking there is some chance to stop launching. But the truth is that it is already live since more than a week ago, technically. And it has gone without privacy protection laws which left behind in Japan's diet for more discussions after summer.

A news appeared on Jul 19 said that the Ministry of Public Management, Home Affairs, Posts and Telecommunications would start testing of the network from Jul 22, using actual Basic Resident Registry's record update data including newly issued Resident Number. It also noted that transfer of the Resident Registry data from local government owned computers to the National server and the Prefectural servers would be completed by Jul 20.

This clearly means that all the residents in Japan already numbered and huge databases that holding whole Japan's 125 million residents' data are already up and running. If so, what the difference between before and after Aug 5? A: Deleting the data of moving out people from the record. That's all. And that sounds more likely just a little change in Local Government staff's operation procedure at the request counter than launch of nation wide computer networks.

Now this is the beginning of activation for Japan's national ID systems that apply for Japanese and naturalized foreigners: 11 digit number national ID, networked resident record system based on the ID numbers, and national ID card that based on contactless radio transaction smartcard, with 32 bit CPU and co-processor supposed to handle crypto and digital signature, which will be issued from 2003.

This status makes computer security specialists worried. If organized crimes or foreign spy agents get access to one of these, that could be a disaster. Clear and present danger is here now. World class crackers might be difficult to ignore temptations to try their penetration skills on this network because it is built on Windows NT/2000 servers and possibly MS SQL too. You got the idea?

Databases and National ID Networks

Japan has nearly 3300 local governments, i.e. cities, towns and villages. Until a few month ago their residents' records were all separated. But now the Basic Residents Registers Network connected them all.

But this network has strange design structure. Data of residents' records at cities, towns and villages in a prefecture are copied to the Prefectural server. Then data of whole Japan's 125 million residents' records are copied to the National server. So the records of Japan's every resident - name, birth date, address, gender and ID number - are sitting in these servers.

Also there is another strange structure. the National server which is locating at Local Authorities Systems DEvelop Center, LASDEC for short, has an additional offers residents' data for the administrative bodies of central government. A funny thing is that the data once transferred to administrative bodies would not be covered by Basic Residents Registry Law which regulates the residents registry.

Japan's Privacy Bills

Japan would be having two privacy laws, the Personal Data Protection Law and the Law Concerning Access to Information Held by Administrative Organs. However, both are still in discussions and far from passing the diet, because the diet ended on Jul 31, even with 40 days extension to normal schedule.

Many pointed out both bills have problems. For the Personal Data Protection bill, which originally designed as EU/OECD style protection of personal information bill, but it had too many modifications. And all the news media are now opposing to this bill especially on strong consent requirement with data subjects and punitive provisions. If a news media discovers some wrong doing in a big corp boss, how could they get consent with him?

More problematic is another. The bill for Law Concerning Access to Information Held by Administrative Organs. This bill is supposed to be for protection of personal information collected and held by government administrative organs. However, many words set in the bill already crippling the law itself. The bill does not have clear set of rules on "collection limitation" of personal information. It also permits the government to use anyone's personal information if needed and "Change of Use Purpose" without notifying to data subject person. Plus, no penalty for government stuff upon duty violations. If this bill was passed, the government can use anyone's personal information for almost in any way, any purpose, legally.

Missing Information and Secrecy Lovers

What do Japanese people have in mind about this national ID network? That is another side of the problems. A poll done by Kyodo Communications on June 30 brought up that 83.2% of Japanese did not know about this Basic Residents Registers Network and they would be given numbers. Is this a result of secrecy or just a lack of PR?

Since that time, news media started having more reporting. On Jul 22, Asahi Newspaper did another poll and the result was drastically different. 59% answered they heard the name of Basic Residents Registers Network, 86% showed concern on privacy information leaks, and 76% answered that they prefer to postpone the launch of the network.

Opposition started from local government side too. 7000 population rural town Yamatsuri-cho disconnected to the network on the day of testing started. There are more than 60 cities and towns, including 3 million population Yokohama-city, manifesting or concerning disconnecting until privacy laws set.

The allies of four minority parties brought a bill to the diet that repeal the Basic Residents Registers Network. (Japan has seven political parties.) But it dead in a water without even a discussion. A group of politicians in leading conservative majority the Liberal Democratic Party tried to make up another bill that postpone the launch. But it also dead even before proposed on the last day of the diet by time constraint and their slow action. And on Jul 31, the Prime Minister Junichiro Koizumi is still saying the launch date is Aug 5 and go ahead.

Ministry of Public Management, Home Affairs, Posts and Telecommunications

Prime Minister's office


joipamph.jpg speak.jpg gaitomedia.jpg

Today I will be on the news at 5:30pm on TBS and 10:30pm (thanks Sakiyama-san) on Fuji TV protesting the National ID. From 1pm to 3pm today, Yoshiko Sakurai, her team and I held a rally passing out pamphlets and giving speeches in the middle of the busy shopping district of Ginza. The media was around in force today, but it is really too little too late. We've been doing this since September of last year and the day before it goes live, the media is finally focused. We will continue our struggle, but it will be harder now that the law is officially running. At least now almost everyone I meet says that they have been protesting this all along instead of threatening me that I will lose everything if I continue...

I have been interviewed several times by TV. It seems that the media is focused very much on the security of Jyukinet. I believe, that although this is very important, the bigger risk is the use of the 11 digit number in databases in the bureaucracy and the effect that this will have on the ease in which lists can be created, cross references and leaked.

The media is also discussing quite a bit, the storage on the IC card. This is practically irrelevant. What is relevant is the IC card being using to link real world transactions to databases.

The other big risk is that 11 digit number can be written down, read and distributed easily. Why didn't they use digital signatures or some sort of hash function that is not human readable?

Everyone wants me to talk about the security of the Jyukinet, and the cut the sections where I talk about the nature of identity and the concept of privacy underpinning democracy. Oh well.

With respect to the security of the network, it is important to note that the Somusho is saying that it is safe because they have firewalls and leased lines, but anyone who knows anything about computer networks know that this is not true. No network is safe. Having said that, I think it is important to focus, not on the technical issues such as firewall security, but on the fact that the safest network is a small network with the least number of users and terminals.

I was was scheduled to participate on the last panel discussion at a e-government conference held by the Nikkei today. I was supposed to go straight from the airport after returning from Aspen. There were terrible thunderstorms in Tokyo and the traffic was terrible. It was obvious I would not make it in time. Luckily Ushii was on the scene and the moderator, Sekigushi-san had a computer connected to the Internet on stage. I was able to email them my comments which they put up on the big projector. As usual, I was protesting the national ID and preaching privacy.

Anyway, sorry Sekiguchi-san for not making it! Ushii sent me to photo to the right from his computer on the scene. I felt like I was "virtually" there. Thanks to my Crusoe empowered Sony Vaio and my NTT Docomo Foma 64k card, I was able to keep in touch with the moderator, Sekiguchi-san and Ushii through the session...

Lights, Camera....

...and there was no action.

As we approach the August 5 start date for the national ID, Yoshiko Sakura, Ben Shimizu and I (with a lot of help from Gosuke Takama) are leading a drive to sign up as many politicans as possible to pass a bill freezing the start of the national ID program for 3 years until we can have sufficient public debate and technical planning. The architecture is bad, the security sucks, there aren't sufficient guidelines on what the government can use the information for and there is no watchdog organization or even a privacy commissioner. Having said that, even if the security was better and there were a privacy commissioner, I still would be against the national ID. The architecture is wrong and the basic approach to information about people is wrong. There are much better ways to do the same thing without using a single IC card and a single human readable 11 digit number. 83% of Japanese interviewed in a recent survey don't even know that the national ID program exists!

Last week, Yoshiko Sakurai with her amazing pursuasiveness signed up many of the leading LDP politicans including Kamei, Hirasawa and Shiozaki as well as members of all of the major opposition parties. Yesterday was a press conference to announce that we had signed up enough diet members to stop the August 5 launch... not. Over the last few days very strong invisible forces moved to try to squash our movement by putting pressure on the politicans supporting our movement. Koizumi-san, who I strongly support, made a stupid comment yesterday saying that he was for the National ID. (Never attribute to malice, that which can be sufficiently explained by stupidity. I guess in this case, ignorance.) The mayor of Yokoyama, the young Nakata apparently rushed to see Koizumi-san and explain that he should not support the National ID. The dark forces were very quick to label our movement as anti-Koizumi. Sakurai-san is trying to get us a meeting with Koizumi-san to explain the situtation to him and get him to understand. The press conference ended up being us, a bunch of press and the few bold politicians willing to publicly show their support to our movement. (The photo is a picture of the Network TV cameras from my seat. The empty area in the middle was where we were going to seat the politicians. The room is a room in the diet offices building.)

So, we're not back to the drawing board, but have been pushed back once again. With the US pushing for a privacy czar and concerns being raised in the global debate, I'm hoping that the global environment might help... but this may be wishful thinking.

Anyway, if you don't hear from me for awhile, call the Amnesty International and tell that I was last seen protesting the Japanese National ID.


We had another meeting to plan our strategy to stop the implementation of the Japanese national ID program. This program, which as already passed as law will assign 11 digit numbers to everyone and will cause to be distributed by the local governments, IC cards that will become ID cards including the national ID. The network architecture is a mess, the security is weak, there is very little in place limiting the use of the collected information, there is no privacy watchdog organization and the privacy bill that is trying to be passed right now actually deliberately allows for the government to use collected information quite freely.

Originally, the privacy bill was supposed to be in place before the national ID could be implemented, but somehow the the bureaucrats have convinced themselves that they could move forward with the national ID without the privacy bill. The privacy bill is very poorly written anyway and doesn't protect us from abuse by the government and is overly restrictive for business.

I have been involved in trying to stop this bill since November last year, but since the law had already been passed (I didn't even know about it!) it's been quite an uphill battle. We are getting close though. There are very few politicians who feel strongly about it so I think we might be able to convince enough politicians to put the program on hold until we can discuss the risks more.

This process has really shown me how broken the law making system is in Japan. Almost everyone we talk to is now against it, but we still can't stop it. It is like a tanker with no one on board.

There is a Japanese web page describing our efforts.