EFF has been monitoring governmental
proposals for national identification schemes, with an eye toward
evaluating the privacy implications of these new systems. In Japan,
where an existing program issues unique ID numbers to citizens at the
municipal level and shares information on a national network, a bill is
under consideration that would create a new ID framework. Submitted by
the Japanese Cabinet in February of 2012, the “My Number Bill” would
issue new unique ID numbers to participating citizens. The stated
purpose is to streamline information sharing between governmental bodies
administering tax, social security, and disaster mitigation programs.
If the law is enacted, the My Number system will begin operating in
2015.
So far, there are no signs that Japan's government will follow the increasingly common trend of requiring citizens to submit biometric data, such as fingerprint or iris scans, in order to enroll. Nevertheless, it’s clear that data submitted by participating citizens will be subject to greater information sharing than under the prior system. This planned expansion gives rise to serious questions about whether individuals’ personally identifiable information will be adequately protected. While the existing ID framework is highly controversial due to privacy concerns, this proposal will disseminate personal data farther and wider, making it even harder for individuals to exercise control their own information.
Japan’s current unique ID system
Under the mandatory Basic Resident Register program, every Japanese citizen must provide his or her name, birthdate, gender and physical address to municipal governments. With the implementation of the Resident Basic Register Network System in 2002, these four types of information began to be fed into a nationwide computer network, the Juki-net, set up to share data between government agencies. The new system combined the resident registration databases of 3,200 municipal governments, and assigned every Japanese citizen an ID number. [1] Under this framework, citizens may also opt to obtain ID cards, which contain integrated circuit chips.
When an individual moves to a new city, or changes his or her name following marriage or divorce, the informational updates are logged in the Juki-net. The practice of logging such updates afforded government for the first time the ability to instantly obtain information about personal histories and to track individuals' movements over the course of multiple years, according to the analysis of Midori Osagawara, a former journalist who reported on the Juki-net for national Japanese newspaper Asahi Shimbun. “In the past, [a government] official could barely track [an individuals’] data by looking at the paper-based Resident Basic Registry, because the registry was discretely stored in the municipal office,” Osagawara noted in her thesis on Japan ID systems. “By removing the constraint of a stored location, the government could transcend the constraint of time, too. Now, personal data on Juki-net are automatically updated with references to the past.”[2]
The Juki-net became a major source of controversy in Japan when it was launched. A newspaper opinion poll conducted just before implementation found that 86 percent of respondents were afraid of data leakage or improper use of information, while 76 percent thought implementation should be postponed. Several lawsuits challenged the new system, charging that it constituted a violation of the right to privacy guaranteed by Article 13 of the Japanese Constitution. Protests were mounted as well; 70 municipal assemblies and 29 mayors passed resolutions demanding the government postpone Juki-net’s implementation. In one city, whose mayor made it possible for citizens to opt out, 839,539 citizens went to city offices to register for non-participation.[3] Following a Supreme Court ruling that found Juki-net to be constitutional, the citizens who’d requested to opt out were enrolled anyway.
In 2008, the Juki-net withstood a legal challenge when Japan’s Supreme Court ruled that it was constitutional, reversing a lower court’s 2006 ruling that the system violated privacy rights guaranteed by Article 13 of the Japanese Constitution.
Plaintiffs had argued that Juki-net illegally subjected citizens to risks of personal information leakage, and that it infringed upon rights guaranteed under Article 13 of the Japanese Constitution, which states, “all of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.” Yet the court rejected these arguments when it found the Juki-net system did not violate Article 13.
The court determined that there was a low risk that information could be leaked due to the technical system design, and highlighted the absence of a centralized database that would enable consolidated control over personal information by any single governmental agency. It also found that the nature of the collected data was not highly confidential.
While Japan’s decision to prevent the creation a centralized database places it ahead of the curve on privacy when compared with many other countries that have implemented national ID systems, it’s important to remember that any digital collection of personal information opens the door to potential data breaches. Meanwhile, the court’s assertion that the data is not of a highly sensitive nature fails to take into consideration the fact that reliable inferences can be made about highly sensitive data by building upon multiple categories of non-sensitive data. For instance, Carnegie Mellon researchers Alessandro Acquisti and Ralph Gross published an article in 2009 demonstrating how social security numbers could be easily predicted by combining various kinds of widely available data, such as individuals’ birthdates and places of birth.
Expanded information sharing
The My Number Bill would essentially take the Juki-Net a step farther, by generating new unique ID numbers and allowing information sharing between the agencies that administer social security, tax, and disaster mitigation programs. The newly generated unique ID numbers would be used as a "key" to link records of individuals' income and payments, and benefits for pensions, health care and other services.
The My Number Bill also seems to be envisioned as a first step toward an increasingly networked system that would integrate highly sensitive information and could be opened up to private-sector use.
The bill was drafted based on a policy outline that won Cabinet approval in June of 2011. The policy outline hints at plans to formulate special statutes around highly confidential personal information, such as medical records. It also describes the possibility of linking unique ID numbers to medical data for research purposes, as long as patients’ anonymity is maintained. Yet this sets a dangerous precedent; researchers Arvind Naravayan and Vitaly Shmatikov, among others, have shown that attempts at “de-identification” are not always effective.
Under the bill, the lack of a centralized database is designed to prevent single governmental body from storing personal information, and an independent monitoring body will be created to ensure personal information is adequately protected. Nevertheless, these measures against data leakage can never be guaranteed to be 100 percent effective.
According to the policy framework paper, the program would be launched in January 2015 in the spheres of social security, tax, and disaster mitigation; by around 2018, the government will evaluate progress and consider expansion to other areas, such as the medical field. Taking into account political controversy currently surrounding Japan’s consumption tax increase, which is tangentially linked to the unique ID proposal since the program aims to streamline tax administration and processing, it’s still too early to say whether the My Number Bill will win approval.
Reactions from the Japanese public
The Japan Federation Bar Association has publicly opposed the My Number Bill, criticizing the program for failing to respect the right to control one’s own personal information.
A number of nongovernmental organizations, such as Japan’s Privacy Action and the Anti Ju-Ki Net Association, also came out against Japan’s proposed unique ID system in public comments submitted to the Cabinet Secretariat in July and August of 2011. They argued that the national ID isn’t really necessary to reform social security and tax programs, and that human rights and personal privacy will be jeopardized no matter what, since it’s impossible to guarantee 100 percent safety when it comes to technology and the potential for human error or active exploitation. Others argued that statutory protections of personal information are ineffective, and that not enough consideration has been given to the shortcomings of the Ju-ki Net. Some NGOs expressed doubts that the ID system would protect citizens’ rights, and called for a cost-benefit analysis prior to implementing the new program.
The Japan Medical Association has voiced concerns about the idea of linking unique ID numbers to medical records. At a press conference in March, the organization noted that highly sensitive patient information could be leaked.
Osagawara, the Japanese journalist and surveillance scholar, offered a sharp critique of the Juki-net, focusing on the expanding requirements for information sharing. “Even in a short-term observation, Juki-net’s development shows how a computer network inevitably expands for data sharing,” she wrote. “Once it is established, it increases the scope of data, engages in multiple tasks, and escapes from legal constraints and democratic transparency.”
We have concerns that the unique ID proposal seems to be moving Japan in a worrisome direction of expanded information sharing that is more sensitive in nature. As we have seen in places such as the UK, where leaks of everything from medical histories to criminal records were attributed to the very government agents entrusted with overseeing a database administered by the UK government’s Department for Work and Pensions, serious challenges arise when digital records of sensitive personal information are created and incorporated into a national network.
So far, there are no signs that Japan's government will follow the increasingly common trend of requiring citizens to submit biometric data, such as fingerprint or iris scans, in order to enroll. Nevertheless, it’s clear that data submitted by participating citizens will be subject to greater information sharing than under the prior system. This planned expansion gives rise to serious questions about whether individuals’ personally identifiable information will be adequately protected. While the existing ID framework is highly controversial due to privacy concerns, this proposal will disseminate personal data farther and wider, making it even harder for individuals to exercise control their own information.
Japan’s current unique ID system
Under the mandatory Basic Resident Register program, every Japanese citizen must provide his or her name, birthdate, gender and physical address to municipal governments. With the implementation of the Resident Basic Register Network System in 2002, these four types of information began to be fed into a nationwide computer network, the Juki-net, set up to share data between government agencies. The new system combined the resident registration databases of 3,200 municipal governments, and assigned every Japanese citizen an ID number. [1] Under this framework, citizens may also opt to obtain ID cards, which contain integrated circuit chips.
When an individual moves to a new city, or changes his or her name following marriage or divorce, the informational updates are logged in the Juki-net. The practice of logging such updates afforded government for the first time the ability to instantly obtain information about personal histories and to track individuals' movements over the course of multiple years, according to the analysis of Midori Osagawara, a former journalist who reported on the Juki-net for national Japanese newspaper Asahi Shimbun. “In the past, [a government] official could barely track [an individuals’] data by looking at the paper-based Resident Basic Registry, because the registry was discretely stored in the municipal office,” Osagawara noted in her thesis on Japan ID systems. “By removing the constraint of a stored location, the government could transcend the constraint of time, too. Now, personal data on Juki-net are automatically updated with references to the past.”[2]
The Juki-net became a major source of controversy in Japan when it was launched. A newspaper opinion poll conducted just before implementation found that 86 percent of respondents were afraid of data leakage or improper use of information, while 76 percent thought implementation should be postponed. Several lawsuits challenged the new system, charging that it constituted a violation of the right to privacy guaranteed by Article 13 of the Japanese Constitution. Protests were mounted as well; 70 municipal assemblies and 29 mayors passed resolutions demanding the government postpone Juki-net’s implementation. In one city, whose mayor made it possible for citizens to opt out, 839,539 citizens went to city offices to register for non-participation.[3] Following a Supreme Court ruling that found Juki-net to be constitutional, the citizens who’d requested to opt out were enrolled anyway.
In 2008, the Juki-net withstood a legal challenge when Japan’s Supreme Court ruled that it was constitutional, reversing a lower court’s 2006 ruling that the system violated privacy rights guaranteed by Article 13 of the Japanese Constitution.
Plaintiffs had argued that Juki-net illegally subjected citizens to risks of personal information leakage, and that it infringed upon rights guaranteed under Article 13 of the Japanese Constitution, which states, “all of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.” Yet the court rejected these arguments when it found the Juki-net system did not violate Article 13.
The court determined that there was a low risk that information could be leaked due to the technical system design, and highlighted the absence of a centralized database that would enable consolidated control over personal information by any single governmental agency. It also found that the nature of the collected data was not highly confidential.
While Japan’s decision to prevent the creation a centralized database places it ahead of the curve on privacy when compared with many other countries that have implemented national ID systems, it’s important to remember that any digital collection of personal information opens the door to potential data breaches. Meanwhile, the court’s assertion that the data is not of a highly sensitive nature fails to take into consideration the fact that reliable inferences can be made about highly sensitive data by building upon multiple categories of non-sensitive data. For instance, Carnegie Mellon researchers Alessandro Acquisti and Ralph Gross published an article in 2009 demonstrating how social security numbers could be easily predicted by combining various kinds of widely available data, such as individuals’ birthdates and places of birth.
Expanded information sharing
The My Number Bill would essentially take the Juki-Net a step farther, by generating new unique ID numbers and allowing information sharing between the agencies that administer social security, tax, and disaster mitigation programs. The newly generated unique ID numbers would be used as a "key" to link records of individuals' income and payments, and benefits for pensions, health care and other services.
The My Number Bill also seems to be envisioned as a first step toward an increasingly networked system that would integrate highly sensitive information and could be opened up to private-sector use.
The bill was drafted based on a policy outline that won Cabinet approval in June of 2011. The policy outline hints at plans to formulate special statutes around highly confidential personal information, such as medical records. It also describes the possibility of linking unique ID numbers to medical data for research purposes, as long as patients’ anonymity is maintained. Yet this sets a dangerous precedent; researchers Arvind Naravayan and Vitaly Shmatikov, among others, have shown that attempts at “de-identification” are not always effective.
Under the bill, the lack of a centralized database is designed to prevent single governmental body from storing personal information, and an independent monitoring body will be created to ensure personal information is adequately protected. Nevertheless, these measures against data leakage can never be guaranteed to be 100 percent effective.
According to the policy framework paper, the program would be launched in January 2015 in the spheres of social security, tax, and disaster mitigation; by around 2018, the government will evaluate progress and consider expansion to other areas, such as the medical field. Taking into account political controversy currently surrounding Japan’s consumption tax increase, which is tangentially linked to the unique ID proposal since the program aims to streamline tax administration and processing, it’s still too early to say whether the My Number Bill will win approval.
Reactions from the Japanese public
The Japan Federation Bar Association has publicly opposed the My Number Bill, criticizing the program for failing to respect the right to control one’s own personal information.
A number of nongovernmental organizations, such as Japan’s Privacy Action and the Anti Ju-Ki Net Association, also came out against Japan’s proposed unique ID system in public comments submitted to the Cabinet Secretariat in July and August of 2011. They argued that the national ID isn’t really necessary to reform social security and tax programs, and that human rights and personal privacy will be jeopardized no matter what, since it’s impossible to guarantee 100 percent safety when it comes to technology and the potential for human error or active exploitation. Others argued that statutory protections of personal information are ineffective, and that not enough consideration has been given to the shortcomings of the Ju-ki Net. Some NGOs expressed doubts that the ID system would protect citizens’ rights, and called for a cost-benefit analysis prior to implementing the new program.
The Japan Medical Association has voiced concerns about the idea of linking unique ID numbers to medical records. At a press conference in March, the organization noted that highly sensitive patient information could be leaked.
Osagawara, the Japanese journalist and surveillance scholar, offered a sharp critique of the Juki-net, focusing on the expanding requirements for information sharing. “Even in a short-term observation, Juki-net’s development shows how a computer network inevitably expands for data sharing,” she wrote. “Once it is established, it increases the scope of data, engages in multiple tasks, and escapes from legal constraints and democratic transparency.”
We have concerns that the unique ID proposal seems to be moving Japan in a worrisome direction of expanded information sharing that is more sensitive in nature. As we have seen in places such as the UK, where leaks of everything from medical histories to criminal records were attributed to the very government agents entrusted with overseeing a database administered by the UK government’s Department for Work and Pensions, serious challenges arise when digital records of sensitive personal information are created and incorporated into a national network.
[1] Graham Greenleaf, "Comparitive Study on Different
Approaches to New Privacy Challenges in Particular in the Light of
Technological Developments," Country Studies, B.5 - Japan,
Directorate-General Justice, Freedom and Security, European Commission
[online], available at http://ec.europa.eu/justice/policies/privacy/studies/index_en.htm
[2] Midori Ogasawara, "ID Troubles: The National
Identification Systems in Japan and the (mis) Construction of the
Subject" (Master’s Thesis, Queen’s University, 2008), 103 [online],
available at http://qspace.library.queensu.ca/handle/1974/1222
[3] Ibid.
