Japan’s National ID System Poses Risks & Advantages

In January 2016, Japan will launch the “My Number” National ID system. My Number is Japan’s first national ID system and will be a step towards a “single card society” as declared by Prime Minister Shinzo Abe. As Japan hurries to introduce the system, it is important to look at existing implementations of national ID numbers elsewhere to keep in mind the risks such a system a nation’s economy.

In two years, Japanese citizens will receive a national ID number and identification card, replacing current forms of identification and records for national taxes, pension, local residence, medical history, employment, as well as marital status. In the “Fifth My Number Subcommittee” meeting, there was support for linking “My Number” cards to banking accounts, in order to replace credit, debit, and cash cards using embedded IC chips.

The system is not flawless.

In recent years there has been indications that Japan seemed to be falling behind in IT innovation and implementation, (see the Global Information Technology Report). Despite the implications, development and success of the “My Number” system will bring a significant change to the Internet ecosystem in Japan and will reinsert Japan into the conversation as a global IT leader.

Despite the need for proactive movement by Japan, it is worth looking at current implementations of national ID systems elsewhere such as the South Korean Resident Registration Number (RRN) system. The system is not flawless, prompting greater concern for Japan’s privacy framework. In fact, Korea is working to shift away from RRNs to a new system after unprecedented cyber attacks and misuse of the number.

South Korea began the Resident Registration Numbers system in an attempt to sniff out North Korean spies following an assassination attempt in 1968 on former President Chung-hee Park. RRNs are designed to identify citizens who enter government buildings, apply for financial transactions, and visit South Korean websites.

The significant amount of personal information that is linked to RRNs made the number a target. Between 2011-2012, cyber attacks saw the release of personal information for millions of South Koreans. Public websites such as http://kr.51240.com allow individuals to search names, ID numbers, sex, age, and birthdates for any person whose data had been exposed. As a result, in August 2012, Korea announced that the use of RRNs would be banned for identification purposes. By the end of 2014, Korea expects to scrap all online registrations using RRNs.

Reflecting on these incidents in Korea, Japan must keep in mind the damage that a national ID system may cause. Although the direction is necessary for change in the Japanese cyber landscape, further discussion regarding whether or not Japan is ready for such a system must be intensified.

The report issued by the “My Number Subcommittee”, identified a need for balancing whether successfully deploying national ID numbers must be prioritized over maintaining an environment of security and trust in the “My Number” system.
Although both are important, the Korean RRN case is difficult to ignore. Korean IT infrastructure is strong and highly promoted within its society—the result of the RRN leaks introduced weaknesses in Korea’s personal information policy, leading to the introduction of the Personal Information Protection Act (PIPA) in 2012 as well as the government’s efforts to shift from RRNs to iPIN numbers, a more regulated national ID system.

The “My Number Subcommittee” defined the ideal Internet ecosystem as one that allows seemless and safe access to the Internet for users from any location or device. In order for this environment to exist, learning from the examples set by the Korean RRN, the result of the cyber security strategy must also be examined and penalties for the invasion and leakage of personal information must also be defined through a concrete privacy policy.

Within the current Japanese privacy policy, there is no individual data protection authority overseeing all issues related to data protection in Japan. Following the passage of the ID Number Act in 2013, the Specific Personal Information Protection Commission (SPIPC) was also created. Yet, as with many other Japanese authorities, SPIPC has no power to supervise the broad scale of Japanese data protection needed across ministries and sectors.

The success of “My Numbers” depends on the establishment of a central data protection authority with the power to oversee all acts regarding data protection while having the power met by the standards defined by the International Conference of Data Protection Commissioners.

In the current Japanese data protection system, the lack of a central organization has lead to a lack of flexibility and adaptability in the privacy policy. As the national ID system plans on aggregating different forms of personal information, a central authority that has the ability to watch over all for of data, not just in relation to the “My Number” system, is required in order to respond to events such as those experienced in Korea.

Within current Japanese privacy policy, there is no individual data protection authority overseeing all issues related to data protection.

In the current Japanese data protection system, the lack of a central organization has lead to a lack of flexibility and adaptability in the privacy policy. As the national ID system plans on aggregating different forms of personal information, a central authority that has the ability to watch over all for of data, not just in relation to the “My Number” system, is required in order to respond to events such as those experienced in Korea.

My Number will bring a major change to Japanese society. Japan must take precautions during implementation in order to avoid creating false starts by learning from Korea’s experience and challenges.

Eiichiro Okuyama
Eiichiro Okuyama
Environment and Information Studies
Keio University
Eiichiro Okuyama is a member of the Faculty of Environment and Information Studies' Global Information and Communication Technology and Governance Academic Program (GIGA).

Read more