In January 2016, Japan will launch the “My Number” National ID system. My Number is Japan’s first national ID system and will be a step towards a “single card society” as declared by Prime Minister Shinzo Abe. As Japan hurries to introduce the system, it is important to look at existing implementations of national ID numbers elsewhere to keep in mind the risks such a system a nation’s economy.
In two years, Japanese citizens will receive a national ID number and identification card, replacing current forms of identification and records for national taxes, pension, local residence, medical history, employment, as well as marital status. In the “Fifth My Number Subcommittee” meeting, there was support for linking “My Number” cards to banking accounts, in order to replace credit, debit, and cash cards using embedded IC chips.
The system is not flawless.
In recent years there has been indications that Japan seemed to be falling behind in IT innovation and implementation, (see the Global Information Technology Report). Despite the implications, development and success of the “My Number” system will bring a significant change to the Internet ecosystem in Japan and will reinsert Japan into the conversation as a global IT leader.
Despite the need for proactive movement by Japan, it is worth looking at current implementations of national ID systems elsewhere such as the South Korean Resident Registration Number (RRN) system. The system is not flawless, prompting greater concern for Japan’s privacy framework. In fact, Korea is working to shift away from RRNs to a new system after unprecedented cyber attacks and misuse of the number.
South Korea began the Resident Registration Numbers system in an attempt to sniff out North Korean spies following an assassination attempt in 1968 on former President Chung-hee Park. RRNs are designed to identify citizens who enter government buildings, apply for financial transactions, and visit South Korean websites.
The significant amount of personal information that is linked to RRNs made the number a target. Between 2011-2012, cyber attacks saw the release of personal information for millions of South Koreans. Public websites such as http://kr.51240.com allow individuals to search names, ID numbers, sex, age, and birthdates for any person whose data had been exposed. As a result, in August 2012, Korea announced that the use of RRNs would be banned for identification purposes. By the end of 2014, Korea expects to scrap all online registrations using RRNs.
Reflecting on these incidents in Korea, Japan must keep in mind the damage that a national ID system may cause. Although the direction is necessary for change in the Japanese cyber landscape, further discussion regarding whether or not Japan is ready for such a system must be intensified.
The report issued by the “My Number Subcommittee”, identified a need for balancing whether successfully deploying national ID numbers must be prioritized over maintaining an environment of security and trust in the “My Number” system.
Although both are important, the Korean RRN case is difficult to ignore. Korean IT infrastructure is strong and highly promoted within its society—the result of the RRN leaks introduced weaknesses in Korea’s personal information policy, leading to the introduction of the Personal Information Protection Act (PIPA) in 2012 as well as the government’s efforts to shift from RRNs to iPIN numbers, a more regulated national ID system.
The success of “My Numbers” depends on the establishment of a central data protection authority with the power to oversee all acts regarding data protection while having the power met by the standards defined by the International Conference of Data Protection Commissioners.
My Number will bring a major change to Japanese society. Japan must take precautions during implementation in order to avoid creating false starts by learning from Korea’s experience and challenges.