Today, EFF launched a new campaign against software patents (https://defendinnovation.org). In this campaign, we outline seven proposals that we think will address some of the greatest abuses of the current software patent system, including making sure that folks who independently arrived at an invention can’t be held liable for infringing on a software patent. But our campaign isn't just about our proposals — we also want to hear, and amplify, the views of the technical community. Many engineers, researchers, and entrepreneurs have suggested that reform is not enough and that software should not be patentable, period. We want to record these views, which is why our Defend Innovation campaign is designed to solicit comments from all of the stakeholders. We'll incorporate what we learn into a formal publication that we can take to Congress that reflects the views of innovators, academics, lawyers, CEOs, VCs, and everyone else who is concerned about the software patent system.
People who have been following the software patent space know just how flawed the current system is and how, instead of promoting new inventions, software patents are being turned against everyday inventors. It’s got creators up in arms (and rightly so) and we’ve been working for years to bring attention to this growing crisis. A lot of people want to abolish software patents altogether, while others hold out hope that reforms can help address the situation. Well, here’s the truth of it: neither reforms nor abolition of software patents will be possible unless software patents are treated differently under the law than other types of patents.
In 2008, we fought hard to get the courts to appreciate the difference between physical inventions and software inventions, submitting an amicus brief in the famous Bilski case. Unfortunately, we lost that battle – the Supreme Court wasn’t ready to get rid of software patents altogether (recently, however, the Supreme Court has signaled that it may be uncomfortable with particularly egregious software patents). Congress, too, has failed to really help. Part of the problem is that certain entrenched interests and lobbyists — particularly in pharmaceuticals and biotech, for example — have made fundamental change to the patent system nearly impossible. So it’s time to treat software differently, get those parties out of the equation, and fix the law to reflect the realities of technology and the tech community.
Regardless of whether you think software patents should be abolished altogether or just reformed, the first step is recognizing that a one-size-fits-all patent system doesn’t make sense and that we need to treat software patents differently from other types of patents. Without that, no effort – whether reform or abolition – can be successful.
This is the basis of our Defend Innovation campaign – some proposals to help address the most egregious abuses of the software patent system and a fact-finding mission to hear from concerned individuals about whether or not the system is working at all. Of course, there are many views about the best way to fix the software patent mess. We want to hear those opinions, even (especially) if they are that software patents simply don’t make sense at all. This is a serious problem and overcoming the political obstacles is not easy. That doesn’t mean we can’t and shouldn’t work together to force Congress and the legal system to take these problems seriously.
Bahrain's Minister of State for Information Affairs, Samira Rajab, has announced that the government is preparing to introduce tough new laws to combat the "misuse" of social media. Like many Gulf states, Bahrain is doubling down on state censorship in response to a year of ongoing protests connected to the Arab Spring. In case the target of this upcoming legislation was in any way unclear, Ms. Rajab went on to call out human rights activists:
"It is these activists who have labelled drowning victims as those killed by torture. They have labelled sickle cell victims as being killed by security forces and they have used these media to completely distort the true picture of Bahrain. This cannot be tolerated. The rule of law shall prevail."
Ms. Rajab justified the upcoming laws by pointing to sedition laws in the United States, United Kingdom, and France.
Meanwhile, the Bahraini government is already engaging in the kind of crackdown that the new law is supposed to enable. Activist Nabeel Rajab (no relation to the Minister of State for Information Affairs) was detained again on June 6 after complaints that he had made statements “publicly vilifying” pro-government individuals on Twitter. After the Prime Minister visited the small town of Muharraq, Mr. Rajab tweeted that he should step down. He referenced the Prime Minister’s recent visit to Muharraq in his message:
[E]veryone knows you are not popular and if it weren’t for the need for money, [the Muharraq residents] would not have welcomed you.
Mr. Rajab’s attorney notes that his second detention is extraordinary even in Bahrain, since the Bahraini Code of Criminal Procedure limits pretrial detention to exceptional cases. Authorities are not supposed to detain the accused in defamation cases, and the most severe penalty has usually been a fine.
Mr. Rajab had been previously released from jail after posting bail at the end of May. That time, the activist had also been arrested for inflammatory political comments from his Twitter account. The EFF joins other groups such as Human Rights Watch and the European-Bahraini Organization for Human Rights in demanding the immediate and unconditional release of Mr. Rajab, as well as the dismissal of all charges against him. We remain concerned we will see even more cases similar to this one once the new laws are passed.
This week the British government unveiled a bill that has a familiar ring to it. The Communications Data Bill would require all Internet Service Providers (ISPs) and mobile phone network providers in Britain to collect and store information on everyone’s internet and phone activity. Essentially, the bill seeks to publicly require in the UK what EFF and many others have long maintained is happening in the US in secret – and what we have been trying to bring to public and judicial review since 2005. Put simply, it appears that both governments want to shift from surveillance of communications and communications records based on individualized suspicion and probable cause to the mass untargeted collection of communications and communications records of ordinary, non-suspect people.
This shift has profound implications for the UK, the US and any country that claims to be committed to rule of law and the protection of fundamental freedoms.
This isn’t the first time that an Executive has seized the general authority to search through the private communications and papers without individualized suspicion. To the contrary, the United States was founded in large part on the rejection of “general warrants” – papers that gave the Executive (then the King) unchecked power to search colonial Americans without cause. The Fourth Amendment was adopted in part to stop these “hated writs” and to make sure that searches of the papers of Americans required a probable cause showing to a court. Indeed, John Adams noted that “the child Independence was born,” when Boston merchants unsuccessfully sued to stop these unchecked powers, then being used by British customs inspectors seeking to stamp out smuggling.
The current warrantless surveillance programs on both sides of the Atlantic return us to the policies of King George III, only with a digital boost. In both, our daily digital “papers” — including intimate information such as who we are communicating with, what websites we visit (which of course includes what we’re reading) and our locations as we travel around with our cell phones — are collected and subjected to some sort of datamining. Then we’re apparently supposed to trust that no one in government will ever misuse this information, that the massive amounts of information about us won’t be subject to leak or attack, and that whatever subsequent measures are put into place to govern access to it by various government agencies will be sufficient to protect our privacy and ensure due process, fairness and security.
On that score, at least the UK government is willing to discuss the proposal publicly and allow Parliament to vote on it. But this puts the onus on the British people to tell their representatives to soundly reject it. The message to the Executive should be clear: general warrants were a bad idea in 1760, and they are still a bad idea today.
New Draft of Vietnamese Internet Decree is Still Bad News for Freedom of Expression
The Vietnamese government’s draft of a new, problematic decree to regulate domestic Internet use is expected to become law at the end of the month. The 60-article document is filled with alarmingly vague language, including prohibitions on “abusing the provision and use of the Internet and information on the web” to “oppose the Socialist Republic of Vietnam,” “undermining the grand unity of all people” and “undermining the fine customs and traditions of the nation.” It also requires Internet filtration of all such offensive content, requires real-name identification for all personal websites and profiles, and creates legal liability for intermediaries such as blogs and ISPs for failing to regulate third-party contributors, triggering grave concerns about the decree’s impact on domestic online service providers.
The decree furthermore attempts to require all foreign and domestic companies that provide online services to cooperate with the government to take down prohibited content. For international companies without a business presence in Vietnam, the law would “encourage” them to establish offices or representatives in the country in order to hold them accountable for implementation of the decree. In an earlier draft of the law, foreign businesses would have been required to obtain legal status and set up servers in Vietnam.
In recent years, Vietnam has stepped up its incarceration of bloggers and other alternative media voices. The country is also the third worst on Reporters Without Borders’ list of “Enemies of the Internet,” following only China and Iran.
Wave of Blogger Arrests in Oman
Over a dozen bloggers, activists, and poets have been arrested in Oman over the past couple of weeks. In many cases, the charges have not even been published, although it is commonly believed that they were arrested for having expressed controversial views online. Lawyer Bassma Mubarak al-Kayoumi has stated that the arrests are in violation of Omani Basic Law, which stipulates that no one can be arrested without a reason, and that an arrested person “has the right to call whomever needs to be alerted about the arrest to provide assistance.”
The latest wave of protests and subsequent arrests largely stems from the Omani government’s backpedaling on legal reforms that the Sultan had announced in the wake of last year’s popular discontent. On June 4, the public prosecutor of capital city Muscat published a statement denouncing “the recent increase in defamatory statements and calls for sedition by some people under the guise of freedom of expression,” and he expressed his intention to “take all necessary legal action against those uttering, circulating, encouraging or contributing to them.” Most recently, police arrested at least 22 protesters at a sit-in in front of the Special Section, the capital’s high-security jail, on June 11. Many of the bloggers and activists who had been arrested earlier are believed to be held in the building.
New HTTP Error Code Proposed to Signal Internet Censorship
Tim Bray, a leading Android developer at Google, has proposed the creation of a new HTTP status code in order to indicate that a webpage is unavailable due to legal restrictions. The suggested HTTP code, 451, is meant to give Internet service providers the ability to serve users with more transparency. The name of the error code 451 is an allusion to the novel Fahrenheit 451 by the late Ray Bradbury, in which all books are supposed to be banned and subsequently burned by state “firemen.”
Bray credits Terence Eden for pointing out the lack of error messages for censorship when he noticed his ISP served an HTTP 403 error when he tried to access The Pirate Bay, which is blocked by government mandate in the UK. However, “the 4xx class of status code is intended for cases in which the client seems to have erred” according to World Wide Web Consortium (W3C) specifications. Currently, the most common HTTP error messages include 404 for web pages that can’t be found, 401 for pages without authorization, and 403 for pages that are supposed to be hidden from most users, such as directories. In the case of ordinary client errors, the server understands the request but refuses to fulfill it. In case of official censorship or website blocking, such as the known Pirate Bay restriction, the server doesn’t even see the request; rather, the ISP may intercept the request and reject it on legal grounds.
Drawing attention to Internet censorship when it takes place is an essential first step in fighting for freedom of expression.
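What the proposed code changes for a client, as an added example (not code from Bray's proposal or from EFF): an intercepting ISP proxy answers a blocked request with either the bare 403 described above or a 451, and a client-side check tells the two apart. The host names, the authority URL and the function names are made up for illustration; the `Link` header with `rel="blocked-by"` is taken from RFC 7725, which later standardized status 451.

```python
import re
from http import HTTPStatus

# Constructed sample data: hosts an intermediary has been ordered to block,
# mapped to a placeholder URL for whoever imposed the block.
BLOCK_LIST = {
    "blocked.example": "https://regulator.example/orders/placeholder",
}


def intermediary_response(host: str, transparent: bool = True) -> bytes:
    """Build the raw HTTP response an intercepting proxy returns for `host`.

    transparent=False reproduces the behaviour the article describes (a bare
    403); transparent=True uses 451 and names who is responsible for the block.
    """
    if host not in BLOCK_LIST:
        return b""  # not blocked: the proxy would forward the request upstream
    if transparent:
        status = HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS  # 451
        body = f"Access to {host} is denied because of a legal demand.\n"
        extra = [f'Link: <{BLOCK_LIST[host]}>; rel="blocked-by"']
    else:
        status = HTTPStatus.FORBIDDEN  # 403: indistinguishable from a server refusal
        body = "Forbidden\n"
        extra = []
    payload = body.encode()
    lines = [
        f"HTTP/1.1 {status.value} {status.phrase}",
        "Content-Type: text/plain; charset=utf-8",
        f"Content-Length: {len(payload)}",
        *extra,
        "",
        "",
    ]
    return "\r\n".join(lines).encode() + payload


def classify(raw: bytes) -> dict:
    """Parse a raw HTTP response and say what a user can learn from it."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    status = int(parts[1])

    # Minimal header parsing; a repeated header keeps its last value.
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    blocked_by = None
    match = re.search(r'<([^>]+)>\s*;[^,]*\brel="?blocked-by"?', headers.get("link", ""))
    if match:
        blocked_by = match.group(1)

    if status == 451:
        verdict = "blocked-for-legal-reasons"
    elif status == 403:
        verdict = "refused-reason-unknown"  # could be the server or an intermediary
    elif status in (401, 404):
        verdict = "ordinary-client-error"
    else:
        verdict = "other"
    return {"status": status, "verdict": verdict, "blocked_by": blocked_by}


if __name__ == "__main__":
    for transparent in (False, True):
        print(classify(intermediary_response("blocked.example", transparent)))
```
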
Privacy loomed large as a discussion topic at the 13th Annual Meeting of the Trans Atlantic Consumer Dialogue (TACD), an event held in Washington, D.C. last week that brought together consumer advocacy organizations and regulatory agency heavyweights from both sides of the Atlantic for some in-depth policy discussions. The TACD’s annual meeting helps foster alliances between TACD member organizations (EFF is counted among them) working in the U.S. and the EU. While the overarching group tackles such broad-ranging issues as food policy and financial services, TACD’s Information Society division has been especially concerned with protecting Americans’ and Europeans’ privacy rights in the digital era.
At an overlapping event, the Consumer Federation of America (CFA) hosted a privacy roundtable to bring consumer groups together with representatives from major tech companies and online advertising associations for a frank discussion about emerging issues in online privacy. Both forums yielded some fascinating questions and debate. Here are some of the key takeaways.
Will a Privacy Bill of Rights Move Forward in the U.S.?
Much discussion revolved around the proposed “Consumer Privacy Bill of Rights,” a policy blueprint floated by the White House this past February that seeks to establish new safeguards to protect consumer data in the digital realm. As a TACD resolution on consumer privacy points out, this issue doesn’t affect Americans alone: “In the absence of legislation, the U.S. cannot offer the EU any assurance that there will be adequate protection for the personal data stored or used by U.S. companies,” TACD noted.
In an age where it’s commonplace for third-party data brokers to buy and sell individuals’ personal information without their knowledge or consent, sound policy is sorely needed. While the White House proposal could go farther on calling for limiting data collection, it nonetheless contains solid recommendations on transparency, accountability and security and would represent an important step in the right direction. (EFF, meanwhile, has devised its own Privacy Bill of Rights recommendations for mobile users and social network users.)
Unfortunately, questions arose during the TACD meeting about whether the proposal could indeed be expected to move forward as legislation anytime soon, particularly in an election year.
Commissioner Julie Brill, who serves on the FTC, endorsed the idea of converting the White House blueprint into law during one of the conference plenary sessions. “Such rapid advances in technology and marketing have led us … to conclude we’re facing potentially serious gaps in consumer privacy protection,” she noted.
But in a closed session that followed, representatives of other U.S. government agencies faced tough questions from advocates who voiced concerns that attempts to craft strong policy around consumer privacy would be waylaid and substituted with a multi-stakeholder process that has been launched concurrently to hash out industry best practices on consumer privacy.
Pressed as to whether the White House policy framework had actually been committed to draft legislative language, agency representatives acknowledged that the administration had not yet taken this step. While they offered assurances that a push for legislation is still on track, they also acknowledged that the effort likely is not going to be realized this election year.
The upshot is that the multi-stakeholder process is on the front burner while the legislative effort simmers in the background. This effort aims to facilitate collaboration with industry and other partners to pin down a code for best practices, and the FTC will be endowed with enforcement powers to hold companies accountable under the voluntary standard that is created.
Speaking of political campaigns: Investigative news outlet ProPublica put some pressure on Yahoo, Microsoft, and President Barack Obama’s reelection campaign this week with an article detailing how the companies are providing user data to political campaigns to facilitate sophisticated online voter targeting.
When Machines Decide
A number of fascinating conversations emerged from the CFA privacy dialogue, a forum held the following day that brought together representatives from industry, government, advocacy organizations and universities. One of the most intriguing (and perhaps chilling) was a presentation delivered by a representative from a prominent tech company who cheerfully described a world in which an "Internet of Things" could assist with decision-making -- without any human intervention.
The Internet of Things may be thought of as “intimately networked” devices, people and computers “all talking to each other,” the company representative explained. While at present there are roughly 2 billion “things” (hint: most are smartphones) connected to the Internet, corporate researchers predict that the world will be swamped with a whopping 50 billion Internet-connected things by 2020.
As envisioned, these “things” will be wide-ranging in nature. They might include infrared sensors on doorways to tally the number of people entering a room, for example, or devices tasked with monitoring and controlling the power grid, or mitigating traffic congestion. It could even be a device worn by a patient to monitor blood pressure, equipped to automatically send the data back to a medical care provider. The long-term idea is to use vast amounts of collected data -- sent along largely invisible networks -- to enable these devices to recognize patterns over time and make decisions accordingly.
This scenario obviously raises a slew of thorny questions, but the discussion at the CFA dialogue centered on the privacy implications. Some wondered how consumers could be guaranteed agency in an intensely networked world. Others noted that it would be crucial to require adequate disclosure on who is obtaining the data that is being generated, and for what purposes it is being used. TACD, meanwhile, has also issued a resolution on the Internet of Things, which provides a useful way to think about this future scenario:
“The IoT will reveal much more about consumers’ habits, from the books they read and the medications they take to the types of transportation they use. Implementation of privacy by design will be important for the enforcement of consumer and privacy rights. In addition, the data protection principles (data collection limitations; lawful and fair collection; proportionality; finality; accuracy; transparency; right of access and rectification; confidentiality and security of processing) should be respected and implemented in the technology.”
TACD Recommendations on Consumer Privacy Rights
TACD has also issued a much broader resolution offering a set of detailed recommendations on consumer privacy in general. In it, member organizations urge the U.S. and EU governments to do the following (paraphrased and not a comprehensive list):
Earlier this month, an inmate in Texas was denied access to computers and an electronic messaging system because he ordered a copy of the information security handbook Hacking Exposed. Does simply ordering a copy of an information security handbook render an individual a threat to the safe, secure, and orderly operation of a federal prison? Almost certainly not.
Hacking Exposed was written by three well-respected information security professionals, two of whom work at McAfee, and is intended to educate infosec professionals about the threat landscape. But the warden of the prison, and subsequently a federal district court, found that just by ordering the book, Reginald Green constituted a substantial enough threat to the orderly running of the prison to ban him from accessing the TRULINCS electronic messaging system or using computers for the rest of his incarceration. Could the exploit information contained within Hacking Exposed be misused in the right environment? Sure, but so could lots of other things, like the hammers in the prison workshop or the weights in the prison gym.
This is an unfortunate, aggressive reaction to the social concept of "the hacker," without pausing to consider the facts of the case. If the book had been called "Offensive Information Security" instead of "Hacking Exposed," would it have been confiscated, or Mr. Green deemed a threat? We've seen many examples of security researchers and others calling themselves hackers and falling under undue and aggressive legal scrutiny because their motives and actions were misconstrued. This is in part because the term "hacker" can, in general parlance, mean anything from a DIY enthusiast building portable chargers in Altoids tins to a hardcore cybercriminal selling stolen credit card numbers on a deep web message board. Individuals either calling themselves hackers or dubbed so by the media have been repeatedly targeted for publishing information on how to jailbreak your own devices. For example, Sony sued members of the hacker group fail0verflow after they revealed at CCC that they'd mathematically calculated the keys Sony uses to ensure only approved code runs on the PS3. In the same suit, Sony also sued George Hotz, better known as GeoHot, jailbreaker of the iPhone, for publishing the PS3 root key, even though he made clear he didn't do so to enable people to run pirated games. People have also been targeted for offering jailbreaking services commercially. For instance, prosecutors brought criminal charges against Matthew Crippen for modding XBOX 360s to run DRM-free games, which were ultimately dismissed.
Whether you call them hackers, makers, tinkerers, or information security researchers, people on the hacking spectrum have been a boon to society for decades. They power innovation in all sectors and operate as a valuable check on the security and stability of the technology that forms the basis for our modern society. Their curiosity drives our economy and challenges entrenched corporate and governmental interests. However, the word “hacker” has changed since its origins in creative prank culture and innovative computing at MIT, and is now popularly used, more often than not, as a pejorative one that encourages fear-based knee-jerk reactions. Hackers are used as go-to villains by policy makers, who wave the nightmare scenario of rampant cybercrime and imminent cyberwar to justify legislative proposals that threaten to encroach on your digital civil liberties.
What is being attacked here is the ability of individuals to pursue technical knowledge. Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word "hacking" and overreacted.
In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) and a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices.
The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome.
Safari
On the menu bar at the top of your screen, click on Preferences.
Select the Advanced preferences panel, shown in the screenshot below.
Check the box at the bottom of the menu labeled "Show Develop menu in menu bar."
On the menu bar at the top of your screen, click on Develop, shown in the screenshot below.
Click on "Send Do Not Track HTTP Header."
Congratulations. You have enabled Do Not Track on your Safari browser.
Internet Explorer 9
On the menu bar at the top of your screen, click the Tools button, which is shaped like a gear.
Point to Safety, and then click Tracking Protection, shown in the screenshot below.
Go to the Manage Add-on dialog box, shown in the screenshot below.
Click Tracking Protection List, and then click the Enable button in the lower right-hand corner of the box, shown in the screenshot below.
Congratulations. You have enabled Do Not Track on your Microsoft Internet Explorer 9 browser.
Firefox
On the menu bar at the top of your screen, click on Preferences.
Select the Privacy tab, shown in the screenshot below.
At the top of this menu, check the box labeled "Tell websites I do not want to be tracked."
Congratulations. You have enabled Do Not Track on your Firefox browser.
Chrome
To enable Do Not Track in Chrome, you will need to install the Do Not Track browser extension.
On the menu bar at the top of your screen, click on Window.
In the Window menu, click on Extensions.
Chrome will display a control panel which shows all of the extensions you have installed on your browser, shown in the screenshot below.
If you do not have any extensions installed, click the Browse the gallery link, shown above. If you have extensions installed already, scroll to the bottom of the control panel and click the Get more extensions link. These links will take you to the Chrome Web Store, shown in the screenshot below.
In the search box in the upper left hand corner, type "Do not track."
Select the Do Not Track extension (EFF recommends the extension written by Jonathan Mayer) and click "Add to Chrome."
In the drop down menu, shown in the screenshot below, click "Add."
Congratulations. You have installed the Do Not Track extension on your Chrome browser.
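To check that a browser configured as above really sends the signal, and to see what a site that respects it might do, here is an added example (not part of the original tutorial and not EFF code): a small WSGI site that echoes the DNT preference it received and withholds a tracking cookie when the header is `DNT: 1`. The cookie name `ad_uid`, the demo site and the drop-the-cookie policy are assumptions; the page notes that the standard for how sites should respond was still being defined.

```python
from wsgiref.util import setup_testing_defaults

# Hypothetical name of a cookie this demo site uses for behavioural profiling.
TRACKING_COOKIES = {"ad_uid"}


def dnt_preference(environ) -> str:
    """Map the DNT request header to 'do-not-track', 'allow' or 'unset'."""
    value = environ.get("HTTP_DNT", "").strip()
    if value == "1":
        return "do-not-track"
    if value == "0":
        return "allow"
    return "unset"  # header absent or malformed: no preference expressed


def honor_dnt(app):
    """WSGI middleware: drop tracking cookies from responses to DNT: 1 requests."""
    def middleware(environ, start_response):
        pref = dnt_preference(environ)

        def filtered_start(status, headers, exc_info=None):
            if pref == "do-not-track":
                headers = [
                    (k, v) for k, v in headers
                    if not (k.lower() == "set-cookie"
                            and v.split("=", 1)[0].strip() in TRACKING_COOKIES)
                ]
            # The response now depends on the DNT header, so tell caches.
            headers = list(headers) + [("Vary", "DNT")]
            return start_response(status, headers, exc_info)

        return app(environ, filtered_start)
    return middleware


def demo_app(environ, start_response):
    """Constructed site: sets a session cookie and a tracking cookie."""
    body = f"DNT preference received: {dnt_preference(environ)}\n".encode()
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
        ("Set-Cookie", "session=constructed-session-id; HttpOnly"),
        ("Set-Cookie", "ad_uid=constructed-visitor-id; Max-Age=31536000"),
    ])
    return [body]


def simulate(dnt_header=None):
    """Send one constructed request through the wrapped app.

    Returns (names of cookies the response sets, response body text).
    """
    environ = {}
    setup_testing_defaults(environ)
    if dnt_header is not None:
        environ["HTTP_DNT"] = dnt_header
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    body = b"".join(honor_dnt(demo_app)(environ, start_response))
    cookies = [v.split("=", 1)[0] for k, v in captured["headers"]
               if k.lower() == "set-cookie"]
    return cookies, body.decode()


if __name__ == "__main__":
    # Serve locally, then open http://127.0.0.1:8000/ in the configured browser.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, honor_dnt(demo_app)).serve_forever()
```
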
EFF has been monitoring governmental proposals for national identification schemes, with an eye toward evaluating the privacy implications of these new systems. In Japan, where an existing program issues unique ID numbers to citizens at the municipal level and shares information on a national network, a bill is under consideration that would create a new ID framework. Submitted by the Japanese Cabinet in February of 2012, the “My Number Bill” would issue new unique ID numbers to participating citizens. The stated purpose is to streamline information sharing between governmental bodies administering tax, social security, and disaster mitigation programs. If the law is enacted, the My Number system will begin operating in 2015.
So far, there are no signs that Japan's government will follow the increasingly common trend of requiring citizens to submit biometric data, such as fingerprint or iris scans, in order to enroll. Nevertheless, it’s clear that data submitted by participating citizens will be subject to greater information sharing than under the prior system. This planned expansion gives rise to serious questions about whether individuals’ personally identifiable information will be adequately protected. While the existing ID framework is highly controversial due to privacy concerns, this proposal will disseminate personal data farther and wider, making it even harder for individuals to exercise control over their own information.
Japan’s current unique ID system
Under the mandatory Basic Resident Register program, every Japanese citizen must provide his or her name, birthdate, gender and physical address to municipal governments. With the implementation of the Resident Basic Register Network System in 2002, these four types of information began to be fed into a nationwide computer network, the Juki-net, set up to share data between government agencies. The new system combined the resident registration databases of 3,200 municipal governments, and assigned every Japanese citizen an ID number. Under this framework, citizens may also opt to obtain ID cards, which contain integrated circuit chips.
When an individual moves to a new city, or changes his or her name following marriage or divorce, the informational updates are logged in the Juki-net. The practice of logging such updates afforded government for the first time the ability to instantly obtain information about personal histories and to track individuals' movements over the course of multiple years, according to the analysis of Midori Ogasawara, a former journalist who reported on the Juki-net for national Japanese newspaper Asahi Shimbun. “In the past, [a government] official could barely track [an individual’s] data by looking at the paper-based Resident Basic Registry, because the registry was discretely stored in the municipal office,” Ogasawara noted in her thesis on Japan ID systems. “By removing the constraint of a stored location, the government could transcend the constraint of time, too. Now, personal data on Juki-net are automatically updated with references to the past.”
The Juki-net became a major source of controversy in Japan when it was launched. A newspaper opinion poll conducted just before implementation found that 86 percent of respondents were afraid of data leakage or improper use of information, while 76 percent thought implementation should be postponed. Several lawsuits challenged the new system, charging that it constituted a violation of the right to privacy guaranteed by Article 13 of the Japanese Constitution. Protests were mounted as well; 70 municipal assemblies and 29 mayors passed resolutions demanding the government postpone Juki-net’s implementation. In one city, whose mayor made it possible for citizens to opt out, 839,539 citizens went to city offices to register for non-participation. Following a Supreme Court ruling that found Juki-net to be constitutional, the citizens who’d requested to opt out were enrolled anyway.
In 2008, the Juki-net withstood a legal challenge when Japan’s Supreme Court ruled that it was constitutional, reversing a lower court’s 2006 ruling that the system violated privacy rights guaranteed by Article 13 of the Japanese Constitution.
Plaintiffs had argued that Juki-net illegally subjected citizens to risks of personal information leakage, and that it infringed upon rights guaranteed under Article 13 of the Japanese Constitution, which states, “all of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.” Yet the court rejected these arguments when it found the Juki-net system did not violate Article 13.
The court determined that there was a low risk that information could be leaked due to the technical system design, and highlighted the absence of a centralized database that would enable consolidated control over personal information by any single governmental agency. It also found that the nature of the collected data was not highly confidential.
While Japan’s decision to prevent the creation of a centralized database places it ahead of the curve on privacy when compared with many other countries that have implemented national ID systems, it’s important to remember that any digital collection of personal information opens the door to potential data breaches. Meanwhile, the court’s assertion that the data is not of a highly sensitive nature fails to take into consideration the fact that reliable inferences can be made about highly sensitive data by building upon multiple categories of non-sensitive data. For instance, Carnegie Mellon researchers Alessandro Acquisti and Ralph Gross published an article in 2009 demonstrating how social security numbers could be easily predicted by combining various kinds of widely available data, such as individuals’ birthdates and places of birth.
Expanded information sharing
The My Number Bill would essentially take the Juki-net a step further, by generating new unique ID numbers and allowing information sharing between the agencies that administer social security, tax, and disaster mitigation programs. The newly generated unique ID numbers would be used as a "key" to link records of individuals' income and payments, as well as benefits for pensions, health care and other services.
The My Number Bill also seems to be envisioned as a first step toward an increasingly networked system that would integrate highly sensitive information and could be opened up to private-sector use.
The bill was drafted based on a policy outline that won Cabinet approval in June of 2011. The policy outline hints at plans to formulate special statutes around highly confidential personal information, such as medical records. It also describes the possibility of linking unique ID numbers to medical data for research purposes, as long as patients’ anonymity is maintained. Yet this sets a dangerous precedent; researchers Arvind Narayanan and Vitaly Shmatikov, among others, have shown that attempts at “de-identification” are not always effective.
Under the bill, the lack of a centralized database is designed to prevent any single governmental body from storing personal information, and an independent monitoring body will be created to ensure personal information is adequately protected. Nevertheless, these measures against data leakage can never be guaranteed to be 100 percent effective.
According to the policy framework paper, the program would be launched in January 2015 in the spheres of social security, tax, and disaster mitigation; by around 2018, the government will evaluate progress and consider expansion to other areas, such as the medical field. Given the political controversy currently surrounding Japan’s consumption tax increase, which is tangentially linked to the unique ID proposal since the program aims to streamline tax administration and processing, it’s still too early to say whether the My Number Bill will win approval.
Reactions from the Japanese public
The Japan Federation Bar Association has publicly opposed the My Number Bill, criticizing the program for failing to respect the right to control one’s own personal information.
A number of nongovernmental organizations, such as Japan’s Privacy Action and the Anti Ju-Ki Net Association, also came out against Japan’s proposed unique ID system in public comments submitted to the Cabinet Secretariat in July and August of 2011. They argued that the national ID isn’t really necessary to reform social security and tax programs, and that human rights and personal privacy will be jeopardized no matter what, since it’s impossible to guarantee 100 percent safety when it comes to technology and the potential for human error or active exploitation. Others argued that statutory protections of personal information are ineffective, and that not enough consideration has been given to the shortcomings of the Juki-net. Some NGOs expressed doubts that the ID system would protect citizens’ rights, and called for a cost-benefit analysis prior to implementing the new program.
The Japan Medical Association has voiced concerns about the idea of linking unique ID numbers to medical records. At a press conference in March, the organization noted that highly sensitive patient information could be leaked.
Ogasawara, the Japanese journalist and surveillance scholar, offered a sharp critique of the Juki-net, focusing on the expanding requirements for information sharing. “Even in a short-term observation, Juki-net’s development shows how a computer network inevitably expands for data sharing,” she wrote. “Once it is established, it increases the scope of data, engages in multiple tasks, and escapes from legal constraints and democratic transparency.”
We are concerned that the unique ID proposal seems to be moving Japan in a worrisome direction, toward expanded sharing of information that is more sensitive in nature. As we have seen in places such as the UK, where leaks of everything from medical histories to criminal records were attributed to the very government agents entrusted with overseeing a database administered by the UK government’s Department for Work and Pensions, serious challenges arise when digital records of sensitive personal information are created and incorporated into a national network.