Grave doubt has been cast on the data management of an information infrastructure used by 86 million people in Japan. Parties concerned must urgently clarify the precise picture of how it happened and make utmost efforts to dispel the concerns of users.
The operating company in Japan of the Line free massaging app has announced that it had given a company in China it entrusted system development to access rights to the personal information of app users. The names, phone numbers and the contents of messages thus could be viewed for a lengthy period of time.
The operator explained that the Chinese company was able to view only the minimum necessary amount of information, thus there was no unauthorized access nor any exposed information. However, concerns over possible information exposure and distrust of the app are prevailing among its users.
Prime Minister Yoshihide Suga has announced that the government will investigate the circumstances regarding how the app is used by government organizations. The Internal Affairs and Communications Ministry and some local governments have decided to halt the use of the app.
China’s national intelligence law obliges companies and citizens in China to cooperate with the government’s intelligence activities. If the Line operator allowed companies that could be forced to provide information to the Chinese government to access users’ personal data, it is only natural if users are hesitant to use the app.
The Line app was developed 10 years ago and has spread rapidly. It also offers cashless payment services, and many local governments are using the app to track the health conditions of people infected with the novel coronavirus. As it is also used by politicians, one expert has pointed out that the recent incident “is posing high security risks.”
Companies in charge of information infrastructure are required to perform particularly strict data management. The Line operator said it had blocked the Chinese company’s access to the data and will sequentially transfer video and image data currently stored in South Korea to Japan. The operator should steadily proceed with this.
A third-party committee to be set up soon will need to investigate problems with the information management and oversight system of the company to which the work was outsourced and promptly disclose the results. The government should also try to grasp the actual situation, rather than leaving it to the operator.
Japan’s Protection of Personal Information Law allows information to be transferred to or viewed from a foreign country with the consent of users. The Line operator said it had provided some clarification in its user guidelines, but there are likely not many people who would closely read the lengthy terms and conditions.
With the implementation of the revised law next year, the government will require entities to specify the name of the country to which information will be transferred. It should probably once again discuss whether personal data should be allowed to be transferred to and viewed from a foreign country with the consent of users.
In the field of information technology, outsourcing of work to overseas companies has been increasing from the aspects of human resources and costs. Some companies may not pay attention to the system in each country and simply entrust the work to firms overseas. The government should expedite efforts to investigate the relevant situation and establish rules.
Users should also raise their awareness of the safety of using information services.
— The original Japanese article appeared in The Yomiuri Shimbun on March 22, 2021.