Japan's LINE was exposed to an information security loophole? Behind the news events, the unspoken details of the lazy bag

On the 17th of this month, the Asahi Shimbun exclusively reported ^{( 1 , 2 , 3 )} that at least 4 Chinese technicians from LINE's related companies in China had invaded Japan's domestic user database 32 times for no reason, causing the Japanese government and the public There was a panic, worried that there would be a problem with LINE's information security management.

According to LINE’s official statement, this incident was not an outflow of personal information, but an information security loophole discovered when LINE strengthened the company’s internal personal information storage procedures. The Chinese technical personnel who had entered the Japanese user database for no reason were employees of the LINE branch and the company entrusted by the LINE branch. According to the internal operating specifications of LINE at that time, they did have the right to enter and exit the Japanese user database. When LINE discovered this vulnerability, it had already blocked the Japanese user database of the Chinese company in February this year to obtain permission.

Therefore, this incident is not an outflow of personal capital (outflow to others who have nothing to do with LINE's business), but a problem with LINE's internal operations. The reason why I say this is because the loopholes found this time are related to the internal business integration of LINE and the recent revision of the "Individual Information Law" in Japan.

The delivery location happens to be in Dalian, China

The problem in this incident lies in the " Digital Technology (Shanghai) Limited (Dalian) ", a subsidiary of LINE's subsidiary LINE Plus Corporation in Dalian, China, and a company commissioned by LINE Fukuoka. A Chinese company that also happens to be located in Dalian, China.

Dalian Branch of Shanghai Lianshi Digital Technology Co., Ltd.

The business of Shanghai Lianshi Digital Technology Co., Ltd. Dalian Branch is mainly responsible for: ① the development of gadgets used within the LINE company, ② AI artificial intelligence, and ③ the functions within the LINE application. In response to LINE's internal strengthening of the information security level, LINE has cancelled the permission of Shanghai Lianshi Digital Technology Co., Ltd. Dalian Branch to obtain the following information for business development:

1. Authorized to develop CMS content management system (content management system, CMS) for LINE investigators
   → After a user reports a message, the system will store the user's name, phone number, e-mail, LINE account number and the content of the reported message in order to notify the search agency. Details about this part can be found here
2. LINE reviews the development authority of the CMS content management system for business personnel (after users report content such as messages, they are responsible for confirming whether the content violates the terms of use)
3. Development authority of customer service mailbox (name, phone number, e-mail)
4. Development rights for the LINE virtual portrait function and the OCR optical text recognition function in the LINE app (by agreeing to use the LINE virtual portrait function, you agree to the internal use of the user-uploaded photo by the LINE company)
5. Permission to develop the KEEP function (text messages, photos, videos, and files stored in the LINE cloud drive when users use the KEEP function)

LINE Fukuoka (Fukuoka), which entrusts a Chinese company to assist in the business

As for the Chinese company entrusted by LINE Fukuoka (the company name has not been announced, only the company is also located in Dalian and is a company established by a well-known Japanese business agency group in China), it does not have the authority to obtain the Japanese user database, but can access the users who report the information material.

LINE Fukuoka's business is mainly responsible for reviewing the content of messages reported by users. LINE Fukuoka entrusts the business of Chinese companies to assist in reviewing the content of messages reported by users. According to LINE, if the encrypted messages of Japanese users are reported, LINE Fukuoka will be responsible for review; but if it is unencrypted messages, or public content such as post strings, the Chinese company commissioned by LINE Fukuoka and LINE Fukuoka will be responsible for the review. common review.

According to LINE, the Chinese company entrusted by LINE Fukuoka is responsible for processing about 18,000 reported post content and about 74,000 reported non-encrypted messages a day.

LINE stated that if it is the content of the LINE@ official account (including: group messages, post strings and homepages, excluding: one-to-one chat content, conversation content through API, and user responses to chatbot robots), all content is from LINE. Fukuoka is responsible for monitoring/censorship.

LINE also has NAVER China in China (Beijing World Link Interactive Network Co., Ltd.)

LINE also emphasized that LINE also has “ Beijing World Union Interactive Network Co., Ltd. ( NAVER China ) ” in Beijing, where NAVER Corporation has established a legal person in China. NAVER China cannot obtain the information of users in Japan, Taiwan, Thailand and Indonesia, and NAVER China is only responsible for Review user information outside of these 4 countries.

Continue reading on the next page: It is not an accident that Yahoo! Japan and LINE are integrated at the same time

Back to the previous page: The delivery location happens to be in Dalian, China

It is not an accident that Yahoo! Japan and LINE are integrated at the same time

Yahoo! Japan and LINE announced their integration in November 2019, and completed their operational integration on March 1 this year to establish Z ホールディングス (Z Holding, ZHD), a super-large Japanese IT company. This incident broke out, and it was only in the context of the integration of Yahoo! Japan and LINE's operations that LINE commissioned an information security expert to investigate the information security situation within LINE, and this loophole was discovered.

Therefore, when the news broke on the 17th, LINE stated that the matter had already been dealt with in February (that is, before Yahoo! Japan and LINE were merged), emphasizing that when they discovered the problem before the end of February, The permission of Chinese technical personnel to obtain Japanese user database has been revoked. LINE's remarks are actually also a shout-out to its partner Yahoo! Japan, emphasizing that it has already dealt with this problem before the integration of bilateral operations.

From LINE’s point of view, this incident is not an outflow of personal information, but LINE’s revision of the company’s internal user privacy policy to strengthen the level of staff who can obtain user rights, so it will delete China, which could have obtained personal information of Japanese users. Authorized technical personnel. This matter can only be an internal specification of LINE, and there is no need to explain it to users. However, it is precisely because of the exclusive report of the Asahi Shimbun that this matter was made public, coupled with the wide popularity of LINE in Japan, not only the public, but also Japanese government units often cooperate with LINE to launch online convenience services. It will make the whole country of Japan tense overnight, worrying about information security loopholes in LINE.

Japan's new personal information law, which will hit the road next year, hits LINE

In addition, Japan's new version of the "Personal Information Protection Law", which will be launched in April next year, stipulates that if companies want to store users' personal data in other countries, they must clearly inform users of the country where the server is located. As a large-scale electronic multinational company in Asia, LINE has a presence in Japan, South Korea, Taiwan, Thailand, China, Indonesia and Vietnam, and is responsible for storing user data.

Data storage location for Japanese users

Taking the database of LINE Japanese users as an example, the personal data of Japanese users are mainly stored on LINE servers in Japan and South Korea. The contents stored in the databases on both sides are as follows:

• LINE's Japanese server:
  Conversation records, LINE accounts, phone numbers, emails, LINE friend relationships, friend lists, location information, address book, LINE Profile+ (LINE's personal page, including name, address and other information), voice call records (excluding call content) , transaction records within the LINE app (eg purchase of stickers)
  
• LINE's Korean server:
  Photos, videos, KEEP (LINE's cloud drive), photo albums, post strings, LINE Pay transaction information (the information that needs to be authenticated, such as name and address, is stored in a server in Japan)

After the incident broke out, the database was moved back to Japan.

Before the outbreak of this incident, LINE only stated in the user terms that "user data may be stored on servers in other countries", and did not clearly tell users what information would be stored where. The above information was only announced on the official website of LINE after the news broke.

After this incident broke out, LINE announced that it would gradually transfer the Japanese user data (photos, videos, files) stored on the Korean server to the server in Japan, which is scheduled to be completed in June 2021. As for the post content of the Japanese LINE@ official account currently stored on the Korean server, it is also scheduled to be fully transferred to the server in Japan by June 2022, and then the Japanese server stored on the Korean server will be gradually transferred. Personal user post string data, moved back to the Japanese database.

One approach, two interpretations

From the perspective of nationalism, LINE chose to move the personal data of Japanese users back to the server in Japan. The personal information was intervened by the forces of other countries. However, the actual situation should be that if LINE does not move the data of all Japanese users back to the server in Japan before the new version of Japan's "Personal Information Protection Act" goes on the road, LINE must list each service in the user terms. The data are stored in which countries' servers. It can be said that LINE should have a plan to move Japanese user data back to Japan, but because of the outbreak of this incident, LINE decided to announce this plan to appease Japanese users, hoping to save Japanese users’ confidence in LINE. .

However, LINE's hemostasis was unsuccessful. The reason is that the Japanese government agency's Personal Information Protection Committee and the Ministry of Internal Affairs and Communications both require LINE to submit relevant reports to the government.

Continue reading on the next page: The Japanese government moves

Back to the previous page: It is not an accident that Yahoo! Japan and LINE are integrated at the same time

Japanese government moves

However, LINE's hemostasis was unsuccessful. The reason is that the Japanese government agency's Personal Information Protection Committee and the Ministry of Internal Affairs and Communications both require LINE to submit relevant reports to the government.

Personal Information Protection Committee: Check whether the current "Individual Information Law" is violated

Based on the current Personal Information Protection Act, the Personal Information Protection Committee requires LINE and parent company Z Holding to submit relevant reports and communication records before the 23rd. According to the current "Personal Information Protection Law", if companies want to store users' personal data overseas, or allow overseas access to user data, they must obtain user consent. The request of the Personal Information Protection Committee is to confirm whether LINE has violated existing laws and regulations.

However, according to LINE's current user terms, because it is written that "personal data may be transferred to a third country without personal information protection law", although the country name is not clearly written, it should comply with the current legal norms (at least Until the amendment to the Personal Information Protection Act hits the road in April next year).

Ministry of Internal Affairs and Communications: Report within one month of the deadline

The Ministry of Internal Affairs and Communications requires LINE to submit a report by the 19th of the next month in accordance with the "Telecomm Communications Business Act" on the 19th. What instructions the user has made, etc., are called "report collection".

LINE is already part of Japan's online service infrastructure

In addition to the central government, many local governments in Japan have cooperated with LINE to launch electronic (e) online convenience services. Especially after the outbreak of COVID-19 last year, government units have actively promoted online operations, hoping that people will no longer have to go to the city or district office to apply for business, so as to reduce the risk of infection.

According to the report, about 900 local governments, large and small, have launched LINE@ official accounts across Japan. LINE has 86 million monthly active users in Japan (accounting for 68% of Japan's total population) . It is the communication software used by most people. For administrative units that want to launch online convenience services, choosing to cooperate with LINE can lower the threshold for public use. (There is no need to be familiar with a new set of software or operation methods), it can be said that LINE is now an indispensable and important platform for the construction of online service infrastructure in the digital age in Japan.

Local governments have polarized practices

In the face of LINE's suspicion that it may be "delivered", local governments have different approaches. For example, Ichikawa City, Chiba Prefecture chose to suspend some businesses that can be applied for through the official LINE@ account of the city government. These suspended online application businesses all require the public to upload their driver's license and other documents in the chat window with photos to compare themselves. For the staff on the other end of the city government's official LINE@ account to confirm whether it is their own administrative work.

In addition to general administration, many local governments are using the official LINE@ account to allow the public to make an appointment for vaccine administration online. There is still a short time before the vaccine is released to the public (at this stage, Japan is only open to medical personnel), such as Kanagawa Prefecture Kankawa Town and Wakayama Prefecture Wakayama City decided to slam on the brakes, before confirming whether LINE has information security problems, Decide to handle it as a traditional web page or phone appointment.

There are also people like Fukuoka City or the Mie Prefecture Board of Education (equivalent to the Mie Prefecture Education Bureau) who believe that the online services jointly launched by the prefectural government and LINE do not have any doubts about "delivery", so they will continue to use the status quo.

Central Government: Services involving personal information should be stopped first

At present, the Ministry of Internal Affairs and Communications has required all local governments to report the use of LINE as an online convenience service by administrative departments to the central government by March 26.

Chief Cabinet Secretary Katsunobu Kato also stated at a press conference on the 29th that if it is necessary to use the personal information of the public, or online convenience services involving classified information must be suspended immediately, until the government holds an internal meeting to discuss and make use of the public sector. LINE will only be open to the public after implementing the guidelines for online convenience services. This does not apply if you simply use the mass messaging function of the LINE@ official account to push or broadcast government ordinance information.

It was also mentioned at the press conference that the COVID-19 vaccine reservation system currently being developed by LINE for local governments, all information is stored in Japan and cannot be accessed from overseas. Worry.

Continue reading on the next page: The trade-offs of administrative norms failing to keep up with changing times

Back to the previous page: The Japanese government moves

Administrative norms cannot keep up with the trade-offs of changing times

As mentioned above, local governments in Japan will actively use LINE as a platform for online convenience services. It is precisely because of the outbreak of COVID-19 last year that it is necessary to reduce the need for people to go out under the condition of " not in a hurry (not important, not urgent) ". And the online operation process of administrative business is accelerated in one go.

The most famous example is the launch of the service “You can apply for a resident’s card by using LINE” in Shibuya Ward, Tokyo last April. This example is famous not only because Shibuya Ward in Tokyo was the first to launch a service that "just use LINE to apply for a resident's card", but more importantly, it was called by the Ministry of Internal Affairs and Communications not long after the service was launched. .

The reason for the Ministry of Internal Affairs and Communications is that the service "You can apply for a resident's card as long as you use LINE" jointly launched by Shibuya-ku, Tokyo and Bot Express does not use electronic signature technology, but the AI artificial intelligence text and face independently developed by LINE. Identification technology LINE eKYC , which does not comply with current regulations. After that (2020.4.3), the Ministry of Internal Affairs and Communications, in accordance with Article 245-4, Item 1 of the Local Self-Government Act, proposed to all local governments that if they want to provide online application services for resident cards, they must use electronic signatures such as My Number. " Technical Advice ".

At present, Bot Express and the government are still in the process of litigation.

References:

1. Yuーザーのpersonal information
2. What is one? Information outflow は『LINE』personal information がReading possibleに
3. The government's personal information protection committee LINE に legal に base づ き report request め る
4. LINE, China's information leaks れ う る 実 cognizant "Major case だ"
5. LINE, China's entrustment first, personal information, read, read, status, and status — please explain
6. LINEでのAdministrative サービス stop the Ministry of Finance
7. Personal Information Protection Commission, Measures for the LINE Law Act
8. Ministry of Civil Affairs LINE に report to ask for the problem of アクセス of China's club
9. The government's personal information protection committee, LINE にログ made a request... "The user agrees" to investigate whether there is a violation
10. Local government, 対応 chase わ れ る LINE personal information issue subject け
11. Domestic サーバーに 32nd episode of アクセスLINE's intelligence protection is not prepared で
12. LINE questions, personal information, leaks, and outflows?
13. Personal Information Protection Committee
14. LINEのpersonal information problem, this should be the "question" はどこにあったのか
15. Confidentiality requires information, government agencies' LINE use いったん stop = Chief Cabinet Secretary
16. 「LINE」をUsing いた resident's card request サービスの legality confirmation request event

This site launches a monthly e-newsletter [Ishikawa Whispering]. On the 15th of each month, it will push the latest content of "Ishikawa カオリ's Japanese current affairs まとめ translation" or follow-up news tracking reports directly to your e-mail!

＞＞＞ Click here to subscribe to the newsletter ＜＜＜

Now you can find "Ishikawa Kaori's Japanese Current Affairs まとめ Translation" on the following platforms.
Facebook Fan Page / Plurk / Twitter Twitter / Medium
Apple Podcasts / Spotify / Google Podcasts / Firstory / SoundOn / KKBOX

The original link is Japanese current affairs まとめ translation by Kaori Ishikawa