Regarding storage and linking of the common number/My Number

First, let's look at the following illustration from the Cabinet Secretariat describing the My Number system. In the figure, "number" means the My Number.

(Figure 1) Image of code linkage in the number system. Caption: use code conversion to link different "numbers" as needed.

In this picture, the My Number ("number") is stored in multiple places, including information holding institution A and information holding institution B.

This doesn't sit right with me: if the number itself is stored at each institution, there is little reason left to go through the information sharing platform at all.

Whether an institution stores the My Number itself or only a code makes a big difference, both for privacy and for the institution's own risk management.

If the My Number is stored at both institution A and institution B, the two can collude and match their records. Worse, if A and B each suffer an independent leak, a (malicious) third party can join the two data sets and assemble a profile of the individual that the individual never consented to, causing serious privacy damage. For the administrator, security management costs naturally rise, and exposure to penalties under the direct punishment provision is itself a major risk factor.

If only the code were stored, collusion would be impossible, and even if the data leaked, the records could not be matched to names, so the damage would be far smaller; the applicable penalties would be lighter too. Sharing information would then be possible only by going through the information sharing platform, but that is the platform's role in the first place. Storing My Numbers in many places amounts to building backdoors around it.

Originally, the My Number was meant to be presented once in order to obtain something equivalent to a "code," and then discarded. For example, in the United States, the Department of Defense uses the Social Security Number (SSN) only once, as the datum that links a salary deposit account to an employee number, and does not use it for that purpose afterwards (it is discarded). That can be called a legitimate use.
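To make the linkage risk concrete, here is an added example (not code from the original post) that models institutions A and B as small record sets. It assumes constructed sample records and derives each institution's "code" as an HMAC under a key that only the platform holds, which the post does not specify; the names Platform, join_on and pseudonymize are mine. The join that works when both sides hold the raw number finds nothing when each holds only its own code, while the platform can still translate one code into the other.

```python
"""Why storing the raw number at every institution creates a linkage risk.

Added illustration; not code from the original post. The institutions,
records and My Numbers are constructed sample data. The per-institution
"code" is derived with HMAC-SHA256 under a key held only by the platform,
which is an assumption: the post does not specify how codes are generated.
"""
import hashlib
import hmac
import secrets

# Constructed sample: the same two people appear at information-holding
# institution A (say, a tax office) and institution B (say, a health
# insurer). Both store the raw My Number, as in the Cabinet Secretariat figure.
INST_A_RAW = [
    {"my_number": "123456789012", "account": "A-001", "income": 4_800_000},
    {"my_number": "234567890123", "account": "A-002", "income": 6_100_000},
]
INST_B_RAW = [
    {"my_number": "123456789012", "member": "B-77", "diagnosis": "diabetes"},
    {"my_number": "234567890123", "member": "B-78", "diagnosis": "asthma"},
]


def join_on(left, right, field):
    """Offline join of two data sets on a shared field. This is all a
    colluding institution, or someone holding two leaked dumps, needs."""
    index = {rec[field]: rec for rec in right}
    return [(rec, index[rec[field]]) for rec in left if rec[field] in index]


class Platform:
    """The information sharing platform: the only party that can map a
    code at one institution to the same person's code at another."""

    def __init__(self, institutions):
        self._keys = {name: secrets.token_bytes(32) for name in institutions}
        self._issued = {name: {} for name in institutions}  # code -> My Number

    def code_for(self, institution, my_number):
        mac = hmac.new(self._keys[institution], my_number.encode(), hashlib.sha256)
        code = mac.hexdigest()[:16]  # truncated only for readability
        self._issued[institution][code] = my_number
        return code

    def translate(self, from_inst, code, to_inst):
        """Legitimate sharing: resolve a code at from_inst to a code at to_inst.
        Only the platform can do this; institutions hold neither keys nor numbers."""
        my_number = self._issued[from_inst].get(code)
        return None if my_number is None else self.code_for(to_inst, my_number)


def pseudonymize(platform, institution, records):
    """What the institution stores if it keeps only the code: the raw
    My Number is replaced and not retained."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["code"] = platform.code_for(institution, rec.pop("my_number"))
        out.append(rec)
    return out


def demo():
    # Case 1: both institutions store the My Number. A plain join matches
    # income to diagnosis without the platform being involved at all.
    linked_raw = join_on(INST_A_RAW, INST_B_RAW, "my_number")

    # Case 2: each institution stores only its own code. The same join
    # (collusion, or two leaked dumps) finds nothing to match on.
    platform = Platform(["A", "B"])
    inst_a = pseudonymize(platform, "A", INST_A_RAW)
    inst_b = pseudonymize(platform, "B", INST_B_RAW)
    linked_codes = join_on(inst_a, inst_b, "code")

    # Sharing still works, but only by asking the platform to translate.
    b_code = platform.translate("A", inst_a[0]["code"], "B")
    shared = [rec for rec in inst_b if rec["code"] == b_code]
    return {
        "joinable_with_numbers": len(linked_raw),
        "joinable_with_codes": len(linked_codes),
        "number_retained_at_a": any("my_number" in rec for rec in inst_a),
        "shared_via_platform": shared[0]["member"] if shared else None,
    }


if __name__ == "__main__":
    print(demo())
```

Running it gives two joinable pairs with raw numbers, none with codes, and a successful lookup of member B-77 only when the platform does the translation. The point is structural: with per-institution codes, every cross-institution match has to pass through the platform, which is exactly where policy and logging can be enforced.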

Linking with four basic pieces of information?

There is one other thing that concerns me. It has been pointed out many times in the Information Collaboration Platform Technology Working Group, and it is about how information-holding institutions are to link their own user numbers (account numbers) with the My Number and the code.

This is said to be achieved by each institution preparing the four basic pieces of information (name, address, gender and date of birth; hereinafter "the normalized four basic pieces of information") in the same format as the Resident Registration Network System and sending them to the linkage platform. Moreover, each institution is to store the normalized four basic pieces of information and keep them up to date at all times.

This is nonsense, and here's why:

  1. They are trying to use "codes" to protect privacy, yet they undermine that by storing, as an attribute, another "identifier" that maps almost one-to-one onto the My Number: the normalized four basic pieces of information.
  2. In the first place, many information-holding institutions do not hold the normalized four basic pieces of information, so this is unlikely to do much to reduce costs.

The reason "codes" are used at all is that if the "number" were used widely, records would be easy to link by name, raising privacy risk. But if every holding institution keeps an "identifier" in the form of the normalized four basic pieces of information, the result is the same as if the "number" were used widely. If that is the plan, there is no need for an information sharing platform or for "codes"; it would be tax money down the drain.

Next, since many information-holding institutions do not hold the four basic pieces of information, an institution that wants them has to contact the user and ask for all four. If so, that is no different from being handed the My Number, and I do not see why they should go to the trouble of routing through the four basic pieces of information. It only adds cost.

Can the My Number be managed safely?

Under the current proposal, all withholding agents (every company, and some individuals) are required to collect and store the My Number of everyone they pay. That may be manageable for large companies, but can a sole proprietor really manage it safely?

Frankly, I think it is impossible. Yet the My Number system is a frightening thing, because failing to manage it safely is directly punishable. This is a huge burden on companies: they are handed something that is of no use to them and dangerous to hold, and told to "manage it properly, investing in systems at your own expense."

So what should we do?

Thinking about it, I feel the current proposal is designed around people who can only work on paper. Such companies and individuals certainly exist, but the majority can at least use a mobile phone. It is better to treat the exceptions as exceptions than to lower the overall security and privacy level to accommodate them.

Based on that premise, we could do something like this:

  • The My Number is issued to each individual.
  • Storing the My Number is forbidden. Asking someone for their My Number is also forbidden.
  • Two methods are provided for replacing the My Number with a "code."
    • (If the individual can use a mobile phone or similar) The individual asks the withholding agent for its company code, accesses a page provided by the government, enters that company code and his or her own My Number, obtains a "code" for that company, and notifies the company of it. [1]
    • (If the individual cannot use a mobile phone or similar) The individual gives the company the three basic pieces of information, namely name, gender and date of birth, together with the last four digits of the My Number. The company sends these to the information sharing platform and obtains a "code." [2]
  • Information-holding institutions share information using the "codes" obtained in this way.
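The flow above, as an added example rather than the post's own code. It assumes a constructed registry standing in for the Resident Registration Network data, a 24-letter alphabet, and codes produced by the table method of footnote [1] (a random string recorded on the platform); the class and function names are assumptions. It also handles the failure mode footnote [2] hints at: if name, gender, date of birth and last four digits match zero or more than one person, the platform refuses rather than guessing.

```python
"""The proposed flow: the number is presented once, the company keeps only a code.

Added example, not code from the original post. The registry entries,
company codes, people and My Numbers are constructed. Codes are generated
with the "table method" of footnote [1]: a random string recorded in a
lookup table on the platform. Class and function names are assumptions.
"""
import secrets
from dataclasses import dataclass

BASE24 = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumed 24-symbol alphabet (no I, O)
CODE_LENGTH = 12


@dataclass(frozen=True)
class Person:
    my_number: str
    name: str
    gender: str
    dob: str  # YYYY-MM-DD


# Constructed registry standing in for the Resident Registration Network data.
# Two people share name, gender and date of birth on purpose.
REGISTRY = [
    Person("123456789012", "Tanaka Minoru", "M", "1975-04-02"),
    Person("234567890123", "Tanaka Minoru", "M", "1975-04-02"),
    Person("345678901234", "Sato Hanako", "F", "1988-11-30"),
]


class Platform:
    def __init__(self, registry):
        self._people = {p.my_number: p for p in registry}
        self._table = {}  # (company_code, my_number) -> code

    def _code(self, company_code, my_number):
        key = (company_code, my_number)
        if key not in self._table:
            self._table[key] = "".join(secrets.choice(BASE24) for _ in range(CODE_LENGTH))
        return self._table[key]

    def issue_by_number(self, company_code, my_number):
        """Path [1]: the individual enters the company code and their own
        My Number on the government page and receives the code."""
        if my_number not in self._people:
            raise ValueError("unknown My Number")
        return self._code(company_code, my_number)

    def issue_by_attributes(self, company_code, name, gender, dob, last4):
        """Path [2]: the company forwards name, gender, date of birth and
        the last four digits; the platform resolves the person itself."""
        matches = [
            p for p in self._people.values()
            if (p.name, p.gender, p.dob, p.my_number[-4:]) == (name, gender, dob, last4)
        ]
        if len(matches) != 1:
            # Zero or several matches: refuse rather than guess, so a code is
            # never handed out for someone else's record.
            raise LookupError(f"{len(matches)} registry entries match")
        return self._code(company_code, matches[0].my_number)


class Company:
    """A withholding agent. It stores codes and never a My Number."""

    def __init__(self, company_code):
        self.company_code = company_code
        self.codes = {}  # employee id -> code

    def enroll_with_code(self, employee_id, code):
        self.codes[employee_id] = code

    def enroll_on_paper(self, platform, employee_id, name, gender, dob, last4):
        code = platform.issue_by_attributes(self.company_code, name, gender, dob, last4)
        self.codes[employee_id] = code  # the attributes and last4 are not retained
        return code


def demo():
    platform = Platform(REGISTRY)
    acme = Company("CO-0001")
    # Employee with a phone: gets the code from the government page, tells the company.
    acme.enroll_with_code("emp-1", platform.issue_by_number("CO-0001", "345678901234"))
    # Employee without a phone: the two Tanaka Minoru share a birthday, so the
    # last four digits are what makes the lookup unique.
    minoru = acme.enroll_on_paper(platform, "emp-2", "Tanaka Minoru", "M", "1975-04-02", "9012")
    try:
        acme.enroll_on_paper(platform, "emp-3", "Tanaka Minoru", "M", "1975-04-02", "0000")
        wrong_digits_rejected = False
    except LookupError:
        wrong_digits_rejected = True
    return {
        # Either path yields the same code for the same person and company.
        "paths_agree": platform.issue_by_number("CO-0001", "123456789012") == minoru,
        # Another company gets an unrelated code: no cross-company join.
        "other_company_differs": platform.issue_by_number("CO-0002", "123456789012") != minoru,
        "wrong_digits_rejected": wrong_digits_rejected,
        "company_stores_only_codes": all(
            len(c) == CODE_LENGTH and set(c) <= set(BASE24) for c in acme.codes.values()
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The code is keyed by (company, person), so the same person gets unrelated codes at different companies and the company's table contains nothing that can be joined with another company's. And the attribute path is strict: a lookup that is not unique is an error returned to the company, not a best guess, which is what makes the last-four-digits disambiguation in footnote [2] load-bearing.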

By doing this,

  • This will reduce privacy risks as the My Number will no longer be stored in various places.
  • Since companies do not store My Number data, security management costs are reduced.
  • Information sharing is possible without any problems.

So I think it achieves its purpose, but what do you think?

(San Francisco)

[1] To generate a "code" for a company, the platform can either hold and use an encryption key per company or use a table method. It has been pointed out that the encryption key method produces codes too long to pass on by hand or by voice. Even with a 128-bit block cipher such as AES-128 (the block size, not the key length, is what sets the output length), a single block is 128 bits, which is 32 characters in hex or 28 characters in a base-24 alphabet, and longer still once an IV or an integrity tag is attached. On that count, as well as on resilience to a change of My Number and to compromise of the key or algorithm, the table method may be the better choice.
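An added comparison of the two methods described in this footnote (not the post's code). It uses HMAC-SHA256 truncated to one 128-bit block as a stand-in for AES-128, since the length argument is the same for any 128-bit output and it keeps the example standard-library only; the alphabet, keys and My Numbers are constructed. Beyond the length, it shows what happens when a person's My Number is reissued under each method, and, as my own observation, why a leaked per-company key is fatal for the key method: a 12-digit My Number can simply be enumerated.

```python
"""Footnote [1]: key method versus table method for making a company code.

Added example, not from the original post. The key method is modelled with
HMAC-SHA256 truncated to one 128-bit block rather than AES-128: the length
argument is identical for any 128-bit output and this keeps the example
standard-library only. The base-24 alphabet, keys and My Numbers are
constructed. A My Number is 12 digits, which matters for recover_my_number.
"""
import hashlib
import hmac
import math
import secrets

BASE24 = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumed 24-symbol alphabet


def chars_needed(bits, alphabet_size):
    """Symbols needed to write `bits` bits in an alphabet of that size."""
    return math.ceil(bits / math.log2(alphabet_size))


def to_base24(data):
    """Fixed-width base-24 rendering of a byte string."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 24)
        digits.append(BASE24[r])
    return "".join(reversed(digits)).rjust(chars_needed(8 * len(data), 24), BASE24[0])


def key_method(company_key, my_number):
    """Key method: code = f(company key, My Number); one 128-bit block, no table."""
    block = hmac.new(company_key, my_number.encode(), hashlib.sha256).digest()[:16]
    return to_base24(block)


class TableMethod:
    """Table method: a random code per person stored in a platform-side table."""

    def __init__(self, length=10):
        self.length = length
        self._code_of = {}    # My Number -> code
        self._number_of = {}  # code -> My Number

    def code_for(self, my_number):
        if my_number not in self._code_of:
            while True:
                code = "".join(secrets.choice(BASE24) for _ in range(self.length))
                if code not in self._number_of:
                    break
            self._code_of[my_number] = code
            self._number_of[code] = my_number
        return self._code_of[my_number]

    def reissue_number(self, old_number, new_number):
        """The person's My Number is replaced (e.g. after a leak): the
        existing code is simply re-pointed, and nothing downstream changes."""
        code = self._code_of.pop(old_number)
        self._code_of[new_number] = code
        self._number_of[code] = new_number
        return code


def recover_my_number(code, company_key, candidates):
    """Why a leaked company key is fatal for the key method: with only 10**12
    possible My Numbers the input space can be enumerated and the code inverted.
    `candidates` narrows the search here so the demo stays quick."""
    for number in candidates:
        if key_method(company_key, number) == code:
            return number
    return None


def demo():
    key = secrets.token_bytes(32)
    table = TableMethod(length=10)
    old, new = "123456789012", "987654321098"
    code_old = key_method(key, old)
    # Constructed brute-force window: every number sharing the first eight digits.
    candidates = [f"12345678{i:04d}" for i in range(10_000)]
    return {
        "key_method_chars_base24": len(code_old),
        "key_method_chars_hex": chars_needed(128, 16),
        "table_method_chars": len(table.code_for(old)),
        "key_method_survives_reissue": key_method(key, new) == code_old,
        "table_method_survives_reissue": table.reissue_number(old, new) == table.code_for(new),
        "recovered_from_leaked_key": recover_my_number(code_old, key, candidates),
    }


if __name__ == "__main__":
    print(demo())
```

The numbers come out as 28 base-24 characters (32 in hex) for the key method against a table code of whatever length the platform chooses, here 10. The reissue case is the one that decides it in practice: under the key method a new My Number yields a new code at every company, so every link has to be rebuilt, while the table method just updates one row. And since the key method is a deterministic function of a 12-digit input, anyone holding a company's key can invert any leaked code by enumeration, which the table method by construction cannot suffer.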

[2] Addresses change often, so they make poor identifiers. The three basic pieces of information change little, which is what we want. Ideally the name at birth would be used rather than the current name. According to a ranking of people sharing the same name, the most common is "Tanaka Minoru," with 2,620 people. Combined with date of birth and the last four digits of the My Number, identification would be almost completely unique: even 2,620 namesakes are spread across thousands of possible birth dates, and the last four digits add 10,000 further values, so a collision on all three is very unlikely.
