What "number" design should be - In response to the pension number leak incident

In the pension number leak incident, it seems that "all leaked numbers will be changed."[1] Personally, my reaction is "Ahhh." However, as I wrote in yesterday's article,[2] if the system is operated properly, the leakage of the number itself is not a major risk, and since the address, name, and other information leaked along with the number cannot be changed, there is little point in changing only the pension number.

On the other hand, when an old-style pension number is changed and other things have to be changed in tandem with it, those changes tend not to go well. My fear is that the change itself ends up doing harm instead.

When designing a "number" (strictly speaking it should be called an identifier, but for convenience we will call it a "number" here), there are various points to consider depending on the expected usage. So in a sense, how a "number" should be designed is a case-by-case matter. On the other hand, there are also minimum requirements that must be met.

So, let's make a list of the requirements for "numbers."

  1. Create a primary key identifier, the "Personal Number". This is basically immutable. Since we do not want it to change, it is used only for internal management of the identifier (hereafter the "number"). Of course, it is never shared with anyone.
  2. The "number" has an issue date, activation date, suspension date, reactivation date, and abolition date,[3] and is managed by linking it to the primary key.
  3. A unique format is introduced for the "number." For example, the third digit is in katakana and the fourth digit is a checksum. This is to ensure that if data is leaked, this format will not be picked up by search engines.
  4. The "number" has an expiration date.[4]
  5. The "number" can be changed at any time. The management system has an API for making the change.
  6. When an organization receives the "number," it presents the "number," its "organization number," and its "organization credentials" to the organization-specific "number" issuing API (provided by the "number" management organization) to obtain the "organization-specific number" for that individual. The "number" itself is discarded immediately.[5] From then on, the organization uses only this "organization-specific number."
  7. When an organization requests information from another organization, it must obtain a "permission number" from the authorization server in order to get that data.[6] The information provider then presents this "permission number" to the authorization server, learns whose data it should provide, and provides the data.
  8. In principle, the data is held only by the organization primarily responsible for it, and each other organization acquires and uses it as necessary, then disposes of it promptly.
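To make requirements 1, 5 and 6 concrete, here is an added example (not code from the original post) of a toy "number" management organization: an immutable internal primary key, a public "number" that can be rotated at will, and organization-specific numbers derived as a keyed hash of the primary key and the organization number, in the spirit of the pairwise identifiers mentioned in footnote 5. Class and method names, and the credential check, are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class NumberRegistry:
    """Hypothetical 'number' management organization (example, not the page's own code)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # server-side secret for pairwise derivation
        self._people = {}     # personal_key (immutable primary key) -> current public "number"
        self._by_number = {}  # current public "number" -> personal_key
        self._orgs = {}       # organization number -> organization credential

    def register_org(self, org_number, credential):
        self._orgs[org_number] = credential

    def register_person(self):
        personal_key = secrets.token_hex(16)  # never shared, never changes (requirement 1)
        self._people[personal_key] = None
        self.rotate_number(personal_key)
        return personal_key

    def current_number(self, personal_key):
        return self._people[personal_key]

    def rotate_number(self, personal_key):
        """Requirement 5: replace the public 'number'; the old one stops resolving."""
        old = self._people[personal_key]
        if old is not None:
            del self._by_number[old]
        new = secrets.token_hex(8)
        self._people[personal_key] = new
        self._by_number[new] = personal_key
        return new

    def issue_org_number(self, number, org_number, credential):
        """Requirement 6: exchange a presented 'number' for an organization-specific number.

        The result depends on the primary key, not on the public 'number', so it survives
        rotation, and it differs per organization, so two leaks cannot be joined.
        """
        if not hmac.compare_digest(self._orgs.get(org_number, ""), credential):
            raise PermissionError("bad organization credential")
        personal_key = self._by_number[number]  # KeyError: unknown or already rotated number
        msg = f"{personal_key}|{org_number}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:20]
```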

I guess that's about it.

What's good about this is that

  1. If one organization leaks data, that data cannot be combined with data held by other organizations, so the privacy impact is low and the cost is low.
  2. Even if the "organization-specific number" of the organization that leaked is changed, it does not affect other organizations, so it can be changed as often as you like. This also keeps costs down.
  3. The leaked data itself can be prevented from being picked up by search engines. It is also easy to retrieve. This is something we can no longer hope for under the current system.[7]
  4. The "number" changes periodically, so it cannot be used to link the past and the present across time in a "society of indifference."[8] This also keeps costs down.
  5. In the first place, each organization holds only the data for which it is primarily responsible, so the privacy impact of a data leak is lower than in the current situation, where each organization holds a copy of the data.

Wow, there are so many good things about this!

What? "If we do this, will it cause problems for the system? It won't work on a large system that has to accommodate 100 million people!" What are you saying? This is the very mechanism that runs the Internet. In that world, "100 million people" is a small number. Of course, if you build it as some strange mechanism, it won't work.[9] But if you use a JSON/REST architecture like Google or Facebook do, and design it properly, it's fine.

By the way, this idea is actually quite strongly present in the "My Number" system, for example in the information provision network. The important thing is that the "My Number" itself is "unchanging in principle"...[10] This is probably a political issue, and I think the system could be designed so that it can be changed.


Footnotes

  1. Nobuo Gohara, "Is it really okay to change the leaked basic pension number and send the change notice by mail?" (June 6, 2015), Huffington Post, http://www.huffingtonpost.jp/nobuo-gohara/nenkin-number_b_9.html
  2. Natsuhiko Sakimura, "Is it dangerous if your 'number' is leaked?" (2015/6/9), @_Nat Zone, http://www.sakimura.org/2015/06/3038/
  3. Not days, really, but at least seconds.
  4. When Germany issued its eID cards, thought to be the most recent in the EU, the "number" was the card number. It therefore changes when the card is reissued. This is quite correct.
  5. This is also the basic guideline for use of the Social Security Number at the US Department of Defense. Incidentally, if you think it is risky to give the "number" to an organization, there is a method in which the individual obtains the "organization-specific number" and gives it to the organization. SAML's NameIdentifier and OpenID's PPID are mechanisms of that kind. Since it is automated, individuals will not notice it, though.
  6. Technically, this is called an Access Token.
  7. However, it would be no good if someone with malicious intent were able to change the "number" to something else.
  8. Natsuhiko Sakimura, "The Heartless Society and the Number System: The Dangers of Name Matching as Seen in Victor Hugo's Les Misérables" (2010/12/13), @_Nat Zone, http://www.sakimura.org/2010/12/686/ It is also published on gihyo.com.
  9. Like an enterprise XML/SOAP system. That is a system for around 2 million people at most. If it is XML-based, there is a lot of unnecessary data and computation. Running that for 100 million people is going to be hard...
  10. Also, it seems a bit strange for each organization (employer, financial institution, etc.) to store the My Number.
