Ministry of Internal Affairs and Communications: Request for opinions on the report (draft) on the improvement of the usage environment to address various issues surrounding the use of ICT services (Deadline: August 8)

Table of Contents

About the "Study Group on the Development of an Environment for Using ICT Services"

Ministry of Internal Affairs and Communications"Study Group on Improving the Environment for Using ICT Services"compiled in July 7"Draft report on the improvement of the usage environment to address various issues surrounding the use of ICT services" Public commentsIt depends one-Gov public comment submission siteThe deadline is August 8th. There are no days left. Sorry for the late notice.¹The Parent Association is chaired by our Professor Shishido and consists of the following members:

Member of the Study Group on Improving the Environment for Using ICT Services

(Deputy Chair) Kazuko Otani, Executive Officer and General Manager of Legal Affairs, Japan Research Institute, Limited
Tamayo Kimura, Secretary General of the Housewives' Association
(Chairperson) Tsunehisa Shishido, Professor, Graduate Schools for Law and Politics, The University of Tokyo
Taro Nakahara Professor, Graduate School of Law and Politics, The University of Tokyo
Ryoji Mori Attorney at Law, Eichi Law Office
Tatsuhiko Yamamoto, Professor, Keio University Law School

In addition, there are three working groups: the "Working Group on Measures to Counter Improper Use," the "Working Group on User Information," and the "Working Group on How to Store Communication Logs," each of which is made up of the following members.

Members of the Working Group on Measures against Inappropriate Use

(Chief examiner) Kazuko Otani, Executive Officer and General Manager of Legal Affairs, Japan Research Institute, Limited
Toshiko Sawada, Director, EC Network Foundation
Professor, Faculty of Law, Gakushuin University
Hidenori Tsuji, Representative Director, Digital Identity Promotion Consortium
Ryuta Nakagami, Chair of the Technology Division, Japan Smartphone Security Association
Taro Nakahara Professor, Graduate School of Law and Politics, The University of Tokyo
Shuichiro Hoshi Professor, Faculty of Law, Tokyo Metropolitan University
Yusuke Yamane, Attorney at Law, Kataoka Law Office
【observer】
National Police Agency Criminal Affairs Bureau Investigation Support and Analysis Manager
National Police Agency Cyber Police Bureau Cyber Planning Division

Members of the User Information Working Group

Naoto Ikugai, Professor, Graduate School of Law, Hitotsubashi University
Shohei Eto Professor, Graduate School of Law, Hitotsubashi University
Yuichi Ohta, CEO, DataSign Inc.
Tamayo Kimura, Secretary General of the Housewives' Association
Shinji Terada, Visiting Researcher, Japan Information Economy and Society Promotion Association
Ryoji Mori Attorney at Law, Eichi Law Office
(Chief examiner) Tatsuhiko Yamamoto, Professor, Keio University Law School
Lawyer at Mori Hamada & Matsumoto Law Office
【observer】
Personal Information Protection Commission Secretariat

Member of the Working Group on the Preservation of Communication Logs

(Chief examiner) Masaki Chinme, Professor, Faculty of Law, Gakushuin University
Daisuke Umemoto, Attorney at Law, Eichi Law Office
Hironori Kobayashi, Attorney at Law, TMI Associates
Tsunehisa Shishido, Professor, Graduate Schools for Law and Politics, The University of Tokyo
Masahiro Sogabe, Professor, Graduate School of Law, Kyoto University
Tomohiko Tatsumi Associate Professor, Graduate Schools for Law and Politics, The University of Tokyo
Ryoji Mori Attorney at Law, Eichi Law Office
【observer】
National Police Agency Criminal Affairs Bureau Investigation Support and Analysis Manager
National Police Agency Cyber Police Bureau Cyber Planning Division

There were many people involved with MyDataJapan in attendance. Also, many professors from research groups on platforms presented slides.

Part 2: Rules for mobile phone identity verification

It is no exaggeration to say that readers of this blog are particularly interested in the whole book, but especially Chapter 2. It is "Part XNUMX: Rules for Mobile Phone Identification." It says (the underlined text below is by the author):

1. Preventing unauthorized resale of SIM cards:
○ The government and businesses should further strengthen their efforts to raise awareness among users about the illegality of unauthorized resale (p.14)
Regarding the promotion of initiatives by businesses, measures such as strengthening credit screening at the time of contracting mobile phone contracts and installment contracts for devices to make illegal resale more difficult, and periodic identity verification by businesses (p. 14)

2. Authority to represent a corporation (enrollment verification)
○ It is necessary to revise the necessary regulations (Article 4 of the Enforcement Regulations of the Law Concerning Prevention of Unauthorized Use of Mobile Phones), such as requiring the submission of the minimum necessary documents to clarify the relationship between the person in charge and the corporation.Electronic documents are not excluded (P.15)

3. Reliance on identity verification results from other companies
○ (Considered last year): "The method of relying on past identity verification results should be comprehensively considered, taking into account the balance between the needs of business operators and the assurance level of identity verification (p.16)"
◯ Business proposal 16: Reliance on financial institutions scheme (see Figure XNUMX below) (P.XNUMX)
◯ Carrier Proposal 17: A scheme of reliance between mobile voice carriers - In particular, carriers have recognized specific needs for reliance on mobile voice carriers (see Figure XNUMX below) (p. XNUMX)
○ Relying on the results of identity verification by other companies has led to fraudulent contracts being made by taking advantage of contract formats that allow for simple identity verification using ID/PASS. Reliance on financial institutions requires an industry-wide effort. In addition, with regard to reliance on mobile voice communication carriers, it is important to note that efforts to increase the level of assurance for identity verification are still in the early stages.Identity verification assurance levelIt is possible that the Working Group will further consider this issue with a view to establishing rules after clarifying the requirements for appropriate reliance, such as whether the identity of the person relying on the information is high and up-to-date, and whether the identity of the person relying on the information is properly verified.

4. Identity Verification for Additional Lines
With reference to the Digital Agency's guidelines on identity verification methods, the government will review regulations to make them stricter (mobile
(Article 3, Paragraphs 19 and XNUMX of the Enforcement Regulations for the Law Concerning the Prevention of Unauthorized Use of Mobile Phones, Article XNUMX, Paragraph XNUMX, etc.)

I was also involved in the revision of the Digital Agency's guidelines on identity verification methods, so I have nothing to say about them, but what particularly interested me here was the power of attorney for corporations. In this regard, I think OpenID for Identity Assurance (which will soon become an ISO standard) or G Biz ID, which uses it, could be used effectively.

Regarding the reliance on identity verification results in 3, we can see from overseas examples that the establishment of a trust framework and information (metadata) on how and when the identity was verified are very important for relying parties, and OpenID for Identity Assurance was born out of that need. If it is only expressed numerically as IAL or AAL, it is difficult for the party that is held responsible (the relying party) because it is not clear about freshness, whether the process is running properly, or the audit status of the process.

The diagrams below refer to the ones mentioned above as (Figure 6) and (Figure 7). The word "gateway" makes you think "Hmm, what is that?", but I've included it here for your reference. (I wonder if it would be better to just use OIDC or VC.)

Working Group on the Preservation of Communication Logs

So far, the writing has been along the lines of "it would be appropriate to dig deeper" and "review is necessary," but this WG has put forward a "revision proposal." It says,

2 Amendment proposal
The proposed revisions to these Guidelines (hereinafter referred to as the "Proposed Revisions") are as attached.
The following supplementary information is provided below.
⑴ Overview
Regarding this proposed amendment, CPs and APs will
The communication history necessary for the execution of the business will be stored for at least 3 to 6 months.
It is socially expected that the measures to be taken against illegal and harmful information such as slander should be implemented.
This is the desired response to the above, and communication history will be stored for the same period in order to respond to this request.
The view that this is permissible in relation to the secrecy of communications under the Telecommunications Business Act
This shows that.
(..snip..)
(3) Storage period
The current guidelines are aimed at storing connection authentication logs.
The acceptable period is about six months (if there is a business need to store it for a longer period,
The proposed revision states that the period for storing the information should be about one year if there is a possibility of the information being stored.
This newly indicates the desirable period (at least 3 to 6 months),
Retention beyond the desired period may be necessary for business purposes.
However, if a company is found to have violated the proposed amendments, it will continue to be permitted.
This does not immediately give rise to legal liability.

From here on, we will introduce the specific revisions to the ``Explanation of the Guidelines for the Protection of Personal Information, etc. in Telecommunications Business,'' so if you are interested, we recommend that you read it directly.

Video explanation by NoLang

It's not a very long document, but for those who would like to see a video, I have automatically created a video using NoLang, so I have included it here.

Finally, here is a briefing document created using NotebookLM.

The following briefing materials were compiled in July 7 by the Ministry of Internal Affairs and Communications' "Study Group on the Development of an Environment for Using ICT Services.""Draft report on the improvement of the usage environment to address various issues surrounding the use of ICT services"It introduces the main themes, important ideas, and facts of the textbook using the features of NotebookLM.

1. Introduction: Urgent issues surrounding ICT services and the purpose of this report

This report was created with the aim of examining the various issues that arise with the expansion of ICT services, particularly "inappropriate handling of user information, measures to deal with inappropriate use, and measures against various illegal and harmful information." The damage from property crimes is expected to exceed 2024 billion yen in 4,000, the majority of which is due to fraud, and fraudulent use of communication services in particular is a serious problem. In addition, ensuring privacy, security, and protection of minors in smartphone apps is also considered an urgent issue. It is hoped that this report will "help further efforts by public and private stakeholders in the future" to address these issues.

2. Working Group on Measures to Counteract Inappropriate Use

This working group focuses on measures to combat improper use of telecommunications, and in particular discusses the following changes in the environment and measures to address them:

2.1. Background: The changing crime environment

Increase in "illegal part-time job" crimes: There has been an increase in the number of "illegal part-time jobs" being recruited through social media and internet bulletin boards, and there have been many cases of people being used as perpetrators of fraud and robbery. Telecommunications, especially mobile phone SIM resale and recruitment on social media are being misused.
The worsening of special fraudThe number of reported cases and damages from special fraud in 2024 reached an all-time high of 20,987 cases and 721.5 billion yen in damages. Approximately 8% of contact methods from criminal groups are by telephone, and in recent years, there has been a sharp increase in cases where international calls have been misused.
"Since around July 2023, the number of international telephone numbers has increased sharply."
Increasing sophistication and advancement of criminal activities: Unauthorized access using AI generation and fraudulent line contracts using a large number of ID and password combinations have been discovered, and technological advances are becoming a new threat for crime. In particular, there have been reported cases of abuse of carrier rules that do not require identity verification for additional lines.

2.2. Issues and considerations regarding mobile phone identity verification rules

Although efforts are being made to tighten identity verification under the Act on Prevention of Unauthorized Use of Mobile Phones, the following six issues were raised and discussed.

Illegal resale of SIM cards :
- There has been an increase in cases where young people are involved in illegal SIM resale as a "dark part-time job," and then the resale is diverted to fraud, etc. Although carriers warn people about this and explain important matters in stores, it is difficult to detect because the applications appear to be legitimate.
  - As future directions, the report suggests that "the government and businesses should further strengthen their efforts to raise awareness among users about the illegality of illegal resale," as well as that "as it is difficult for businesses to detect fraud, as a measure that can be taken in the short term from the perspective of crime prevention, the government and businesses should further strengthen their efforts to raise awareness among users about the illegality of illegal resale," and that "businesses should conduct periodic identity verification."
Corporate power of attorney (enrollment verification) :
- When entering into a corporate contract, there is no legal requirement to confirm the authority of attorney to guarantee the relationship between the person visiting the store and the corporation, and each business operator responds differently.
- It is said that "necessary revisions to regulations (Article 4 of the Enforcement Regulations of the Act on Prevention of Unauthorized Use of Mobile Phones) are necessary, such as requiring the submission of the minimum necessary documents to clarify the relationship between the person visiting the store and the corporation."
Reliance on identity verification results from other companies :
- Although relying on the results of identity verification by other companies contributes to increased convenience, there is a risk of fraudulent contracts being made by misusing the simple ID/PASS method.
- "As for future directions, it may be possible to further deepen the discussion in this working group with a view to establishing rules after clarifying the requirements for appropriate reliance, such as ensuring a high level of assurance for the identity verification of the relying party and using the latest identity verification items, and properly verifying the identity of the relying party."
Additional line identity verification :
- A simple identity verification method is permitted for contracts for the second or subsequent lines, but there have been reported cases where this has been the starting point for fraudulent contracts.
- "While simple identity verification methods are recognized to have a certain degree of convenience, given that such methods are in fact the starting point of crimes, it is necessary to review the regulations (Article 3, Paragraphs 19 and XNUMX of the Enforcement Regulations for the Act on Prevention of Unauthorized Use of Mobile Phones, Article XNUMX, Paragraph XNUMX, etc.) to make them stricter, with reference to the Digital Agency's guidelines on identity verification methods, in order to improve the authenticity of the person."
Maximum number of contracts :
- Under current laws and regulations, there is no upper limit on the number of units that can be contracted, but there have been reports of fraudulent large-scale contracts that take advantage of this lack of limit.
- "In light of the fact that some businesses are conducting advance confirmation of the intended use of vehicles in exceptional cases exceeding the five-unit limit, voluntary efforts by businesses should be further strengthened. In addition, going forward, at the very least, the state of application of the rules on voluntary efforts by such businesses should be verified, and these efforts should be further promoted. If necessary, some sort of rule should be considered, taking into account the causal relationship with crime."
Data SIM identity verification :
- Data SIM cards are not subject to the Act on Prevention of Unauthorized Use of Mobile Phones, but there have been numerous reported cases of fraud involving the misuse of data SIM cards with SMS, and there is an urgent need to consider making it mandatory.
- "In light of the fact that abuse has been confirmed, consideration should be given to making it mandatory, in order to ensure that identity verification efforts, which are already being implemented voluntarily by some operators, are carried out. However, when considering making it mandatory, the regulations should also refer to the rules for identity verification at the time of lending, and should take into consideration the actual usage and effectiveness from the perspective of striking a balance with convenience, in order to avoid excessive regulation in an attempt to prevent fraudulent use, with regard to the target SIMs and uses (foreign visitors to Japan and IoT devices)."

2.3. Other measures against special frauds by phone, email, etc.

Fixed line, mobile phone, SMS and email countermeasures :
- There is a need to raise awareness of the International Call Non-Handling Reception Center, improve its operation, and promote public-private cooperation with the Ministry of Internal Affairs and Communications' Nuisance Call Countermeasures Consultation Center. There are also expectations that businesses will further reduce the cost of their anti-nuisance call, SMS, and email services and make them the default settings.
Spoofing :
- It is necessary to raise awareness of spoofed phone number methods and to continually consider effective countermeasures in cooperation with telecommunications carriers.
Scam calls from overseas numbers :
- There is a need to continue raising awareness and understanding of the current situation, where apps that allow users to easily obtain overseas phone numbers from Japan are being misused.

3. Working Group on the Preservation of Communication Logs

This working group considered how long communication histories should be kept, while striking a balance between protecting the confidentiality of communications and criminal investigations and providing relief to victims.

3.1. Current issues and history of consideration

Because communication history is protected as confidentiality of communications, telecommunications companies need to obtain the user's consent or be assured that it is not illegal as a legitimate business activity in order to record and store it.
The current "Guidelines for the Protection of Personal Information in the Telecommunications Business" state that a minimum amount of communication history can be recorded and stored only when necessary to carry out business such as billing, invoicing, and preventing fraudulent use. Connection authentication logs are usually allowed to be stored for six months, with a maximum of one year.
In recent years, there has been an increase in the distribution of illegal information, such as posts recruiting for "illegal part-time jobs," and infringement of rights through slander. From the perspective of requests for disclosure of sender information and criminal investigations, it has been pointed out that the period for which communication history is stored is too short.

3.2. Summary and purpose of the proposed amendments

This proposed amendment indicates to content providers (CPs) and access providers (APs) that "storing such information for at least three to six months is a desirable response that meets societal expectations for measures against illegal and harmful information, such as libel and slander, and that storing communication histories for the same period for such measures is permissible in relation to the secrecy of communications under the Telecommunications Business Act."
In particular, from the perspective of providing relief to victims, it is considered essential to preserve communication history for this period. Although this does not immediately result in legal liability, it is considered a desirable response that meets societal expectations.
Issues to be considered in the future include verifying the effectiveness of the proposed amendments once they are implemented, and, if they do not lead to a solution, "considering methods other than amending these guidelines, including legal guarantees."

4. User Information Working Group

This working group focused on revising the Smartphone Privacy Initiative (SPSI) and examined issues such as proper handling of user information, ensuring security, and protecting minors.

4.1. Background of the study and revision of the SPSI

The Smartphone Privacy Initiative (SPI) was formulated in 2012 to address the issue of inappropriate external transmission of user information via smartphone apps, and has been revised several times.
In this revision, in response to the increasing use of smartphones at younger ages and for longer periods of time, as well as the increase in cases of privacy violations on social media, "protection of young people" has been added to the scope of SPSI.
The positioning of SPSI was also discussed, and the level of effort required of related businesses was organized into four levels: "benchmark items," "desirable items," and "fundamental items," in addition to statutory obligations.
Benchmark matters: "It is expected that..."
Desirable things: "It is desirable to..."
basic matters: "It is strongly recommended that..."
Legal matters: "must" "must not"

4.2. Initiatives to protect young people

In order to ensure the safe and secure use of smartphone apps and related services by minors through the protection of user information and privacy, the SPSI has been updated to include desirable actions that each operator should take.
App Provider: There is a demand for the provision of a function to report inappropriate content, a function to block users, and a mechanism for parental involvement in important decisions (such as providing information and charging).
App store operators: App review, establishment and confirmation of age restriction setting (rating) standards, establishment of a classification specifically for apps aimed at minors, and prompt and appropriate feedback when an app is rejected are required.
OS provider: App store operators are required to check their efforts, provide appropriate explanations and information, and offer parental control functions.

4.3. Website-related research and examination

Previously, SPSI focused on smartphone apps, but given the recognition that the handling of user information on websites is also important, there was consideration of expanding the scope to include websites.
The investigation confirmed that there are no significant differences between the information that can technically be obtained and the purpose of use between the app and the browser.
However, since websites are not reviewed by OS operators or app stores, and many sites are run by small and medium-sized enterprises or individuals, it is believed that there are challenges in applying the broad range of SPSI provisions as they are.
As a future issue, it is stated that "with regard to website issues, including external transmissions, it is appropriate to promptly consider how best practices can be ensured for website operators, including the relationship with SPSIs."
Further consideration will be given to expanding the scope of SPSI to include user information on devices other than smartphones (tablets, smartwatches, etc.).

This report outlines the multifaceted issues and concrete measures to protect users and ensure a safe service environment in a rapidly changing ICT environment. NotebookLM may be inaccurate. Please double-check your answers.

Facebook Tweet Pin

footnote

The public comment period will run from July 7th (Saturday) to August 5th (Monday) of the same year.

@_Nat Zone

Ministry of Internal Affairs and Communications: Call for opinions on the report (draft) on the improvement of the usage environment to address various issues surrounding the use of ICT services (Deadline: August 8)