Evolving Internet Security – Thoughts around the Amendment of the Act on the Protection of Personal Information –

The connection of computers to the outside world via the Internet has drastically improved convenience, but security threats increased proportionally. In particular, it has been pointed out that the greatest problem is the leaking of personal information. The danger of easy infringement of the privacy of individuals by a third person is always present on the Internet.
Given such concerns, public interest in the handling of personal information has mounted, necessitating regulations and leading to the development of a legal institution: the Act on the Protection of Personal Information (hereinafter the “Personal Information Protection Act”) enacted in 2005. “Personal information” means information that can identify an individual, including name, address, gender, and/or date of birth. The Personal Information Protection Act defines business operators that possess personal data of at least 5,000 individuals for business use as “entities handling personal information.” If an entity handling personal information fails to take appropriate measures regarding the personal information, such as fulfilling the duty to report to the competent minister and to make corrections if necessary, a criminal charge is filed against such an entity. What this means is that the Personal Information Protection Act is intended to protect the rights and benefits of an individual. Currently the Act is under review for amendment, and I am participating as one of the working group members. So, what is purpose of the amendment?

The key point of the amendment on the Personal Information Protection Act is “big data.” “Big data” means, as the name implies, a massive collection of digital data sets that grows day by day. The utilization of big data is expected to broadly contribute to the creation of innovative services and business models, as well as new markets, precise management decisions, streamlining of business operations, or the resolution of social issues. Among these, personal data is considered to have high utility value. In the Declaration of being the World’s Most Advanced IT Nation, which has been approved by the Cabinet, the utilization of big data is spelled out as the key to excel in global competition and the strategic utilization of data as a key promoter of economic growth. The Declaration, in particular, hammers out the aim of drawing power from the private sector to its fullest via the utilization of personal data. By actualizing this, the existing Personal Information Protection Act now became a millstone around the neck of innovation. Under the current law, the exchange of big data may be restricted based on third-person regulation based on the Personal Information Protection Act, thus closing the channel to the effective use of big data.
The amendment of the Personal Information Protection Act is under review against the backdrop of this situation. In other words, this amendment can be said to be reform to promote the utilization of personal data. We will provide specifications for “personal data” that will reduce the chances of identifying an individual, and deliberate policies to deregulate the first-person consent principle when providing personal information to a third person. Furthermore, an independent, third-party organization has to be established as part of the structure developed to swiftly and appropriately respond to issues pertaining to the handling of personal data. The bill will be submitted to the ordinary session of the Diet next year.

Legislation and rule development for the safe utilization of big data is clearly a must, but the technical improvement of security should also be pursued at the same time. When utilizing big data, it is necessary to ensure strong data confidentiality. Technology that can provide that is Privacy-preserving Data Mining (PPDM), one of my research themes.
Data mining is the process of analyzing massive amounts of accumulated data and finding correlations and patterns among data items. PPDM enables data mining while keeping personal information confidential by means of encryption. During the demonstration experiment, the lists of Helicobacter pylori carriers and cancer patients, which are personal data, were encrypted and subjected to cross-checking to examine the relative risk of Helicobacter pylori carriers developing cancer. To put it simply, patient names were kept secret during the analysis of the relationship between the disease and the cause. In this experiment, the probability of Helicobacter pylori carriers developing cancer was 9.7 times higher than that of non-carriers, which was closely in agreement with the doctors’ empirical values. There is already a system established for such medical information that allows relatively easy use provided that it is limited to academic purposes, but no rule has been established for general data use. Once PPDM is put into practical use, data collected by enterprises can be utilized with much ease without compromising the confidentiality of personal information, and it is expected to vastly expand the business possibilities.

SSL/TLS, one of the protocols for encrypting and transmitting data over the Internet, is highly reliable and has been adopted by many services. Nevertheless, vulnerability was recently found with SSL/TSL. A recent incident of hacking of Bitcoin (a virtual currency on the Internet) exchanges and causing suspension of the business, followed by bankruptcy, garnered much attention—new services are accompanied by new security threats.
There is an authentication system using IDs and passwords for the secure use of online services, but security vulnerability lurks here as well. Using the same ID and password increases the risk of hacking and other unauthorized access. Once systems such as digital signature and ID federation (a system that allows access to services without the proliferation of passwords by means of a unified ID) are established, the Internet can evolve into a tool that people can use securely and freely. Numerous anti-virus vendors exist to ensure Internet security in today’s world—it is my ultimate dream to see the advent of an Internet society that does not need such vendors.

* The information contained herein is current as of May 2014.
* The contents of articles on M’s Opinion are based on the personal ideas and opinions of the author and do not indicate the official opinion of Meiji University.