As IT becomes the infrastructure of society, more and more private information is being collected in the background

You can easily imagine that, as IT becomes social infrastructure and grows more interdependent with various systems, failures and troubles in IT systems will create serious social problems. This is equivalent to a power outage caused by an accident or natural disaster disrupting civil life and social functions and creating panic. To make matters worse, on computer networks such troubles can be caused not only by accidents and natural disasters but also by malicious intent, in a so-called cyberattack. As computers become essential tools for our lives, they can create new vulnerabilities for society and also, for individuals, problems of rights and independence.

One of the cases that reminded us of the reality of such dangers is the so-called Snowden Affair, which happened in 2013. In this affair, Mr. Edward Snowden, an ex-CIA (Central Intelligence Agency) staff member, revealed that the NSA (National Security Agency) had been monitoring the phone conversations and e-mails of citizens. Although the US government asserted that this was a necessary activity for anti-terrorism measures, it was a serious problem that the government was secretly monitoring the communications of ordinary people, and we also learned that nine major IT-related companies were cooperating in this activity, thereby delivering private communication information to the NSA. This is not just someone else's affair that happened in a remote country, the USA. For us Japanese, most of the OSs, application programs, and services we use daily, not to mention smartphones, are the products of these major IT companies. In other words, the essential tools of our daily lives are tools with which someone else can collect our personal information, and if IT companies so wish, they can deliver any information to governments or third parties as they desire. Knowing of this situation, European countries are strengthening moves to restrict the collection of personal information by IT companies, some imposing large penalties for such illegal actions.

We have the natural right to reject monitoring of our brain activities

A well-known form of information collection by IT companies is so-called profiling by Web tracking. This means continuously tracking how the user of a smartphone or similar device operates the system and what kind of web pages the user views, and collecting these as data. To perform this kind of tracking, one needs to identify the device. For example, when you are browsing a website in Europe, you are sometimes notified that the website is using what are called cookies, which identify the individual. In this case, the user has the option to use or not use the cookies. In the past, ordinary users did not have a way to know whether they were being tracked. However, after it was asserted, mainly in Europe, that people have privacy and the right not to be tracked, you are now sometimes asked for your consent to tracking, and this is expected to become stricter in the future. You might wonder whether such assertions are heard in Japan as well, but actually such voices are seldom heard. Many people here seem to think that tracking is advantageous for users because it is done to send ads suitable for each user, or that everybody is doing it and you don't have to care about it, or that it should be OK so long as it is legal. It is certainly true that the revised Personal Information Protection law has no clauses restricting profiling by Web tracking. However, let's think for a while. Is it ethically correct even if it is legally allowed? I believe that the calls for restriction in Europe arose from such a question. If we still say that there is no problem with it, then the ethical awareness of Japanese society must be considered to be still at that level, and it is no wonder that effective legal restriction has not come about.

Technology to collect personal information is progressing every day

Many people seem to believe that personal information is used solely for advertising. Is that really the case? Even if companies say so, there is no way for us to know how personal information is managed and handled. In fact, this is the most serious reason why we consider the situation critical. Citizens can supervise a government in a way. If there is any problem with the government, the Diet can question it, and the government can be changed through elections. However, private companies do not have to disclose their commercial activities so long as they conform to the law. In particular, we Japanese do not have control over the overseas companies collecting personal information, and we may be controlled by those companies, which know everything about every one of us. Actually, we tend to use IT to find the information we want to know, the goods we want to get, and the way to gain access to them. Although we feel we decide everything on our own, actually we rely on IT to decide everything, don't we? You may say it's because the answer IT gives is always correct and useful, but IT companies can give the right direction only because they own your personal information. If that is the case, what is the way forward?

Europe and the US are starting to raise their voices precisely because they now have a sense of crisis about this situation. Although such voices made European websites notify users of the use of cookies, as I said earlier, a new technology has recently come into use that focuses on the uniqueness of the internal condition of each smartphone, in which the installed applications all differ from those of other smartphones. This technology is called browser fingerprinting; it identifies each device by these variations, collecting a small volume of data about the internal condition of the device at a time. When this technology is used, the user has no way to know that such data are being collected to identify the device, yet this enables individual tracking. Furthermore, while some models of smartphone have a function to indicate that GPS is working, some other recent models have technology that collects position information by tracking wireless LAN access points, to a precision of several centimeters. In other words, if you use a smartphone, it is now possible to identify where you are, what operations you are performing, and what application software you are using, and you are not aware of any of it. It should be noted here that the tracking technology itself is not the problem; the real problem is that personal behavior and preferences are profiled and that such profiling data are exchanged somewhere totally beyond our control. We, as users who rely totally on these devices, should not be unaware of the situation in which IT companies are trying to collect personal information by using their technology, but should at least know of such risks.

Cybersecurity countermeasures are one of the risk management operations in corporate activities

In fact, I sometimes feel the same faint awareness of risk management in Japan not only among individuals but also among companies and organizations. For sure, security countermeasures themselves are not money-making operations in general corporate activities but are risk hedging. Although it is understandable that they are relegated to the back burner, more attention should be paid to the fact that various companies have been damaged by cyberattacks, which have caused social problems through such incidents as the leakage of customer information. This is not someone else's problem. Just as the probability of a traffic accident, for example, never goes down to zero when you drive a car, the probability of security accidents or crimes never goes down to zero as long as you use IT. Then what should we do? If your company has a large social responsibility, it would be effective to have security personnel in the company. It is well known among experts that installing general security software may be effective against existing viruses but cannot serve as a measure against high-level cyberattacks. Having internal security personnel is also essential for speedy action and continuous support against such cyberattacks.

However, in Japan, while companies have developed human resources to build software and systems, they have so far rarely succeeded in raising staff members who understand security as a part of risk management. Because people who do not know security have built the systems, they never noticed the security holes in those systems, thereby allowing cyberattacks and causing social problems. In the School of Science and Technology, to which I belong, we instruct students to have solid knowledge of security when they build systems. To develop such human resources is our responsibility as an educational institution, I believe. And, in modern times when IT is the infrastructure of corporate activities, I consider it essential to raise awareness of cybersecurity as a major management issue and to build countermeasures for it.

Professor Saito is also running a business to provide training mainly for engineers to improve their knowledge and skills of security. For details, visit https://www.rangeforce.jp/.

* The information contained herein is current as of November 2017.
* The contents of articles on M’s Opinion are based on the personal ideas and opinions of the author and do not indicate the official opinion of Meiji University.

Information noted in the articles and videos, such as positions and affiliations, is current at the time of production.