Line’s data access case exposes possible risks of outsourcing overseas

Grave doubt has been cast on the data management of an information infrastructure used by 86 million people in Japan. Parties concerned must urgently clarify the precise picture of how it happened and make utmost efforts to dispel the concerns of users.

The operating company in Japan of the Line free messaging app has announced that it had given a company in China — to which it had entrusted system development work — access rights to the personal information of app users. It said that the names, phone numbers and contents of messages thus could be viewed for a lengthy period of time.

The operator explained that the Chinese company was able to view only the minimum necessary amount of information, thus there was no unauthorized access nor any exposed information. However, concerns over possible information exposure and distrust of the app are prevailing among its users.

Prime Minister Yoshihide Suga has announced that the government will investigate the circumstances regarding how the app is used by government organizations. The Internal Affairs and Communications Ministry and some local governments have decided to halt the use of the app.

China’s National Intelligence Law obliges companies and citizens in China to cooperate with the government’s intelligence activities. As the Line operator allowed a company that could be forced to provide information to the Chinese government to access users’ personal data, it is only natural that users are hesitant to use the app.

The Line app was developed 10 years ago and has spread rapidly. It also offers cashless payment services, and many local governments are using the app to track the health conditions of people infected with the novel coronavirus. As it is also used by politicians, one expert has pointed out that the recent incident “is posing high security risks.”

Companies in charge of information infrastructure are required to perform particularly strict data management. The Line operator said it had blocked the Chinese company’s access to the data and will sequentially transfer video and image data currently stored in South Korea to Japan. The operator should steadily proceed with this.

A third-party committee to be set up soon will need to investigate problems with the information management and oversight system of the company to which the work was outsourced and promptly disclose the results. The government should also try to grasp the actual situation, rather than leaving it to the operator.

Japan’s Protection of Personal Information Law allows entities to transfer information to foreign countries and view it from overseas with the consent of users. The Line operator said it had provided some clarification in its user guidelines, but there are likely not many people who would closely read the lengthy terms and conditions.

With the implementation of the revised law next year, the government said it will require entities to specify the name of the country to which information will be transferred. There should be a renewed debate about whether it is acceptable to allow information to be moved or viewed overseas just because there is the consent of users.

In the field of information technology, outsourcing of work to overseas companies has been increasing in consideration of human resources and costs. Some companies may not pay attention to the system in each country and readily entrust the work to firms overseas. The government should expedite efforts to investigate the relevant situation and establish rules.

Users should also raise their awareness of the safety situation surrounding the use of information services.

— The original Japanese article appeared in The Yomiuri Shimbun on March 22, 2021.