1. How would you describe the primary function of the resident registration number? When was it adopted in Korea, and have there ever been similar instances of private information leaks prior to the current case?
It was adopted back in 1968 to cull out North Korean spies. The idea was that, if everyone properly living in the South is given a number, whoever cannot produce it upon demand will be considered a suspect. So, it was first developed as a password of some sort. The problem was that because it was designed to be fool-proof identification, a lot of government agencies and private companies began to ask for it as a condition for providing their services to anyone. In the end, a lot of agencies and companies ended up having the numbers, and consequently losing the numbers to the hackers and identity thieves, which means that it cannot work as a password any longer. If a lot of people have your password, it cannot work as your password, right? However, the agencies and companies continue to rely on it as an identification scheme. So the hackers and identity thieves want to have access to the resident number DB and that is why, in Korea, we continue to see massive data breaches almost every year.
2. In your view, what is the main problem with the self identification system here in Korea? Is it the number itself or the way it is employed?
I don’t see any problem with the number itself but the way it is employed. There is nothing wrong with the government trying to cull out North Korean spies or trying to figure out who and how many the proper residents are. However, the companies should stop asking for it as a password. So many people, good or bad, have it, so it cannot function as a password anyway. Furthermore, because so many people have it, it is vulnerable to various forms of identity theft. Companies and agencies should stop asking for it because it will hurt their customers. We already have a good example of banning resident number collection. When Cyworld lost 37 million data sets in 2011, the government changed the law so that all internet companies were banned from asking for resident numbers. In 2014, three card companies lost 100 million data sets. It is very appropriate to ban all financial companies from collecting resident numbers.
3. Some criticize the financial sector’s heavy reliance on the resident registration number. Financial authorities, however, argue that the abolishment of the current system would bring about great discomfort and chaos to the public – is this a legitimate concern? What are other available options?
Not at all. Banks in other countries do not rely solely on a resident number. Banks there ask for different combinations of personal information. If banks on one side keep asking for the numbers which are later breached, the identity thieves will take the numbers and go to other banks to steal from the people represented by those numbers. I think we should just do what other countries do. Let them ask for other combinations of personal data. Name plus birthday. Name plus phone number. Name plus your school and graduation year. What is more important, what is in the resident numbers? Birthday, gender, birthplace. Banks ask for the component information anyway. Why ask for the resident number separately and make it a condition of providing services?
4. This problem, of course, does not lie solely with the financial industry. Thus, alternative identification methods are currently being discussed, such as assigning a completely new set of random numbers or using a multi-confirmation method. What do you feel is the appropriate solution?
Giving a new set of numbers is a bad idea. The industry will start relying on it and again create this paradox where it will work as a password when everyone has it. Don’t rely on one monolithic fool-proof identification. Because once you standardize it, you are simplifying the job for bad people. They can just concentrate their resources into breaking down that system.
with Henry Shinn