Navigation

Collection of personal data under scrutiny

The Yomiuri Shimbun

From left, Ryoji Mori, Tetsuya Sakashita and Yuichi Ota

The Yomiuri ShimbunFacebook’s “Like” button problem (see below) is just one symptom of larger issues with the current state of online advertising. As the data business grows larger and more complex than ever, data is being exploited for purposes that differ greatly from those anticipated by users. With the internet of things (IoT) being more widely used, we can expect to see further utilization of big data. It is questionable, however, as to whether users’ interests are being protected. The Yomiuri Shimbun asked three experts on the issue to give their views. The following are excerpts from the interviews.

(From The Yomiuri Shimbun, March 30, 2018)

===

Data can be personal even without a name attached

Ryoji Mori / Lawyer

Our online activity is made possible by service providers’ abilities to identify individual devices such as computers and smartphones, and applications. However, the information used for such identification purposes is not considered to be personal information under the current Personal Information Protection Law. The logic behind this is that the intended use of this information is to link devices, rather than individual names or identities.

While this information would be protected by law were it considered personal information, because device-identifying information falls outside of this definition, companies are free to use it however they like. Linked information such as browsing and purchase history detailing users’ interests and economic circumstances is freely traded between companies.

However, as the Facebook issue shows, information linked by devices becomes personal information when the holder already has other personal information. The problem is that information that identifies devices is currently not being treated as personal information, despite this.

Information being sent to unknown third parties, who collect data separate from service providers, is representative of the problem involving smartphone applications.

When a user installs an application on a smartphone, data — including location information — is potentially being sent not only to the application’s developers but also to third parties such as advertising agencies. The guidelines issued by the Internal Affairs and Communications Ministry since 2012 identify possible illegality regarding the improper acquisition of information: Not just on the part of advertising agencies collecting the information, but also application developers who embed advertisers’ software into their applications without offering sufficient prior explanation to their users.

If we apply this reasoning, in theory, website administrators who include Facebook “Like” buttons on their websites could be considered to be breaking the law.

Moreover, several companies collect linked information, such as device identification data, and provide it to other companies who already have information on users. The receiving companies are able to combine this information with the personal data they already have to create detailed profiles.

While a user’s consent is required to provide personal information to a third party, so far there has been no debate as to how to apply the requirement when data not considered personal, after being collated by a third-party, becomes personal information. Considering possible infringement of individual’s rights and interests, such cases should be handled in the same way. The current state of affairs — where information is traded without the consent of users — is highly likely to violate the law.

As technology continues to evolve, there is a limit to the conventional definition and categorizing of information as personal when it is linked with a name, and as nonpersonal if it is not. The individual identification numbers, which have been added to the concept of personal information under the revised law enforced last year, became a factor for determining what information is considered personal.

Regardless of whether codes are linked to names and other data, certain codes are regarded as personal information judged by factors that include how difficult it is to change the codes and how easy the code would make it to contact the person. Further consideration is also needed to include device-identifying information as part of the definition.

===

Data-selling businesses rely on individuals’ ignorance

Yuichi Ota / President of DataSign Inc.

While involved in the development of data management systems for the online advertising industry, I became increasingly aware that risks for internet users whose personal data is collected was being overlooked.

The market for data in Japan and the United States is currently estimated at ¥500 billion. While most users are aware that information about the websites they visit is collected and used to show them advertisements tailored to their interests, they are likely unaware of the high prices for which their data is bought and sold.

In the case of Facebook, web browsing information has been compared with personal information held by the social media giant, sparking a debate centered on the Personal Information Protection Law. However, the transmission of web browsing data is commonplace. Many websites allow third-party businesses, such as advertising agencies, to send information from visitors’ browsers to external servers.

The accumulated information then passes through the hands of various businesses, expanding as each of them adds their own information to it. For example, a smartphone user profile may include details like: “Male, lives in Tokyo, has an annual income of around ¥6 million, likes basketball, purchases more than ¥10,000 worth of natural food products each month, awaiting the birth of his second child.”

Because this information is being used to identify a personal computer or smartphone, some argue that it is not possible to identify whose information it is. However, recently there has been an increasing number of cases of such information being linked to users’ registered email addresses or phone numbers and then provided to companies, who combine it with their customer directories, adding to their collections of stored personal information. This means companies may have information on customers that the customers, themselves, had never shared with the companies.

Of course, companies utilizing data to provide customers with better services is a welcome development. However, users have a right to know what kind of information is being provided to whom, and at what price. The reason people are able to use Facebook for free is that the company has collected the personal information of its users to build its advertising business, generating massive profits. In the current online advertising system, companies have exploited profits by taking advantage of the gap between users who are unaware of the value of their data and advertisers finding great value in it. However, it is questionable to maintain such a system, which is based on users’ ignorance.

The same is true of the website administrators. While most administrators willingly install third-party tools on their web servers for the sake of online advertising, they are unaware of vulnerability of information. This is due to the complexity of the systems. If an administrator installs software which has third-party programs embedded, the information will be collected and transmitted to various entities. While there have been cases of information from a single website being sent to as many as 120 different third-party businesses, website administrators may only be aware of a small number of the parties who are receiving the information.

It is hoped they will accept this is not simply a problem of trust for visitors, and it is a matter of data — a precious management resource — simply being handed over to companies for free without a second thought.

===

Companies must proactively explain how they use data

Tetsuya Sakashita / Managing Director of the JIPDEC

Spending on online advertising totaled ¥1.5 trillion in 2017, marking double-digit growth for four consecutive years and accounting for one quarter of all advertising spending. One driving force of this trend is likely to be targeted advertising, which is based on users’ browsing and purchasing history.

This method benefits not just users by providing them with information about products they may be interested in, but also companies by enabling more efficient advertising and improved enticements to attract consumers to their products. Considering Japan’s retail market has been shrinking since it peaked in 1997, it is important to stimulate demand by winning the hearts of consumers.

However, the online world is falling short of something we take for granted in the real world: explanations. This is often overlooked because website administrators do not directly meet with users. However, it is even more important for website administrators to provide sufficient explanations when there is no face-to-face interaction, and failure to do so results in users’ being anxious and increasingly distrustful.

Imagine what reactions would be made if something like the “Like” button problem were to happen in the real world. The website administrators who installed the button were essentially giving their visitors’ data to Facebook, per its request, without obtaining permission from users. At physical stores, you could at least expect to see a sign on the door saying, “Data from visitors to our store will be provided to Facebook.” From a business etiquette perspective, that would be satisfactory.

Companies should have a certain degree of responsibility for visitors to their websites, just like they do for visitors to their stores. Many website administrators involved in the “Like” button problem did not know that including it on their sites would enable them to provide data to Facebook when viewers simply visit them. However, as long as third-party software is being used by site administrators, they should at least understand what functions the tools have.

Nonetheless, today’s rapidly developing and increasingly complex online advertising technology makes it more and more difficult for website administrators to keep up. When developing their own programs, advertising agencies have a responsibility to provide easy-to-understand explanations not just to users whose data is collected, but also to the administrators of websites who use their tools.

I believe relevant entities — such as the Economy, Trade and Industry Ministry, the Internal Affairs and Communications Ministry, and the Consumer Affairs Agency — should jointly compile guidelines to resolve a series of issues that businesses should follow when collecting data online.

Internet users now generate vast amounts of data day by day — not just browsing and purchasing history, but also location and health information in the real world that is being collected by IoT devices. It is vital to use this data to help resolve various challenges facing Japan, such as the shrinking and aging population and environmental issues.

However, it might become difficult to get data from users and take advantage of it unless they have fair understanding and consent. There have been discussions on creating an “information bank” under which companies that receive data from individuals would manage how it is used, while the government has also been considering building a framework to recognize trustworthy companies. For either case, it is key that they consider the perspective of users and create a system that will satisfy them.

— These interviews were conducted by Yomiuri Shimbun Senior Writer Masako Wakae.

■Ryoji Mori

Mori, 52, is a visiting professor at the National Institute of Informatics. He also serves as a member of a government commission on personal data, among other positions.

■Yuichi Ota

Ota, 35, worked on systems development at a securities company before entering the online advertising industry.

■Tetsuya Sakashita

Sakashita, 54, serves as a member of a committee on data utilization and industrialization at the 21st Century Public Policy Institute, a think tank of the Japan Business Federation (Keidanren), among other positions.

■The “Like” button problem

When users visit websites with Facebook “Like” buttons embedded in them, even without clicking the button, the browsing information linked to the users’ device or browser is sent to Facebook. If users register personal information such as their names on Facebook, this constitutes personal information. While Facebook explains its information collection in its user guide, users are not able to know whether a given website has a “Like” button until they actually visit the site. When they do visit, their information is automatically sent to Facebook. Most websites with “Like” buttons do not provide any explanation regarding whether they provide information to Facebook, meaning users are unable to tell which websites they visit will send information to the company.Speech

Click to play

0:00/-:--

+ -

Generating speech. Please wait...

Become a Premium Member to use this service.

Become a Premium Member to use this service.

Offline error: please try again.