Cyber hacking fuels debate over Web portals

Controversy is heating up over South Korean Web portal operators' collection and storage of private data after the country's worst cyber hacking case put over two-thirds of its population at risk of identity theft. The case has also put a question mark on the effectiveness of the country's controversial Internet regulations, such as the real-name verification law, which critics argue provide incentives for online companies to hoard personal information. Last week, SK Communications Co., one of the country's top three Web portal operators, said personal data on its 35 million users had been leaked from its Nate Web portal and Cyworld blogging service. Unidentified hackers stole their real names, resident registration numbers, birthdates, addresses, phone numbers and password information in the latest in a series of online security breaches that have repeatedly hit this self-proclaimed technology powerhouse. In April, a cyber attack paralyzed the computer networks of the National Agricultural Cooperative Federation, known as Nonghyup, disabling nearly 30 million members from conducting financial transactions for days. In the same month, Hyundai Capital Services Inc. said private data and financial records of nearly 2 million members were grabbed by hackers. In the wake of the hacking case at SK Communications, however, users are not just taking issue with the security glitches, they are also challenging the validity of local Internet companies' long-held custom -- demanding too much personal data before joining new Internet services. "While they didn't have the ability to protect private data, they have been excessively collecting it," said Lim Jong-in, dean of the Graduate School of Information Security at Korea University, referring to the country's major Web portals. South Korean Internet users rely heavily on do-it-all, one-stop Web portals. They visit industry leader Naver at least three times for every four Internet uses, according to market research firm Metrix Corp., and the three most-visited Web portals account for more than 90 percent of the country's Web search traffic. These Web portals ask for names, resident registration numbers, birthdates, addresses and phone numbers to join their services, which are accumulated, some of them encrypted, in their servers for at least five years and become attractive "booty" for hackers. "Instead of mere lists of online accounts, (hackers) could steal the full package of real world identities," said Nakho Kim, a media researcher at the University of Wisconsin-Madison. "Due to government policies and industry laziness, many Korean online services tend to collect a lot of personal identity information." Apparently aware of such criticism, SK Communications announced on the heels of the hacking incident that it will no longer store resident registration numbers and addresses. But it did not say it will discard resident registration numbers, a state-given number unchangeable for life that can be misappropriated for identity theft crimes, of its 33 million Nate users and 25 million Cyworld users. NHN Corp., the operator of Naver, said it currently has no plan to destroy personal data and Daum Communications Corp., which operates Daum, did not return calls. Industry watchers say that the South Korean government is providing incentives for Web site operators to accumulate private data without holding them liable for security breaches. Under the controversial real-name verification rule, major operators of bulletin boards and Web portals are required to authenticate online users' identity through resident registration numbers. Critics argue that the measure, which was introduced in 2007 to curb cyber bullying through malicious comments and abusive language, have oiled the wheels of those Web sites that had been accumulating personal information for several years. "Many online sites voluntarily collected resident registration numbers from the time of the Internet bubble because the number of verified users served as a barometer for the Web site's value," said one industry source on condition of anonymity. Although the real-name verification law does not explicitly mandate companies to save identity information of the users, the law is perceived as imposing an obligation on the companies to produce the identity information of users to the police, a law professor argued. "Last year, more than one hundred thousand personal identity requests have been sent and complied with by the companies with no warrant and with no notice to the users, which exceeds the total number of search and seizure warrants issued by all courts in South Korea," Park Kyung-sin, a law professor at Korea University, said in an email response. Daum lists "the collaboration to investigating authorities" as one of the reasons that it saves users' data for at least one year. On defense of their private data-gobbling practice, Web portal operators added because the universe of content on their Web sites include commerce, which requires financial transactions, they are obligated to store the personal and financial data for at least five years. But NHN spokesman Kim Jeong-woo admitted that Naver has been keeping data for users who do not use its online commerce service. Following the hacking, SK Communications revised its policy and will ask users to input their resident registration numbers each time they make an online purchase, instead of retrieving the numbers saved in its servers, an inconvenience it believes Internet users will understand. "We had saved the personal data for users' convenience," said the spokeswoman Koo Ki-hyang. "But now security is our priority," Others, however, say that minimizing the collection of private details or revamping the resident registration number system are fundamental solutions, when the series of hackings show that there is no safe online haven for private data, and 70 percent of South Koreans are already exposed to the risk of identity theft. "It would make much more sense if they could minimize the collection of real world identity along with the legal liabilities that follow," said media researcher Kim.