Naver Recommends Improvements to Prevent ID Exposure in Blog URLs
[Asia Economy Reporter Eunmo Koo] The Personal Information Protection Commission (PIPC) has recommended the destruction of personal information that was collected and provided without legal grounds in relation to the National Intelligence Service's (NIS) alleged illegal surveillance of civilians during the past Four Major Rivers Project. Additionally, it recommended that Naver improve its system so that user account IDs are not exposed in blog URLs.
On the 12th, the PIPC held a plenary meeting at the Government Seoul Office and announced that it deliberated and passed these recommendations.
First, regarding the NIS's violations of personal information protection laws, the PIPC launched an investigation last May following a civil complaint. The investigation revealed that from 2008 to 2010, the NIS collected documents on the activities of opposition groups and individuals related to the Four Major Rivers Project, and some of these documents contained personal details such as names, registered domiciles, educational backgrounds, occupations, and career histories.
The PIPC judged that the creation of these documents did not fall under the NIS's duties related to national security as defined by the then applicable "Act on the Protection of Personal Information Held by Public Agencies," and thus the NIS had collected and provided personal information beyond its official scope of work.
Accordingly, the PIPC urged the NIS to destroy the personal information that was collected and provided without legal grounds in the past and to comply with relevant laws in future operations.
The NIS stated that upon receipt of the resolution from the PIPC, it will review the recommendations and handle the matter lawfully in accordance with the "Personal Information Protection Act," the "Public Records Management Act," and other related laws.
The NIS explained, "Through the full revision of the National Intelligence Service Act on December 15, 2020, the collection, creation, and distribution of domestic security information were removed from the scope of duties to fundamentally prevent any deviation from official duties. Currently, we strictly comply with personal information protection laws across all operational areas and manage personal information with greater rigor."
It further added, "Regarding domestic information and personal information illegally collected in the past, we provide it lawfully upon legitimate information disclosure requests by the concerned parties, based on laws and Supreme Court rulings, and in all other cases, we neither handle nor utilize such information."
Meanwhile, NIS Director Park Jie-won has previously proposed to the National Assembly the enactment of a special law to select and destroy related materials concerning illegally collected domestic information.
At the plenary meeting, a recommendation was also passed to improve Naver blog URLs so that user IDs are not exposed.
The PIPC began an investigation following a complaint filed through the People's Petition Center that user IDs were exposed in Naver blog URLs, leading to spam emails. Upon reviewing the blog URL generation systems, the PIPC found that platforms like Daum Blog and Brunch either allow users to input URLs directly or generate them randomly, whereas Naver blogs expose user IDs directly in the URL.
The PIPC explained, "Although consent for the collection and use of personal information was obtained at account creation, the service design did not consider personal information protection, resulting in user information being exposed. Exposed accounts can be exploited for spam email distribution and unauthorized intrusion (hacking) attacks, so improvements are necessary."
Yang Cheong-sam, Director of the Investigation and Coordination Bureau at the PIPC, stated, "To safely handle personal information in information and communication-based services, it is necessary to carefully consider personal information protection from the service planning and design stages. Through this improvement recommendation, we will strive to establish privacy-centered design as a standard practice to protect service users' personal information."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
