Personal Information Protection Commission, National Health Insurance Service, and Health Insurance Review & Assessment Service Hold Forum on January 16
Addressing Risks and Countermeasures for Data Scraping and Potential Information Leaks
There have been warnings about the risks of "scraping," a practice in which automated programs access websites on behalf of users and collect personal information displayed on the screen.
On January 16, the Personal Information Protection Commission held a forum at the Korea Press Center in Gwanghwamun, Seoul, to discuss ways to respond to scraping and strengthen safety measures for major public healthcare institution websites.
This forum, jointly organized by the Personal Information Protection Commission, the National Health Insurance Service, and the Health Insurance Review & Assessment Service, was held to examine the risks of scraping and the potential for personal information breaches.
Scraping refers to a method in which automated programs obtain a user's ID, password, and authentication information, then access a website on the user's behalf to automatically collect personal information displayed on the screen.
Even if the user's consent is obtained, scraping is known to carry high risks of information leakage and misuse, including excessive data collection, exposure of authentication information such as IDs and passwords, and use beyond the original purpose.
At the forum, Kim Dongbeom, a specialist at Seoul National University's College of Innovation and Convergence, delivered a presentation titled "Current Status and Risk Factor Analysis of Data Scraping in the Medical Sector," comparing domestic and international healthcare information laws and service status and analyzing the risk factors and policy trends related to scraping methods.
In the subsequent panel discussion, representatives from government agencies, academia, and industry discussed the risks of scraping personal medical information from public healthcare institution websites and explored ways to establish an alternative information transfer system based on APIs (Application Programming Interfaces).
An API is a method by which data providers securely link and transmit necessary information through authentication and authorization procedures, according to pre-defined standard specifications.
The panelists agreed that it is difficult to distinguish personal information scraping from "credential stuffing," a type of hacking, and that a surge in automated scraping connections can interfere with other users' access to websites. Credential stuffing refers to a hacking technique in which IDs and passwords leaked on the dark web are entered automatically to launch attacks.
The Personal Information Protection Commission emphasized that individuals, as data subjects, should be able to freely download their own information from corporate websites; that it must be possible to verify in advance whether agents acting on behalf of individuals can properly manage personal information; and that corporate website administrators should record the identity of the agent and which personal information was obtained.
To this end, the Commission explained that it plans to promote related institutional improvements in cooperation with the National Health Insurance Service and the Health Insurance Review & Assessment Service.
Ha Seungcheol, Director of the MyData Promotion Team at the Personal Information Protection Commission, said, "Many companies choose scraping because there is no way to obtain data for innovative services that benefit the public," adding, "When public institution website operators receive user requests, they should provide personal information in a secure manner, thereby reducing the risks of scraping and creating a virtuous cycle for the continued provision of innovative services."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


