Anonymous no Kenkai Ep.21: The Dawn of the Digital Agency

Hello internet. And welcome back to ANONYMOUS NO KENKAI.

And how are you all enjoying 2021? With special guest appearances by two of the four horsemen…

Thankfully, Japan has managed to avoid some of the worst effects… so far, at least. There aren’t any shortages of fuel or food, and riots aren’t engulfing our cities. To the untrained observer, the worst of Japan’s current worries are wasteful spending on the Olympics and the incompetent bungling of an online vaccine reservation system.

But there’s a bigger threat lurking on the horizon, disguising itself under a layer of boring paperwork and government bureaucracy. The subject of today’s video…the Digital Agency. We’ve mentioned it before, but it deserves its own video for the threat it poses. Because the Digital Agency has the potential to centralize too much government power in too few hands, creating an unaccountable surveillance state. Or even worse, it could covertly place this surveillance apparatus under the control of multinational IT corporations.

But let’s begin with some background. Many in Japan have probably heard of the Digital Agency by now, if not the slogan they use to promote themselves… “Government as a Startup”. Prime Minister Yoshihide Suga made it a central policy of his administration in 2020, with the basic direction decided in November last year. The Agency is set to begin operations on September 1st 2021.

The Digital Agency will be responsible for the administration of government IT on the national as well as the local level, creating a unified standard to replace the current silo approach where each ministry or local government creates its own (sometimes mutually incompatible) systems in isolation. To do this, the Agency will have (or at least appears to have) strong supervisory authority over the IT budget and planning for other parts of government.

The Digital Agency will also be in charge of the “digital transformation” of Japan… where the penetration of information technology “changes people’s lives for the better in every way”. To this end, the Agency is to be given control of the MyNumber system from the Ministry of Internal Affairs, and will push to distribute the unpopular MyNumber Card to almost all citizens by the end of 2022.

All of these decisions have been made with a speed uncharacteristic of the Japanese government. Only six months after the Agency’s direction was decided, six new bills related to its establishment and operation were enacted. Takuya Hirai, current Minister for Digital Reform and future head of the Digital Agency itself, commented that he was surprised at the “unusual speed” of these decisions.

So far this isn’t particularly alarming, though. The government is good at setting up agencies and committees, and most of the time they end up mired in red tape and incompetence. But unfortunately, the story doesn’t end there.

As future head of the Digital Agency, Takuya Hirai had a history with the private sector before his career in politics started. He worked in Japan’s famous (or infamous) advertising agency Dentsu for six years, then worked as the president of “Nishinippon Broadcasting Company”, a regional TV and radio company, for 12 years.

During his political career, he has also been a strong proponent of modernization and digitization. In 2013, he was instrumental in lifting a government ban on using the internet for election campaigning, as well as pushing for other IT and cyber-security related laws.

His history in the private sector may have an influence on his plans to staff the Digital Agency. Of the 500 planned staff, around 100 are to be recruited from private sector IT companies. Which companies exactly is still unknown, but the Agency will operate a “revolving door” policy, where staff move back and forth between the private sector, national government, and local government positions.

So why is this a problem? Are we against modernizing or streamlining government services? Not exactly. It’s true that coordinating policy between different Ministries and levels of government would make it faster and easier to manage the day-to-day bureaucracy of Japan. Unfortunately, this idea also has many drawbacks, most of which the government of Japan either doesn’t care about, or doesn’t want you to think about.

For one, the “digital transformation” of government bureaucracy on every level means that all government paperwork would be stored in “the cloud”…which is to say, government computers that are not only perpetually online, but organized using a single unified system. This creates a single target for attackers to aim at, and one security vulnerability could potentially expose the personal, financial, and medical information of every Japanese citizen to both criminals and foreign governments.

In the past few months alone, multiple failures or breaches of government cybersecurity have made headlines. The Ministry of Defense’s poorly managed vaccine reservation system was found to be rife with vulnerabilities, and unauthorized access to a software tool designed by Fujitsu led to data leaks from Japan’s national cybersecurity center, two ministries, the Narita International Airport Corp, and the Tokyo Olympic organizing committee.

Given this litany of failure, it seems obvious that the government is incapable of securing the data it already has. Is it really wise, then, to increase the amount of data they hold, or to centralize the way they hold it? When each part of government manages its own IT systems, at least the damage of a single vulnerability is contained to that system. The unified approach espoused by the Digital Agency would allow a single vulnerability to potentially affect the entire country. And when leaked personal information exposes Japanese citizens to fraud, crime, or worse, it doesn’t seem likely that the government will give them any assistance defending themselves, or compensate them for any damage.

But worse than incompetence is malice. The Digital Agency creates vast potential for both the government and private corporations to abuse the information under their control.

The centralization of all government IT systems makes the creation of Chinese style surveillance easier than ever. The “strong supervisory authority” granted to the Digital Agency would allow it access to systems held by other parts of government. One of these may be the National Police Agency or NPA.

In 2013, the NPA was given access to “XKEYSCORE” by the American NSA. XKEYSCORE is a program that collects and analyzes global internet data. Given that the jurisdiction of the NPA is largely domestic, it seems reasonable to assume they’re using XKEYSCORE to monitor the online communication of Japanese citizens.

In 2019, the NPA acquired blockchain surveillance technology to monitor transactions of Bitcoin, Ethereum, and other popular cryptocurrencies.

Since both are IT-based systems, it seems reasonable to assume that the Digital Agency will have some level of access to them. And since the Digital Agency operates at the Cabinet level, and answers directly to the Prime Minister, national cybersecurity is hardly outside their jurisdiction.

The Digital Agency’s control over the MyNumber System also means it has access to records from the Ministry of Finance, given the connections to banking information and taxation.

Access to the surveillance powers of XKEYSCORE and blockchain surveillance from the NPA and financial information via MyNumber would allow the Digital Agency to not only collect all this information under one roof, but potentially to aggregate it. Functionally speaking, this is a Panopticon, where every aspect of a citizen’s life is monitored and recorded. Even if the current government doesn’t want to abuse this power, no barrier exists to prevent future administrations from doing so.

But the inclusion of the private sector only makes matters worse. Modern internet companies use surveillance as a source of profit. Google and Facebook are the most famous foreign examples of this, but Japanese IT companies are no different. The data collected under the Digital Agency is valuable to these businesses, and the “revolving door” policy for allowing private sector staff to easily enter and exit government positions creates the potential for backdoor access to this data, and inappropriate relationships with the government staff tasked with guarding it.

Even though only Japanese citizens are allowed to work for government, a Japanese citizen who moves between the Digital Agency and a foreign IT corporation creates a security threat. Limiting this to domestic corporations only doesn’t necessarily reduce the threat either. “Merchants have no country”, as the saying goes. Every company wants money, and valuable data acquired by a Japanese business can still be sold or traded overseas.

But the threat of the private sector isn’t limited to what they can take away from the Digital Agency, but also what they can bring into it. J.Score, for example, is a private company that gathers data on its users to assign them an “AI Score” which can offer rewards or financial lending…worryingly similar to systems like those created by Alibaba or Tencent in China.

J.Score is a joint venture by Mizuho Group and Softbank, two Japanese companies. Staff rotating between those companies and the Digital Agency would make it much easier to incorporate J.Score into a national Social Credit system like China’s. Remember, China initially authorized private companies to trial Social Credit as business ventures before adopting those same systems as a method of population control. There’s no reason to believe the same thing can’t happen to Japan.

As we’ve amply demonstrated, the potential harms of the Digital Agency far outweigh any benefits they offer. But of course, this leads us to the question… what can we do about it?

Sadly, when the government is involved, there’s often little we can do to stop it. The Digital Agency will begin operations on September 1st, no matter what the citizens of Japan think or say. And refusing to give information to the government would not only make one’s life difficult, but in many cases is actually illegal.

So if our information is going to be stored in a government cloud where every hacker and corporation will steal it anyway, the very least we can do is attempt to minimize the amount of information they have.

The ability for XKEYSCORE to datamine your communications can be limited by using onion routing software like Tor or Lokinet, or a trusted VPN for daily internet use. On top of that, using software that incorporates End-to-End Encryption without requiring personal information also limits what information can be collected on you. Messenger applications like Session or the Matrix Protocol are good choices here, while mainstream applications like LINE or Facebook Messenger should be avoided at all costs. Software like OnionShare also allows short-term communication and data sharing with greater privacy and anonymity.

For social media and video, remember that companies like Twitter, Facebook, and Google are eager partners in surveillance around the world, including Japan. Using alternatives like Odysee, or federated systems like Pleroma and PeerTube on the Fediverse makes monitoring your online activity a little more difficult.

Operating Systems are no less guilty of cooperating with surveillance. While control over hardware is difficult for most people, there are options for control over software. Using Linux on PC, and either Lineage or Graphene on Android devices makes automated surveillance of your device more difficult. iPhone and Mac users… sadly, there’s little good news for you. You can choose to trust Apple if you wish, but otherwise you might want to look into new hardware.

On the financial side, avoid Cashless systems like PayPay at all costs. No matter how convenient they are, they record and share data on every transaction you make, and in the future they could be used to restrict your ability to spend your own money. Using physical cash for day to day transactions is still the most private way to do business. As long as cash remains popular and well circulated, businesses will be more hesitant to refuse it, and the government will have more difficulty trying to phase it out. India’s disastrous attempt at demonetization in 2016 failed in large part because cash remained so popular among so many. The more we insist on using cash, the harder it is for the government to get rid of it.

To escape blockchain surveillance, use privacy-respecting cryptocurrencies like Monero, Oxen, ZCash, or others. Rather conveniently, Japanese crypto exchanges were pressured into delisting these coins years ago. But fortunately, the decentralized exchange Bisq is available in Japanese. Buying Bitcoin or Ethereum with Japanese yen, and then converting it into privacy coins via Bisq is one path to restoring financial privacy in online, electronic payments.

Lastly, remember that not everybody in Japan is ready or willing to escape the systems of surveillance that are being created. The majority of Japanese citizens either don’t know, or don’t care about the threat of surveillance, and that thought alone makes it easy to fall into despair. But even if only 1% of Japan cares enough to actually do something, that can still be a community if we pull together and support each other.

We may be a small fraction of society, but using and sharing tools that allow us to secure our freedom and privacy creates a viable alternative to the Surveillance State being built by governments and corporations. And when those systems of control become too unbearable for the majority to tolerate any longer, we’ll be ready to grow and push back against the threat of the Digital Agency.

This was ANONYMOUS NO KENKAI… and until next time, MACHIUKENASAI.


Anonymous no Kenkai Ep 18.5: Kagawa Game Ordinance Update

Hello everybody. It’s rare for us to do a follow-up on a previous Anonymous no Kenkai, but in the time since we released our last video on the Kagawa Game Ordinance, some very interesting news has come out that needs to be shared. If you haven’t watched Episode 18 yet, you might want to pause this video and go watch that for the background information to understand what’s going on. But otherwise, let’s begin.

First, on April 16th, the Kagawa Prefectural Government website published an incident report about the loss of a shared computer in their offices. According to the incident report, a staff member reported the computer as missing after checking the equipment on March 17th. Although they searched for it and interviewed staff, they were unable to find it. The cause of the loss was listed as poor management, and the office decided to store shared computers in a locked cabinet in future. Why expensive equipment wasn’t already secured this way remains an unsolved mystery.

This incident doesn’t seem related or particularly important at first glance, but please remember that Kagawa’s Game Ordinance was approved on March 18th…one day after this computer went missing. This will be important later in the story.

Second, on April 13th, local news network “KSB” published a report based on a Freedom of Information request into the Game Ordinance’s Public Comment period. What they found was that of the 2269 supporting comments, many of them were exactly the same, right down to the use of spaces and line breaks. Most were simply one-line answers such as “I agree” or “I agree with the expectation of a bright future with the passage of the ordinance”. The bulk of these identical comments arrived within minutes of each other, one after the other.

The Kagawa Prefectural Office redacted the personal information of commenters, of course, to protect private information. But some of the information they left unredacted led to an even more interesting discovery.

Starting at 8:47am on January 31st and continuing on until 5:25pm on February 5th, the Prefectural Office received a series of one-line public comments supporting the Ordinance through the contact form on their website. Left unredacted was the header information from each submission, including the useragent string and IP address. Dozens of these messages had identical useragents, and all of them seemed to come from the same IP address… For anybody familiar with networks, this is obviously an internal address. In other words, they couldn’t come from the outside internet. They had to come from a device connected to the same internal network as the Prefectural Office’s webserver, which should only be accessible to Prefectural Office staff.
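The header-based analysis described above, written up as an added example that is not part of the original episode: it takes constructed contact-form records (timestamp, source IP, User-Agent, body; sample values only, not the Kagawa data) and flags the three signals the report relied on, submissions from non-routable internal addresses, identical comment bodies, and rapid bursts from a single IP/User-Agent pair. The record format and the 300-second burst window are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample submissions (timestamp | source IP | User-Agent | body).
# Illustrative values only, not the real Kagawa records; 203.0.113.0/24 is a
# documentation range standing in for ordinary public internet users.
SAMPLE_SUBMISSIONS = """\
2020-01-31T08:47:12|192.168.10.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/72.0|I agree
2020-01-31T08:48:03|192.168.10.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/72.0|I agree
2020-01-31T08:49:40|192.168.10.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/72.0|I agree
2020-02-01T13:05:11|203.0.113.77|Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) Safari/604.1|I oppose this ordinance because it restricts parental choice.
2020-02-03T09:12:30|203.0.113.90|Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0|I agree
2020-02-05T17:25:00|192.168.10.25|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/72.0|I agree
"""

# Address ranges that cannot be reached from the public internet: a submission
# carrying one of these as its source had to originate inside the office network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def parse_submissions(text):
    """Split the pipe-delimited records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, body = line.split("|", 3)
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua, "body": body})
    return records


def is_internal(ip):
    """True when the address falls in one of the non-routable ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bursts(records, window_seconds=300, min_size=2):
    """Group submissions by (IP, User-Agent) and return runs in which every
    submission follows the previous one within window_seconds."""
    by_source = defaultdict(list)
    for r in records:
        by_source[(r["ip"], r["ua"])].append(r)
    bursts = []
    for (ip, ua), items in by_source.items():
        items.sort(key=lambda r: r["ts"])
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() <= window_seconds:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    bursts.append({"ip": ip, "ua": ua, "count": len(run)})
                run = [cur]
        if len(run) >= min_size:
            bursts.append({"ip": ip, "ua": ua, "count": len(run)})
    return bursts


def analyze(text):
    """Summarise the three signals: internal sources, duplicate bodies, bursts."""
    records = parse_submissions(text)
    body_counts = Counter(r["body"] for r in records)
    return {
        "internal_count": sum(1 for r in records if is_internal(r["ip"])),
        "duplicate_bodies": {b: n for b, n in body_counts.items() if n > 1},
        "bursts": find_bursts(records),
    }
```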

It’s incredibly interesting that a shared computer in that same office would vanish just one day before the Prefecture voted to pass the Game Ordinance. It’s even more interesting that members of the Review Committee would urge a quick vote due to the overwhelming number of supporting comments.

But even with the stink of corruption hanging so heavily in the air around the Kagawa Prefectural Government, there’s little that can be done now that the Ordinance has passed. It would take a legal challenge in court to stop the Ordinance at this point, ideally on constitutional grounds.

Well, good news…

Just this month, a 17-year old boy in Kagawa Prefecture known only as “Wataru” announced plans to take Kagawa Prefecture to court over the unconstitutionality of and the human rights violations within the Game Ordinance. Namely, that it violates Article 94, the right to self-determination, among a half-dozen other constitutional violations. “Wataru” has retained the services of a well-known lawyer, and plans to crowdfund his legal fees. We’ll provide more information about the crowdfunding campaign as it becomes available.

We hope everybody viewing this can support Wataru’s case, either through crowdfunding or just by spreading the word. The Kagawa Game Ordinance needs to be struck down, and an opportunity like this for the Gamers of Japan, and the world, to Rise Up may never come again. Everybody, let’s make the most of it.


(1) 2018/08 On the establishment of ministerial ordinances accompanying the enforcement of the Act Partially Amending the Telecommunications Business Act and the National Institute of Information and Communications Technology Act (Act No. 24 of 2018) (provisions concerning the standards for identification codes and the implementation plan under the partial amendment of the NICT Act)

(2) 2018/09/26 Opinion (draft) of the Cybersecurity Strategic Headquarters on the proposed changes to the mid-to-long-term plan of the National Institute of Information and Communications Technology

(3) 2018/11/01 Results of the public comment solicitation on the draft ministerial ordinance concerning the standards prescribed by Ministry of Internal Affairs and Communications ordinance under Article 8, paragraph 4, item 1 of the supplementary provisions of the NICT Act and the plan for implementation of operations under Article 9 (new/old comparison table)

(4) 2019/01/25 Summary of the application for approval of the plan for implementation of operations prescribed in Article 8, paragraph 2 of the supplementary provisions of the NICT Act (Act No. 162 of 1999)

(5) 2019/02/01 Implementation of “NOTICE”, an initiative to survey IoT devices and alert their users https://www.nict.go.jp/press/2019/02/01-1.html

(6) 2019/02/14 On the IP addresses used by “NOTICE”, the initiative to survey IoT devices and alert their users
(7) 2019/06/28 On the status of implementation of the IoT device survey and user alerts



The port scans target ports 21 (FTP), 22 (SSH), 23 (TELNET), 80 (HTTP) and 443 (HTTPS), plus 8000 and 8080. Rather than single probes, they appear to scan intensively and continuously within a short period of time.

Let’s imagine a scenario together. Imagine a world where, in a crowded urban metropolis, nobody locked their doors. As a result, burglaries are skyrocketing. This problem could easily be solved by everybody just locking their doors, but for some reason they don’t.

Why not? Maybe they’re too lazy, maybe they’re stupid, or maybe they just don’t believe they’ll be targeted. Whatever the reason, the problem isn’t getting better.

The police, of course, are overwhelmed. They put out notices asking people to lock their doors, but it doesn’t have much impact. So finally, they come up with a more extreme plan.

The police hire people to go door to door in every neighborhood, testing each door to see if it’s locked. If they find an unlocked door, they enter the house and leave a warning note. They then write down a list of all the addresses that don’t lock their door and keep it at the police station.

Naturally, this plan has one problem…entering somebody’s house without permission or a warrant is illegal. But the police solve that by having the government pass a law that makes it temporarily legal for the police to perform “specified access” to unlocked houses.

Does this sound like a terrible idea filled with potential for abuse? We agree! Unfortunately, Japan’s NICT does not.

The National Institute of Information and Communications Technology announced a plan in February of this year, called NOTICE…”National Operation Towards IoT Clean Environment”. NOTICE is a plan to improve the national level of IoT security. Unfortunately, many hundreds (if not thousands) of IoT devices are either poorly secured, or not secured at all. Many use default passwords, which makes them easy targets for malicious programs like 2016’s Mirai virus.

The NICT wants to encourage better security practices, which is good. Unfortunately their method of doing this is very bad. Under NOTICE, the NICT plans to run brute-force dictionary attacks on all IoT devices in Japan, testing default passwords to try and access them. If the attack is successful, they will notify the owners and advise them to change their password. It’s also likely they’ll be keeping records of which devices were successfully accessed.

Of course, this plan had one problem…the type of brute-force attack the NICT wants to use under NOTICE is considered unauthorized access, and is illegal under Japanese law. Which is why, in 2018, the Japanese government created amendments to the Telecommunications Business Law and the National Research and Development Institute of Information and Communications Technology Law. These amendments stipulated a class of “specified access” as an exception to unauthorized access, essentially making it temporarily legal for the NICT to perform unauthorized access to private networks.

There are thankfully some limits on the NICT’s new “specified access” powers…for now. Legal targets are limited to those that meet the criteria set forth by the Ministry of Internal Affairs. The NICT’s brute force attacks will employ only passwords less than 8 characters, those used in past cyber attacks, and those using only identical or consecutive characters. Sadly, these limitations are of little comfort. More on that later.
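To see which passwords the scanning criteria above would actually reach, here is an added checker (not NICT’s code; the actual MIC criteria list is not on this page). It assumes “consecutive characters” means characters that step by one code point in either direction, and stands in for the “used in past attacks” list with a small constructed set of widely published defaults; the device inventory is likewise constructed.

```python
# Constructed stand-in for "passwords used in past cyber attacks": a handful of
# widely published IoT defaults. The real NOTICE dictionary is not on the page.
KNOWN_ATTACK_PASSWORDS = {"admin", "password", "root", "12345", "123456", "default", "support"}

# Constructed device inventory (label -> current password) for the audit below.
SAMPLE_INVENTORY = {
    "lobby-camera": "admin",
    "nas": "11111111",
    "router": "wC9#pLm2qZ7!tR4v",
    "printer": "abcdefgh",
}


def is_short(pw, limit=8):
    """Criterion 1: fewer than 8 characters."""
    return len(pw) < limit


def is_identical_chars(pw):
    """Criterion 3a: every character the same, e.g. 'aaaaaaaa' or '00000000'."""
    return len(pw) > 0 and len(set(pw)) == 1


def is_consecutive(pw):
    """Criterion 3b (assumed reading): each character is the previous one
    plus or minus one code point, e.g. '12345678', 'abcdefgh', 'hgfedcba'."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def notice_reasons(pw):
    """Return the criteria the password matches. An empty list means a
    NOTICE-style dictionary built from these criteria would not hit it."""
    reasons = []
    if is_short(pw):
        reasons.append("shorter than 8 characters")
    if pw in KNOWN_ATTACK_PASSWORDS:
        reasons.append("used in past attacks")
    if is_identical_chars(pw):
        reasons.append("identical characters only")
    if is_consecutive(pw):
        reasons.append("consecutive characters only")
    return reasons


def audit_inventory(inventory):
    """Map each device whose password is in scope to the matching criteria,
    so an operator can change those passwords before anyone else tests them."""
    flagged = {}
    for device, pw in inventory.items():
        reasons = notice_reasons(pw)
        if reasons:
            flagged[device] = reasons
    return flagged
```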



While the goal of improving Japan’s network security is commendable, the NICT’s plan under NOTICE may have a number of unintended consequences.

Firstly, legalizing government hacking of private networks opens the door to abuse by other branches of government. We already know that CIRO and the Japanese Directorate for Signals Intelligence are monitoring the Japanese internet, and cooperating closely with America’s NSA. There’s potential that they might be tempted to deputize the NICT to perform “specified access” to a private network on their behalf, protected by the legal shield created by the 2018 amendments.

The ability of the NICT to successfully contact the owners of private networks to warn them is also an issue, as is the likelihood that those owners might not notice (or might ignore) this contact. As a result, the NICT will end up maintaining a list of unsecure IoT devices in Japan…a list that will itself become a target for hackers, who will have faster and easier access to victims. In this way, the NICT might make Japanese networks less secure rather than more.

Finally, the limits on the “Specified Access” exemption are no guarantee of limited powers. The Japanese government has a long history of creating “temporary” or “limited” powers, and then expanding or extending them after the fact when they find a reason to do so. As far as the Japanese government is concerned, a promise and 100 yen couldn’t buy a can of coffee.

To be clear, the goal of improving IoT security is a good one, and we certainly encourage all users of IoT devices to stop using default passwords. One visit to Insecam-dot-org and you’ll see why it’s dangerous to leave network devices unsecured. But the plan under NOTICE is not a good solution, and will very likely create more problems than it solves.

So what can we do about it? Well, one thing network operators can do is block the NICT from accessing their networks entirely. In fact, the NICT has helpfully provided a list of the IP addresses they’re using under NOTICE, and which ports they intend to scan. If they find some or most of their “specified access” attempts being blocked outright, that might send a message to the NICT about the popularity of NOTICE.

A list of these IP addresses, as well as a timeline of information about NOTICE, are provided above. Please feel free to use this information as you see fit.
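As an added example (not from the episode or from NICT), this goes one step beyond blocking the published address list: it detects the pattern from the port note above, several of ports 21, 22, 23, 80, 443, 8000 and 8080 probed from one source within a short window, in constructed firewall log lines, and renders an nftables drop rule for the flagged sources. The log format, the documentation-range addresses, the 60-second window and the `inet filter` table / `input` chain names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The ports named in the NOTICE port note.
NOTICE_PORTS = {21, 22, 23, 80, 443, 8000, 8080}

# Constructed firewall log lines in a simplified syslog-like format. The source
# addresses are documentation-range placeholders, not the real NOTICE scanners.
SAMPLE_LOG = """\
2019-03-01T02:14:05 DROP SRC=198.51.100.10 DST=192.0.2.5 PROTO=TCP DPT=21
2019-03-01T02:14:06 DROP SRC=198.51.100.10 DST=192.0.2.5 PROTO=TCP DPT=22
2019-03-01T02:14:06 DROP SRC=198.51.100.10 DST=192.0.2.5 PROTO=TCP DPT=23
2019-03-01T02:14:07 DROP SRC=198.51.100.10 DST=192.0.2.5 PROTO=TCP DPT=80
2019-03-01T02:14:08 DROP SRC=198.51.100.10 DST=192.0.2.5 PROTO=TCP DPT=8080
2019-03-01T02:20:00 ACCEPT SRC=203.0.113.8 DST=192.0.2.5 PROTO=TCP DPT=443
2019-03-01T09:00:00 DROP SRC=203.0.113.8 DST=192.0.2.5 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>[\d.]+) DST=\S+ PROTO=TCP DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]),
                            "src": m["src"], "dpt": int(m["dpt"])})
    return records


def find_scanners(records, window_seconds=60, min_ports=3):
    """Return {src: sorted ports probed} for sources that hit at least
    min_ports distinct NOTICE ports inside some window_seconds span, i.e. the
    'intensive and continuous' pattern rather than a one-off connection."""
    by_src = defaultdict(list)
    for r in records:
        if r["dpt"] in NOTICE_PORTS:
            by_src[r["src"]].append((r["ts"], r["dpt"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_ports:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged


def nft_drop_rules(sources, table="inet filter", chain="input"):
    """Render one nftables rule dropping all traffic from the given sources
    (the 'block them entirely' option). Assumes the table and chain exist."""
    if not sources:
        return ""
    return f"add rule {table} {chain} ip saddr {{ {', '.join(sorted(sources))} }} drop"
```

Feeding `nft_drop_rules` the address list NICT published for NOTICE instead of detected sources gives the pre-emptive block the paragraph above describes.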

And for the love of God, please change the passwords on your IoT shit.