From August 18, websites in Korea will no longer be able to collect national security numbers when users sign up for services. As reported earlier this year, the Korea Communications Commission announced that websites and companies would need to find other ways to authenticate new users once the ban on collecting ID numbers was in place. The law applies to all websites including portals, online games and shopping malls. Additionally, websites that have user data stored already must destroy it within the next two years.
Until now, most Korean sites have required users to provide their personal information including their real name and national security numbers when joining a site, even if just to comment on an article. However, the past few years have seen a string of hacking attacks on several major companies resulting in thousands of users’ information being leaked. Following these incidents, several major portal sites began to provide alternate ways to sign-up for services before the law change was even announced.
Gaining access to users’ ID numbers was a main motivator for many hackers in order to sell off IDs or create new accounts on websites — often used for spam, phishing or identity theft. Websites will also now be required to alert both users and the KCC if any personal information of users is compromised.
While the new law is small victory for many who criticized the collection of ID numbers, essentially the real-name system still remains in place, with users now having to use other methods to authenticate themselves. ID numbers will also still be required for online financial transactions as stipulated by law. According to the KCC, alternative methods are:
- i-PIN: A new standard method offered by the Korea Internet & Security Agency which makes authentication easier. To obtain an i-PIN, users are required to provide their real name and national security number.
- Cellphone: Data containing the user’s phone number, date of birth and name is transferred to the website and authenticated via text message.
- Electronic Authentication Certificate(SN): A file containing a user’s personal information used mostly for internet banking and transactions but also a method of authentication. The user’s SN, date of birth and name are sent to the website and the certificate is verified online.
- Credit Card: Card information, date of birth and names are sent to the website and verified with the card company.
It is likely that the i-PIN will become the mostly popular method for authentication since it is the easiest, although ironically, it still requires users to provide their ID numbers. The i-PIN option is mandatory for websites with over 10,000 visitors on average per day but many websites exceeding this number are still using only ID numbers to authenticate users.
While many large companies may be ready for the revised law, it is uncertain how quickly smaller websites will change their systems. According to MoneyToday, there will be a grace period of six months while websites adjust to the changes, which means that there will be no fines until February 2013 for companies that have not yet updated their systems. This has raised concerns that smaller websites may continue to collect ID numbers until this time.
Image via Shutterstock