Introduction

Information and communications technologies (ICT), particularly the internet and cloud computing, are becoming the substrate for economies and societies. They allow individuals and organizations worldwide to connect, exchange information, and collaborate. They have had a profound impact on industries, politics, and the media. The coronavirus pandemic has only accelerated the shift of business, education, government, and other core activities to the online world, with potentially lasting effects.

Digital technologies provide many conveniences, but they have also enabled crime; disinformation; the theft of private information, confidential business information, and intellectual property; cyber attacks; and cyber espionage. ICT companies are racing to address vulnerabilities in their hardware and software and trying to keep ahead of malicious hackers who are constantly finding new ways to exploit these vulnerabilities.

It is much harder to establish identity and trust online than in a face-to-face environment, resulting in identity fraud and unauthorized access to computer systems and the data they contain. As in other countries, internet users in the Republic of Korea (hereinafter the ROK or Korea) expect and often demand better and easier methods for online authentication and data access control. As a major economy and one of the most “connected” countries in the world,1 Korea’s experience in delivering these services can provide important lessons, both for peer economies and for other countries searching for models they can learn from.

Online authentication is a crucial security measure for identifying users and for validating the online apps they access. Invariably, there is a trade-off between the conflicting goals of usability, innovation, reliability, standardization, and consumer protection. A successful and broad deployment of authentication tools and techniques can lead to greater trust online, enabling user identification, electronic signatures, and nonrepudiation. However, rigorous online authentication may require additional (and sometimes inconvenient) security measures and information such as multifactor authentication.

In Korea—and everywhere else—data access control is a matter of balancing utilization and data protection. The openness and utilization of data improve access to information across society, creating substantial value, such as transparency and data-driven decisionmaking in government, marketing, healthcare, and other areas. However, the collection and sharing of data will inevitably lead to problems such as the misuse of personal data, infringement of privacy, and loss of control by the users, which should also be considered. In addition, there are fears that data transferred abroad will not be properly protected. This is leading to conflicting goals: international data flows, which enable Koreans to use cloud services from hundreds of different providers, conflict with data localization requirements designed to help Korean companies and the government leverage data about Korean citizens and entities.

In developing its strategy for online authentication and data access, the Korean government and the ICT companies operating in the country have had to make several difficult choices, which reflect their conflicting values. This path to a so-called Korean model has not been smooth. And like elsewhere in the world, Korean decisionmakers and stakeholders have had to learn by trial and error.

This chapter explores how the core policies related to online authentication and data access control have been developed and implemented in Korea, focusing on the major changes and the reasons behind them. The chapter first analyzes the drivers of those policies, such as Korea’s ICT policy, cybersecurity incidents, cybersecurity policies, and the major actors working to improve cybersecurity. The challenges of online authentication are divided into two parts: online identification (user validation) and authentication online (activity validation). The challenges of data access control are likewise divided into two parts: public data and private data.

The Origins and Evolution of a Korean Approach to Online Data

Korea’s approach to online authentication and data access control reflects several unique characteristics of the country’s economy, infrastructure, and development. For one, Korea has invested heavily in ICT infrastructure as a national priority, building broadband networks and extending their reach into almost every home. With an average of more than 200 megabits per second for fixed broadband speed,2 the country’s broadband networks have created a powerful platform for innovation.

Jang GyeHyun
Jang GyeHyun is a research professor at the School of Cybersecurity at Korea University. He earned his PhD in information security and a BE in industrial engineering from Korea University.

Korea has been a divided country for more than sixty years, and the Republic of Korea’s neighbor, North Korea, is known worldwide as a major malicious actor online. This has made the ROK’s online authentication and data access control policies and their implementation even more important.

Of course, Korea is not alone in facing a hostile external environment. Other countries that face acute cyber threats from hostile neighbors, such as Estonia and Taiwan, have also invested heavily in cybersecurity.

However, Korea’s experience is also anchored by historical experiences and practices that are unique to the country’s development trajectory since the 1960s. During that decade, Korea launched its drive for rapid industrialization, which included a national-level personal identification system that became especially important as the country’s economy began to move online in subsequent decades. Moreover, Korea established and enforced a national-level authentication infrastructure, the National Public Key Infrastructure-based Authorized Certificate (NPKI-based AC), which was given a status superior to that of many other certificates. Unfortunately, several problems have emerged with the certificate because it is difficult to use and dependent upon a single technology platform. As a result, the use of these identification and authentication methods has been limited, and the government has had to introduce alternative methods.

In the main, Korea’s approach to data accessibility has been conservative. Yet, that is changing today due to a clear recognition by government officials, corporate leaders, and citizens alike of the need for a more flexible, open policy to reflect social demands and changes in the business environment.

The Information and Communications Technologies Environment of Korea

Korea is recognized as having one of the most advanced ICT infrastructures in the world,3 and it has become a testing ground for leading-edge applications. The country has consistently ranked first or second among 176 countries on the International Telecommunication Union ICT Development Index since 2009 and ranked second in 2017, the most recent survey.4 Korea is also among the world’s leaders in internet and smartphone penetration as of 2020.5 Beyond infrastructure, Korea also ranks highly in utilization and services. In the UN E-Government Development Index, Korea is consistently near the top, ranking first three consecutive times (2010, 2012, 2014) and second in the most recent announcement in 2020.6 Moreover, Korea’s proportion of e-commerce transactions has reached 30 percent,7 and the proportion of online banking has reached 66 percent.8

In addition to Korea’s rapid economic growth and so-called “ppalli ppalli” (faster, faster) culture, geographic and demographic advantages and its government-driven policies have been major factors in its ICT development (see table 1). In the 1970s, a national public administration initiative led to the establishment of a resident registration system and computerization of administrative information. In the 1980s, policies for the spread and expansion of telecommunication networks were implemented in earnest. In the 1990s, ultra-high-speed information communication networks were developed. And in the 2000s, the change to an information society led to the development and dissemination of internet-based technologies, laying the foundation for e-government services and improving information security.

Korea’s ICT policy was implemented under a clearly defined, government-driven strategy, which was effective in terms of infrastructure construction and foundation building. However, one limitation of this approach was that technology was often developed according to government specifications rather than market demand. For instance, the WiBro wireless broadband technology that was developed, generously funded, and promoted by the Korean government could not succeed in the market and failed to compete against LTE (Long-Term Evolution) 4G networks.

Lim Jong-in
Lim Jong-in is a professor at the Graduate School of Information Protection and the Department of Cyber Defense at Korea University. In 2015, he served as the special adviser on cybersecurity to the Korean president.

Korea’s geographic and demographic advantages were also important factors. In evaluating the ICT development environment of states, factors like population, gross domestic product, area, and particularly population density affect the availability of broadband and mobile networks. Korea ranks twenty-third in terms of population density, but fourth among countries with an area of over 2,000 square kilometers and first among the Organisation for Economic Co-operation and Development (OECD) countries. In addition, Korea is highly urbanized: 47.5 million people (91.8 percent of the country’s 51.8 million population) live in cities as of 2020.9 This has clear advantages for ICT development, deploying online services, and addressing the connectivity divide and other types of digital divides.

Entities and Laws Related to Trust in Online Services

A number of government entities have shaped Korea’s efforts to foster trust online (see table 2). An important factor in the study of Korean public administration is the analysis of the relevant ministries and the legal system under their jurisdiction. In Korea, for each issue, the law stipulates in detail which ministries hold roles and responsibilities and how the issue is regulated and responded to. In the areas of online authentication and identification, the Ministry of Interior and Safety is a key organization and oversees the Resident Registration Act, the E-Government Act, and the Information Disclosure Act. In the past, it was also in charge of the Personal Information Protection Act, which was transferred to the jurisdiction of the Personal Information Protection Commission in 2020. Another major entity is the Ministry of Science and ICT, which is in charge of Korea’s most important security-related law, the ICT and Security Act. It deals with various internet-related issues such as online security, protection of personal information, and countermeasures against illegal information. In addition, the Ministry of Science and ICT is also in charge of the Electronic Signature Act, which is the core of online authentication. In the financial sector, the Financial Services Commission deals with electronic financial transactions and credit information protection.

Major Cyber Incidents

Although Korea has succeeded in deploying a highly developed digital infrastructure, the country still faces many difficulties in terms of cybersecurity. In particular, North Korea has launched frequent major cyber attacks against both government offices and corporations in the ROK. And precisely because Korea is highly dependent on ICT, the resulting damage has amounted to billions of dollars as well as widespread disruption of key services. Microsoft estimates that Korea’s economic loss from cyber threats amounted to $72 billion in 2017 alone.10 And the damage to Korea’s economy caused by a distributed denial-of-service (DDoS) attack in 2009 and the March 20 and June 25 cyber terrorism attacks in 2013 was estimated at $746 million.11

Korea has experienced cyber attacks continuously since 2009, including DDoS attacks and cyber terrorism (see table 3). Most of these cyber attacks are presumed to originate in North Korea, but that is not always the case. For example, in the case of the 2018 PyeongChang Olympics cyber attack, Russia was suspected of retaliating for its punishment by the International Olympic Committee for a national doping scandal. After experiencing such cyber incidents, the Korean government established new policies and countermeasures to identify problems, improve response time, and reduce the damage these attacks cause.

Korea has also experienced several major personal data breaches in the private sector. After the Auction incident in 2008, when millions of users’ personal data records, including real names and encrypted Resident Registration Numbers (RRNs), were revealed by a security breach,12 efforts to improve the protection of personal data and reduce the damage caused by data breaches became a major focus of public and regulatory attention. Since then, Korea has experienced many large-scale incidents, such as the breaches of SK Communications in 2011, of major credit card companies in 2014, and of Interpark in 2016. One response was the Personal Information Protection Act, which became a general law in 2012, prohibiting the collection of RRNs online and strengthening the right to self-determination of personal information.

Online Identification

The system of online identification in Korea has centered, in the first instance, around a range of government initiatives.

Resident Registration Number

Korea’s identification online was centered on the RRN until the mid-2000s. The RRN is a unique lifelong identification number given to all Koreans at birth, much like the Social Security number in the United States, and is used for a wide range of government and private-sector purposes. The Korean RRN and the Resident Registration Card (RRC), a nationally recognized identification card that includes the RRN, were established by the enactment of the Resident Registration Act in 1962 (see table 4).

This act was amended in 1968 to establish a twelve-digit Personal Identification Number (PIN) system, the predecessor of the RRN system. In addition, an RRC was issued to citizens over the age of eighteen. Later, in 1975, the age requirement was lowered to seventeen, the number was converted to the RRN’s current thirteen-digit system, and the RRC was updated (see figure 1). After a second renewal in 1983 and a third in 1999, the RRC has been maintained in its current form.

Because the RRN is a unique identification number assigned to each citizen of Korea, it was widely used for identification online in the early 2000s. Private websites that were not legally mandated to collect and verify the RRN also requested it when individuals signed up. They could not verify whether an RRN was genuine or belonged to the person presenting it; they could only check its syntax using the RRN checksum algorithm. Moreover, most of them used the RRN as the key value for identification in their website databases.13
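The following validator, added here as an example and not taken from the chapter, performs the kind of check the websites described above could run: it confirms the syntax, the embedded date, and the mod-11 check digit of a thirteen-digit RRN (the pre-2020 format) but, as the text notes, cannot tell whether the number was ever issued or belongs to the person presenting it. The sample numbers are constructed.

```python
# Added example (not from the chapter): format-only validation of a
# thirteen-digit RRN in its pre-2020 form.  The weights and the mod-11
# check digit are the published RRN scheme; the sample values used in
# the demo are constructed and do not belong to any real person.
import re
from datetime import date

# Weights applied to the first twelve digits when computing the check digit.
RRN_WEIGHTS = (2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5)

# Seventh digit encodes century (and, for 5-8, foreign-national status).
CENTURY_BY_SEVENTH_DIGIT = {
    1: 1900, 2: 1900, 3: 2000, 4: 2000,
    5: 1900, 6: 1900, 7: 2000, 8: 2000,
    9: 1800, 0: 1800,
}


def rrn_check_digit(first12: str) -> int:
    """Compute the thirteenth digit from the first twelve."""
    total = sum(int(d) * w for d, w in zip(first12, RRN_WEIGHTS))
    return (11 - total % 11) % 10


def rrn_format_valid(rrn: str) -> bool:
    """Return True if rrn is syntactically well formed.

    This is exactly the check a website without access to the national
    registry could perform: it catches typos and random strings, but a
    True result says nothing about whether the number was ever issued.
    """
    digits = rrn.replace("-", "")
    if not re.fullmatch(r"\d{13}", digits):
        return False
    century = CENTURY_BY_SEVENTH_DIGIT[int(digits[6])]
    try:
        # The first six digits must form a real calendar date (YYMMDD).
        date(century + int(digits[0:2]), int(digits[2:4]), int(digits[4:6]))
    except ValueError:
        return False
    return rrn_check_digit(digits[:12]) == int(digits[12])


if __name__ == "__main__":
    # Constructed samples: one well formed, one with a wrong check digit,
    # one with an impossible month.
    for sample in ("900101-1234568", "900101-1234567", "901301-1234568"):
        print(sample, rrn_format_valid(sample))
```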

After 2004, as the internet was expanding, the problems of excessive collection of RRNs and theft of personal data increased. A survey conducted by the country’s top certification body, the Korea Internet and Security Agency (KISA), in 2003 found that out of 448 websites, 447 had requested the collection of RRNs.14 This was done to discourage illegal activity, but the resulting stores of RRN data were excessive, making them vulnerable to theft and abuse. The National Public Key Infrastructure-based Authorized Certificate was launched in 2004 as a way to enable substitutes for RRN identification (for example, the I-PIN) and began to be discussed as a way to limit the collection of RRNs online.

After the 2008 Auction personal data leak, several provisions related to personal information were revised in the Act on Promotion of Information and Communications Network Utilization and Information Protection and associated legislation. Article 23-2, added by this amendment, obliges Korea’s online service providers with more than a specified number of page views to introduce a means of replacing the RRN.

In August 2012, the collection of the RRNs online was prohibited outright, and in August 2014, the so-called RRN collection legalism was introduced to prohibit collections of RRNs except where specific laws require them to be collected, such as for e-government services, financial transactions, contract signings, and medical information verification.

With the introduction of the RRN collection legalism and the implementation of alternative identification measures, there was a demand for changes in the RRN system itself. Discussions emerged around how to solve chronic problems with the current RRN system, such as the possibility of exposure of personal information and the fact that it is impossible to change a permanent identity number that is meant to be used throughout a citizen’s lifespan. Ultimately, the RRN system was revised to allow for the reissue of a new RRN in cases of possible exposure of personal data and to protect victims of domestic violence and sexual violence. Thus, the RRN, in thirteen-digit form, was revised in 1975 and has been maintained to this day, but it is used today as a means of identification online only in limited circumstances.

I-PIN

Due to the risk of data breaches and the reckless collection and use of RRN data, the Korean government established and distributed the Internet Personal Identification Number (I-PIN) system as an alternative means of identifying individuals on the internet. Credit bureau companies such as the Korea Credit Bureau, National Information and Credit Evaluation, and SCI Information Service were designated by the government in October 2006 as official I-PIN issuing entities. When a site requests identification, the issuer verifies the user against the information it holds, including the RRN, and returns the result.

In June 2010, the Korean government introduced I-PIN 2.0, which added functions such as connecting information (CI), a value that links a user across different services, and duplicate-join verification information (DI), which prevents duplicate subscriptions. The core of the I-PIN 2.0 system is the CI, which creates a unique universal key value for online identification that replaces the RRN for a specific individual. The CI is a unique value that corresponds directly to the RRN. It is an 88-byte value produced by applying a SHA-512 hash function to the RRN together with several padding and key values that are shared by the KISA and the I-PIN issuing entities (see figure 2). The CI is used not only for the I-PIN but also for the public identification services established later in 2012. The DI is a 64-byte value generated from the RRN and the information of the internet service provider (ISP), providing a unique value linked to each ISP.
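The following model, added here as an example and not taken from the chapter or from KISA, shows how the CI and DI lengths stated above follow from the hash functions: SHA-512 yields 64 raw bytes, which base64-encode to 88 characters, while a 48-byte digest encodes to 64 characters. The shared key and padding are secrets held by KISA and the issuers, so the `ASSUMED_*` values, the use of HMAC, and the choice of SHA-384 for the DI are assumptions made for illustration only.

```python
# Added example (not from the chapter): a model of how an 88-byte CI and a
# 64-byte DI come out of hash functions.  The real padding and key values
# are secrets shared between KISA and the issuers; everything named
# ASSUMED_* is a constructed placeholder, so the outputs are illustrative.
import base64
import hashlib
import hmac

ASSUMED_SHARED_KEY = b"constructed-placeholder-key"  # not the real shared key
ASSUMED_PADDING = b"constructed-padding"             # not the real padding


def connecting_information(rrn: str, key: bytes = ASSUMED_SHARED_KEY,
                           padding: bytes = ASSUMED_PADDING) -> str:
    """Keyed SHA-512 over padding + RRN digits, base64-encoded.

    SHA-512 yields 64 raw bytes; base64 turns 64 bytes into 88 characters,
    which is why the CI is 88 bytes long.  The same RRN always maps to the
    same CI, so services can link one person without ever holding the RRN.
    Keying the hash matters: the RRN space is small enough that an unkeyed
    hash of it could be inverted by exhaustive trial.
    """
    digits = rrn.replace("-", "").encode("ascii")
    digest = hmac.new(key, padding + digits, hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")


def duplicate_join_information(rrn: str, service_id: str,
                               key: bytes = ASSUMED_SHARED_KEY) -> str:
    """Per-service value derived from the RRN and the service's identifier.

    The chapter gives the DI length (64 bytes) but not its construction.
    SHA-384 is assumed here only because its 48-byte digest base64-encodes
    to exactly 64 characters.  Mixing in service_id means one person gets a
    different DI at every service: a service can detect the same person
    joining twice, but two services cannot join their DIs to track a user.
    """
    digits = rrn.replace("-", "").encode("ascii")
    message = service_id.encode("utf-8") + b"|" + digits
    digest = hmac.new(key, message, hashlib.sha384).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample RRN; it does not belong to any real person.
    sample = "900101-1234568"
    ci = connecting_information(sample)
    print("CI length:", len(ci), ci)
    for service in ("shop.example", "forum.example"):
        di = duplicate_join_information(sample, service)
        print(service, "DI length:", len(di), di)
```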

With the implementation of the RRN collection legalism, the demand for I-PINs that could replace the RRN also increased. In addition, MyPin, a thirteen-digit random number derived from the I-PIN (see figure 3), was introduced for cases where identity verification and linkage are required offline.

However, because the I-PIN adopted ID/password-based authentication, it required mandatory additional security measures, such as CAPTCHA and the installation of ActiveX controls to prevent keylogging. These complementary security measures caused great inconvenience. Despite them, in early 2015, a public I-PIN service operated by the Korea Local Information Development Institute was hacked, resulting in 750,000 fraudulent issuances.15 In response, in May 2015, all existing I-PINs were reissued, and an expiration date was introduced so that each I-PIN must be renewed every year. The system was also changed to require an additional authentication factor such as a secondary password, a key pattern, or biometric authentication.

These additional security measures made the I-PIN more inconvenient to use than private identification services, slowing its adoption. According to a survey by the Ministry of Science and ICT and the Korea Internet Promotion Agency, 37.7 percent of websites (2,783 of 7,371 websites surveyed) that provided I-PIN-based identification reported that no website visitor had used it in over a year.16 This decline in the use of the I-PIN led to the government’s decision to abolish the system. New issuances and renewals were stopped in October 2018, and a decision was made to terminate the program in 2021, when the last public I-PINs, which were valid for three years, expire.17

Private Identification Services

Since August 2012, online identification through the RRN has been prohibited in Korea, and because the government I-PIN and the NPKI were not widely used, the government considered other alternative means that could be used easily and inexpensively. In August 2012, the government established rules for identity verification agencies, and in December 2012, the Korea Communications Commission (KCC) determined that three mobile network operators (MNOs) could be designated as identity verification agencies in the private sector.18 Identity verification by the MNOs was initially conducted in the form of a challenge and response through text messages.

The online service provider (OSP) handles the user’s request for identity verification through the verification agencies designated by the MNOs. The agency transmits a challenge to the user’s mobile phone using the personal information stored by the MNO, and the user sends a response to the verification entity. The verification entity then provides the requester’s personal information, together with the CI and DI obtained from the credit bureau companies, to the OSP to verify the identity. As the use of smartphones spread, app-based authentication methods, such as QR codes and biometric authentication, were added.

At the end of 2017, the Korea Communications Commission designated seven major credit card companies as new identity verification agencies, and they started their identification operations in April 2018.19 These credit card companies, like the MNOs, are allowed to collect and retain personal data, including RRNs. They offer identification in three forms: payment through a mobile card application, authentication through an automated response system, and verification through access to the card company’s website, providing personal information, the CI, and the DI to the OSP (see figure 4). Because credit card companies are regarded as reliable and secure entities, the set of identity verification agencies could be expanded to include them.

Such private identification services will be expanded further when the I-PIN expires. In March 2021, major OSPs, such as Naver, Kakao, and the fintech company Toss, applied for status as identity verification agencies but were rejected by the KCC due to concerns about account and identity theft.

Identity Verification of Users of Online Message Boards

Since 2003, Korean society has discussed the introduction of an internet real-name system to address many problems with internet and online services, and in 2004, an amendment to the Public Official Election Act included a provision for real-name verification for internet media sites to prevent false slander during the election process. As the use of the internet expanded, the former Ministry of Information and Communication (MIC), the agency in charge, worried about how the anonymity of internet users could facilitate defamation, fraud, and doxing—all of which were already happening in Korea, in sometimes highly publicized cases.

In January 2007, the government of Korea proposed an amendment to the ICT and Security Act, which included the so-called limited identity verification provision, which required users of some large online services to verify their real names. Despite some opposition from civic groups and the public, this amendment eventually was enacted by the National Assembly, resulting in the launch of an internet real-name system in Korea in July 2007.

Article 44-5 of the ICT and Security Act stipulated that the entity operating an open message board should take measures to verify users’ identities on boards that have a large impact on Korean society. Initially, according to Article 30 of the ICT and Security Act, online service providers such as portal sites and user-generated content service providers with more than 300,000 page views per day and internet media sites exceeding 200,000 page views per day were targeted.20 Later, in January 2009, this regulation was revised, and the target was expanded to all websites exceeding 100,000 daily page views (see table 5).21

After the implementation of the limited identity verification rules, malicious content was reduced on internet bulletin boards as well as in comment and reply sections, but the effect was not large. According to the results of a 2007 survey led by the MIC and the KISA, the proportion of malicious comments on these boards decreased from 15.8 percent to 13.9 percent.23 In addition, a 2010 study by Woo, a professor at Seoul National University, which compared the ten-day periods before and after the implementation of the limited identity verification rules on July 27, 2007, found that slanderous posts decreased slightly from 13.9 percent to 12.2 percent. However, the number of distinct internet protocol addresses posting decreased significantly, from 2,585 to 737, during the same period.24 This suggests that although the regulation had no significant effect on the type of comments posted, it adversely affected internet participation.

In addition, some overseas service providers refused to abide by the new regulations. In 2009, the YouTube website in Korea recorded more than 100,000 average page views per day and became subject to the identity verification rule. In response, Google, which runs YouTube, decided to bypass the regulation by restricting YouTube video uploads in Korea and closing the comment feature.25 As a result, Korean users had to change their country settings to use YouTube sites of other countries. Subsequently, the Korea Communications Commission, which oversaw the identity verification system, decided to exempt overseas websites.26 This decision, however, led to complaints of reverse discrimination against domestic sites.

In August 2012, the Constitutional Court of Korea unanimously ruled that the internet real-name system was unconstitutional in a ruling on a lawsuit filed by internet media companies, civic groups, and some users.27 The court ruled that it was not in the public interest to limit freedom of expression, particularly considering that illegal postings did not decrease significantly after the implementation of the internet real-name system. The court also noted adverse side effects, such as users fleeing to overseas sites and reverse discrimination against domestic companies. As a result of this court decision, the limited identity verification was abolished in Korea.

In addition, in January 2021, the Constitutional Court ruled as unconstitutional the provision for real-name verification on internet media sites, which had been enacted to prevent false slander during elections since 2004, under Article 82-6 of the Public Official Election Act. Accordingly, the regulations on websites related to the two major internet real-name systems in Korea have been abolished. As a result, the game shutdown law, which restricts teenagers from accessing online games from midnight to 6 a.m., is the only law in Korea related to the online real-name system.28

Authentication Online

National Public Key Infrastructure-Based Authorized Certificate (NPKI-based AC)

In the late 1990s, with the progress of information technology, it became necessary to prepare an infrastructure for carrying out traditional social activities in non-face-to-face electronic environments for e-commerce, e-government, and similar services. These activities included financial transactions, contracts, and identity verification online. In response to this need, internationally, the Working Group on Electronic Commerce of the United Nations Commission on International Trade Law conducted standardization studies related to online authentication.

This was both timely and useful because high-speed communication network technologies such as ISDN and ADSL quickly spread through Korea during the late 1990s, and policymakers recognized the necessity of creating a foundation for e-commerce and other services, which were growing very rapidly. Annual growth of e-commerce-based transactions was 400 percent from 1997 to 1999.29

To meet this growing need, Korea enacted an array of laws, such as the Electronic Signature Act and the Basic Act on Electronic Transactions, promulgated as Act Nos. 5792 and 5834, respectively, in February 1999 and taking effect in July 1999. Subsequent legislation included the Act on Promotion of Electronic Administration for E-Government Realization of 2001 (E-Government Act), ensuring the legal status of electronic signatures, seals, and stamps. Under this provision, an authentication function is provided for electronic signatures to assess the authenticity of documents and electronic transactions.

The institutional basis for digital signatures was established in Korea in 2001, and the NPKI-based AC system has been implemented in earnest since then. Architectures, technical specifications, and so on had already been discussed in 1999, focused on the government and financial sectors separately, and were integrated into the current NPKI system in 2001.

Public key infrastructure (PKI) is a technology used for implementing digital certificates and public key encryption in an online environment. The ITU-T X.509 standard specifies the certificate format used in PKI, which underpins secure sockets layer encryption and the implementation of electronic certificates. PKI is a widely used technology, but Korea built a PKI at the national level to provide a robust authentication technique that could be used in a wide range of situations. It is characterized by mandatory use in electronic financial transactions and e-government-related activities.

Korea’s NPKI system issued certificates through the KISA and five private organizations designated as certificate authorities (CAs).30 In the issuing process, when a user requests certificate issuance from a registration authority (RA), such as a bank that generally performs certificate issuance, the RA makes a request to the CA for validation and certificate issuance. The CA verifies whether the user is legitimate based on the personal information it holds. Based on the certificate granted by the root CA to the CA, the user’s authorized certificate is issued by the CA and delivered to the user through the RA. The verification and signing process runs in the reverse order. When the OSP requests that the user sign through the RA, the user produces a signature with the private key and sends it along with the certificate. The RA has the signature verified by the CA, and the CA in turn has the certificate chain verified against the root CA (see figure 5).

When the NPKI-based AC is issued, it is saved as files such as signCert.der and SignPri.key in the NPKI folder on the user’s computer. If a site requires an AC, a certificate in the form of these files is loaded through the AC Manager, and authentication is performed through a signing operation with the user’s private key. In addition, since the certificate is managed in the form of files, it can be copied and used on other computers or smartphones.

Here, the Korean model provides a lesson for other countries because its authorized certificate system may have several advantages as a national-level infrastructure, and is mandated for use in online transactions, such as online banking, payments over 300,000 Korean won (about $265), and e-government-related services.31 In addition, the AC is widely used as a means of online identification. Thus, by 2010, the AC had come to dominate the online authentication market (see figure 6), and other types of certificates were rarely used in Korea. Still, some problems cropped up that those who seek to emulate Korea’s example can learn from.

Specifically, the idea of establishing an NPKI system and the AC may have several advantages, and there were no issues with the design of the architecture and technical specifications. However, in implementing and developing an actual system for specific online applications, several security vulnerabilities and usability problems emerged.

The essence of this problem is that the implementation relied on ActiveX, a plug-in for Internet Explorer (IE) provided by Microsoft. The NPKI system itself is technology neutral, but it was implemented by security companies using ActiveX, which works only in Windows and IE environments. In the early stages of NPKI, Korea’s standard encryption algorithm called SEED was used, and most Korean users at that time used Windows and IE environments. To improve ease of use, the encryption algorithm was changed to one based on AES, but ActiveX continued to be used.

The first problem with this is the dependence on a specific computing environment. In the many other operating systems and web browsers where ActiveX did not work, the AC could not be used at all. This issue became even worse with the advent of smartphones and Microsoft’s decision to remove ActiveX from its browsers in 2015.

The second problem is the security problem of ActiveX itself. Installing the CA’s ActiveX controls requires granting them operating system administrator privileges on the user’s computer. This makes it easy to install additional capabilities, including a keylogging prevention tool, which could be implemented only with ActiveX and was widely adopted and used in Korea. However, it also meant that many people at the CAs and solution providers had access to the internal files of users’ computers, resulting in many security vulnerabilities.

Due to growing antipathy against the NPKI-based AC, in March 2014, then president Park Geun-hye proposed abolishing the mandatory use of AC for payments. Afterward, mandatory AC use for payments over 300,000 Korean won was abolished, and the mandatory provisions for AC in internet banking were also abolished in March 2015. Nevertheless, the NPKI-based AC and the ActiveX-based security measures were used continuously given path dependence and legacy software.

In 2017, presidential candidate Moon Jae-in proposed abolishing NPKI-based AC as part of the ICT pledge, and the majority of the public and relevant civic groups supported the proposal.32 After Moon took office in May 2017, his government promoted the withdrawal of AC, which led to a complete amendment to the Electronic Signature Act, abolishing the mandate for use of the NPKI-based AC.

Mixed Online Certification Environment

In its place, in December 2020, the government adopted a joint certificate environment, enabling various authentication means to be used together (see table 6).

The joint certificate enables secure communications and is also used in identity verification services, providing personal information such as CI, DI, and birth date after verification. Although joint certificates are no longer the sole government-endorsed means of authentication, in many high-assurance settings they remain the only method accepted, for example when issuing documents such as registration certificates and social insurance verification. The private sector also still often requires the joint certificate, for instance for self-certification in online education.

Financial institutions jointly issued a financial certificate, a cloud-based certificate unlocked with a six-digit PIN or device-level biometric authentication, which is valid for three years and renews automatically. In addition, major banks provide their own certificates. Various private certificates have also been released, used, and adopted in many services, including e-government services. The MNOs’ Pass service was already in use for identity verification. Moreover, Kakao and Naver (representative OSPs in Korea) and Payco and Toss (fintech companies) also provide authentication services.

Data Access Control

Korea has also pioneered several methods of access control for public databases under an architecture of open government data policies.

Increasing the accessibility of public data can be advantageous, not least by meeting right-to-know requirements, enabling better analysis, and fostering new services that lead to job creation and add value to the economy. But as Korea, like many countries, has discovered, excessive public information disclosure can have several adverse effects. These include the infringement of rights (such as privacy), fraud, and unfair and deceptive sales techniques. As a robust democracy with extensive platforms for citizen engagement, Korea has had to address such issues as data management, access-related systems, and guaranteeing the availability of data and services when the government put the regulations and policies in place.

Public Data

In the past, public data in Korea was processed and managed by the government, which guaranteed the public’s right to know through information disclosure requests. In 1996, the Act on the Disclosure of Information by Public Organizations was enacted to stipulate the rights and forms of public requests for disclosure of information held by public institutions and stipulated matters necessary for the disclosure obligations of public institutions. This act has aimed to ensure the public’s right to know, citizen participation in national affairs, and government transparency.

Requests for disclosure of information in public institutions were processed by the National Archives of Records starting in 2004, and requests for disclosure of information have increased every year, showing steady growth from 104,024 in 2004 to 756,342 in 2016.34 On average, the information disclosure acceptance rate is maintained at around 95 percent every year.35 However, there are criticisms that this figure is overinflated, since the government agencies often partially disclose information excluding crucial data for reasons such as invasions of privacy or damage to public interests.36

The paradigm of public information also changed dramatically due to the introduction of smartphones in 2010 and the flood of data and new apps that resulted. Restrictions on public information became a problem due to the increase of applications accessing information on a smartphone. For instance, a simple bus location app required real-time government data. To cope with issues like these, Korea established a plan to promote the private use of public information in 2010. In 2011, guidelines for the provision of public information and public data portal services were established, which led to the Government 3.0 Basic Plan and the Act on Providing and Utilizing Public Data in 2013.37

In 2016, the government established the E-Government 2020 Basic Plan, as well as five strategies to reflect the social demands arising from the advent of a hyperconnected society.38 Better access to public data was enabled by increased funding for government IT systems and a shift to cloud-based administrative information infrastructure. In February 2021, the government established the Data 119 Project and announced a data strategy to revitalize the digital economy by promoting open data utilization.39 The strategy called for amending and updating the so-called three data laws, launching nine new data services, and carrying out eleven action tasks, including the establishment of a special data committee. The three data laws’ amendments are the amendments to the Personal Information Protection Act, the ICT and Security Act, and the Credit Information Protection Act. These laws were promoted to meet the needs of industry, by introducing the concept of pseudonymous information and helping certify adequacy with the European Union’s General Data Protection Regulation (EU GDPR).

To implement public data access control, meanwhile, the government has pursued various lines of effort, such as establishing a management system, managing accessibility, and securing availability. In 2002, the E‑Government Special Committee was established to research policies and implementation to establish e-government services. An Innovation Plan for Efficient Operation of the Pan-Government Computer Environment was later selected as one of the thirty-one tasks in the E‑Government Roadmap in 2003. In 2004, a plan for establishing and promoting an integrated computing environment-related ISP project was prepared. In 2005, the Government Integrated Computing Center was established in Daejeon under the Ministry of Information and Communication (MIC). The Government Integrated Computing Center was renamed the National Information Resource Management Service in 2017 and is currently in operation. Since 2007, the Gwangju Center has been the core of this architecture, and a Gongju Center for backup and Daegu Center for Cloud have been under construction since 2019 (see figure 9).

Private Data

The most complex issue regarding data access in the private sector is the use of personal information, and Korea has had to find and adopt a pathway that reflects its national conditions. Today, Korea’s personal data-related regulations resemble EU-style regulations that emphasize protection in the form of detailed provisions limiting the collection and unauthorized use of personally identifiable information.

But in the early days of its ICT development, Korea did not have regulations related to personal information protection at all. It addressed the problem in earnest only in 2001 by revising the ICT Promotion Act, which is now called the Act on Promotion of Information and Communications Network Utilization and Information Protection. Chapter 4 of the revision stipulated various provisions related to personal information protection. And in a 2008 revision, after the Auction incident, regulations related to personal information protection were reinforced, by, among other things, introducing the concept of a conforming business operator to stipulate entities other than OSP.

With the enactment of the Personal Information Protection Act (PIPA) in 2011, Korea established a regulatory system for personal information. The PIPA is a general law regulating overall subjects and personal information protection in Korea, and the ICT and Security Act specifically regulates OSPs. The Credit Information Protection Act specifically regulates financial institutions.

The PIPA broadly defined personal information as information that, by itself or in combination with other information, could be used to identify the person linked to the information. Accordingly, various types of information, such as the Internet Protocol address and media access control address, are recognized as personal information; therefore, their use is restricted. Adoption of big data tools by Korea’s companies is only 7.5 percent, putting it fifty-sixth out of sixty-three countries in 2017, according to a study by the International Institute for Management Development.40 Also, according to the Korea Data Industry Promotion Agency, the size of the Korean data markets as of 2017 was $443 million, which was only 0.25 percent of the U.S. market ($177 billion).41

In response to the EU GDPR and in preparation for the Fourth Industrial Revolution, there have been demands for improvements to Korean privacy regulations. Accordingly, in January 2020, the government revised the so-called three data laws’ amendments to improve protection of personal information. By revising these three laws, the government introduced the possibility of using nonidentifying personal information and enabled social access to data with the expectation that new commercial services would be established, such as MyData. This is a one-stop service relying on data portability that was created by an industry-university consortium to provide various financial-related information and is expected to launch by August 2021.

Data Localization

Another major issue regarding personal data access in Korea concerns cross-border access and transfers. Korea had earlier provisions covering personal information abroad in its ICT and Security Act, but these did not answer questions about overseas transfers, and individual consent was required. In the PIPA, Article 17 likewise allows transferring personal data outside of Korea only in provisional cases.

Due to Korea’s conservative regulatory environment, Article 17 only stipulates that the consent of the data subject must be obtained when transferring data about them to other countries. It does not specify in detail the level of protection that must be provided by data processors in other countries or additional protection measures that must be implemented. The Asia-Pacific Economic Cooperation forum established the Cross-Border Privacy Rules System in Asia, which is different from the EU’s Adequacy and Safe Harbor (Privacy Shield) provisions established under the GDPR (see table 7).

A gap also exists in the regulations related to cross-border transfer in the revision of the three data-related laws. Discussions on this continue between Korea and other major economies, and the cross-border transfer using a mutual-adequacy approach, such as EU GDPR’s adequacy and other options, will need to be continually reviewed.

Conclusion

The importance of the internet, cloud computing, and other information technologies is increasing rapidly due to the coronavirus crisis and the Fourth Industrial Revolution transformation. As business activities, financial transactions, and education continue to shift online, security measures related to online identification, authentication, and nonrepudiation will become even more important. In addition, access to information is contributing a large part of new value creation in almost every sector of the economy. Furthermore, if Korea is to fully leverage data-centric services developed elsewhere, data localization and cross-border data flow issues will need to be better addressed in a consistent manner.

Korea has one of the most advanced ICT infrastructures in the world. Both government and industry have worked hard to make that infrastructure (and the applications that rely upon it) more secure and reliable. Korean efforts to improve online authentication can provide useful case studies that can inform many other countries facing similar challenges.

Korea has a unique political system characterized by a government-driven, conservative process for making and implementing policy that reflects the peculiar character of its bureaucracy. This resulted in the establishment of national-level infrastructure such as NPKI-based AC in Korea, while other countries entrusted ICT policies and security measures, including online authentication, to the market.

The history of online authentication in Korea began with the use of RRNs, which were used for online authentication without adequate privacy safeguards. As e-commerce and e-government developed, Korea experienced various personal data breaches, leading to limits on the number of cases where RRN collection and processing is allowed. The government introduced the I‑PIN to replace the RRN, but it was not adopted in the market because it was difficult to deploy and use, and it was ultimately abolished. In contrast, online identification through mobile phones and credit cards has become mainstream due to their convenience.

Between 2001 and 2015, online authentication in Korea focused on a government-mandated NPKI-based AC system, a national PKI-based digital signature system. Although it had the advantage of providing a national-level authentication infrastructure, one disadvantage was that the government required use of specific technologies, and that policy probably held back progress of online authentication by five years or more.

In addition, during the implementation process, the contractors and security solution vendors forced a specific technology, the NPKI-based AC system, that did not meet users’ needs. Users thus faced problems such as being reliant on Microsoft Windows and IE or being required to use ActiveX. This resulted in complaints from the public, who wanted more options and flexibility. Eventually, the mandate requiring use of the NPKI-based AC was abolished and replaced by a joint certification, and the environment changed to the mixed use of various authentication methods. Unfortunately, the development and introduction of other authentication methods such as browser SSL certificates and FIDO have been relatively delayed in Korea, and they are still not mainstream in the market.

Korea’s data access policy has also changed from the initial conservative approach to a more open, innovative approach. Access to public data was limited in the past by a cumbersome request process, but new approaches have led to the expansion of public data access and an open application programming interface and the establishment of a public data portal service, enabling access to much more data, sometimes on a near-real-time basis. Although it is not as developed as Estonia’s Data Embassy, the Korean government is preparing to move key government resources to a cloud-based data repository, using a national convergence network design and a recovery system through the Daegu and Gwangju centers.

Until just a few years ago, Korea’s online authentication and data access control–related policies and implementations were conservative. New market demands, especially users’ expectation of new online services, and the changing business environment are gradually pushing policy in the direction of increasing usability and openness. This is one of the most important lessons that digital policymakers in other countries can learn from both Korea’s successes and failures.

Another key lesson is that trust is one of the most important ingredients for successful policies for the internet. Developing standards or technologies for securing trust benefits from sustained, consistent, high-level, political leadership. In the early days of internet development, Korea built a platform for online authentication and identification by the government that played a key role in the development of the Korean internet environment, such as e-government services, online transactions, and other services. However, the dissemination of trust-related technologies led by the Korean government also had obvious problems, resulting in an iterative, trial and error process that created the current environment. This history can provide other countries lessons on the merits and limits of government-centered dissemination of trust-related technologies.

The national approach to online authentication demonstrates the clear benefits of economies of scale and rapid adoption. If a well-designed technology or platform is developed by key government agencies, it can accelerate adoption cost-effectively at the national level. In the case of Korea, as the state established an online authentication system and mandated it for many public sector and online transactions, it could quickly enable better authentication for much of the Korean internet environment. However, Korea’s state-led online trust technologies were developed for a uniquely Korean system, failing to secure interoperability at the international level, and resulting in an isolated system—an example of the so-called Galápagos syndrome.

Even if the policy and architecture are well designed, it is also necessary to carefully monitor issues that may arise in the process of development, implementation, and use. In the case of Korea’s online authentication-related technologies such as NPKI-based AC and I-PIN, the architecture itself did not have any problems, but security issues appeared in the process of implementing and managing them by the responsible agencies or security solution contractors. Therefore, the state should carefully establish the specifications of security- and privacy-related technologies, and continuously supervise (and adjust) the process of implementation and operation.

In the processes of policy and technological decisionmaking, arbitrary government decisions can be dangerous. Although civic groups, industries, and users expressed concerns about NPKI-based AC, RRN, I-PIN, and data access control in Korea, they did not significantly influence decisionmaking. Korea’s internet real-name system is a representative example of a controversial policy that was later restrained when the judiciary ruled it was unconstitutional. Even if the government leads certain policies and technologies, it needs to gather opinions from all stakeholders and address them as much as possible.

A key lesson in Korea’s online authentication is that government-led policies and implementations can be effective, but government mandates can have side effects. In Korea, specific online authentication and identification methods were deployed by the government, mandated in some areas, and therefore given priority over other authentication methods. As a result, the overall online environment depended on the public authentication methods, and development of the authentication industry was stymied. Eventually, a pivot to various authentication methods, including private certifications and a focus on evaluating the security of authentication methods, made government efforts to increase trust online much more effective.

In hindsight, it is clear that the Korean government should have pursued a different path. If, from the beginning, it had distributed and utilized the NPKI-based AC but used it as just one of various authentication methods and allowed users to choose one of several authentication methods, a sounder internet trust environment would have been created. Rather than mandating one solution, it is best practice to set general standards for online authentication, which could be met by various services, giving companies and users options and flexibility.

Key factors to consider in this process are usability and listening to the opinions of all the stakeholders of the internet. No matter how good the security of a specific authentication method, if its usability is poor, it may not be used widely, and technologies that depend on a particular environment, operating system, or browser may be neglected by users. To avoid this, it is necessary to listen to the opinions of the internet service providers who need to introduce these technologies and the security companies that actually implement them. Most importantly, it is necessary to engage with the users themselves and use their feedback to set the direction of security- and data-related policies and their implementation.

Notes

1 OECD, “Broadband Portal,” last updated July 29, 2021, https://www.oecd.org/sti/broadband/broadband-statistics/.

2 Speedtest, “South Korea’s Mobile and Fixed Broadband Internet Speeds,” https://www.speedtest.net/global-index/south-korea#fixed.

3 Economist Intelligence Unit, “The Asian Digital Transformation Index 2018,” http://connectedfuture.economist.com/wp-content/uploads/2018/12/ADTI-whitepaper.pdf.

4 ITU, “ICT Development Index 2017,” https://www.itu.int/net4/ITU-D/idi/2017/index.html.

5 Statista, “Penetration Rate of Smartphones in Selected Countries 2020,” https://www.statista.com/statistics/539395/smartphone-penetration-worldwide-by-country/.

6 UN Department of Economic and Social Affairs, “E-Government Survey 2020,” https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2020.

7 Statistics Korea, “Monthly Online Shopping Survey,” http://kostat.go.kr/portal/eng/surveyOutline/2/5/index.static.

8 Kim Jee-Hee, “To Borrow Money, Koreans Go Online,” Korea JoongAng Daily, April 5, 2021, https://koreajoongangdaily.joins.com/2021/04/05/business/finance/bank-of-korea-internet-banking-mobile-banking/20210405163900371.html.

9 Korean Ministry of Land, Infrastructure, and Transport, “Ratio of Population in Urban Areas” (in Korean), Korean National Indicator System, last updated 2020, https://www.index.go.kr/potal/main/EachDtlPageDetail.do?idx_cd=1200.

10 Microsoft News Center, “Microsoft Korea Announces ‘Cyber Security Threat Report’” (in Korean), June 18, 2018, https://news.microsoft.com/ko-kr/2018/06/18/cybersecurity-report/.

11 Yonhap News Agency, “Damage from N.K. Cyber Attacks Estimated at 860 Bln Won: Lawmaker,” October 15, 2013, https://en.yna.co.kr/view/AEN20131015003200315.

12 Korea Times, “It’s Urgent to Wage War on Cyber Terror,” July 8, 2009, http://www.koreatimes.co.kr/www/news/opinon/2009/07/137_48133.html.

13 Sang-hee Han, Eun-Woo Lee, Byeong-il Oh, and Hyun-sik Yoon, “Status of the Usage of Resident Registration Numbers: Research Findings” (in Korean), National Human Rights Commission of Korea, 2005, https://www.humanrights.go.kr/site/inc/file/fileDownload?fileid=1055872&filename=05_78.pdf.

14 Min-ok Han, “12 Percent of Netizens ‘Experienced Resident Registration Number Theft’” (in Korean), Digital Times, December 1, 2003, https://news.naver.com/main/read.naver?mode=LSD&mid=sec&sid1=105&oid=029&aid=0000049852.

15 Lee Kyung-min, “I-PIN Identification System Hacked,” Korea Times, March 5, 2015, https://www.koreatimes.co.kr/www/news/nation/2015/03/116_174690.html.

16 Tae-jin Kim, “I-PIN Usage, 4 Percent Compared to Mobile Phone Authentication” (in Korean), ZD Net Korea, October 9, 2017, https://zdnet.co.kr/view/?no=20171009111654.

17 Public I-PIN, “Notice of Suspension of New Issuance or Renewal Due to Phase Out” (in Korean), October 31, 2018, http://www.gpin.go.kr/center/customer/noticeView.gpin?currentPage=2&no=27420.

18 Korea Communications Commission, “Three Companies Designated as Identity Verification Agencies by the Korea Communications Commission” (in Korean), December 28, 2012, https://kcc.go.kr/download.do?fileSeq=36847.

19 Kyung-ha Kwon, “Credit Card Identity Verification Service Method Policy Direction” (in Korean), Korea Communications Commission, October 20, 2016, https://kcc.go.kr/user.do?boardId=1008&page=A02020600&dc=&boardSeq=44056&mode=view.

20 Ministry of Information and Communication, “Portals With More Than 300 Users Daily…Limited Identity Verification” (in Korean), Korea Policy Briefing, February 23, 2007, https://www.korea.kr/news/pressReleaseView.do?newsId=155178693.

21 Yeong-ju Kim, “Businesses Subject to Limited Identity Verification System in 2009” (in Korean), Korea Communications Commission, January 30, 2009, https://kcc.go.kr/user.do?mode=view&page=A05030000&dc=&boardId=1113&cp=376&boardSeq=15512.

22 Jeong-hoon Lee, “Impact of the Decision on the Unconstitutionality of the Identity Verification System on Internet Regulation” (in Korean), Korea Internet and Security Agency, 2013, https://www.kisa.or.kr/uploadfile/201306/201306101706190871.pdf.

23 Kyeong-shin Park, “Constitutional Review of Anonymity Regulation and Review of 2015 Constitutionality Decision on Election Internet Real Name Law” (in Korean), Republic of Korea National Election Commission Election Studies 7, no. 1 (2016), https://www.nec.go.kr/common/board/Download.do?bcIdx=15433&cbIdx=1133&streFileNm=BBS_201701160247379835.pdf.

24 Ji-sook Woo, Hyeon-soo Na, and Jeong-min Choi, “Empirical Study of the Effect of Using Real Names on Internet Bulletin Boards” (in Korean), Korean Journal of Public Administration 48, no. 1 (2010), https://s-space.snu.ac.kr/bitstream/10371/69064/1/48-1_04%EC%9A%B0%EC%A7%80%EC%88%99_%EB%82%98%ED%98%84%EC%88%98_%EC%B5%9C%EC%A0%95%EB%AF%BC.pdf.

25 Hankyoreh, “Google Refuses South Korean Government’s Real-Name System,” April 10, 2009, http://english.hani.co.kr/arti/english_edition/e_international/349076.html.

26 Hankyoreh, “YouTube Korea Now Exempt From Real Name System,” April 7, 2010, http://english.hani.co.kr/arti/english_edition/e_national/414784.html.

27 Constitutional Court of Korea, Decision on case number 2010 Heon Ma 47, 252 (consolidated). Hosted by Open Net Korea. See: http://opennetkorea.org/en/wp/wp-content/uploads/2014/03/Korean-real-name-law-decision-english.pdf.

28 Kyung-Sin Park, “Establishing Game Users’ Constitutional Right in Light of the Constitutional Court’s Recent Decisions on Game Shutdown Case and Game Real Name Case,” Korea Citation Index, 2020, https://www.kci.go.kr/kciportal/ci/sereArticleSearch/ciSereArtiView.kci?sereArticleSearchBean.artiId=ART002561011.

29 IT Find, “Market Trends by E-Commerce Business Type” (in Korean), https://www.itfind.or.kr/WZIN/jugidong/933/93303.html.

30 Korea Internet Security Agency, “Authorization Practices” (in Korean), https://www.rootca.or.kr/kor/accredited/accredited01.jsp.

31 Yeong-Kwan Song, “2016 Modularization of Korea’s Development Experience: Korea’s E-Commerce Policy Experiences,” Knowledge Sharing Program, 2016, https://www.ksp.go.kr/api/file/download/11457?downloadFilename=Korea%E2%80%99s%20E-commerce%20Policy%20Experiences%20(English).pdf.

32 Joon-kyung Geum, “Moon Jae-in Highlights the Core of His Promise to Abolish Authorized Certificates” (in Korean), Media Today, http://www.mediatoday.co.kr/news/articleView.html?idxno=135414.

33 Financial Services Commission of Korea, “(Q&A) After Abolishing the Authorized Certification System on December 10, How Will Financial Transactions Be Different?” (in Korean), Korea Policy Briefing, December 11, 2020, https://www.korea.kr/news/visualNewsView.do?newsId=148880842.

34 Information Disclosure Center, “When Will the Continuous Omission of Target Organizations in the Information Disclosure Annual Report Be Improved?” (in Korean), February 5, 2018, https://www.opengirok.or.kr/4555.

35 Bong-su Kim, “In the Government 3.0 Era, the Trap of ‘Information Disclosure Rate of 95%’” (in Korean), Asian Economy, July 8, 2013, https://cm.asiae.co.kr/article/2013070810494738241.

36 Information Disclosure Center, “When Will the Continuous Omission of Target Organizations in the Information Disclosure Annual Report Be Improved?”

37 Ministry of Interior and Safety, “Government 3.0 Basic Plan” (in Korean), June 19, 2013, https://mois.go.kr/cmm/fms/FileDown.do?atchFileId=FILE_000000000027748&fileSn=0.

38 Ministry of Government Administration and Home Affairs, “2020 E-Government Basic Plan” (in Korean), 2016, https://www.mois.go.kr/cmm/fms/FileDown.do?atchFileId=FILE_000791371GzYtix&fileSn=0.

39 Korea Data 119 Project, “Presidential Committee on the Fourth Industrial Revolution of Korea,” 2021, https://www.4th-ir.go.kr/article/download/757.

40 IMD, “IMD World Digital Competitiveness Ranking 2017,” https://www1.imd.org/globalassets/wcc/docs/release-2017/world_digital_competitiveness_yearbook_2017.pdf?MRK_CMPG_SOURCE=sm_lk_pp_wall_sv_exp.

41 Korea Data Industry, “2017 Data Industry White Paper” (in Korean), July 12, 2017, https://www.kdata.or.kr/info/info_02_download.html?dbnum=224.

42 Kyung-hwan Kim, “Issues of Cross-Border Data Transfer and the Countermeasures” (in Korean), PIS Fair, 2013, https://www.slideshare.net/ssuserbd0159/l-49862245.