Nexus

Korea’s Online Clash

The Quest for a DMZ Between Privacy and Security

hacker_koreasonlineclash-613x408

South Korea is among the world’s most wired places. Seoul metro passengers stream KBO baseball games on their tablet PCs while native search companies Naver and Daum provide high-quality street views that outmatch the Google equivalent. High technology is at the heart of Korean industry and society; the country is renowned for its high-speed fiber-optic Internet connections, ubiquitous Wi-Fi networks, and relatively cheap unlimited data plans. And few nations have grappled as forcefully with the trade-offs between online security and online anonymity, having ditched the latter to strengthen the former. At least that was the theory before the bargain backfired spectacularly over the summer.

In late July, a malicious code infiltrated South Korea’s major portal site Nate and the social networking service Cyworld, the “Facebook of Korea,” granting cyber attackers with an IP address originating in China access to some 35 million netizens’ personal information. The attack, allegedly directed by North Korea, was the largest in the South’s history, more severe than the hacks in April that exposed the personal information of 425,000 Hyundai Capital users and paralyzed Nonghup’s banking system for days.

The attack on Cyworld shocked Koreans in a way that no online security breach has ever shocked Americans. This was not akin to a case of hackers gaining access to your embarrassing Facebook Chat conversations with an ex-girlfriend or tagged photos of you at last year’s New Year’s Eve party, or someone stumbling upon discrete information about one firm’s customers. No, thanks to Korea’s Real Name Verification and Cyber Insult Laws, enacted in 2008, those hacking Korea from outside made off with a treasure chest of critical information. July’s hackers accessed 35 million Internet users’ names, cellphone numbers, e-mail addresses, social security numbers, passwords, occupations, office numbers, and blood types. In a country of 48 million that is still technically at war, the idea that nearly 100 percent of the online population’s private data is now in the hands of the enemy is more than a little disconcerting.

You can blame bullies–and not solely the ones in Pyongyang–for this turn of events. It was “cyber bullying,” after all, that catalyzed the ratification of South Korea’s “real name” verification system and Cyber Insult Law after the beloved actress Choi Jin-sil, a victim of malicious online gossip, hung herself in her bathroom in October 2008. Leading politicians from the ruling Grand National Party–no fans themselves of nasty, anonymous online commentary–rushed to limit unfettered, unattributed online speech. This was not a dissent-crushing despotic regime looking to control access to information, but rather one of Asia’s most vibrant democracies turning the nature of the Internet on its head.

The “real name” verification policy requires extensive personal data as a prerequisite to accessing Web sites that receive more than 300,000 daily views on average. As a foreigner living in Seoul, the effects of this policy are immediately apparent. First, I have difficulty accessing Korean Web sites. This can be partially attributed to my use of an Apple computer with Chrome, Firefox, and Safari browsers (Korean Web sites are made for Internet Explorer, an odd quirk for such a high-tech society). My Korean language skills are also limited. But the key reason I was unable to purchase tickets for the Harry Potter finale online was my lack of a social security number and other essential personal information. It’s like being unable to get on a plane back home, for lack of identification.

With verified names attached to every online movement on all the major Korean sites, the government’s approach to the online universe is unusual. Could its national policy influence what is essentially a borderless medium? Could Korea’s clampdown on online anonymity spread?

It is too soon to tell for sure where the Korean experiment will end up, but there are reasons to believe that what Seoul imposes on its netizens is unlikely to undermine online users’ privacy in Los Angeles. For one thing, Korea is a self-contained online cul-de-sac, with a deeply entrenched language that is hard on outsiders. Second, Korea has an extensive online business culture of its own. Facebook and Google face formidable homegrown competition from the likes of Cyworld and Naver. Google commands only 2 percent market share, compared to Naver (68 percent), Daum (20 percent), and Nate (7 percent). Other online businesses beyond search are similarly dominated by domestic players. With users sticking to Korean Web sites instead of foreign-controlled ones, the government has more leverage to govern the online space.

Still, the brief history of the RNVL makes clear the limitations of centralized approaches to Internet policy in general, and of the Korean government’s specific efforts to affect the relationship between governments and the Web. Regulating content on the Web has proven difficult in open societies, if not seemingly impossible, and Korea is hardly alone in attempting to do so. The U.S. government still struggles to prevent illegal file-sharing within its borders, a decade after the landmark Napster vs. A&M Records court case. Anyone proficient in Googling can figure out how to download a Bob Dylan box set in 15 minutes.

Governments seek to maintain order online for a number of reasons. In 1996, President Bill Clinton pushed forward the Communications Decency Act aiming to regulate Internet obscenity, although the Supreme Court would rule it unconstitutional. American regulators tie themselves into knots chasing online gamblers and their online dealers. In the Internet’s early stages, the French government took Yahoo to court because the Web site allowed a user to advertise the sale of Nazi memorabilia, a crime in the European state. In the midst of trade negotiations, including the current Korea-U.S. free trade agreement sitting in Congress and the National Assembly, upholding copyright standards is a critical pillar of bilateral business, prompting agencies to block domain names and pressure search engines.

But in open societies, governments have generally been careful not to encroach on the right to remain anonymous online. There are ways to track down who is behind online activity, when necessary, and these digital footprints are becoming easier to detect. But for the most part people feel they can preserve their anonymity online if they so desire–a prerogative that is both a blessing and a curse. The comments pages under any semi-controversial YouTube video reveal the discouraging reality of Internet anonymity. Yes, there may be dissident and whistle-blower bloggers unveiling corrupt practices under pseudonyms here and there, but there are also plenty of intolerant seventh graders availing themselves of such anonymity to harass Facebook pages devoted to celebrating Ramadan.

Korea’s attempt to chisel away at the sanctity of online privacy would not be as effective in nations that are more reliant on outside Internet businesses integrated into a global community. Facebook’s enormous presence in Indonesia, for example, affords that country’s government less latitude to dictate how Indonesians engage social media than if it were dealing primarily with Indonesian sites.

But even the Korean experience has proven the limits of centralized Internet control. As the government requires real names for major Korean Web sites, young users flock easily to foreign-based sites where they can remain anonymous. YouTube Korea prohibits users from uploading or commenting on videos while their location is set on YouTube settings. However, anyone in South Korea can click on the “geography” tab on the U.S.-based Web site and change their location to California. Cyworld’s strict policies are noted as a major cause of Facebook’s increasing market share.

The latest cyber attacks have magnified the problems inherent in a real name verification system. Last month, Cyworld’s parent, SK Communications, became the first Korean Internet company to declare it will no longer require extensive information to open accounts, and said it plans to destroy its current database that was accessed by the July hackers. While trends suggest greater corporate and governmental control of the Internet in the 21st century, the Korean experience will make future policy makers think twice about eliminating anonymity from the Web.

Maxwell Coll, a New Delhi-born Washingtonian/New Orleanian, works for the Korea JoongAng Daily in association with the International Herald Tribune.

*Photo courtesy of powtac.