AFP and Yomiuri: How to get around J border fingerprinting: tape!

Hi Blog. Here’s an update about that old fingerprinting at the border thingie “to prevent terrorism, infectious diseases, and foreign crime”. Here’s one way how you get around it: special tape on your fingers! Two articles on this below.

Also, just so that people are aware that your fingerprints are NOT cross-checked immediately within the database: I have a friend who always uses different fingers when he comes back into Japan (index fingers one time, middle fingers the next, alternating; Immigration can’t see), and he has NEVER been snagged (on the spot or later) for having different fingerprints from one time to the next. Try it yourself and see. Anyway, if people are getting caught, it’s for passports, not fingerprints.  Arudou Debito
===========================

SKorean fools finger printing system at Japan airport: reports

TOKYO (AFP) – A South Korean woman barred from entering Japan last year passed through its immigration screening system by using tape on her fingers to fool a fingerprint reading machine, reports said Thursday.

The biometric system was installed in 30 airports in 2007 to improve security and prevent terrorists from entering into Japan, the Yomiuri Shimbun said.

The woman, who has a deportation record, told investigators that she placed special tapes on her fingers to pass through a fingerprint reader, according to Kyodo News.

Japan spent more than four billion yen (44 million dollars) to install the system, which reads the index fingerprints of visitors and instantly cross-checks them with a database of international fugitives and foreigners with deportation records, the Yomiuri Shimbun said.

The South Korean woman was deported in July 2007 for illegally staying in Japan after she worked as a bar hostess in Nagano in central Japan, Kyodo said, citing justice ministry sources.

She was not allowed to re-enter Japan for five years after deportation but the Tokyo immigration bureau found her in August 2008 again in Nagano, Kyodo said.

A South Korean broker is believed to have supplied her with the tapes and a fake passport, the Yomiuri said, adding that officials believe many more foreigners might have entered Japan using the same technique.

=============================

The abovementioned Yomiuri article, courtesy of Jeff K and Tony K:

S. Korean woman ‘tricked’ airport fingerprint scan

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday.

According to sources, the woman, 51, was deported from Japan in 2007 for staying illegally. However, she was found in August 2008 to have reentered the country and was detained by the Tokyo Regional Immigration Bureau.

The woman was quoted as telling the immigration bureau that she put special tape on her index fingers to cheat the fingerprint scanner at immigration.

The biometric system was introduced at 30 airports around the country in November 2007, and was aimed mainly at preventing entry by international terrorists. A scanner reads the index fingerprints of both hands and instantly crosschecks these with a database of international fugitives and foreigners with deportation records.

The sources said the fact that the woman was so easily able to beat the sophisticated computer system will force the government into a drastic review of its counterterrorist measures and the current screening immigration system.

The immigration bureau reported to the Justice Ministry that a considerable number of South Koreans might have entered Japan illegally using the same technique, as a South Korean broker is believed to have helped the woman enter Japan. The ministry also has begun an investigation into the case.

According to immigration officials, the bureau held the woman in mid-July 2007 for working illegally in the city of Nagano as a hostess after her tourist visa expired. She was banned from reentering Japan for five years and deported to South Korea from Narita Airport.

However, the bureau was tipped off by an anonymous source in early August last year that the woman had been seen again in Nagano. The bureau found she was living in an apartment in the city and detained her again on suspicion of violating the Immigration Control and Refugee Recognition Law.

According to the immigration officials, the woman had a forged passport stating that she had passed immigration checks at Aomori Airport in Aomori Prefecture at the end of April last year.

During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South Korean broker who told her to purchase an air ticket for Aomori Airport.

The woman also was quoted as saying that the broker gave her the special tape with someone else’s fingerprints on, and that she slipped past the biometric recognition system by holding her taped index fingers over the scanner.

According to an analysis by the bureau, regular adhesive tape does not work, as the scanner fails to read any prints. The results have led the immigration bureau to suspect that the woman might have used a special tape bearing someone else’s fingerprints.

Although the bureau detained the woman at an immigration facility for further questioning, she did not provide information that pinpointed what the tape is made of or the South Korean broker before she was deported again in mid-September.

The bureau has compiled a report based on her statements and submitted it to the Justice Ministry. The report says it is conceivable such tape exists and that the South Korean broker might have helped a considerable number of foreigners enter Japan using it.

According to the ministry, the immigration section at Aomori Airport kept images of the woman’s fingerprints, but they were imperfect and did not match the genuine fingerprints of the woman.

(Jan. 1, 2009)
ends

15 comments on “AFP and Yomiuri: How to get around J border fingerprinting: tape!”

  • What a farce this “criminal” fingerprinting scheme is. Apart from the tape, I wonder just how many other ways are being utilised right now to beat these joke fingerprinting machines. And why to hell are PRs still lumped in with the term “visitors”? This moronic government equates a 50 year PR with a 1 day tourist.

  • If you’ve seen the mythbusters episode on fingerprint locks, it’s not a surprise to hear about this. The Mythbusters were easily able to fool these supposedly secure locks (the same supplier as to governmental agencies) using a photocopied fingerprint! (they try some more complicated methods using latex, etc. first, which also work) http://www.youtube.com/watch?v=LA4Xx5Noxyo

  • Why do I get the feeling this will lead to something utterly absurd, like every person must present their hands for inspection before the scanning process? Oh the humanity…

  • “Why do I get the feeling this will lead to something utterly absurd, like every person must present their hands for inspection before the scanning process? Oh the humanity…”

    I thought they DO do that. I mean it makes sense that the first thing they would do before taking your fingerprints is to check to see if your fingers are clean/wrapped in tape.

  • We are told the finger printing is for counter terrorism measures. Well, she is a hostess of some kind, perhaps, not a terrorist, so why all the fuss..?? 😉

  • Another John says:

    I gotta agree with Tony D…I have a feeling that this will lead to something even more absurd (and that is the proper word!) come 2010 or so. On a quick sidebar, it was funny – in a pathetic way – that, during a family trip to the US last month, my (J-national) wife had to give her prints and was incensed at that (as in, “Why do they think I’m a terrorist? This is discrimination!”), but, when I complained that the J Gov lumps perm residents and 1 day tourists together because I had to break out and go through the re-entry line, she failed to see the problem. After rejoining the family in baggage claim, she said to me, “The US discriminates against foreigners. Japan is just trying to make their borders safer.”

    Ah. Of course. Silly me. I should have known.

  • Johns, permit me to join the club. My japanese wife has said something very similar too. When we went on a trip to the US, she complained about the fingerprinting saying “why do they fingerprint even Japanese?” But when I complained to her about the fingerprinting farce here even for PRs, she said “you shouldn’t complain, you’re not Japanese!!”

  • A Man In Japan says:

    How long is this double standard gonna go on for? Japanese people moan when THEY have to give their fingerprints and they give us the excuse of the nice, non corrupt Japanese government of “protecting” the borders. I always ask myself if there’s any point in saying anything any more…

  • Andrew Smallacombe says:

    Johna, Snowman, A man in Japan,
    It looks like another case of Japanese being unable to consider themselves as “foreigners”.

  • Well, I’m a bit more lucky in my partner, she understands that there is no basic distinction and you either have to allow all or condemn all…
    But to comment on the topic. I don’t think there’s any professional in security that can be surprised at what happened, or they have been acting like as many ostriches. This weakness has been public since at least 2002. That this time it’s tape and not gummy or wood glue doesn’t make any meaningful difference.
    The question is what to do about it. This is not just something for some Korean lady who pursues her love. If those prints are stolen, innocent people get hurt for a lifetime. Even if those prints happen to look too much like those of others and the machines fail to keep them apart, innocent people get hurt for a lifetime.
    The author Cory Doctorow wrote in the UK newspaper The Guardian a statement that is all too true: “We should treat personal electronic data with the same care and respect as weapons-grade plutonium – it is dangerous, long-lasting and once it has leaked there’s no getting it back.” (http://www.guardian.co.uk/technology/2008/jan/15/data.security/print) And that goes double for fingerprints, when (not if) they’re squandered or get wound up in some administrative error, then what? And how well is this information protected anyway? And just as importantly, how to get some decent answers?

  • >The question is what to do about it. This is not just something for some Korean lady who pursues her love. If those prints are stolen, innocent people get hurt for a lifetime. Even if those prints happen to look too much like those of others and the machines fail to keep them apart, innocent people get hurt for a lifetime. [further unsubstantiated assertions deleted]

  • Hmmm, I see a misunderstanding here, but it’s understandable, and the point is valid, not enough explanation.
    It seems you too have had your share of conspiracy theorists. I can imagine the irritation when you think you see one.
    My concern is a different one, simple machine failure (in the form of false positives and failures to enroll) and identity fraud. To a lesser extent, I am concerned about individual members of staff putting their own personal agendas, preferences and prejudices before their job, which by nature prescribes impartiality, but that’s a different concern.
    The problems mentioned are not unsolvable. Let’s understand each other, it is impossible to build a perfect machine and the failures will happen. But, it is possible, with the right procedures, to ensure that the problems are less likely to cause harm to innocent people. And if as an organisation, you’re open about that, it is also possible to reassure those people who are concerned. In a way, these measures together form an example of what is sometimes called Due Care (http://www.answers.com/topic/due-care). For the record, I use the term due care here from an ethical perspective, not a legal one.
    Information in the case of the Immigration Bureau is sketchy at best. The only visible sign is on their FAQ (http://www.moj.go.jp/NYUKAN/nyukan64-2-1.pdf), which states: “The personally identifying information which you provide to us (fingerprints and photographs) is important personal data. As such, we will properly store and protect your data, according to the basic law for the protection of personal data, the Act for the Protection of Personal Information Retained by Administrative Institutions. All necessary measures will be put in place to ensure the safety and security of your data.” That makes it difficult to judge their care. But we can state for ourselves what due care in this case would mean. Personally, I’d say due care starts with the following principles:
    1) First and foremost, acknowledgement that the above problems exist and will happen. Without that, you’re creating a system that is an accident waiting to happen and can not possibly hope to claim to exercise due care.
    2) Accept that in the case of such incidents, the burden and cost of setting things right should rest on your organisation. If not, the temptation to treat such damage as people suffer as an external cost (http://en.wikipedia.org/wiki/Externality) is just too great.
    3) Accept that setting things right should be done in such a way to cause the least burden and problems for innocent people. It will not be possible to get to a situation where there will be no hassle at all, but at least it can be brought back to a minimum.
    4) Open communication. The concern for such eventualities can be a greater problem than the actual problem itself (compare fear of flying). Besides, as a matter of principle, personal information is the property of the person it’s about, no matter who uses it. If the owner of something starts questioning you about your way of keeping her property safe, you answer as well as you can.
    That being said, let us take a look at what particular measures, large and small, could be taken by the Immigration Bureau.
    1) If there is a positive (a match on fingerprints), the fingerprint should be manually checked and rechecked by different members of sufficiently trained staff. This should considerably decrease the chance of damage from a false positive.
    2) In the case of a match, it is important to verify the identity of the person by other means. This will often involve the help of the person himself.
    3) It is important right from the moment a problem arises, to treat such a person with the utmost courtesy. This again is to minimise damage, and forms the reason behind the concept of being innocent until proven guilty. Keep in mind that incidents do happen, and that a victim of such an incident is subject to all kinds of burden, including probably serious concern, confusion, and possibly concerned people waiting for her. Therefore all staff involved should be trained to be able to put people at ease and to offer such help as needed (for instance inform concerned friends/relatives and possibly allowing them with the person).
    4) Do not store full fingerprints. Fingerprint hashes (http://www.cedar.buffalo.edu/~govind/fingerprint_hash_icapr05_ver2.pdf) do the same job, and prevent theft from your database. Note, this is probably done. There is no evidence, but it is difficult to find fingerprint readers that do not hash.
    5) If either a false positive occurs, or someone has become the victim of identity fraud, the fingerprints should be considered as compromised. Note that if there is a false positive, it makes sense that there is a good reason for it, one that is likely to cause the re-occurrence of the same problem. The first rule of a compromised means of access is: “never use it again”. This can cause serious problems. Just some of the ways fingerprints are used today involve visiting two countries, applying for VISA in several more, access to certain buildings and computers (ranging in use from certain jobs/careers to the local cafe), and occasionally payment in shops. It would be unacceptable if a compromise would mean any of those kinds of impact for a victim. Therefore that person needs ready access to information confirming the status of being the victim of compromised fingerprints.
    6) In the case of identity fraud, the stolen prints may turn up first without knowing the owner. Therefore all possible effort should be done to trace the owner and inform her.
    7) In any case, a data breach notification policy is a must have.
    8) Create a good privacy policy, publish it and follow it. Do not fall for the temptation that Enron’s board fell to, when they realized that one of its financial maneuvers violated its Code of Ethics, it made compliance possible by changing the Code (http://www.ethicsscoreboard.com/rb_fallacies.html). The OECD guidelines on which Japan’s privacy laws are based offer a good starting point. But act in the spirit, do not fall for the compliance dodge (see the link above).
    9) With all the above in mind, excellent complaint mechanisms are an absolute must have, with well-trained staff and a mindset based on helping the victims of incidents without having them jumping through the usual endless series of bureaucratic hoops.
    10) Explain what you are doing. Remember the air travel example, at least some people are reassured of the safety by the way the airlines are very open about the many safety features, procedures and training in the airline industry. Do not fall for the trap of claiming that it is necessary to keep such things secret for the security of the system. Remember the first part of the second principle of Kerckhoffs: “The design of a system should not require secrecy.” Kerckhoffs spoke about cryptography, but his principle has proven equally valid for security systems. If a system does require security through obscurity, especially to the owners of the information you feed into it, it’s a bad design.
    11) Publish your sources. In the case of the quoted statement, it is a no-no not to offer either a download of the law in question or a link to the correct site. (Note, this might also prevent the gaffe that this site speaks of the “Act for the Protection of Personal Information Retained by Administrative Institutions”, while the Japanese Act on the Protection of Personal Information (http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf), which, I think is fair to say holds the official translation, names it the “Act on the Protection of Personal Information Held by Independent Administrative Agencies”.)
    12) Especially not answering is an absolute no-no, as is burying good questions under nice-looking pictures and other answers that do not give full justice to the question. Give answers, and give good answers where this is needed to breed confidence. Also keep in mind that individual persons may not be able to formulate their reactions in precisely the right way, first try.
    13) Be accessible. In a situation where questions from all over the world are inevitable, this must inevitably mean that communication is possible via email (with ease the way of communication offering the fastest speed and lowest cost, and therefore causing the least burden to the persons involved) and in English.
    With the above in mind, it is possible to make a statement of opinion if the Immigration Department is exercising due care, and also suggest ways of trying to find out about other points.
    1) At the moment, there is no clue about the various minimising measures suggested. One can, however, write a letter to the address in the mentioned FAQ. If no answer is given, non-adherence to Kerckhoffs principle can be proven, and one can safely say that the chances any such measures are good enough are painfully low.
    2) There is no published data breach notification policy and no published privacy policy, other than the stated compliance to the privacy laws. The latter statement has all the look and feel of a classic compliance dodge. Organisations that do exercise due care generally have published privacy policies that exceed their countries’ privacy legislation by a wide margin.
    With regards to the law, there is another thing that can be done, which is to look up the law itself. Most privacy laws allow for options to keep an eye on organisations, for instance the rights to see and correct your own information.
    3) There is no visible explanation of the procedures and safeguards to protect the interests of the innocent.
    4) For communication, only a post address is offered. With some difficulty, one can also find phone numbers. But the Immigration Department does not offer communication by email. They used to do so, but only in Japanese. Now the email option seems to have been removed altogether. In an international setting, where correspondence can take excessive time and communication by phone means excessive costs, this is not an acceptable situation anymore in 2009.
    With these four points as a small summary, there is some justification to feel that the Immigration Bureau is failing to exercise due care.
