DistantNews
Support us
๐Ÿ‡ฐ๐Ÿ‡ท South Korea /Technology

CI, Once an Alternative to Resident IDs, Now a Personal Data Risk

From Hankyoreh · () Korean

Translated from Korean, summarized and contextualized by DistantNews.

At a glance

News Sources not specified Context piece
  • South Korea is reconsidering the use of CI (Connecting Information) for online identity verification due to recent data breaches at TVING and Woori Bank.
  • CI, introduced as an alternative to resident registration numbers, has become a fixed identifier, making it vulnerable to leaks.
  • The government plans to advance the mandatory separation of resident registration numbers and CI storage, while civic groups are challenging the CI system itself through a constitutional appeal.

South Korea is facing renewed scrutiny over its use of Connecting Information (CI) for online identity verification, following recent personal data leaks at streaming service TVING and Woori Bank. The CI system, introduced in 2010 as an alternative to resident registration numbers and often used with i-PIN authentication, has become a de facto permanent identifier, similar to the resident registration number it was meant to replace.

CI is a unique 88-byte identifier generated by authentication agencies like NICE Information Service and the three major mobile carriers. It is created by applying a complex algorithm to a person's resident registration number and is linked one-to-one. While it's designed to be non-traceable to the original resident registration number through its private algorithm and secret key, its immutability poses a significant risk.

The system itself needs a fundamental re-evaluation.

โ€” Civic GroupsReferring to the CI system and its role in recent data breaches.

Initially, CI was conceived as a changeable identifier to mitigate the risks of identity theft associated with the fixed resident registration number. However, its widespread adoption across online services has made it practically impossible to change. While authentication agencies can technically issue new CIs, service providers would also need to update their user databases simultaneously to maintain user identification. This technical hurdle means CI, once generated, effectively becomes a lifelong identifier.

A complete overhaul of the CI system could be as complex as the Y2K bug.

โ€” Yeom Heung-yeolHonorary Professor at Soonchunhyang University's Department of Information Security, commenting on the difficulty of changing the CI system.

In response to the growing concerns, the government has decided to expedite the mandatory separation of resident registration numbers and CI storage from May next year to January 1, 2025. However, civic groups argue that the system itself needs a fundamental re-evaluation. Organizations like the Lawyers for a Democratic Society's Digital Information Committee and the Digital Justice Network have filed a constitutional appeal against the law governing the creation and use of CI, arguing it infringes on citizens' rights.

Experts suggest that a complete overhaul of the CI system could be as complex as the Y2K bug. One proposed approach is to prioritize replacing CIs only in cases where they have been compromised in data breaches. A more comprehensive solution would require a collaborative effort between the Korea Communications Commission, authentication agencies, and service providers to develop a thorough transition plan.

We can consider prioritizing the replacement of CIs that have been leaked in personal information infringement incidents.

โ€” Yeom Heung-yeolSuggesting a phased approach to replacing compromised CIs.
DistantNews Editorial

Originally published by Hankyoreh in Korean. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.