Hatena is a Kyoto-based company that has run several web services since 2001. Similar to Digg, Delicious or Reddit, it has grown a web-savvy, tech-oriented community around a Q&A service (from which its name, Japanese for “question mark,” is gleaned), free blog-hosting, and so on.
While its user base is not huge, it offers some much-loved tools. Hatena Bookmark, with which users may record favorite web pages with a short memo, is the most popular online bookmarking service. Because a news story that is bookmarked by a large number of Hatena users attracts more attention, websites of Japanese media outlets such as Nikkei and Asahi display a Hatena Bookmark button on every single news page and have done so for years — even before similar buttons for Twitter, mixi and Facebook were introduced.
However, earlier this month, some bloggers discovered that these external bookmark buttons have been sending site visitors’ access information to MicroAd, a web advertising company that runs behavioral targeting advertising programs. This has been happening since last September, when Hatena modified its button program with very little fanfare.
Behavioral targeting is an advertising technology that tracks users over several different websites, collecting and analyzing their tastes and preferences in order to offer more effective ads. If you’ve ever noticed that you repeatedly see a certain type of product ad in your browser, you may already have been targeted by this program.
When Hatena changed its policy, it appears that major news sites were given the chance to opt out. However, many bloggers and small site owners did not notice the change, and thus their users have been tracked, with their information sold by Hatena to MicroAd over the last six months. While Facebook and Google are often criticized over privacy issues, their social-media buttons (such as Facebook “likes”) are not used to enable behavioral targeting.
When this news came to light, many bloggers removed the Hatena button, or replaced it with the tracking-free version, which was quietly made available at the time of the policy change.
On March 13, about a week after the scandal broke, Hatena CEO Junya Kondo announced it would stop selling user information to MicroAd and apologized.
Ninja Tools, a company that offers a free traffic-counter program to bloggers, did something similar, and with the same outcome.
On March 14, MicroAd announced that it would make it obligatory for partners to disclose the collecting of behavioral data to the end-user.
But perhaps the biggest shock of all was that Hatena’s users, who might regard themselves as knowledgeable web users, were duped into distributing the behavior of visitors to their blogs for half a year.
Pasmo is a prepaid e-money system used by most railway and bus companies in the Greater Tokyo Area. As it is interconnected with Japan Railway’s Suica, it works with most trains and buses in the Kanto region, and 19.5 million Pasmo cards have been issued.
Each Pasmo card has a serial number on it, so users can check their fare history online, entering as ID their name, date of birth and phone number.
But on Feb. 26, security researcher Hiromitsu Takagi wrote on his blog that he had pointed out to Pasmo’s support center that those three pieces of information could be quite easy to get hold of. If you know someone’s name, date of birth and phone number — maybe a friend, colleague or acquaintance, or simply an eagle-eyed Facebook friend — all you need to spot is their Pasmo number and you’ll have access to their every past move, between which stations on what dates. Tips have long been online for suspicious minds to track their spouse’s moves via their Pasmo activity.
The support center’s initial response to Takagi was that keeping the card number secret is the user’s responsibility, but on March 2, Pasmo announced it would suspend the history-browsing service, to investigate whether a security risk exists.
Internet Watch reported that similar e-money cards Sapica in Sapporo and nimoca in Fukuoka had the same problem only worse — all you needed to log on to those accounts was the card number and date of birth. Suica had been careful enough to not provide such a service.
Even if you know about this issue and keep your card hidden, over 100 transport companies store and share the serial number, and affiliate chain stores that enable payment by Pasmo have access to the number and could possibly have your basic details as well.
“Big Data” is a recent buzzword for the practice of web-service companies collecting and utilizing users’ information to maximize performance. But while we may appreciate better-targeted ads, there’s always a risk of security holes. Often it falls to individual users to spot potential risks and blow the whistle — if only the mainstream media paid such close attention.
Akky Akimoto writes for Asiajin.com, an English blog on the Japanese Web scene. You can follow him @akky on Twitter.