A Japanese-language input program — potentially installed on millions of computers, including those used at government agencies — sends every character typed to the software provider’s server without the user’s consent.
The Baidu IME program for Windows computers is distributed for free on the Internet by Baidu Japan Inc., the Japanese arm of China’s Baidu Inc., operator of China’s most popular Internet search engine.
Baidu Japan says the program, often installed with other downloadable software, is used by 4 million people.
The program is an input method editor (IME), which is required on a computer when entering Japanese characters. Baidu IME has cloud functionality that makes use of resources on the Internet in converting keystrokes into kanji, hiragana and other characters used in Japanese text.
The government’s National Information Security Center has warned all government agencies not to use IMEs with Internet connection functionality when creating confidential documents, or at least to take the computer offline, according to Yuji Mizuta, a counselor at the Cabinet Secretariat.
“We are aware some IMEs send out entered characters over the Net,” Mizuta said. “We are alarmed by the risk of information leakage through users failing to turn off Internet connection functions.”
The NISC has confirmed that Baidu IME was installed on five computers belonging to the Foreign Ministry, but no information was sent out over the Internet, according to Mizuta. He also said there has been no report that any confidential information has leaked from any government agency through an IME.
According to NetAgent Co., a Tokyo information security company that analyzed Baidu IME, all Japanese characters entered via the program are sent to Baidu’s server located in Japan even when the application’s cloud function is turned off.
Meanwhile, NetAgent confirmed that Simeji, another Japanese input program from Baidu Japan used on Android smartphones, also sends Japanese characters even when the cloud function is off.