Incoming Administration Does About-Turn on LINE Policy - New Minister of Economic Affairs Directed t

2016/04/29

Is LINE secure or not? LINE is actually intended for general users. Though a one-to-one encryption mode was released earlier, there is still no encrypted mode available for LINE groups. Juiker was developed as an enterprise-grade communications software with AD integrated to provide chat room access control. 

There is less than a month to go before a change in administration takes place on May 20. To boost the speed and quality of internal communication, the incoming Executive Yuan spokesperson Chen-yuan Tung announced that a LINE group has already been set up for the 32 members of the new administration. The use of LINE for administrative communication by top government officials led to widespread concerns over information security. However, Chuan Lin, the incoming premier, eventually decided that the Juiker instant messaging software developed by the Industrial Technology Research Institute (ITRI) will be used instead. The incoming Minister of Economic Affairs Shih-kuang Li who had previously been the vice president of ITRI will also coordinate the development of custom instant messaging functions required by the Cabinet.  


LINE encrypts one-to-one conversations by default but not Group chat  

LINE enjoys a very high rate of penetration in Taiwan. Many members of the incoming cabinet therefore use LINE to communicate with each other as well. If top government officials use LINE to discuss national issues, ensuring that the conversations remain secure and no secrets are leaked becomes particularly important.

LINE is a 100%-owned subsidiary of the Korean NAVER company. In other words, it is a Korean company in a Japanese shell. The company's LINE software currently enjoys a very high penetrate rate in Japan and Taiwan. In July, 2013, a program to steal accounts and software was installed by unknown persons on the LINE server in Japan, creating a risk of personal details being compromised. Around 1,690,000 personal records from the membership database of NAVER's portal website may have been compromised. This however did not include the user accounts, password and details of Japanese and international LINE users. Investigations at the time found that the stolen personal information included account ID, e-mail, hashed password, and nickname. LINE Japan sent e-mails out to customers whose details may have been compromised asking them to change their password as soon as possible to prevent unauthorized use by third-parties.


In June 2014, the Japanese media outlet FACTA Online reported that Korea's National Intelligence Service (NIS) (formerly KCIA) can tap into the content of sent messages. While this practice is legal in Korea, Japan felt that this could not be allowed to continue. FACTA online's investigations revealed that NIS had previously used this method to collect data for analysis in Europe. Information from Japanese LINE accounts may have therefore been leaked to Tencent in China.

Akira Morikawa, the president of LINE, rebutted this accusation however. LINE engineers also stated on their blog that all communications use RSA 2048-bit encryption. All data transmitted over Wi-Fi, 3G, or LTE are ecrypted as well.

LINE had previously released functions such as hidden chat, time-limited messages, password lock and 4-digit security PIN. These functions must however be activated from a different chat interface so aren't commonly used. The new version of LINE released in October 2015, enabled advanced encryption by default for one-to-one conversations. The chat history can be encrypted and the encryption key stored on the user device. This function is enabled by default on Android phones but on iOS phones both parties must activate the Letter Sealing function in order to encrypt their mutual chat history and messages.

The new LINE version released at the end of 2015 reportedly enables Letter Sealing by default. All one-to-one conversations can now be automatically encrypted. End-to-end encryption is however still not possible for group chat sessions. Further testing is necessary before it will be ready for release.


The top five IT security issues facing the use of LINE by government agencies

While the LINE app now offers partial security, the security of communications is the top priority for government users. One of the early examples was Telegram which became famous for claiming that its encrypted messages cannot even be intercepted by the company itself. Apple's iMessage, WhatsApp, and the more recent Viber all subsequently provided end-to-end encryption. As for LINE, its end-to-end encryption is only available for one-to-one conversations and cannot yet encrypt group chats.

The location of the real-time messaging software server must also be taken into account. Yu-min Lin, the chief technology officer of ForceShield, said that since LINE servers are all located overseas this means the Taiwanese government has no control over the servers. In other words, there is no way for the Taiwanese government to take immediate action on compromised accounts or other problems in the terminal device.

All user details and chat history are stored on the operator's overseas servers as well. Lin said that LINE is unable to provide log files. If there is a security incident or data leak, this makes tracking and investigation by the government's security agencies very difficult.

Fourthly, Lambert Lin, the vice president of Docutek Solutions, said that there messaging software like LINE also suffers from a critical flaw – the security of the mobile phone. The open platform of Android phones, or jail-broken Apple phones are particularly vulnerable to the insertion of malware through SMS messages or the clicking of malicious links in instant messages. IT security expert Lightwind Wong also said that the loss of the mobile phone poses the greatest IT security threat. No existing messaging app can ensure that their chat history is not compromised when the mobile phone is lost.

Finally, GasGas, an IT security expert with more than 20 years of experience in the field, said that the biggest criticism of the incoming administration's use of LINE as a communication tool is actually the lack of awareness on information security, and a process to properly evaluate what 3C tools should be used. He noted that there is no such thing as perfect software. Users must however be aware of this fact and have a comprehensive evaluation process in place for deciding what tools to use. An administration that is conscious of information security should follow such a process rather than making decisions based out of habit or assumptions.

Yu-min Lin felt that if the Taiwanese government wants to make use of such real-time messaging software then it should not only make sure there is end-to-end encryption but also provide a logging function. This will improve the security of such instant messaging software when it is used by the Taiwanese government.


New Team Changes Tack and Switches to Homegrown Juiker

After the incoming administration announced its plan to adopt LINE as its communication tool, criticism over IT security fears from all fields also reached the administration's ears as well. Tsung-tsong Wu, the incoming Minister of Technology, became the first to publicly acknowledge outside fears on the administration's use of LINE. Shih-kuang Li, the incoming Minister of Economic Affairs, suggested that the Juiker messaging software developed by ITRI should be considered as a replacement for LINE.

The Juiker development team at ITRI had also been spun off through a technology transfer as the independent company LOFTech. Chao-chia Huang, the president of LOFTech, said that the incoming administration asked the company to provide a presentation. Whether the administration has any special instant messaging requirements will not be known until the presentation is made.

Huang said discussions on whether to develop a homegrown version of the instant messaging software commenced back in mid-2012. The threat posed by overseas instant messengers such as WhatsApp and Viber was already know and they knew that these types of software app will have a tremendous impact on the Taiwanese software industry as well. When the decision was made to develop this type of instant messaging software, Huang said: "To distinguish ourselves from other competitors, we decided to bring telecom operators on-board to provide Voice OTT (Over The Top) services."

Juiker's also took a different approach from B2C with its emphasis on user experience. Huang noted that there are a number of different ways that B2B enterprise instant messaging is currently implemented. CISCO approaches it from a network perspective, Microsoft approaches it from a system perspective, LINE is based on mobile phones, and SKYPE is based on computers. Juiker however approaches it from an information flow perspective. A federated cloud setup was also developed so that computer signals can be transmitted anywhere. The data is however separated from the signal so that it can be localized and retained in each country.

Research and development commenced at ITRI in January, 2013, and development was completed in November of the same year. In the interests of security, Huang said that Juiker used the HTTPS/TLS1.0~1.2 encryption algorithm. The ITRI was itself among the first batch of testers for Juiker. The ITRI had 8,000 employees so there were 8,000 terminals. Constant personnel changes meant that printed paper was often too slow. An enterprise directory function was therefore developed by Juiker with all contact methods placed online. Any changes could be updated directly on the cloud platform. This also made it easy for users to query contact details then message or call the other person directly.Also, Huang noted that the cloud corporate directory partially hides mobile number displayed on the terminal display to protect privacy. Users can therefore make calls direct but cannot see all of the user details. This not only ensures that the caller is authorized to make the call but also reduces the risk of information being leaked.

Thirdly, Huang considered the biggest advantage of Juiker to be its enterprise-grade chat room access control. It can not only specify who has the right to enter certain chat rooms, but also knows who has or has not read what information. When files are exchanged, it can also track whether the file has been read or printed.

Huang said that most chat rooms are public but in an enterprise setting they may also involve the exchange or discussion of sensitive information. Juiker therefore not only maintains tight control over individual permissions and records all chat history. When an employee leaves the company, their access permissions can also be directly removed from the cloud platform. The system will also automatically remove that employee from related chat rooms as well to ensure the security of the chat platform.

Fourthly, to reduce the risk from malicious links in messages that are common on LINE, Huang said Juiker partnered with Trend Micro to use their cloud-based anti-virus platform to automatically scan any links that appear in the chat room. This provides further protection of user safety.

Finally, Huang noted that Juiker provides numerous APIs that businesses can use to interface with internal systems. It also provides a cloud control platform for integration with internal AD or LDAP.