Why You Can’t Buy Anything On-Line in Korea, Mr. Foreigner

by Brendon Carr

Feeling frisky after my success fixing the housing policy problem, I contributed this piece to my firm’s “Law Talk” series in the Korea Herald today.

I’m not completely happy with the final piece, after the “editorial process”, nor the headline supplied by editors—which I think misuses the word “crimp”—but within the 550-word limit allowed by the paper, it’s not all that bad.

Encryption standards crimp Korean internet from globalizing
Korea Herald, March 26, 2008

President Lee Myung-bak’s new administration promises deregulation to improve transparency and the harmonization of Korean practices to so-called global standards. He has his work cut out for him as regulatory choices made around 10 years ago have resulted in Korea’s IT environment being isolated from practices used in the rest of the world. Rather than leading the global community, Korea’s government-led choices have often erected barriers and stagnated development.

Web browsers offer a fine example. In 1998 it was recognized that 40-bit Secure Sockets Layer encryption was insufficient security for internet-based financial transactions. More bits make codes harder to crack. But the United States at that time barred the export of encryption algorithms using more than 40 bits.

In other countries, the U.S. ban on the export of strong encryption created market opportunities. South African entrepreneur Mark Shuttleworth became a billionaire offering the rest of the world 128-bit SSL encryption from Cape Town, outside the reach of U.S. law.

Rather than leave this function to the market, the Korean government instead led the development of official 128-bit encryption based on a homegrown standard called SEED, which uses digital signature certificates issued by a Korean government-approved institute and requires users to install a downloadable ActiveX control into the Windows Internet Explorer browser.

Ten years later, we’re stuck with it. Under the Electronic Financial Transactions Act, SEED encryption is required for most credit-card transactions, despite the fact that all other banks around the world find 128-bit SSL security strong enough.

Korea’s SEED does not work on Apple’s Mac OS X (nobody in Korea has developed a SEED implementation that doesn’t require Windows), nor does it work on the Mozilla Firefox and Opera browsers. Neither does SEED work on Linux.

Only Microsoft Windows users may use the Korean-standard security system for internet transactions. Macintosh and Linux users are cut off from such transactions—by official government policy.

Many of the SEED implementations are sloppy. Programmers assume that whoever downloads SEED must be using a Korean version of Windows, and therefore don’t need any instructions in other languages. English Windows versions also display the Korean-font download controls as gibberish, thereby preventing installation.

In 1999, the U.S. government allowed export of strong encryption. But by that point it was too late for Korea. Since 1999, government officers charged with enforcement of the only-in-Korea SEED standard have not relented and accepted the global dominance of SSL, which is built into all browsers.

SEED locks foreigners and users of other computer operating systems and non-Microsoft browsers out of the Korean market. It prevents Korean online merchants from selling to nonresidents of the country, who are not likely to have obtained Korean government digital signature certificates or to run a Korean-language version of Windows.

Outside Korea, Mac OS X and Linux comprise nearly 10 percent of the worldwide operating system market. Non-Microsoft Web browsers approach 45 percent of the worldwide market. The SEED encryption requirement locks Koreans out of wider trends and forces them to use Microsoft Windows and Microsoft Internet Explorer.

Both are fine software programs, but the government should not be in the practice of forcing users to choose them by the Electronic Financial Transactions Act, especially when equivalent functions are available.

If President Lee’s team wants to move Korea closer to global standards and internationalize Korean practices, amending the Electronic Financial Transactions Act to dump SEED in favor of the already-existing SSL standard would be a good start.

There are, of course, other reasons you can’t buy anything on-line, Mr. Foreigner. They include the ubiquitous foreigners’ registration number, which doesn’t work with most of the ID-checking algorithms in use, and sloppy coding practices for the HTML to be displayed in your browser. A lot of Korean websites simply won’t show anything to a Firefox or Safari user, which tends to keep us away from the payment-processing stage where SEED would be required.

UPDATE: A Korea Herald reader wrote me this morning with the following comment:

Congratulations on a finely argued piece. I’d add just one other point - it is not in Korea’s national interests (or any other small country’s) to promote a foreign monopoly in a key component of technological infrastructure.

Good point. Five hundred words precludes a writer from getting every point into the newspaper—which is why the availability of unlimited Internet space, and the interactive opportunities of blog comments, makes this the place to add more. To the reader (and all readers): If you think other points are important, leave a comment here at Korea Law Blog.

March 26, 2008 | Filed Under Hub of Hubs

Comments

15 Responses to This Entry

  1. Ut videam on

    Excellent article. Hopefully you’ll submit it to the Korean-language press as well, so that people in government will actually read it. wink

  2. Julian Stoev on

    The article is really nice. I hope somebody in Korea has brain to understand that isolation from rest of the world made Korea an easy target for Japan colonization some time ago. This same isolationist mentality exist today and will lead to bad results sooner or later.

    The other problem is that technical issues in Korea are not solved for long term. That’s why even now many web sites in Korea insist of installing all kind of ActiveX rubbish and Microsoft in Korea was blamed for restricting ActiveX in Vista, while congratulated for this in the rest of the civilized world. This leads also to very, very sloppy coding of web pages. Unfortunately not only web pages in Korea are coded in sloppy manner. Many mobile phones produced in Korea even nowadays have lots of software bugs. As a result, most of my friends abroad have decided to boycott any mobile phone produced by Korean companies.

    Actually another example on isolationist mentality in Korea is the locking of SIM cards in new WCDMA phones in Korea, thus restricting competition in the Korean market. And low competition leads to low quality…

  3. Hoo Kang on

    Anyone have any bets when they will wake up from their stupor and dump SEED - or perhaps even their unnecessary paradoxes?

    Until then we have to use creative resources like Korean friends. Which makes me feel a bit childish asking for help, but hey you have got to do what you got to do.

  4. Brendon Carr on

    Actually another example on isolationist mentality in Korea is the locking of SIM cards in new WCDMA phones in Korea, thus restricting competition in the Korean market. And low competition leads to low quality…

    SIM locking is an issue that is current in my practice right now. SIM locking is not all bad. For example, in the case that a carrier offers the consumer a subsidy for purchase of a phone, the carrier ought to be able to contract with the consumer for an earn-out period on the subsidy. Without the SIM lock possibility, there is probably less economic incentive for the carrier to offer consumers subsidies.

    As you know, Julian, I blame Roh Moo Hyun for this technical-standards mess, plus the recent cold snap.

    Oh, and good news for you: Effective tomorrow, the 27th, SK Telecom and KTF will be opening their phones to allow exchangeable SIMs from the same carrier (i.e., if you bought the phone from SK, you can swap another SK SIM into it), and later in the summer to allow SIMs from different carriers.

  5. Julian Stoev on

    Brendon, I hope you can forget about the Roh Moo Hyun nightmare soon ... wink

    The subsidies given by phone companies in Korea were restricted until recently. In my opinion it should be forbidden to the service providers to subsidize the sale of phones. This is anti-competitive and will bite again and again the Korean consumers.

    All the good news in Korea is good news mostly for you, much less for me… I am currently evaluating mobile offers in Germany and having a huge choice of service providers, phones, plans… Have a look here http://www.verivox.de/. Wish you to have also more choice in Korea.

  6. Brendon Carr on

    I think consumers should have choice of a subsidized phone with a fixed service commitment, or an unsubsidized phone with an unlocked SIM. One size does not fit all: The subsidy makes the phone more affordable at the time of entry to the relationship with the carrier, while the unsubsidized phones (presumably ones which can be easily switched by SIM replacement) allow competitive rate-shopping.

    What Korea really needs is more mobile-phone carriers. The current three have it too comfy.

  7. It's actually worse on

    Another pernicious aspect of the Korean SEED standard is that it works on only one computer at a time. So if your home computer is registered for online transactions but you want to buy something using your office computer during your lunch break, then you must register your office computer for that single transaction and reregister your home computer the next time you use it.

    This incredibly onerous procedure is mandated in the name of consumer protection. Meanwhile, most receipts from credit card purchases at retail establishments include the full credit card number on the receipt. Isn’t that a far greater security risk to consumers than using SSL?

  8. Brendon Carr on

    As a Mac user I’m not at all experienced with SEED in its day-to-day usage. I found the whole thing so frustrating in my occasional use of IE 6 under VMware Fusion that I’ve not tried on-line banking from two locations.

    But it doesn’t surprise me. Government tends to favor stupid solutions.

  9. Korea Beat on

    The gibberish problem also comes up because of poorly handled language encoding. If you’re on Windows and all see is “???? ?? ???? ????” you can fix it by adjusting the preferred language. But if it’s garbage characters or nonsense hangul I don’t think there is anything to be done.

    I’ll add to the chorus than Korean web sites are poorly made. I like to browse in Firefox with several open tabs, and very often a Flash animation on a Korean site will slow things down and make it very difficult to switch tabs. This doesn’t happen with CNN and other sites that actually use more complicated Flash ads.

  10. Mallorio on

    Great article. It annoys the hell out of me that I can’t even get on Naver Cafe from the States without a national ID number, which of course I don’t have. If KORUS miraculously passed, wouldn’t this have to change?

  11. You've hit a nerve on

    Brendon, I’m impressed that you’ve received so many comments in such a short time. This article has apparently hit a nerve. Do your referral logs indicate that anyone from the Blue House or a relevant Korean government agency is paying attention, or is it just foreigners talking to each other?

  12. ecorn on

    #7 - You can actually get around the registration limitation by downloading your certificate to a USB memory card rather than your hard drive. Like Brendon, however, it doesn’t do me a lot of good on my Mac at home.

  13. It's actually worse on

    As another Mac user in Korea, I’m in the same situation as Brendon and Ecorn. I just hope we won’t have to wait long for 2MB’s administration to permit Korea’s online transaction system to join the 21st Century.

  14. Stafford on

    Good news on the mobile front with the ability to change USIMs- should be good when the iPhone finally gets to KTF. Oh wait - The government mandates that a certain piece of software (actually middleware) has to be on EVERY internet enabled phone sold in Korea… No iPhone for you!

  15. Tero on

    A bit late for commenting here, but… As a linux user I totally agree on your complaints. The current standards implemented in Korea are incredibly short and narrow sighted.

    If you are using non-Korean Windows, however, you can mostly fix the problems with gibberish characters.

    For web pages, you can set the character encoding to ‘Korean (EUC-KR)’ temporarily.

    For applications (including those pesky active-x “anti-hacking” apps), go to control panel -> language options -> advanced, and set the language for applications that do not support unicode to “Korean”.

    As for online shopping, I only use sites that let me pay with a bank account transfer.

Comments Policy: Comments to Korea Law Blog are moderated. This means abusive, or just plain stupid comments will be deleted. So don't be a jerk. It also means there may be some delay from the time you post a comment to the time it shows up here. If your comment wasn't against the policy, it will show up in a little bit.




XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Please enter the word you see in the image below: