
Hitachi

Hitachi Systems SHIELD Security Research Center

Initial Disclosure Date: Dec 18, 2013
Last Update: Jan 16, 2014

Some recent IMEs (Input Method Editors) have Sync Dictionary and Cloud Conversion functions to enhance typing efficiency, and these functions require a persistent Internet connection. Good examples are Baidu IME and Simeji. Simeji is a smartphone application for Japanese input, provided by Baidu. According to Baidu Japan Inc., the number of Baidu IME users was approximately two million in Japan as of January 2012. (footnote:1)

However, these functions also raise two cybersecurity issues. First, when users have personally identifiable information or login credentials in their user dictionary, that sensitive information is saved on an external server unless they disable the Sync Dictionary function. Second, Cloud Conversion is similar to a keylogger: users send out all the information they type. When they confirm their input, the name of the input application and their security identifier (SID) are also sent out. Baidu IME's recommended settings activate Cloud Conversion automatically when it is installed. (footnote:2)

The National Information Security Center (NISC) and the Ministry of Education, Culture, Sports, Science and Technology sent out an alert to about 140 organizations, including agencies, ministries, research institutes, and universities, to stop using Baidu IME. According to Yomiuri Shimbun’s survey, at least twelve universities, including the University of Tokyo, use Baidu IME on some of their computers. Also, 23 prefectural governments and six municipal governments in Japan use 1,124 computers with Baidu IME in total. Although the Ministry of Internal Affairs and Communications’ guideline requires local governments to obtain permission from their information security officer (ISO) before they install free software, ISOs are the heads of each office or department and are not necessarily cybersecurity experts. Moreover, there is no information security system to check the security of embedded software in computers. (footnote:3)

In a press release dated December 26, Baidu Japan Inc. acknowledged that Baidu IME and Simeji send users’ information to its servers and save the data for a while, and explained that the company is keen to make its terms easier to understand and to reassure users. The company released Simeji 6.6.2 on December 27 and a new version of Baidu IME in early January 2014. (footnote:4)

Sources:

  1. Yomiuri Shimbun, “Chugoku ‘Baidu’ sei sohuto, nyuryoku no Nihon-go wo mudan soshin [Baidu IME forwards input information without users’ consent],” December 26, 2013,
    http://www.yomiuri.co.jp/net/news0/national/20131225-OYT1T01536.htm
  2. IIJ-SECT, “Security Diary: IME no online kino riyo ni okeru chui nitsuite [Security Diary: warning about IME’s online functions],” December 17, 2013,
    https://sect.iij.ad.jp/d/2013/12/104971.html
  3. Yomiuri Shimbun, “Chugoku ‘Baidu’ sei sohuto, nyuryoku no Nihon-go wo mudan soshin [Baidu IME forwards input information without users’ consent],” December 26, 2013,
    http://www.yomiuri.co.jp/net/news0/national/20131225-OYT1T01536.htm
    NHK News, “Chugoku-sei no Nihon-go nyuryoku sohuto nyuryoku joho wo mudan soshin [PRC-made free IME to input Japanese sends users’ information without their consent],” December 26, 2013,
    http://www3.nhk.or.jp/news/html/20131226/k10014117561000.html
    Yomiuri Shimbun, “Baidu IME shiyo, 29 hukenshi… PC 1 sen dai cho [29 local Japanese governments use more than 1,000 PCs with Baidu IME],” January 13, 2014,
    http://www.yomiuri.co.jp/net/news0/national/20140113-OYT1T00164.htm
    Yomiuri Shimbun, “Mudan shoshin sofuto, ‘Ireta oboenai’ to shokuin konwaku [Local government officials are puzzled about why Baidu IME is on their computers although they never installed the software],” January 13, 2014,
    http://www.yomiuri.co.jp/net/news0/national/20140113-OYT1T00384.htm
  4. Baidu.jp, “Press release: ichibu no hodo ni taisuru heisha no kenkai [Press release: our perspective regarding recent media reports],” December 26, 2013,
    http://www.baidu.jp/info/press/jp/131226.html
    Baidu.jp, “Simeji shin bajon 6.6.2 wo ririsu [New version of Simeji 6.6.2 is released],” December 27, 2013,
    http://www.baidu.jp/info/press/jp/131227.html
    ITmedia, “‘BaiduIME’ bajon apu ‘kuraudo henkan’ deforuto de ofu ni [BaiduIME version upgrade turns ‘cloud conversion’ off by default],” January 6, 2014,
    http://www.itmedia.co.jp/news/articles/1401/06/news047.html


  * Company names, organization names, and brand names are trade names or registered trademarks of their respective companies and organizations.
