 Thank you for recommending the conference with Tainan last time. That was, should I wear a mask? I mean it's up to you. I'm going to wear one. I'll wear a mask. That was fun. I got a lot of good ideas for the products that I work with. Excellent. So last time we spoke, I mentioned I was working on a project where I wanted to visualize hiking safety data. That's right. And you recommended that I make a data request to deliver that website. Well that request was rejected. Oh really? Yeah, and maybe I can just send you... Is there a reason for it? There is, but I'm not sure I completely understand it. Maybe, can I just forward you the... Sure, sure, sure. The case number. Actually, all I need is the case number. The case number. I just have the email saying it was rejected. Can I just forward that? Sure, sure, sure. Okay, that should be... Which ministry responded to the interior? It was the Ministry of Interior fire department. Fire department? Wow. Okay. Alright, that should be sent out. Okay, let's see what the firefighters have to say. It looks like it's a legal issue. Okay, I get to receive the email saying I'm waiting for a busy postal worker essentially. Running, running. Yeah, I know. IP over carrier pigeons. I got it. Okay. So let's look at it. There's actually, it's a partial yes. It's a partial yes, okay. It really is a partial yes. That's not promising. And basically it says we're not sure if just by simply removing the names, we can completely de-identify the individuals involved in accidents. That's what they're saying. And they have the data. And they have the capacity to de-identify the data. It's just they're not sure how much the identification is required. Okay, so how do they become sure how much identification is required? For example, if you limit your request to a year and a longitude and latitude, I'm sure that they can say yes right away. Because there's no way that using just these three fields, you can re-identify anyone. But you said age, injury, costs. Now they're not quite sure if publishing those and hiding the name. There's no possibility of re-identifying the name. I see. Because if you happen to be a medical worker in your nearby hospital, that probably is sufficient for them to learn that, oh, it's a hiking accident. Yeah. Okay, so if I submit another request and I say just by month, summarize the data, that should maybe go through. Exactly, exactly. And there's also a link. It's basically a part of that email that says you can score, right? Score the response. Okay. So if you score two star or one star, then they are required to follow up. Really? Yes. It's Cecil. It's Cecil. If you read the email, there's a link to the user's score suggest. Oh, that's awesome. Yeah, and that says if within seven days you rated two star or one star with a good enough reason, then they're required to respond as fast as possible. Okay. I think seven days is fast, but I can just submit another one as well. Yeah, sure. That's great. Okay, thank you for that. So maybe you can make a new one because, yeah, it's not December 15th now, right? It's past December 15th now. Otherwise, I mean, but next time you'll know. Okay. If you receive a response of this shape, if you respond within a week, then the same person is required to reply to the response. Okay. That's good to know. I'll keep that in mind. Okay. Great. I'll try that one again. The other thing I wanted to talk about today is I am concerned about the ARC ID number format change happening next month. Okay. That's because I feel like it's going to create problems. To what? I feel like it's going to create problems. Okay. Okay. So basically, you know, the idea is that. Is that each of you now have two numbers? Yeah. But you know, they're replacing the letter with an eight or a nine, right? Okay. And the reason they give for this is they're saying it makes it easier to use online services because it's the same as the Taiwan ID number. But the thing is that it's not exactly the same, right? The Taiwan ID number has a one or a two for the second digit. Yeah. But the checksum would be the same number? The checksum would be the same. But basically, I went through and I looked at all the libraries on GitHub that deal with. Yeah. We're quite aware of that. ID validation. We are quite aware of that. Okay. Yes. And it just, it doesn't, it doesn't look good for now. So I guess my question is, like, when the decision for this policy change happened, like, were people in technology involved? Were people in the foreign community involved? Yes. And they expressed these concerns. Yes. Okay. They said a few things. One, that in schema.gov.tw, there should be exclusively a regular expression. That recognizes the ODE as well as the new NRC numbers. But because at this very moment, schema.gov.tw, there's this. Yeah. And so everybody codes following this. Right? That this is actually the root of the problem. Yeah. Because if you just code toward these, neither the ODE or the new NRC numbers are going to work. I see. And this schema.gov.tw, is this, is this something that, like, government websites are required to follow? Yeah, it's binding. It's binding. It's binding. Ah. Okay. So the contractors are supposed to follow. And if they don't, it's actually discrimination. Wow. Okay. That's, that's interesting. So I'm, I'm still a little bit confused as to, like, some government services still do not accept ARC numbers. Like, for instance, like the, the highway police. Yeah. So we, you know, if they're legally required to follow these formats. Because this hasn't been updated. Okay. If you check the regular expression. I see. There's no eight or nine. Here. I'm talking about even the old ARC numbers. I know, I know. But, but, but neither is the old ARC number here. So how does something get added to that schema? I see. As far as I understood, they filed it. And the NDC is now working on it. Okay. Yeah. Okay. So soon as this is updated. And we had an internal discussion. And the MOI decided to also recognize the old one. Because it's voluntary, right? Yeah. You, you can choose to keep the old one. So, so both need to be added to schema of TW. And it's a, it's an opportunity for the library makers to update, to accommodate both versions. It's missing by it beats the old way, which is like legally they're not required to recognize the ARC holders at all. Okay. That's, that's, that's good to know. As far as like private industry. But then it's not binding. It's not binding. So it's not binding. So what kind of, you know, tools, I don't know if there's a way to enforce it or if there's just a way to encourage private companies to get on board. Or you know, you can keep an award or something. Give an award for it. Yeah. Or the other side, social sanction or something. Well, here's what I've done. So I created this website called identity dot TW. And it has, it has three things on it. It has an API that recognizes all ID formats that is free to use for anybody. And it's, you know, it's, it's basically on like a cloud player node. So it's massively scalable. Anybody can use it. And then also libraries for all the major software languages that, that recognize all three forms. And then also like a transparency report that if someone finds a site that doesn't accept a certain ID number from that, or somehow doesn't offer the same services based on your ID number, they can report it. It gets published here. Right. So anyway. That's not quite what it is. Yeah. What do you mean? Because you're, you're, let's see. I see. So you're, you're basically saying there may be the second digit, maybe zero or seven or five. I guess that's fine. It's, yeah. It's more inclusive. It's right. Yeah. I mean, yeah. I don't, yeah. I mean, like I'm, I'm, I'm not really sure to begin with why all these companies do ID number validation to begin with. Like when I buy groceries online, why do I have to type in my ID number to do that? Yeah. Of course. Um, so I, I, I'm not really sure. I'm not really sure. I'm not really sure. I'm not really sure. I'm not really sure. I'm not really sure. I'm not really sure. I'm not really sure. Yeah. Of course. Um, so, so, you know, so like the goal is to like score companies based on how they can go ID numbers. And if you don't use ID numbers, you can automatically, because why, why do you need to use ID numbers? And that's why I totally support that position. Of cases. Um, yeah. So I mean, do you think this would be useful, um, for, I don't know, like encouraging companies, shaming companies that don't, that don't, you know, accept certain people to use their services. Um, if there's any way I can make it more visible to people. I mean, I have, I have plans to translate this into Chinese and, and you know, have a community of sex workers submit their own cases and things like that. Um, but is this something that, you know, the government will be interested in picking up and publicizing? Well, um, first of all, um, I think this, uh, need to um, like be tested for security stuff. Uh, like the JavaScript implementation. Probably you want to turn ID into a string before pulling to uppercase. Sure. Yeah. I mean, I'm open to, yeah. For some other objects calling to uppercase may launch a missile or something. Never mind. Sure. Yeah. I mean, like, like it's, it's all open source. It's on GitHub. Anybody who sees issues with it can. Sure. Sure. Sure. Sure. Yeah. Yeah. But, but on the other hand, the PHP one doesn't suffer from this because the expression match works on anything in PHP. Right? So, so for it to actually be referenced implementation, there needs to be a essentially separate security audit. Okay. Yeah. Okay. Um, yeah. I mean, it's just a community project right now. If any auditing is happening, it's going to be coming from users. Also for this to be a online service, of course, you're going to log the IP address of each requester. And so you will have a digital trail of which people access which e-commerce services. Uh-huh. Uh-huh. And that puts the personal data protection burden sign. Okay. What do you mean I have to log the IP? Because currently is V identity TW, right? Yeah. And, uh, from my, uh, knowledge, there is actually a back end here. It's not completely serverless. Uh, like you're not using a, a, um, pound sign. And you're using a custom mock, which means that there is a back end. Yeah. There is a back end. Yeah. But then- It's running JavaScript. Uh-huh. In which case you will have a log of the timestamp IP as well as the ID number of the person accessing the service. Uh-huh. These two combined, you can find out which person purchased which e-commerce services. Okay. Right. So this is not still posted as what I'm saying. This is not something that runs in the airplane mode. Yeah. And so therefore you, you become subject to the non-protection law. Uh-huh. Uh-huh. And, uh, ideally, of course, everyone can request a copy of, uh, whichever log entries that contain their ID number two. It's, according to our, uh, actually if they also is a EU citizen, then they can also request, uh, more times under GDPR. All right. All right. Yeah. That makes, that makes sense. Um, even if you don't capture any logs, you, you can- You can always request. Yeah. And then you must answer, again, within reasonable amount of like seven days. Yeah. Saying I'm not doing logs or something like that. But then, but then you have a duty to respond because we can prove that you're collecting this data. Uh-huh. Yeah. How can you prove it's being collected? Uh, because it's sent to you. Oh. But if it's not being stored, then- Who knows, right? So they force upon you to, to prove it's not stored. To prove that it's not being stored. You'd have to submit your source code and everything. Exactly. It's a lot of work. Okay. I see. Okay. Maybe it's best that it just kind of remains a community project for now. Yes. Yes. I, I, I'm all for reverse procurement. Yeah. It's just that, uh, this is a very sensitive topic right now. Okay. Because people are, for example, pushing against OCSP. And for CRI for precisely the same reason. Uh-huh. Because within OCSP, you're essentially tracking people's movements across websites, but for CRL, like the revoke list of the HTTBS credentials are things like that, then it's basically a certificate authorities pushing out their revocations, right? So the certificate authority learns nothing about your behavior. If it's online, if it's OCSP, then they learn everything about your behavior. And this is also why Cloudflare is now working on what they call oblivious DNS over HTTPS. Again, because they don't want to know your IP, but they can't prove it. So they have to work with a partner that will never collude with them. How does that work? So basically you encrypt a DNS query to Cloudflare through a proxy. So the proxy knows your IP, but not the payload. Cloudflare knows the payload, but not your IP. So if the two of them never colludes, then they don't have your identifiable information. Wow. Okay. That's a lot of investment. Yes, a lot of investment. Yeah. No, I mean, these are all good things to think about. I didn't realize it was such a thorny issue. It's a really thorny issue. Yeah. If you Google for, well, search for CRLite, C-R-L-I-P-E, you'll see some really creative ways to fix these sort of problems. It's now in Mozilla Nightly. I'm using it. Okay. Yeah, I'll do some reading about this. Sure. Okay. Yeah, so I guess for now I'll just keep this community project. And then if it proves to be useful, then that's great for people. What else? Yeah, I guess like really my biggest concern is that there's no enforcement mechanism for private companies. It's just, it can be really frustrating sometimes. I know. Are there, you know, like plans to legislate, you know, like... But legislate what, record expressions? Or just, you know, you can't discriminate services based on the formative system. But I mean, the ID number, really, the law defines ID number as something that the state agency interacts with citizenry. It really is. It's not supposed to be used up by the private sector if you look at the wording of the law. Yeah. But on the other hand, we didn't punish people using the ID number either because there's no law against that. So there's no law for that and there's no law against that. That's our current situation. Okay. And so what you're saying is essentially making the use of ID numbers a kind of license operation. But that will make, I don't know, all businesses? Subject to. Subject to a license application process? Yeah. I'm not sure how that works. Yeah, no, that seems, that seems overly... That seems excessive. I mean, it just seems like a form, it just seems like a form of discrimination. It really is a form of discrimination. It should be protected by inside. Right. So on the other hand, maybe it's not in the laws of ID numbers. Maybe it should be in the law of consumer protection, right? Like class actions or something like that. And there is, there is actually a forumosa post where I raised this argument that you can use the complaint and mediation process in the Consumer Protection Act. I'm sending that to you. Okay. Now, we wait for the pageants. Pageants are here. Consumer Protection Act. And there's a complaint process for the Consumer Protection Act. Is that something that's available online or is it actually available? Yeah, sure. We have the Consumer Protection Authority for that. And in a sense, I mean, you're doing business, so you are a consumer. What we don't have is, for example, when you are entering a building and they require you to show the ID number, you're not in a strict sense a consumer to that building. And so there's like very little what the existing legal process can do to that building's owner or to the guard guarding the building. On the other hand, you're talking about electronic transactions. In which case, you're probably a consumer. And in which case, you're entitled for the Consumer Protection Act. Okay. Can you point me to where you file complaints? Under this act? Of course. I'm actually surprised that this hasn't been more popular as a way of handling. On the other hand, what we are doing now is new to the Consumer Protection Authority too. Because before, we had no schema.tw. You can't even say you're being discriminated against. And now, when schema.tw is going to be updated like real soon now, then once you have that, you have evidence saying the state protects three forms of ID numbers. They are equally good. And so you're obviously discriminating against the other two kinds of numbers. And then you can go through the CPC. That's perfect. That sounds great. And then hopefully they can set a precedent of actually enforcing these cases as well. Yeah, but the CPC is quite, quite rapid. They're really good at doing a real time response. Okay, that's great. Maybe I'll submit one just to see. Yeah, yeah, yeah. The schema is updated. It should be like real soon now. Once it's updated, I'll let you know. Pretty soon. Yeah, within the next month or so. Yeah, of course. And we'll see how CPC views about cases. If they're okay with enforcing online, because I'm pretty sure that the other businesses will follow suit quite quickly. That's great. Okay, that's that's that's really promising. I'll give this a shot. That's I mean, that's really what I wanted to talk to about today. Yeah, sure. So sure. I mean, that the foremost after it is is a gold mine. There's all sorts of different perspectives on this sort of thing. So yeah, to work with the community. That's the first time I've ever heard anyone refer to foremost as a gold mine. Okay. I mean, there are people holding good cards, making it the gold mine. That's true. That's true. Okay, okay. Okay, great. Well, then I'll I'll wrap things up. Awesome. Thank you so much. And enjoy the rest of your day. Yep. Have a good time.