contents of kakao Privacy Philosophy

Technical Measures

KakaoTalk Secret Chat Mode

Kakao introduced the “Secret Chat” feature as part of our effort to enhance privacy options. Our regular chat and Secret Chat functions both exchange users’ messages in an encrypted state.
An end-to-end encryption, a technology that saves a key that can decrypt the encryption in the user’s smart phone, has been applied to Secret Chat. Since Kakao’s server is unable to decrypt the encryption, only the users engaging in a conversation can check the contents of the message, which blocks the message from being viewed by any unwanted eyes. Secret Chat was first applied to the one-on-one chatrooms in December 2014, and applied to group chatrooms in March, 2015. Regular Chat >Device> Encrypted Communication>Server>Secret Chat *Secret keys of the individual devices are exchanged through public key encryption

Privacy Impact Assessment
A privacy impact assessment, which is conducted in the service planning and development stages to identify whether the service conforms to related laws and analyze the privacy impact the service has, helps eliminate possible risks in advance. An expert on privacy is directly involved in all stages to assist in the overall privacy risk management by consulting with the service managers on all aspects of the service and providing plans for improvement.
  1. Prior to Launch Personal information lifecycle and personal information management system is reviewed from service planning through the service's release.
  2. Live Services Services that post-launch collect, use or provide personal information are subject to review.
  3. Discontinued Services Before destroying personal information: - Time of destruction is considered - Securest method of destroying information is considered
* Requirements
  • 1. Collection of personal information - User consent acquired - Only the most necessary information is collected
  • 2. Transfer and storage of personal information - Safe transfer of information is ensured - Password, financial information and location information encrypted and stored
  • 3. Use of personal information - Methods in place to prevent misuse or abuse of personal information
  • 4. Provision of personal information - Only the most necessary information is provided - Safe transfer of information is ensured
  • 5. Personal information management system - History of handled personal information is checked - Access of handling personal information is reviewed - Controls in place for unecessary exposure of personal information - Processed personal information is monitored
Infringement Prevention Activities

Kakao has established and implemented various preventive inspection procedures, including a vulnerability scan, secure coding and code reviews, in order to develop and provide safe services. Vulnerability scans are conducted regularly from before the service is launched up until the service is terminated, so that suitable security measures are applied to a Kakao service at a level that exceeds legal requirements. Kakao’s vulnerability scan is conducted with a checklist and risk model that has been created with data and expertise we have accumulated through our experience of many years of service providing. Secure coding is ensured through a code review process, which is applied to the development stages to resolve any technological vulnerability. Vulnerabilities in security evolve with technological development. Therefore, we at Kakao make efforts to respond to the new vulnerabilities in advance by applying new trends and technology in our services.

Strict External/Internal Access Restrictions

Kakao’s personal information processing system and user information database has an access control process that grants access to only a small number of system operators who have acquired authority in advance. When authorities are granted, the employee granting authorities clearly identifies tasks that require the authority along with the usage of the authority, and grants the authorities only to those who need it. In addition, the logs of employees who have been granted authorities are monitored regularly and access to unauthorized information is blocked. All unauthorized access attempts are monitored and blocked by an intrusion prevention system. A server firewall is installed, managed and operated to protect important information. Employees who access personal information are required to work in a network-separated work environment where Internet is blocked, fundamentally preventing any leaks of personal information and inflow of malicious codes.

Employee Regulations

Logs related to employee’s access and use of users’ personal information is analyzed and monitored, and any employee’s requests, modifications or deletion of authority owned by employees are recorded and stored. Employee’s authorities are reviewed on a regular basis and unnecessary authorities are deleted. Employees are required to participate in personal information security training more than two (2) times a year and sign a privacy and confidentiality agreement to strengthen their awareness on privacy protection. Programs that detect and eliminate malicious codes are embedded in all employees’ personal computers. The company’s network monitors programs that access users’ personal information, as well as usage pattern of programs that manage major functions, such as customer services.

24-hour Security Measures

Kakao built a Security Control Center and currently monitors any abnormalities or hacking threats 24 hours a day, 365 days a year. This process includes a dual monitoring system, where experts from outside the company assist in the monitoring process to prepare for any unexpected threats. Any detection of abnormalities, including excessive attempts to access the service from a certain country or an overload in traffic from a specific IP, is attended to immediately by identifying the abnormality and confirming the influence it has on the service. Logs that are created during the process of operating numerous services are also analyzed from multiple angles.

Countermeasures against Personal Information Leaks

When Kakao becomes aware of personal information leaks, the fact is notified to the concerned user(s) through email or other means in principle in accordance with applicable laws. In addition to the details of the incident and actions to be taken by Kakao, a contact information for the users to make inquiries about the incident will be provided. Kakao will also provide additional information such as the relief procedure for users whose personal information has been leaked, to minimize losses occurred. Kakao has an internal procedure in place to report personal information leaks to relevant authorities in accordance with applicable laws. By discussing the scale and details of the incident with relevant authorities, Kakao is committed to finding the best solution to minimize any loss occurred to users.