Japan has long been a quiet outlier in Asia-Pacific telecommunications policy. While China required facial scans for every SIM activation, Singapore capped ownership at three SIMs per person with biometric checks, and India tied new contracts to Aadhaar biometrics, Japan drew a narrower boundary: voice-capable SIM cards required identity verification; data-only SIMs and eSIMs did not. That gap closed on April 1, 2026.
What the Amendment Actually Does
Under a revision to the Enforcement Regulations of the Act on Prevention of Unauthorized Use of Mobile Phones, Japan's Ministry of Internal Affairs and Communications (MIC) extended mandatory identity verification to every category of mobile subscription — including data-only physical SIMs and eSIMs. All purchasers, whether Japanese nationals, long-term residents, or passing tourists, must now present a recognised identity document before activation.
The verification standard has simultaneously been upgraded. The older approach — uploading a document photograph alongside a face photo — was discontinued on March 24, 2026. Carriers must now use one of two biometric methods: the JPKI approach (scanning a My Number Card IC chip with PIN entry) or an IC chip reading combined with real-time facial recognition using a driver's licence, residence card, or My Number Card. KDDI's povo2.0 service notified customers on March 25, 2026, citing the ministerial ordinance directly. Every major carrier — NTT Docomo, SoftBank, Rakuten Mobile, and au — updated its registration processes accordingly.
This upgrade follows a June 2024 decision by Japan's Ministerial Conference on Crime Measures, which directed that non-face-to-face identity verification under the Mobile Phone Fraud Prevention Act be integrated with the My Number Card's public key infrastructure, and that IC chip reading become the default even for in-person transactions.
The Fraud Emergency Behind the Policy
The security case for the measure rests on documented, not manufactured, harm. Data published by Japan's National Police Agency shows that specialised fraud (tokushu sagi) — the category covering phone impersonation scams, fake police calls, and phone-mediated investment schemes — reached ¥142.3 billion (approximately $950 million) in losses in 2025, a 98 percent increase over 2024's ¥71.8 billion. Reported cases climbed 32 percent to 27,832.
Police impersonation scams were the sharpest driver: 11,014 cases in 2025 accounted for ¥100.5 billion in losses alone. The script for these calls almost always involves anonymous phone numbers — callers claim a victim's identity has been used to open a fraudulent mobile contract, then pressure transfers to "safe" accounts. Data-only SIMs, purchasable without documentation until April 2026, were a preferred operational tool for such schemes.
Before treating the measure as purely surveillance-motivated, observers should acknowledge these numbers honestly. A ¥142 billion annual fraud loss — concentrated disproportionately among elderly victims — constitutes a genuine public-safety failure that had outpaced Japan's existing countermeasures. The regulation addresses a real, documented vulnerability.
A Thickening Surveillance Architecture
That acknowledgement made, the SIM registration amendment does not stand alone. Japan's telecommunications surveillance framework has expanded considerably over the past year, and the cumulative picture warrants scrutiny.
On May 16, 2025, the Diet passed the Active Cyber Defense Act, authorising the government to collect communication data — IP addresses, command strings, timestamps, and traffic logs — held by telecommunications providers when cyberattack-related traffic is suspected, subject to approval from an independent cyber communications supervisory board. The law explicitly limits access to metadata rather than communication content, and Article 21 of Japan's Constitution guarantees the secrecy of communications as a hard constitutional floor. But the distinction between metadata and content is less precise in practice: traffic metadata can reveal the fact, timing, counterparty, and frequency of every call or message a subscriber makes.
MIC also amended ISP data-retention guidelines in October 2025, allowing carriers and platforms to retain user identity information for three to six months to support identification of posters of illegal content.
The aggregate effect is significant. Japanese law now requires every SIM to be tied to a verifiable biometric identity, grants government access to communications metadata upon oversight approval, and extends data-retention obligations across the telecoms stack. Assessed individually, each step carries a defensible security rationale. Assessed cumulatively, they represent a material shift in Japan's default posture — from a relatively permissive baseline to one where every mobile session is attributable to a named individual.
Japan in APAC Context
The April 2026 move brings Japan into alignment with most of the region. Before the amendment, Comparitech's global SIM registration survey listed Japan as requiring registration only for voice-enabled cards — making its data-SIM exception one of the largest carve-outs in Asia-Pacific. China, India, Singapore, South Korea, the Philippines, Thailand, and Vietnam had all already required identity verification for all SIM types.
The evidence that mandatory registration actually disrupts criminal networks, however, is weaker than its proponents suggest. A 2012 European Commission review examined registration requirements across multiple jurisdictions and concluded there was no demonstrable benefit — either to criminal investigations or to the public interest more broadly. Privacy International's longitudinal analysis of global SIM registration laws reached a similar verdict: the laws are "costly, intrusive, and not the solution," and their primary measurable effect in several countries has been enabling state surveillance of legitimate users while criminal actors adapt by purchasing SIMs through intermediaries or exploiting leaked registration databases.
The Proportionality Test Japan Still Has to Pass
Japan's registration extension is a genuine, if uncertain, anti-fraud intervention. The biometric upgrade — replacing simple image uploads with IC chip scanning and live facial recognition — meaningfully raises the cost of using fraudulent identities to satisfy registration requirements. These are not cosmetic changes.
The proportionality concern is less about this specific measure and more about the architecture it completes. Japan's constitutional guarantees, anchored in Article 21, provide a real floor. But floors require active enforcement, and the cyber communications supervisory board established under the Active Cyber Defense Act has yet to demonstrate operational independence from the executive agencies it oversees. Its track record over the next two years will determine whether Japan's surveillance architecture remains a narrow-purpose anti-fraud and anti-cyberattack tool — or evolves into something broader.