by arcaster 2678 days ago
Why would anyone ever be okay with this? Regardless of the country or how soft the culture is - this should never be seen as "okay" or "passive" in any way.
5 comments

It's a difficult choice. In a way, you can see it as a free pen-test on your network.

I don't even think it's a case of trusting them, because if they get access to webcam data or something else that they shouldn't, assume someone with less well-meaning intentions can and has also done so.

Yeah - this is exactly the root of what I'm getting at. Nobody really knows who "the government" really is. They're so bad at keeping their own secrets secure and in the right place - I sure as hell don't trust the least common denominator among gov't employees when it comes to privacy and ethics to have anywhere near the kind of observation into my life they already have from a squad car filled with feds and a telephoto lens...
Well, in this case, it's the NICT (National Institute of Information and Communications Technology) and it sounds like their efforts will stop at rainbow-tabling the devices, such as IP cameras etc., to see which have default credentials or weak credentials.

The problem is that the normal, everyday people who run these devices, for the most part, don't understand that not only are they open to the internet, most manufacturers provide Dynamic DNS, making it painfully easy to search for them. Further still, these manufacturers set the same default password for every device. Some have been known to leave the "empty" credential slots usable. Due to poor programming, you could simply log in with no credentials at all.

I have to agree, I'd be hard pressed to decide whether I would or wouldn't accept this "survey", but, with notice, like people are being given here, you can mitigate the risks (cover the cameras, remove the data etc) and be told there are weaknesses in your system, or alternatively, not know and have some unknown accessing them at any point they wish, for any reason they wish.
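The weakness described in the comment above (a factory password shared by every unit, plus a login check that accepts an empty credential) can be checked on devices you own before anyone else does. The following is an added example, not code from the thread or from NICT: a constructed stand-in "camera" that does HTTP Basic auth with the empty-password bug, a hardened variant beside it, and a small audit routine that tries a constructed list of factory credentials and reports which ones the device accepts. The device classes, the credential list and the URLs are assumptions for the demonstration; run the checker only against equipment you are authorised to test.

```python
"""Audit a device for default or empty credentials over HTTP Basic auth.

Added example; the 'camera' handlers are constructed stand-ins, not real firmware.
"""
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed list of typical factory credentials (assumption, not vendor data).
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "1234"), ("admin", ""), ("", "")]


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' header."""
    if not header.startswith("Basic "):
        return "", ""
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except Exception:
        return "", ""
    user, _, password = decoded.partition(":")
    return user, password


class VulnerableCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a poorly programmed IP camera.

    The login check short-circuits on an empty password, so the 'empty
    credential slot' works exactly as the comment describes.
    """
    USER, PASSWORD = "admin", "s3cret"   # constructed factory credentials

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _respond(self, ok):
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="cam"')
            self.end_headers()

    def do_GET(self):
        user, password = parse_basic(self.headers.get("Authorization", ""))
        # Bug: `not password` lets any request with an empty password through.
        self._respond(not password or (user == self.USER and password == self.PASSWORD))


class HardenedCamera(VulnerableCamera):
    """Same device with the check done properly: both fields required,
    compared in constant time against the stored values."""

    def do_GET(self):
        user, password = parse_basic(self.headers.get("Authorization", ""))
        ok = (bool(user) and bool(password)
              and hmac.compare_digest(user.encode(), self.USER.encode())
              and hmac.compare_digest(password.encode(), self.PASSWORD.encode()))
        self._respond(ok)


def find_accepted_credentials(base_url, candidates=DEFAULT_CREDENTIALS, timeout=3):
    """Try each (user, password) pair; return the ones the device accepts (HTTP 200)."""
    accepted = []
    for user, password in candidates:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(base_url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    accepted.append((user, password))
        except urllib.error.HTTPError:
            pass   # 401 or other error: this pair was rejected
        except urllib.error.URLError:
            break  # device unreachable; stop rather than report false negatives
    return accepted


def start_server(handler):
    """Run a handler on a loopback port in a daemon thread; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    for handler in (VulnerableCamera, HardenedCamera):
        server, url = start_server(handler)
        print(handler.__name__, "accepts:", find_accepted_credentials(url))
        server.shutdown()
        server.server_close()
```

Against the vulnerable handler the checker reports both empty-password pairs as accepted; against the hardened one it reports none, while the real credential still works. Point the checker at a real device's URL only with permission, and treat any hit as a reason to change the password and take the device off the public internet rather than as a pass/fail score.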

Yeah, but all information they might gather here is already available for anyone else who wants to run a scan.
What would happen if a plebeian performed this free pen testing? I think we have several examples.

In several countries pen testing tools for plebeians are even illegal.

Sure, it's one rule for them, and another for everyone else.

But, let's be reasonable for a second, Japan is concerned that if people's networks aren't secured before the Olympic games, these vulnerable devices will be used to disrupt systems by outside attackers and potentially cost the country significantly.

It's well known that IoT devices on the market are poorly implemented and poorly secured and rarely-to-never updated by the manufacturer.

People run pen tests every day. You might know https://www.shodan.io/ ?
Note that Shodan doesn't try to authenticate with the devices - not even using default credentials. This is different than what Japan is proposing; they want to try various default credentials to identify devices that could be used for various attacks (ex. Mirai).
So is arresting someone unless you're a police officer...
So what's the alternative? No one does pen testing and then any government (or motivated individual) can access your data? I'd rather my own government do it than no one at all.

It is particularly hairy, and I don't think there's a perfect solution for the average person.

Most people who care about such things have already come to terms with the fact devices they expose to the internet are scanned by botnets/hackers several times an hour.

Once the avalanche is in progress, a government plan to add an extra snowflake scarcely matters.

If they wanted to do it for a malicious purpose, they just wouldn't announce it.
Why wouldn't they? It's institutionalized white-hat pen testing.