Where is your id… your Swedish identity?

64 thousand Swedish identities were hijacked in 2013. The population of Sweden is today around 9.5 million, which means that identity fraud hit roughly 0.7 percent of the Swedish population in that one year.

“So what, that’s nothing?” You are thinking….

Nevertheless, that is roughly 1 in every 150 Swedish residents who fell victim to identity fraud in 2013 alone. Sweden is not exempt from the growing global trend of identity fraud.

In Sweden, however, it is going to increase exponentially if Swedish law is not changed. We can expect subsequent years to bring an influx of fresh victims; that could be you, if you are one of the 9.5 million residents and/or citizens of Sweden, your friends, or even your children.

Identity fraud in Sweden will increase exponentially if Swedish law is not changed!

First a little history on how we got to where we are. Sweden is one of the few countries that is organized enough to have implemented a comprehensive personal identity numbering scheme. It was introduced in 1947 and was probably the first of its kind to cover every resident of a country. Unfortunately, the fact that Swedish identities are keyed on a uniform, structured identifier, YYMMDD-xxxx where YYMMDD is the date of birth, makes the personal identity number far easier to guess or reconstruct than a randomly generated one. Once a fraudster knows a victim's date of birth, at most a thousand candidate numbers remain (five hundred once the sex is known), and the rest can be found with simple public lookups.

For those of you that want a quick summary of how the Swedish ID number is created… here we go..

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person's date of birth, in YYMMDD form.
3. They are followed by a hyphen (a plus sign replaces it from the year the person turns 100).
4. The seventh through ninth digits are a serial number.
5. An odd ninth digit is assigned to males and an even ninth digit to females.
6. The tenth digit is a checksum, a Luhn (modulus 10) check digit computed over the other nine digits, introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.

To get the last four digits, the easiest route is to call the Swedish Tax Authority (Skatteverket) and ask; they are very helpful, since the personal identity number is public information.
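To make the "easy to work out" claim concrete, here is an added example (written for this page, not code from Skatteverket or from the original post) that validates the check digit and enumerates every checksum-valid number for a given birth date and sex. The only input it relies on is the public format described above; the sample number 811218-9876 is a constructed test value that happens to pass the checksum, and the serial_prefix parameter is a hypothetical stand-in for the pre-1990 county knowledge, not a table of real county codes.

```python
"""Swedish personnummer: check-digit validation and candidate enumeration.

Added example for this page. Assumptions: format YYMMDD-NNNC (or '+' as the
separator for people aged 100 or more), odd ninth digit = male, even = female,
and a Luhn (mod 10) check digit over the nine leading digits, weights
2,1,2,1,... from the left. 811218-9876 is a constructed test value.
"""

from typing import List


def luhn_check_digit(nine_digits: str) -> int:
    """Return the tenth (check) digit for the nine digits YYMMDDNNN."""
    if len(nine_digits) != 9 or not nine_digits.isdigit():
        raise ValueError("expected exactly nine digits")
    total = 0
    for i, ch in enumerate(nine_digits):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10  # digit sum of the product (max 18)
    return (10 - total % 10) % 10


def is_valid_personnummer(pnr: str) -> bool:
    """True if pnr is well-formed and its check digit is correct.

    Only the format, a plausible month/day and the checksum are checked; a
    number can pass this test without ever having been assigned to anyone.
    """
    if len(pnr) != 11 or pnr[6] not in "-+":
        return False
    digits = pnr[:6] + pnr[7:]
    if not digits.isdigit():
        return False
    month, day = int(digits[2:4]), int(digits[4:6])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    return luhn_check_digit(digits[:9]) == int(digits[9])


def sex_from_personnummer(pnr: str) -> str:
    """Sex encoded by the parity of the ninth digit (second from the end)."""
    return "male" if int(pnr[-2]) % 2 == 1 else "female"


def candidates(birthdate_yymmdd: str, male: bool, serial_prefix: str = "") -> List[str]:
    """Every checksum-valid number for a known birth date and sex.

    Serials 000..999 exist in principle; the sex parity rule halves that to
    500, and the check digit is then fixed for each serial. serial_prefix is a
    hypothetical extra constraint (e.g. the first two serial digits, which
    before 1990 correlated with the county) that shrinks the pool further.
    """
    if len(birthdate_yymmdd) != 6 or not birthdate_yymmdd.isdigit():
        raise ValueError("birth date must be six digits, YYMMDD")
    pool = []
    for serial in range(1000):
        nnn = f"{serial:03d}"
        if not nnn.startswith(serial_prefix):
            continue
        if (int(nnn[2]) % 2 == 1) != male:
            continue
        check = luhn_check_digit(birthdate_yymmdd + nnn)
        pool.append(f"{birthdate_yymmdd}-{nnn}{check}")
    return pool


if __name__ == "__main__":
    sample = "811218-9876"  # constructed test value
    print(sample, "valid:", is_valid_personnummer(sample), "sex:", sex_from_personnummer(sample))
    pool = candidates("811218", male=True)
    print(len(pool), "candidates for a man born on that date; sample in pool:", sample in pool)
    print(len(candidates("811218", male=True, serial_prefix="98")), "left if the first two serial digits are known")
```

The point of the enumeration is the size of the pool: with nothing but a birth date and a guess at the sex, the attacker is down to 500 numbers, and any public directory that echoes "valid/not found" for a number, or a helpful phone line, closes the gap completely.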

But what does it really mean to have your identity stolen, or hijacked as the Swedish popular press more often puts it? Here is how a Swedish identity could be stolen, starting from nothing but a name and working towards the personal identity number:

  1. Google the name of the victim. From here the fraudster will find the date of birth (ratsit.se, birthdays.se), the home address on a cute map, and other information (hitta.se);
  2. To get the last four digits the fraudster can ring the Swedish Tax Authority directly and ask; it is, after all, public information, and they are very helpful.
  3. Now the identity thief can go online and order a fraudulent ID card and/or a fake passport carrying the stolen personal identity number. The number on the document is the victim's genuine one, so it checks out against any register, but the photo is that of the fraudster.
  4. He/she is ready to go on a spending spree at the victim's expense! Even without access to the victim's credit/debit card, they can buy electronic goods on credit with a small down payment (avbetalning). The victim gets to foot the rest of the bill.
  5. A shop assistant checking the ID card sees details that match and processes the transaction.

And this is just the beginning of the nightmare for the victim. The fraudster can take out additional loans in the victim's name, buy a car or a house, and default on the payments. The victim will be blacklisted by the credit companies. Cleaning up this mess will not be easy; it will take a lot of energy and time to clear their name, and the victim can forget about getting a loan or any other type of credit in the meantime.

I guess after all this excitement the victim will want to remove their personal information from the public domain? Sorry, but there is more bad news. It is next to impossible. Swedish residents have no legal right to keep their personal identifying information out of these registers. Credit reporting agencies and other database operators obtain something called an utgivningsbevis (a publishing certificate for a database) from the Broadcasting Authority (Myndigheten för radio och tv); it costs a couple of thousand Swedish kronor and places the database under the Fundamental Law on Freedom of Expression, outside the reach of the Personal Data Act (Personuppgiftslagen, PuL), so the Data Inspection Board (Datainspektionen) cannot intervene. On the date of this publication 913 companies had been granted an utgivningsbevis. So in Sweden the personally identifiable information (PII) of data subjects is public information.

Data subjects do have some say over the integrity of the PII that is published, but that is driven by the Credit Information Act (Kreditupplysningslagen): the agencies are required to correct faults in their databases, but a data subject has no right to be omitted from the register unless they have a 'protected identity' (skyddad identitet). Hence all residents of Sweden over the age of 16 are included, and public.

All of this is despite the Personal Data Act (PuL), which is supposed to protect the personal information of Swedish residents and citizens. In this context the PuL is impotent. The Swedish codification of the European Union Data Protection Directive simply does not work here, and the source of the problem is that the PuL does not apply where its application would conflict with the Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen, 1991).

What this means is that the Fundamental Law on Freedom of Expression is being exploited by companies making money from the identities of Swedish subjects. It is a Mad Hatter's tea party for the 900-odd companies abusing this right at the cost of Swedish citizens and residents!

As a Swedish citizen, I have nothing against companies making money from identities so long as:

  1. I’ve given active consent to this;
  2. I have the choice to have it removed;
  3. and if I have permitted my personal information to be used commercially, I should also be a beneficiary from sharing my personal information.

To summarise. If you are a Swedish citizen/resident your personal information is public information and is being exploited commercially. This exploitation makes you vulnerable to identity theft. You have no control over who publishes your personal information.

It is about time this problem was fixed don’t you think?

Further reading

http://www.datainspektionen.se/press/nyheter/2014/datainspektionen-kan-inte-ingripa-mot-sajt-som-hanger-ut-domda/

http://www.riksdagen.se/en/How-the-Riksdag-works/Democracy/The-Constitution/The-Fundamental-Law-on-Freedom-of-Expression/

http://www.radioochtv.se/en/Licensing/Internet/

http://sverigesradio.se/sida/avsnitt/404038?programid=2778&playchannel=132

LinkedIn publications

I know it's been a bit quiet here lately, but I've been testing LinkedIn's publications service. I've published 5 articles, and it's quite okay. The tools are quite rudimentary, so the finished result is not quite the same quality as with WordPress. You have the potential to reach a wider audience. BUT, after much deliberation, I prefer my privacy blog. It is more satisfying; I get my faithful followers returning day after day. It also feels more like I have control. I can at least take a backup onto my Mac.

The problem with WordPress is that it is more difficult to comment if you don't have an account. I need to check this out.

Okay, so I’m back 🙂

What are THEY saying about YOU?

I think therefore I am

Let us first get a clear definition of what an identity is. Let us keep it simple and not get dragged too far into the social-science and philosophical meanings of identity, although from those disciplines what we could probably agree on without much debate is that your identity[i] is what makes you definable and recognisable; it is your comprehension of yourself as a discrete, separate unit.

This is where we will stop, because today, in our digitised society, your digital identity is quite simply an object in duplicate, triplicate and more, copied across numerous disparate directories scattered around the globe. Your digital identity is made up of fields and attributes in numerous databases somewhere, and over where it is you have no control.

Be what you desire to appear

The way to gain a good reputation is to endeavour to be what you desire to appear. Socrates 470 BC-399 BC

Socrates must have had foresight of the information society we are all part of today, because this is truer now than it has ever been. For example, we can create a digital presence in professional networking spaces such as LinkedIn. Here we can build our reputation online in a structured way and paint a picture of the persona we would like to be seen as; after all, this is where the head-hunters are prospecting.

This takes us on to the subject of reputation, which is something others can influence, positively or negatively, with references pointing back to you. Your reputation is the set of claims you make about yourself, which nobody believes unless they are validated by what others say about you. Online, your reputation is what can be found about you, and arguably it is also affected by what cannot be found about you: if you are invisible online, the head-hunters will not find you!

Identity vs. reputation

To differentiate your identity from your reputation, one could say that your identity has nominal value to you: it enables you to function in society. In effect, your digital identity was originally created to give government authorities enough data to make decisions concerning the welfare of the state. In addition, your identity has significant value to others who are motivated to make money from who you are and what you do, e.g. loyalty card schemes, which become part of your digital footprint. These are transactions linked to your identity, some of which you control and some of which you do not. Then of course there are the identity thieves, who can steal (or, as Jim Harper, author of Identity Crisis, argues, 'borrow') your identity and use it to make purchases on your credit cards, take out additional credit, draw money against your bank account and even open bank accounts in your name, destroying any reputation you may have built up with the institutions providing your financial services. Your identity is digital, and everything you do is a history of transactions tied to it. This is where the transactions linked to your identity overlap with your reputation. What matters is that all of this is your digital footprint, whether you control it or not.

If you don't control your digital identity, you don't control your reputation either

Your reputation is worth a great deal to you but nothing to others, unless they use your reputation to add value to their own. To all intents and purposes your identity is a nugget of gold to those motivated to collect, use and abuse identities, whereas your reputation can make or break your professional and private life. Everything you publish online has most likely been copied and replicated to another server, or indexed and cached by some search engine. For this reason your reputation has a persistence it never had before. Hence if you don't control your identity, you don't control your online reputation either!

Protecting your identity

Your identity and anything that links to you, including the digital residue (digital footprint) you leave in your wake, is a gold mine for gold diggers. Gold diggers can come in many forms; there are those that you share your personal information with because:

  • You have to, i.e. you have no choice with government authorities including law enforcement, health authorities, those you want to borrow money from, etc.,
  • You choose to, i.e. you are a participant in one or more loyalty card schemes where you allow them to track your purchasing habits;
  • You are unaware that a cookie has been downloaded onto your PC that tracks your activities;
  • You are aware that a cookie has been downloaded onto your PC that provides your favourites, shopping basket, etc., when shopping online, e.g. Amazon.com
  • Identity thieves steal/borrow and use your identity for fraudulent purposes.

There are loads of resources online, and books published on how to protect your identity, such as: keep a paper shredder handy at home, don’t take out loyalty cards, avoid accepting cookies (that is if you know they are being downloaded), install the most stringent privacy settings on your browser, use strong passwords and change them often, etc.; a diverse compilation of security procedures aimed to protect your identity, but at the same time, collectively are not altogether practical.

It is impossible to protect your identity in its entirety, and most people do not even try. One could roughly categorise the efforts that people take at three levels:

  1. Those that are not aware, or concerned about threats to their personal privacy and do not see identity theft as something that can happen to them;
  2. Those that are aware but feel that the benefits received from those interested in their identity, i.e. loyalty card schemes, outweigh any supposed costs to their privacy, however this group does appreciate the threat of identity theft;
  3. Those that are very concerned about threats to their personal privacy: they avoid loyalty card schemes, have software installed on their PC to warn them of threats (cookies at the lowest level), and have a paper shredder at home.

You can do yourself a service by identifying yourself within one of these three categories, and then be conscious about what you are, or are not doing to protect your identity. Search online for “protecting identity”, you will be offered a rich collection of advice in the form of: tips, articles, videos, etc., then you can make a choice on what works for you.

Nurturing your reputation

Your reputation is worth nurturing. You can use your online reputation to create a kind of personal brand. Once you have separated your reputation from your identity it becomes quite straightforward to take hold of it and manage it. Your reputation could be divided into three phases:

  1. What you did before,
  2. What you are doing now and in your lifetime, and finally
  3. What happens after you die.

It takes skill to manage your reputation effectively.

Taking control of your past reputation

The consequences of what you have done before today, can be positive or negative. It is positive if it reaffirms what you have stated about yourself. If it does not, for example, there are photos of you half naked and drunk on your MySpace profile, then this information has the potential to be damaging to what you want to achieve today or tomorrow and doubtless in your professional life, both online and offline. As already stated, digital information has a persistence value i.e. it never goes away.

Among the companies providing services to help us manage our digital footprint are:

  • Reputation Defender, which offers to clean up any digital residue with the potential to damage your (and your children's) reputation. They offer a one-off cleaning service and a continuous one, e.g. checking monthly what your children have been doing online, sending reports, cleaning up, etc.;
  • Services such as ZoomInfo, which give you some control over what people find on you first and, if you are lucky, maybe they will not look any further. These services deliver unstructured information in a structured way: ZoomInfo searches the Internet for occurrences of your name in newspapers published around the world, and if instances are returned you are given the option to claim them as linked to your identity. To prove your identity you need to provide your credit-card details. Once you have claimed your identity, anyone who Googles you is returned your ZoomInfo profile near the top of the search ranking.

Taking control of your reputation – today and in the future

LinkedIn, Spoke, and similar online professional networking tools are a perfect medium for creating a personal online brand that reflects who you are today and the vision of what you want to be in the future. Your online brand can be enhanced by requesting personal recommendations for your work from existing or former colleagues. Be aware that everything in your profile is searchable, so encourage those recommending you to use words that will match the keyword searches head-hunters use when looking for candidates, e.g. visionary, leader. The most powerful statements about your capabilities come from others, not you, and these will make you into a powerful online brand. Other ways to strengthen your brand are: to show active participation in online forums; host or take part in a professional blog; tweet; volunteer for work in charities that give you an opportunity to practise skills that are not possible in your present role; take part in sporting events; publish, or think about becoming a speaker. All of these activities will be recorded somewhere online and will come back in a search against your name.

Finally, to maintain a clean online reputation you need to be wary of cross-feeding, i.e. contaminating your professional reputation with your social activities, for example by allowing feeds between your social and professional profiles, or by accepting friend requests on Facebook from your professional network. Google yourself and see what it returns. It is also advisable to make your privacy settings on Facebook, or whatever social medium you use, as stringent as possible. Beware that your friends may not do the same: they can tag you, link you and describe activities that include you, all of which could end up in the public domain.

Rest in virtual peace (RIVP)

Do you really care about what happens to the virtual you after you die? Well it seems that many do. In fact this space is becoming so important that a new and growing business has appeared on the landscape in the shape of the ‘virtual mortuary’. Just as a mortuary takes care of your physical remains after your death, the virtual mortuary takes care of your virtual self.

A virtual mortuary is in effect a third party assigned to take care of a person's online identity and reputation after they have died. A couple of years ago I saw a couple of companies pop up online to offer these services, although they don't look very active today. Even though this could clearly be done by someone near and dear to the deceased, by using an objective third party you can in effect leave a 'will' on how you would like to be seen by your children, grandchildren etc., in your online persona, after you have moved on to the other, not so physical or virtual, world. A virtual mortuary could offer services that keep some communications active after death, so you are tweeting in the afterlife, and could theoretically even organise your virtual funeral in Second Life or some other virtual world where you virtually existed in life.

Finally…

Your identity needs protecting and your reputation needs nurturing; both, plus the digital transactions left in the wake of your identity, make up your digital footprint. If you don't control your identity, you are at risk of losing control over your reputation, which is a part of your digital footprint.

There are new ways emerging to enforce your identity, so that you, the identity owner has control. I call this identity control. More about this is written in other articles that I have published, and plan to publish during the following weeks….


[i] Wikipedia (2010) Identity. Retrieved 30 July from http://en.wikipedia.org/wiki/Identity

So What Makes Your Identity Strong, is it YOU?

Think about this… it is not what you say about yourself that makes your identity strong, it is what other people say. Clearly you have some influences, but it is not you that makes your identity strong, one could say its your reputation that is the backbone for your identity strength. Or is it?

I’ve been thinking about this for a long time now, because you know it really doesn’t matter whether you have a good or a bad reputation. So long as you have one, and people are talking about you, your identity is strong. Your identity cannot be stolen. Persons with strongest identities are prominent figures nationally and internationally. A good President or a bad President, doesn’t matter, their identities are strong.

The fact is the more references, i.e. people that refer to you, the stronger is your identity. Hence your identity is strengthened by exposure, and then by others pointing back at you, and saying that you are who you say you are. This is not reputation, this is your personal ecosystem. It is what they say that makes your personal ecosystem vibrant with positive or negative energy, i.e. your reputation.

Now what about your digital identity? Today, in our digitised society, your digital identity is quite simply an entry in a database, an object in duplicate, triplicate and more, copied across numerous disparate directories scattered around the globe. Hence your digital identity is not an identity at all. You don't own it, and you don't know where it is! The consequence is that your digital identity is easy to steal and use fraudulently, weakening with exposure, the inverse of what happens with your physical identity.

So what could make your digital identity strong?

The problem at the moment is that your digital identities are organised around the information they need to access, not around you, the identity owner. Pretty weird really, but less so when one understands that the need for information security, i.e. protection of the confidentiality and integrity of information, did not arise until after the information silos had been created. So authentication credentials (your digital identities) were bolted on to each silo and given access commensurate with what was needed and approved by that silo's information owner. As the silos continued to multiply around the world, so did your digital identities. So it's a bit of a mess really.

Security pertaining to a digital identity should be organised around the identity, not the information!

Is there a solution? Yes we need to completely rethink how we do identity control. Note, I call this identity control and not identity management. It is my opinion that security pertaining to an identity should be organised around the identity, not the information. It should be the identity owner that controls their digital identity and whatever is created in its wake (i.e. digital footprint). Now, if the creation of digital identities were to mirror how it works in the physical world, i.e. strength of digital identities grows through referencing, which means the digital identity becomes stronger with exposure, then we have a solution!

So You Want to be Forgotten?

There is a good write-up of the discussions on the Right to be Forgotten (RTBF) following the ruling at: Debate Write-Up: Rewriting History.

Christopher Graham, the Information Commissioner, gives a good explanation of what it really means, but unfortunately it is lost in the panicked cries of the other participants in the debate.

It is very straightforward. There is claimed to be a conflict between freedom of speech and personal privacy, i.e. in this case the RTBF. However, there is not; as Graham states:

1) There are two types of parties here: a) the data controller, and b) the journalist;
2) The ruling applies the RTBF to the data controller, not to journalists, so in the UK for example it does not affect s.32 of the Data Protection Act;
3) Just because the search results are no longer returned by the data controller's search engine does not mean that the data does not exist. It is just no longer searchable by that route;
4) The information pertaining to the individual is still on the newspaper's website, and should still be searchable directly on that website.

So this cannot be likened to ‘burning of books’ or ‘re-writing history’ as in George Orwell’s 1984. It basically means that if, for example an individual defrauded the Inland Revenue 10 years ago:

– If you search for this person by name, the article will not be returned in the results;

– However if you search for ‘Inland Revenue fraud’ it could return this person’s name in one of the related articles.

What I see is that the main challenge is a technical one. At the moment the onus is on the data controllers to receive requests and to decide whether the requester has a valid case for removal from their search engines. However, I believe this should be done by default by the newspapers' own websites. That could be difficult, because on a technical level it is only possible, as far as I am aware today, to exclude whole web pages from Google, not individual names or specific words.

Re-thinking Information SECURITY

I love ticking boxes; it makes me feel as though I've achieved something. Each tick-box is a step closer to completing my list of 'things to do'. It's kind of satisfying. It is even more so when I get paid a good hourly fee for ticking boxes 😉

Okay, so I'm joking a little. Preparing an organisation for ISO 2700x certification is a little more complex than purely completing a checklist. Yet however simple or complex it is, even when your organisation passes its audit, that does not prove it is secure. It does prove that you tried your best, i.e. demonstrated 'due diligence'. Then if something does go terribly wrong, e.g. one of your user accounts is used to hack into the organisation, and it is made public, that can ruin your business. Well, you tried your best within the boundaries of your capabilities, so I guess that's okay? Or is it? I guess not, if you go out of business, or end up spending the subsequent 12 months in crisis mitigation mode!

The problem as I see it is multidimensional and not limited to this list:

1. Reactive security – We are so focused on doing the security stuff that we understand, i.e. ticking boxes and doing just enough to get compliant, that we never get to the core of the problem.

2. Product-focused security – Even when a problem could be solved with a product, there are so many security vendors touting the 'magic bullet' that nobody knows who or what to believe anymore.

3. Misalignment of security spend with LoB – Security products are often implemented without addressing a fundamental business need. The evidence is that new security products/services come out of the IT budget, not from the Line of Business (LoB).

4. BandAid security – Because of point (3), the lack of LoB ownership of security spend means no sponsorship. The result is that even when security spend is approved, e.g. for the mitigation effort needed to meet compliance requirements, the effort can be likened to a 'BandAid' approach to fixing what needs fixing.

5. Non-contiguous defense-in-depth security – Because of all of the above, your security infrastructure is not contiguous. The 'defense-in-depth' approach to your security programme that security experts recommend may be deep, but it is full of holes.

6. Information that moves – Our digitised society has changed the parameters of how we should be doing security, yet in our organisations we are still thinking as though information is static and can be contained. It cannot.

Fixing all of the above is pretty daunting, and it is generally acknowledged today that there is no way to guarantee that the confidentiality and integrity of the information assets your organisation owns are fully protected. So what's my view on this?

Well, it is fun ticking boxes, and I've made a lot of money during my career in this activity. But I guess you've figured out that I don't find it quite as satisfying as I made out at the beginning of this post. To try and simplify things I see roughly two tracks in my head. The first is business security: the linkage from business needs right through to scoping. The second is how to do this from a technology perspective, which I've grouped as people-centric, device-centric and information-centric. This reflects the fluid nature of information today, which cannot be contained by building a fortress around it.

BUSINESS Security

B1. LoB – What is the need? Firstly, security needs and spend must come directly from the LoB. They know their business best, and know what needs protecting better than I do as the security expert, or your IT department does. The most important questions to ask are: 1) "What can ruin your business?"; and 2) "What do you need to be compliant with?".

Clearly security spend should be commensurate with what you want to achieve. For example, if a vendor wants to sell you a DLP product across your whole company, think twice and ask what it is needed for: to protect you from ruin, or to be compliant?

B2. Keep it small – Take one business process at a time and fix it using the following three principles.

TECHNICAL Security

T1. People-centric security – How we do identity control today is the weakest link in the security chain. I call it identity control, not identity management, because it is about control and traceability, for your organisation and for the identity holders. I will write more about this over the next few weeks. Your organisation and your employees are continually part of digital interactions, and all of those that you share together belong to your organisation!

T2. Device-centric security – Take a look at what the Trusted Computing Group is doing with the TPM chip. I normally refer to it as putting "security at the 'chip' level". This is not technically accurate, but it conveys that the security sits at the hardware level of the device rather than at the application layer. If you liken it to a house, it means that you have walled in all your windows (the application layer), and the only way in is through the ground-floor door, with strong security controls linked intimately to your digital identity, which of course follows the people-centric approach to identity control 😉
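As an added example, not code from this post or from the Trusted Computing Group, the following Python simulates the mechanism a TPM uses to tie a device to what it actually booted: each component measured at boot is "extended" into a Platform Configuration Register (PCR_new = SHA-256(PCR_old || SHA-256(component))), and a verifier later checks a quote of the PCR against a golden value recorded at enrolment. The event log, the component blobs, the per-device key and the HMAC that stands in for the TPM's attestation-key signature are all constructed assumptions for illustration; a real TPM signs the quote with a key that never leaves the chip.

```python
import hashlib
import hmac

# A PCR in the SHA-256 bank is 32 zero bytes at power-on.
PCR_INIT = bytes(32)


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || H(component)).
    A PCR can only be extended, never written, so its final value commits
    to every measured component and to the order in which they ran."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay_log(event_log) -> bytes:
    """Recompute the PCR a verifier expects from an event log of
    (component name, component bytes) pairs, starting from reset."""
    pcr = PCR_INIT
    for _name, blob in event_log:
        pcr = extend(pcr, blob)
    return pcr


def make_quote(signing_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Stand-in for a signed TPM quote (assumption: an HMAC under a per-device
    key plays the role of the attestation-key signature). The verifier's
    nonce is bound in so an old quote cannot be replayed."""
    return hmac.new(signing_key, nonce + pcr, hashlib.sha256).digest()


def verify_quote(device_key: bytes, nonce: bytes, reported_pcr: bytes,
                 reported_quote: bytes, golden_pcr: bytes) -> str:
    """Verifier side: first check the quote really came from this device for
    this nonce, then compare the attested PCR with the enrolled golden value."""
    expected = make_quote(device_key, nonce, reported_pcr)
    if not hmac.compare_digest(expected, reported_quote):
        return "quote invalid"
    if not hmac.compare_digest(reported_pcr, golden_pcr):
        return "device state changed"
    return "ok"


# Constructed boot chain for illustration (a real log carries firmware,
# boot loader, kernel and driver digests).
GOOD_LOG = [
    ("firmware", b"UEFI firmware v1.2"),
    ("bootloader", b"shim+grub 2.06"),
    ("kernel", b"vmlinuz-5.15 signed"),
]
TAMPERED_LOG = [
    ("firmware", b"UEFI firmware v1.2"),
    ("bootloader", b"shim+grub 2.06"),
    ("kernel", b"vmlinuz-5.15 rootkit"),
]
# Assumption: the key the verifier enrolled for this device.
DEVICE_KEY = b"per-device secret shared at enrolment (assumption)"
GOLDEN_PCR = replay_log(GOOD_LOG)  # recorded once, when the device is enrolled


def attest(event_log, nonce: bytes, signing_key: bytes = DEVICE_KEY) -> str:
    """Device side: boot (extending the PCR) and answer the challenge with a
    quote; the verifier checks it against the key enrolled for this device."""
    pcr = replay_log(event_log)
    quote = make_quote(signing_key, nonce, pcr)
    return verify_quote(DEVICE_KEY, nonce, pcr, quote, GOLDEN_PCR)


if __name__ == "__main__":
    nonce = b"challenge-0001"
    print("good boot:     ", attest(GOOD_LOG, nonce))
    print("tampered boot: ", attest(TAMPERED_LOG, nonce))
    print("wrong key:     ", attest(GOOD_LOG, nonce, b"attacker key"))
    # Knowing the golden PCR is not enough; the quote must be under the device key.
    print("forged quote:  ", verify_quote(DEVICE_KEY, nonce, GOLDEN_PCR,
                                          b"\x00" * 32, GOLDEN_PCR))
```

The point the house analogy makes is visible in the last two checks: an attacker who controls the application layer can change what the kernel is, but cannot make the PCR read as if it had not, and cannot produce a quote for the golden value without the key held in the chip.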

T3. Information-centric security – This is all about protecting and adding traceability to your information wherever it is stored. Examples include your mobile workforce and their mobile devices. Then where is your critical information at rest, in a public or shared cloud? That information should be encrypted using a key-fragment approach. This means that: 1) your cloud provider cannot see the contents of your information in the cloud; 2) you hold the key; and 3) a fragment must be collected from a central key-fragment store, which could be owned by yourself, so you get traceability on who is accessing what information in the cloud through key-access patterns.
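As an added example, not code from this post, the following Python puts the three properties of the key-fragment approach into working code: the data key is split into two XOR fragments, one kept by the owner and one held in a central fragment store, so neither the cloud provider (who sees only ciphertext) nor the store alone can decrypt, and every fragment fetch is logged so key-access patterns are traceable. The cipher is a constructed one (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), chosen only so the example runs on the Python standard library; in production you would use AES-GCM or similar. The object ids, principals and sample document are also assumptions.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes):
    """Two-of-two XOR secret sharing: owner_frag XOR store_frag == key.
    Either fragment alone is a uniformly random string, so it reveals
    nothing about the key."""
    store_frag = os.urandom(len(key))
    return xor_bytes(key, store_frag), store_frag


class FragmentStore:
    """Central key-fragment store the customer can run themselves.
    It never holds the whole key, and every fetch is recorded."""

    def __init__(self):
        self._frags = {}
        self.access_log = []  # (principal, object_id), in order of access

    def put(self, object_id: str, frag: bytes) -> None:
        self._frags[object_id] = frag

    def fetch(self, principal: str, object_id: str) -> bytes:
        self.access_log.append((principal, object_id))
        return self._frags[object_id]


# --- constructed cipher (assumption: HMAC-SHA256 as PRF, encrypt-then-MAC) ---
def _subkeys(key: bytes):
    enc = hashlib.sha256(b"enc" + key).digest()
    mac = hashlib.sha256(b"mac" + key).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = xor_bytes(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return xor_bytes(ct, _keystream(enc_key, nonce, len(ct)))


def store_object(store: FragmentStore, object_id: str, plaintext: bytes):
    """Owner side: encrypt, split the key, park one fragment in the store.
    Returns (ciphertext for the cloud, owner fragment to keep locally)."""
    key = os.urandom(32)
    blob = encrypt(key, plaintext)
    owner_frag, store_frag = split_key(key)
    store.put(object_id, store_frag)
    return blob, owner_frag


def read_object(store: FragmentStore, principal: str, object_id: str,
                owner_frag: bytes, blob: bytes) -> bytes:
    """Reader side: reassemble the key from both fragments (the fetch is
    what leaves the audit trail), then decrypt the cloud copy."""
    key = xor_bytes(owner_frag, store.fetch(principal, object_id))
    return decrypt(key, blob)


if __name__ == "__main__":
    store = FragmentStore()
    doc = b"Q3 board pack (constructed sample)"
    cloud_blob, my_frag = store_object(store, "doc-1", doc)
    print(read_object(store, "alice", "doc-1", my_frag, cloud_blob))
    # The provider holds cloud_blob; even with the store's fragment it fails.
    try:
        decrypt(store.fetch("provider", "doc-1"), cloud_blob)
    except ValueError as e:
        print("provider cannot decrypt:", e)
    print(store.access_log)
```

The access log is the traceability the post asks for: a reader cannot open an object without asking the store for its fragment, so the store's log of (who, which object) is a complete record of decryption attempts, including ones that never succeeded because the requester lacked the owner's fragment.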

Now that I’ve finished with my little ‘brain-dump’ on you guys, I guess I should get back to earning some money and ticking boxes 😉