An idiot's guide to how the Swedish ID is created

For those of you who want a quick summary of how the Swedish ID number is created, here we go.

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth digits are a serial number.
5. An odd ninth digit is assigned to males and an even ninth digit to females.
6. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.
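
The layout listed above can be checked mechanically. The following Python is an added example, not part of the original post: it assumes the check digit is computed with the Luhn algorithm (which the post does not name), handles only the hyphenated 10-digit form described here, and uses constructed sample numbers.

```python
import re
from datetime import date

# Layout from the list above: YYMMDD-NNNC (six birth-date digits, hyphen,
# three-digit serial, one check digit).
PATTERN = re.compile(r"^(\d{2})(\d{2})(\d{2})-(\d{3})(\d)$")


def luhn_check_digit(nine_digits: str) -> int:
    """Check digit for the nine leading digits (Luhn, weights 2,1,2,1,...)."""
    total = 0
    for i, ch in enumerate(nine_digits):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10  # add the digits of the product
    return (10 - total % 10) % 10


def plausible_date(yy: int, mm: int, dd: int) -> bool:
    """Two-digit years are ambiguous, so accept the date if it exists in
    either the 1900s or the 2000s."""
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            continue
    return False


def parse_personal_number(text: str) -> dict:
    """Split a number into its fields and report whether it is well formed."""
    m = PATTERN.match(text.strip())
    if m is None:
        return {"valid": False, "reason": "format"}
    yy, mm, dd, serial, check = m.groups()
    if not plausible_date(int(yy), int(mm), int(dd)):
        return {"valid": False, "reason": "date"}
    expected = luhn_check_digit(yy + mm + dd + serial)
    if expected != int(check):
        return {"valid": False, "reason": "checksum", "expected": expected}
    return {
        "valid": True,
        "birth_date": f"{yy}-{mm}-{dd}",
        "serial": serial,
        "sex": "male" if int(serial[2]) % 2 else "female",  # ninth digit
    }


# Constructed sample values for illustration.
SAMPLES = ["811228-9874", "811228-9825", "811228-9875", "811328-9874"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, parse_personal_number(s))
```

The check digit is derived entirely from the other nine digits, so it catches typing errors and adds no secrecy; a system that accepts a well-formed number as proof of identity is relying on public data.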

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.

Everyone, however, keeps their number, and it is not hard to find out someone’s number if you know the birth date, the birth county and the checksum algorithm. Even easier is to call the tax authority and ask, since the personal identity number is public information.

In Sweden, 6 of 10 digits of the personal ID are public by law

This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII), which includes the first 6 of the 10 digits (YYMMDD-xxxx) of Swedish IDs. The exception is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.

“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.

Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”

This was in response to the following request I made.

I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information; an example is ‘birthday.se’. Due to the sharing of my PII, the first 6 digits of my Swedish ID are public; the consequence is that it makes me vulnerable to identity fraud.

Can you please confirm that this is done? If not, would you be kind enough to give me enough information to understand why not?

Watch out for your identity – if you live in Sweden

Hopping mad you should be if you are a Swedish resident, after visiting http://www.ratsit.se and searching for your name. This is against the Data Protection Directive, of which Personuppgiftslagen (PuL) is the legal enactment. I am so bored of asking to have my name removed, only for it to pop up again later, and now I see that it is impossible to remove your personal identifying information (PII) (http://www.ratsit.se/Content/FaqSearch.aspx)… it is PUBLIC for all to see forever! What a smorgasbord for identity thieves!

I can see how old you are, where you live and the first 6 digits of 10 digits from your Swedish ID!

It seems that the Kreditupplysningslagen (KuL) has priority over PuL. In PuL you have a right to personal privacy. You should be informed who has had access to, or even viewed, your personal information. Now KuL does inform you when a request is made for your creditworthiness, but it doesn’t tell you who has viewed your personal identifying information (PII) through www.ratsit.se, or who they share your PII with, for example. Your PII includes your date of birth, where you live, etc.

Identity Theft
I am going to make an official complaint to the Datainspektionen. If you are interested in adding yourself to a petition to support me in this, please Like this post here on the blog directly, or on a LinkedIn or FB status update, wherever you happen to pick this up.

Gartner prediction on identity management

I loved this article from ZDNet on Gartner’s prediction on identity management.

“Protected resources in the enterprise aren’t where they used to be and the move to the cloud has stressed and fractured identity and access management (IAM) to the point where it needs to be re-architected, according to Gartner.”

How true! There needs to be a way forward that is scalable to 6 billion persons worldwide! There is even mention of a “people-centric” approach. One prediction was that by 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from <5% today, reducing spending on IAM by 25%. This is aligned to how transparency will have a new place in the society of the future.

I've been thinking and talking a lot about how we must turn how we do security upside-down, re-architect, do it differently. The present approach is not working, and hasn't for a long time. I am referring to "people-centric", "device-centric", "information-centric" and a future with increased transparency. There is nothing new with information-centric; this, after all, was drafted by the Jericho Forum in 2002. Their 10 commandments basically stated de-perimeterization of security controls, i.e. put the security as close to the information as is possible.

You should check out what Lequa is doing in the space of IAM. I am 😉