The new EU Regulation for Data Protection changes everything…. or does it?

I was having lunch with an old colleague today who was convinced that the new EU Regulation, due to come into effect in 2015 or 2016, was going to change everything! What’s more, nothing is decided, so everything is floating in the air…

Don’t panic. First, the EU Regulation will be based on a foundation of what exists today, i.e. the Directive. The problem with the Directive is that it is not enforced effectively in member states, and the local laws are not a direct interpretation of the Directive. Each country has interpreted the Directive as it understands it; now just think about the language and cultural challenges. What is more, each member state may have legislation that has been around for a long time and that has priority over any data protection law that is enacted, which creates all sorts of issues. For example, in Sweden the personal IDs of citizens are considered public records, so they are not protected by the data protection law.

When it comes to enforcement and fines for misalignment with the Directive, some member states have been more active than others. Now this will change with the new Regulation.

Clearly there are aspects that we don’t know. Basically, the member states cannot come to an agreement. However, what you should focus on is what we know, and that is the incumbent Directive. Use that as your baseline and leave the unknown aspects until later. Believe me, you have enough work already!

Getting deep with identity

I was about to write an email to someone I respect deeply about how my thinking on information security had changed since we last met in the summer of 2013. Then I wondered if I’d actually written a blog post on this? I searched and found nothing, so I am surprised that it is not here. It is pretty straightforward, on the verge of “obvious, my dear Watson” 😉

Clearly security is broken. However hard we work, our security programs, interlaced with security technologies, are not effective. Our security programs are not watertight.

So here we go:

1. Security is only as strong as the weakest link – an obvious deduction even for the non-security geeks amongst us 😉

2. The weakest link in the chain is the Human Factor of Information Security, something David Lacey wrote a whole book on in 2009.

3. If the identity thing, you know, the technology aspect of ‘the human aspect of information security’, had been architected correctly from the start, we wouldn’t be in the shit that we are today when it comes to watertight security programmes!

How much do you earn?

I want to know how much you earn because you are applying for a job with my company and I want to check what your present employer thinks you are worth.


This is easy to do in Sweden, and you as the data subject have no idea that this has happened. It is possible for any person to go online and request anonymously your earnings for 2 completed tax years in Sweden at http://www.extrakoll.se/, and the requester to get the information by SMS.

How you do this:

  1. Visit www.extrakoll.se and search for the name of the individual you are investigating;
  2. Then you will be requested to send an SMS to number 72323 with word INKOMST+code or/and STORKOLL+code;
  3. You are given choices of payment methods, 20kr or 40kr, depending on which option you choose;
  4. The earnings for the targeted person for 2 of the previously reported tax years will be sent to your mobile telephone!

There is no way you can prevent others from requesting this information on yourself.

Nevertheless, it is against the EU Directive on Data Protection because you, the data subject, are not informed that this information has been requested, and your Personal Identifying Information (PII) is in the public domain. I am sure identity thieves find extrakoll.se a useful tool to research their victims. I just hope it’s not you!

Privacy and Integrity of Patient data is HOT!

There has been quite some debate over the replacement of the patient journal system in Region Skåne in Sweden. I’ve been thinking about patient journal systems in general and the challenges with patient confidentiality.

How important is it that patient data is secured and its confidentiality enforced? I guess it depends how sick you are, and who you are, or what you have been treated for. Nevertheless, I feel that not enough debate is ongoing in Sweden concerning the lack of privacy controls on patient data.

It is really more than confidentiality which is an issue here. There is also integrity of patient data… life and death depend on this.

What’s more, there is a growing trend in America for something called ‘medical identity theft’. This is where your medical insurance is used by fraudsters to get treatment at the expense of the victim. There is more to it than this: their treatment could cause incorrect diagnosis and/or treatment decisions by the doctor for the victim, because medical decisions made on the fraudster are included in the victim’s patient journal. This can lead to a life-and-death situation for the victim!

Coming back to Sweden and risks: I don’t see medical identity theft as a significant risk. Medical care in general is almost free in Sweden, we pay through our taxes, and everyone, regardless of level of income, has a right to medical care, thank goodness! So Swedes, you can relax for now, and the focus can be on enforcing privacy and integrity of your sensitive information 😉

Lots to talk about here, but not now, I’ll pick this up again later!

Nordic Security Summit 2014

There is a great conference coming up in Stockholm on 5th November. Apart from the fact I am speaking there, I will be in the company of a great speaker lineup. Last year was very good!

If you want to go, you can register here (http://www.nordicitsecurity.com).
Look forward to seeing you there. I will probably be posting more on this later!

An idiot’s guide on how Swedish ID is created

For those of you that want a quick summary of how the Swedish ID number is created… here we go..

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth are a serial number.
5. An odd ninth digit is assigned to males.
6. An even ninth digit is assigned to females.
7. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.

Everyone however keeps their number and it is not hard to find out someone’s number if you know the birth date, the birth county and the checksum algorithm. Even easier is to call the tax authority and ask, since the personal identity number is public information.
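The structure listed above, as an added example that is not part of the original post: a validator that splits a number into the fields it discloses and recomputes the tenth digit. It assumes the checksum is the Luhn algorithm over the first nine digits, a detail the post does not state; `SAMPLE`, `parse_personnummer` and the other names are chosen here for illustration.

```python
import re

# Layout from the list above: YYMMDD-NNNC (birth date, hyphen, serial, check digit).
PNR = re.compile(r"^(\d{2})(\d{2})(\d{2})-(\d{3})(\d)$")

# Sample value used only to exercise the checksum; not taken from the page.
SAMPLE = "811228-9874"


def luhn_check_digit(nine_digits: str) -> int:
    """Check digit over the nine digits before it (Luhn: weights 2,1,2,...)."""
    total = 0
    for i, ch in enumerate(nine_digits):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10  # sum the digits of each product
    return (10 - total % 10) % 10


def parse_personnummer(value: str) -> dict:
    """Validate a 10-digit number and return the fields it discloses."""
    m = PNR.match(value.strip())
    if not m:
        raise ValueError("expected YYMMDD-NNNC")
    yy, mm, dd, serial, check = m.groups()
    # Loose calendar check only: the 10-digit form does not encode the century.
    if not (1 <= int(mm) <= 12 and 1 <= int(dd) <= 31):
        raise ValueError("birth date out of range")
    if luhn_check_digit(yy + mm + dd + serial) != int(check):
        raise ValueError("checksum mismatch")
    return {
        "birth_date": yy + mm + dd,
        "serial": serial,
        "sex": "male" if int(serial[2]) % 2 else "female",  # ninth digit
    }


def is_valid(value: str) -> bool:
    try:
        parse_personnummer(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_personnummer(SAMPLE))
    print(is_valid("811228-9875"))  # one digit off: rejected
```

The check digit is computed from the other nine digits, so it catches typing errors in a form but gives no assurance about who is presenting the number.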

The rights of Swedish residents should override the rights of the data controller

I took this from Panopticon Blog concerning the outcome of the Google order. Now what if the rights of the Swedish citizen were to be escalated to the EU courts, would the outcome be the same?

“The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.

The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life. This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator. In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97).”

In Sweden 6 of 10 digits of personal ID are public by law

This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII), which includes the first 6 digits of the 10 digits (AAMMDD-xxxx) of Swedish IDs. The exception is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.

“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.

Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”

This was in response to the following request I made.

I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information; an example is ‘birthday.se’. Due to the sharing of my PII, the first 6 digits of my Swedish ID are public; the consequence is that it makes me vulnerable to identity fraud.

Can you please confirm that this is done. If not, would you be kind enough to give me enough information to understand why not?