Surprise! 10 more years of PII exposure in Sweden….

It seems that many of the utgivningsbevis that were granted in 2004 are due to expire this year in 2014, and in 2014 it is still legal in Sweden for those holding this exemption certificate can share your personal information, if you are a Swedish resident, or/and Swedish citizen….here is information on this.

So how many companies have been granted an utgivningsbevis, and have the right to publish your personal information public? Well 917 is what I found, and you have not a legal leg to stand on to get your personal information removed.

This includes ratsit.se and birthday.se. Here you can type in the name of the target and search, bingo! Happy hunting!

ratsit

How much do you earn?

I want to know how much you earn because you are applying for a job with my company and I want to check what your present employer thinks you are worth.

extrakollpng

This is easy to do in Sweden, and you as the data subject have no idea that this has happened. It is possible for any person to go online and request anonymously your earnings for 2 completed tax years in Sweden at http://www.extrakoll.se/, and the requester to get the information by SMS.

How do you do this is:

  1. Visit www.extrakoll.se and search for the name of the individual you are investigating;
  2. Then you will be requested to send an SMS to number 72323 with word INKOMST+code or/and STORKOLL+code;
  3. You are given choices of payment methods, 20kr or 40kr, depending on which option you choose;
  4. The earnings for the targeted person for 2 of the previously reported tax years will be sent to your mobile telephone!

There is no way you can prevent others from requesting this information on yourself.

Nevertheless, it is against the EU Directive on Data Protection because you, the data subject are not informed that this information has been requested, and your Personal Identifying Information (PII) is public domain. I am sure identity thieves find extrakoll.se a useful tool to research their victims. I just hope it’s not you!

Nordic Security Summit 2014

There is a great conference coming up in Stockholm on 5th November. Apart from the fact I am speaking there, I will be in the company of a great speaker lineup. Last year was very good!

If you want to go, you can register here (http://www.nordicitsecurity.com).
Look forward to seeing you there. I will probably be posting more on this later!

Fill the holes in RIPA with DRIP ;-)

IDripping Tap love what UK is doing to keep alive the data retention directive that died an untimely death recently with DRIP 😉

Some debate that it ‘extends’ the powers of RIPA. UK government officials claim it is just to cover the loss of the EU data retention requirements temporarily until they think of some new that is more manageable. Read what Panopticon blog is saying and decide for yourself?

The rights of Swedish residents should override the rights of the data controller

I took this from Panopticon Blog concerning the outcome of the Google order. Now what if the rights of the Swedish citizen was to be escalated to the EU courts, would the outcome be the same?

“The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.

The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life. This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator. In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97).”

In Sweden 6 of 10 digits of personal ID is public by law

This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII) which includes the first 6 digits of the 10 digits (AAMMDD-xxxx) of Swedish IDs. Except is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.

“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.

Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”

This was in response to the following request I made.

I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information, an example is ‘birthday.se”. Due to the sharing of my PII the first 6 digits of my Swedish ID is public, consequences are that it makes me vulnerable to identity fraud.

Can you please confirm that this is done. If not would be be kind enough to give me enough information to understand why not?

The Right to be Forgotten is respected by the EU Courts

Google officesI love this, the EU Court has confirmed that we have the right to be forgotten. Google and other internet search engines face a new world where they must remove links to websites containing certain types of personal data when individuals ask them to do so. The European Union says you have “a right to be forgotten” digitally online. This is great news for every citizen of the EU, including our children!

Read more in English and Swedish.