Where is your id…..your Swedish identity?

64 thousand Swedish identities were hijacked in 2013. The population of Sweden today is around 9.5 million. This means that the crime of identity fraud impacted around 0.8 percent of the Swedish population.

“So what, that’s nothing?” You are thinking….

Nevertheless this is almost 1 in 100 Swedish residents who were victims of identity fraud in 2013 alone. Hence Sweden is not exempt from the growing global trend of identity fraud.

However in Sweden it’s going to increase exponentially if Swedish law is not changed. What we can expect is that subsequent years will welcome an influx of fresh victims; that could be you if you are one of the 9.5 million residents or/and citizens of Sweden, your friends, or even your children.

Identity fraud in Sweden will increase exponentially if Swedish law is not changed!

First a little history on how we got to where we are. Sweden is one of the few countries globally that is organized enough to have implemented a comprehensive personal identity numbering scheme. It was first introduced in 1947 and was probably the first of its kind globally that included every Swedish resident. Unfortunately, the fact that Swedish identities are organized around a uniform identifier, i.e. YYMMDD-xxxx (YYMMDD = date of birth), makes the personal ID much more vulnerable to hacking and fraud than a more randomly generated ID. It is easy for an identity fraudster to work out a Swedish identity number using some simple data mining techniques.

For those of you that want a quick summary of how the Swedish ID number is created… here we go..

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth are a serial number.
5. An odd ninth number is assigned to males, and an even ninth number is assigned to females.
6. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.
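The structure listed above, as an added example that is not part of the original post: a validator that reads the public fields out of a number and measures how little of it is unknown once the date of birth is public, which is why knowing the number cannot count as proof of identity. The post does not name the checksum; it is the Luhn (mod 10) algorithm over the first nine digits, and `SAMPLE` is an illustrative value.

```python
import math
import re
from datetime import date

PNR = re.compile(r"^(\d{2})(\d{2})(\d{2})-(\d{3})(\d)$")

def check_digit(nine: str) -> int:
    """Luhn (mod 10) digit over YYMMDDNNN, weights 2,1,2,1,..."""
    total = 0
    for i, ch in enumerate(nine):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod // 10 + prod % 10   # add the digits of the product
    return (10 - total % 10) % 10

def _is_date(year: int, month: int, day: int) -> bool:
    try:
        date(year, month, day)
        return True
    except ValueError:
        return False

def parse(pnr: str) -> dict:
    """Validate YYMMDD-NNNC and return the fields anyone can read from it."""
    m = PNR.match(pnr)
    if not m:
        raise ValueError("expected YYMMDD-NNNC")
    yy, mm, dd, serial, check = m.groups()
    # The 10-digit form does not encode the century, so accept either.
    if not any(_is_date(c + int(yy), int(mm), int(dd)) for c in (1900, 2000)):
        raise ValueError("impossible date of birth")
    if check_digit(yy + mm + dd + serial) != int(check):
        raise ValueError("checksum mismatch")
    sex = "male" if int(serial[2]) % 2 else "female"
    return {"birth": f"{yy}-{mm}-{dd}", "serial": serial, "sex": sex}

def residual_bits(sex_known: bool) -> float:
    """Uncertainty left in the number once the date of birth is public."""
    serials = [s for s in range(1000) if not sex_known or s % 2 == 1]
    # The check digit is computed from the other nine digits: it adds nothing.
    return math.log2(len(serials))

SAMPLE = "811218-9876"  # illustrative sample value, not taken from the page

if __name__ == "__main__":
    print(parse(SAMPLE))
    print(round(residual_bits(True), 2), "bits unknown if birth date and sex are known")
```

Fewer than ten bits remain, so any process that accepts the number alone as authentication is relying on something that was never a secret.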

The easiest way to get the last 4 digits is to call the Swedish Tax Authority and ask; they are very helpful, since the personal identity number is public information.

But what does it really mean to have your identity stolen, or hijacked as more often referred to in Swedish popular press? So here is how a Swedish identity could be stolen starting with a name to find the personal id number:

  1. Google the name of the victim, from here the fraudster will find date of birth (ratsit.se, birthdays.se), home address on a cute map, and other information (hitta.se);
  2. To get the last 4 digits the fraudster can ring up the Swedish Tax Authority direct and ask them, it is after all public information, and they are very helpful.
  3. Now the identity thief can go online and order a fraudulent ID card and/or a fake passport using the stolen personal id number. The personal number, the vital identifier for an individual, is correct, but the photo on the ID card or passport is that of the fraudster.
  4. He/she is ready to go on a spending spree at the victim’s expense! If they have no access to the victim’s credit/debit card, they could buy electronic goods on credit with a small down payment (avbetalning). The victim gets to foot the rest of the bill.
  5. A shop assistant when checking the id card, would feel that the details are correct and process the transaction.

And this is just the beginning of the nightmare for the victim. The fraudster can take out additional loans in their name, buy a car, a house, and default on payments in their name. The victim will be blacklisted by credit companies. Cleaning up this mess will not be easy. It will take a lot of energy and time to clear their name. The victim can forget about trying to get a loan or any type of credit at this time.

I guess after all this excitement that the victim will want to remove their personal information from the public domain? Sorry but there is more bad news. It’s quite impossible! Swedish residents have no legal right to protect their personal identifying information in Sweden. In fact credit reporting agencies have permission from the Data Inspectorate (Datainspektionen) to publish your personal information. They get something called an utgivningsbevis, which costs a couple of thousand Swedish kronor and gives them exemption from Personuppgiftslagen (PuL). On the date of this publication there were 913 companies that have been granted an utgivningsbevis. So in Sweden the Personal Identifying Information (PII) of data subjects is public information. The data subjects do have some say over the integrity of PII that is published; this is driven by the Kreditupplysningslagen. Under the Credit Information Act (Kreditupplysningslagen) they are required to make changes in their database to correct faults, but the data subjects have no right to be omitted from the register unless they have a ‘protected identity’. Hence all residents in Sweden who are over the age of 16 are included and public.

All of this is despite the Personal Data Law (PuL) that is here to protect personal information of Swedish residents and citizens. In fact in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from the identities of Swedish subjects. It is a Mad Hatter’s Party for 931 companies abusing this right at the cost of Swedish citizens/residents!

As a Swedish citizen, I have nothing against companies making money from identities so long as:

  1. I’ve given active consent to this;
  2. I have the choice to have it removed;
  3. and if I have permitted my personal information to be used commercially, I should also be a beneficiary from sharing my personal information.

To summarise. If you are a Swedish citizen/resident your personal information is public information and is being exploited commercially. This exploitation makes you vulnerable to identity theft. You have no control over who publishes your personal information.

It is about time this problem was fixed don’t you think?


Hijacked the Spotify founder’s identity

I am amazed at how little publicity there was on Daniel Ek, founder of Spotify, who had his identity stolen. The identity fraudster purchased goods of nearly 1 million kronor in his name and has now been indicted to 2 years in prison. A small price to pay for 1 million kronor don’t you think?

I have talked a lot on how easy it is to steal someone’s identity in Sweden, so this should come as no surprise I would expect to virtualshadows blog followers 😉

Strong measures needed against identity hijacking in Sweden

The rapid increase in identity fraud in Sweden is gaining some media attention (http://www.svd.se/opinion/brannpunkt/krafttag-kravs-mot-id-kapning_3767990.svd). However they are missing the point. The solution is not purely to simplify the ‘clean-up’ process, but to change the law. And changing the law is not purely about criminalizing the crime but about enforcing an individual’s basic fundamental right to information privacy. You should have the right to remove your personal information from websites making money from it! For example I have tried removing my date of birth from www.birthdays.se (see previous posts) and my request was refused. The problem I have with my date of birth being public is that:

1) it is my personal information, and;
2) it is the first 6 digits of my Swedish personal id (YYMMDD-xxxx).

The root of the problem is that although the Personal Data Law (PuL) is here to protect our personal information, in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from our identities. And I think that it is about time that this abuse is stopped!

Identity Management is DEAD!

It’s all about CONTROL….

You CONTROL your identity
Organisations CONTROL their identity
Countries CONTROL their identity

This is the future of ‘identity management’ or ‘IDM’ or ‘IAM’. Scalability comes from bottom-up, not top-down. You CONTROL what is yours, your identity. Nothing else will work in this highly connected, growing and verbose world that we are all a part of today. That is if we, the identity owners are at all interested in owning and controlling what is fundamentally ours, our identity and our digital footprint.

Identity Fraud

Seems identity fraud is on the up in the U.S., at least as regards tax fraud. In 2008 there were 52,000 cases and in 2010 245,000 cases were reported!

However a significant number was due to mistaken flagging of dead projects using social security numbers. Actual known victims of fraud are 56,000, but that is still a lot, and significant if you happen to be one of them.

What is interesting is how a person’s social security number is stolen, full list is here at blog reuters. The list includes dishonest employees with access to personal records, hacking, dumpster diving, etc.

In Sweden your personal ID is often handed out when you purchase something, or to get membership, whatever. It is used everywhere, and this means that just about anyone can get hold of your ID number, which is not so complicated to work out either, as it includes your date of birth as the first 6 digits. This in theory would make identity fraud easy in Sweden, although I haven’t seen much said about it yet. It could be that much is tightly tied in to a central authority, but normally I would have seen this as a core weakness.

Maybe I am missing something in the local news? Comments from my Swedish friends?

UK national ID card scheme to be scrapped!

Wow, I love this news that the UK’s coalition government will be keeping their promises to “reverse and restrain many of the surveillance systems that have marked its citizens out as the most watched in the world,” THINQ.co.uk reports. Plans include scrapping the National Identity Register and ID card, as well as biometric passports, and expanding the Freedom of Information Act. Other coalition commitments include removing innocent people’s records from the DNA database, regulating the use of CCTV and halting the prior government’s plan to retain national records of e-mail and communications data.

This will include a proposal to “outlaw” the finger-printing of children at school “without parental permission”. It will be interesting to see how they pan out in the statistics department for Privacy International “Most surveyed countries report” in a couple of years 🙂

One month today since Ivy joined us!

You know today is a pretty special day. It is exactly one month since my daughter Ivy checked-out and joined us, pappa and myself in this exciting world. Exciting because it feels today as though we have come over a challenging and most beautiful month and feel a real achievement. We are learning how Ivy likes things and Ivy is getting quite at home with the way we run things.

Other things linked to privacy have been interesting since Ivy’s birth.

1. I have during the pregnancy and afterwards needed to provide blood tests on many occasions and each time need to remember to ‘opt-out’ of them holding my blood in a blood bank somewhere. I am sure I forgot to do the opt-out once, and I need to check this. This was quite annoying.

2. In my book Virtual Shadows I said that all new-borns in Sweden provide a ‘blood-spot’ that is used in research for PKU. My experience now shows that this is the case although what I didn’t know before is that you can opt-out. This is what we did with Ivy.

3. Ivy got a personal ID number assigned, which aroused a conflict of emotions both as a parent and privacy advocate. As a parent a sense of pride that my Ivy really existed as a Swedish citizen in the system, as a privacy advocate.. well no explanation needed there.

4. We bought a ‘child-alarm’ as we live in a big house and we could choose between audio or audio/video. I am dismayed that I chose the latter option. My need for Ivy’s safety in the case of Ivy seems to have overridden her need for privacy. Having said that the video stores nothing, and in practice I think it was a waste of money, we normally hear her crying before the video switches itself on anyhow triggered by the noise. I still think an audio version is a good choice. The video just gives a false sense of security.

5. Sweden has centralised their health records a little like what the U.K. has been trying to do against massive public resistance. I am in principle against this, but it does have its benefits so long as you trust the data holding authorities. The benefits became apparent when access to my medical records was needed urgently when I became very ill (that led to an early arrival for my daughter :-)). Again I am faced with the conflict of my safety vs. the right for privacy, and the need to trust those holding my private information. I have no choice but to trust the Swedish authorities, but I am not sure I would trust the British authorities’ centralisation efforts. Here we are looking at consolidation of 64m (living) health records not just 9 million as in Sweden. Even if you did trust the British authorities to have the right intentions, in practice if the business processes are not working today, how can technologies applied to flawed business processes be expected to protect the confidentiality and integrity of your personal data?

Personal IDs in Sweden

You know it has felt pretty weird to be a new parent in Sweden. When I am presenting at conferences I often joke that in Sweden not only are babies born with 5 fingers, toes and those vital organs needed to survive but also with a personal number. In fact it is difficult to survive in Sweden without this although it is not compulsory.

The personal number is not so difficult to guess with date of birth followed by 4 random numbers, even if it is a girl and odd if it is a boy: YYMMDD-xxxx.

I have mixed feelings about this as although from a privacy perspective it goes against what I believe in. Regardless it is very convenient! What’s more I was surprised by my reaction as a new parent when Ivy’s personal ID arrived. I rushed over to Ivy’s pappa as a proud parent to share that Ivy now officially existed…in the system. It felt kind of good. Human nature can be somewhat weird and is a part of the dilemma we all face when it comes to our privacy. …

The feeling of wanting to belong and feel safe versus our privacy.