Watch out for your identity – if you live in Sweden

Hopping mad you should be if you are a Swedish resident, after taking a visit here http://www.ratsit.se, and search for your name. This is against the Data Protection directive, of which Personuppgiftslagen (PUL) is the legal enactment of. I am so bored of asking to have my name removed, only for it to pop up again later, and now I see that it is impossible to remove your personal identifying information (PII) (http://www.ratsit.se/Content/FaqSearch.aspx)… it is PUBLIC for all to see forever! What a smorgasbord for identity thieves!

I can see how old you are, where you live and the first 6 digits of 10 digits from your Swedish ID!

It seems to be that the Kreditupplysningslagen (KuL) has priority over PuL. In PuL you have a right to personal privacy. You should be informed who has had access, or even viewed your personal information. Now KuL does inform you when a request is made for your creditworthiness, but it doesn’t tell you about who has viewed your Personal Identifying Information (PII) through www.ratsit.se who they share your PII with, for example. Your PII includes your date of birth, where you live, etc…

Identity Theft
I am going to make an official compliant to the Datainspektion. If you are interested to add yourself to a petition to support me in this, please Like this Post here on the blog direct, or on LinkedIn or FB status update, wherever you happen to pick this up.

Zoombie cookies

David S. Misell asked me to share the privacy issues of html5, and I thought that no better place to do this than by creating a post.

Html5 is really about these zoombie cookies, cookies that keep coming back from the dead, even after you’ve deleted them…. scarey or what?

According to Wikipedia “Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it’s unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases (RLDGUID). The only way to opt out of the tracking was to use the company’s opt-out link which gives no confirmation.”

To read more techie stuff on how this annoying cookie is working go here where ars technia has written an insightful article on this.

Ringleader Digital claim on its privacy page that it only collects “non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited. Now the question is what happens when you link this information together?

Now according to the UK for example an IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.

And there is significant discussion on this around the world. In Seattle a Federal judge ruled that IP address is not personal information, however in the EU it is understood how easily an IP address can become an element of PII.

As to my personal opinion, it’s simple… I want visibility, i.e. if I delete a cookie on my PC or mobile device, I want it deleted. I don’t want a zoombie. It could be that I like the convenience of having a cookie there, but I want the choice to delete, and when deleted I don’t want any zoombies rooming around on my devices… my devices, yes, they are linked to my very person, and have become a part of my DNA..

So you want to know how much your colleagues earn?

This is easy in Sweden. First even when I came to Sweden in 2003 it was possible to go to the tax office and request directly a person’s earnings during the previous tax year. Potential employers often do this to check that what you have stated on your present earnings is true. You as the data subject have no idea that this has happened. Although if an organisation makes a formal request for your earnings, credit status etc., you will be informed of this by a letter in the post.

Well a development has occured. It is now possible for any person to go online and request anonymously your earnings for the previous tax year in Sweden at http://www.extrakoll.se/, and you get the information by SMS.

extrakoll.se 1

So you just type in the name of the person that you want to know their earnings. The image below states (in Swedish) that you should send an SMS to number 72550 with word INKOMST. The earnings for the person will be sent anonymously to your mobile telephone!

extrakoll.se 2

I tested this and it works! The SMS arrived in a matter of seconds.

I really need to look more into this from the EU data privacy perspective. Or anyone else, can you comment on this? Surely your earnings should be classified as ‘sensitve’ information as it can discrimate against you no matter how you look at it. The only positive aspect is that you can ascertain if you are earning a similar level of earnings as colleagues doing the same work particularly important for women… but still I don’t like this aspect of not being able to choose myself to remove myself from this register!

Thanks to May for coming across this!