I took this from Panopticon Blog concerning the outcome of the Google order. Now what if the rights of the Swedish citizen were to be escalated to the EU courts, would the outcome be the same?
“The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.
The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life. This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator. In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97).”
This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII), which includes the first 6 digits of the 10 digits (AAMMDD-xxxx) of Swedish IDs. The exception is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.
“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.
Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”
This was in response to the following request I made.
I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information; an example is ‘birthday.se’. Due to the sharing of my PII, the first 6 digits of my Swedish ID are public; the consequence is that it makes me vulnerable to identity fraud.
Can you please confirm that this is done. If not, would you be kind enough to give me enough information to understand why not?
If you are Swedish, are you not concerned about who may be using your identity to purchase something online and then pick up your purchase with a false ID card? You should be; di.se is reporting on this, read more here.
Why do I claim that Sweden is easy picking for identity thieves? Look at yesterday’s post. If you are a Swedish resident, the first 6 digits of the 10 digits that comprise your personal ID number are public domain in Sweden. Doesn’t that make you just a weeny-teeny little bit uncomfortable?
This is as claimed by Johan Staël von Holstein. Do you believe that everything you are digitally, and do online should belong to you? This includes your “digital identity” and all data/information you create online associated with your identity?
I placed “digital identity” in quotes because today it is not your digital identity; it is in fact not a digital identity at all. It is purely some fields in a database somewhere, in many databases. In fact you have no idea where you exist digitally. You may know that you exist in social networking tools such as Facebook, but not where your information has propagated to. Social networking tools have enabled you to add contextual information to your identity name, or your ‘digital identity’, i.e. your digital footprint, but you do not own this. These rich corporations make loads of money from your digital footprint, but it should be you who is making money from this. It is, after all, your intellectual property!
YOUR IDENTITY – YOUR DIGITAL FOOTPRINT IS YOUR INTELLECTUAL PROPERTY!
Everything you create online should belong to you. All user-generated content should be the intellectual property of the individual user who created this content. You should have control over your digital identity, and your digital footprint. Organisations should have control over their corporate identity, but not yours! I call this not identity management (IAM/IDM), the term used in organisations, but IDENTITY CONTROL. This is the future!
Listen to a recent podcast released 07 May 2014, where Johan talks about these things, like when and why will Google and Facebook die? The future of identity control. Listen to it all, the real cool stuff comes in the second half of the podcast, so hang in there!
Do you have any of these in your organisation? Maybe you have become attached to the old practices, and anyhow who wants change really?
So what would I define as a ‘stupid loop’? It’s pretty straightforward, it is when something strange happens to the integrity of the information, after INPUT and before OUTPUT. Effectively integrity is compromised during PROCESSING. An example could look as follows:
1. Information submitted by paper (INPUT), by snail-mail, take your tax returns, or your company financial statements, for example;
2. These statements are converted (PROCESSING) into some picture format for digital storage, e.g. .gif, .tif;
3. Then the picture files are converted back to text/numbers (PROCESSING), as they are unusable as pictures, no indexing (impossible to search);
4. OUTPUT is distributed to end consumers, e.g. banks.
5. End consumers use OUTPUT to make lending and other financial decisions.
Okay, this brings us to the integrity part. How much of the information INPUT has become misinterpreted during PROCESSING? The answer, based on work done using software that translates graphics to text and numbers, is that the risk to information integrity is at least 15%. This means that the information OUTPUT will not exactly mirror the information INPUT, differing by 15%.
XBRL for Transparency
This brings us to XBRL (eXtensible Business Reporting Language). XBRL is a global industry standard and is the standard of financial reporting in Basel III (CRD IV). You could liken it to a universal language that everyone understands, hence there is nothing lost in translation after capture. XBRL gives some protection from accidental risks to information integrity. This gives true transparency and improved traceability, because during any audit process it is easy to see the original information at capture and how it has been processed and/or changed from capture through to when it is consumed, whether by a human or a system, because it is all using the same language. If you’ve ever dabbled with XML, you will recognise XBRL like an old friend 😉
Securing XBRL for Traceability
This is where we get to the security part. XBRL is not secure, and in order to weave legality into submitted digital financial reports, their submission must be intimately coupled to the individual, and ultimately the role, that initiated the digital interaction. One could liken digitalised financial reports, i.e. XBRL instances, to an information vehicle, programmed to get from A to B quickly and without hindrance. In securing digital reports, you have handed over a sealed package to the vehicle. The seal is unique and is watermarked by your signature, which encapsulates not only your identity but also your appointed role. This package can only be opened by the intended recipient, and in his/her appointed role.
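The capture-time seal and the later audit can be sketched as follows. This is an added example, not code from the original post or from any XBRL product: the element names, submitter, role and key are constructed, and an HMAC over a shared key stands in for the digital signature the post describes. Encrypting the package for the recipient is not shown.

```python
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed sample: a tiny XBRL-style instance (illustrative element names).
CAPTURED = """<xbrl xmlns:ex="http://example.com/taxonomy">
  <ex:Revenue contextRef="FY2013" unitRef="SEK">1850000</ex:Revenue>
  <ex:NetIncome contextRef="FY2013" unitRef="SEK">230000</ex:NetIncome>
  <ex:TotalAssets contextRef="FY2013" unitRef="SEK">4100000</ex:TotalAssets>
</xbrl>"""
# The same report after a lossy PROCESSING step: one digit misread (8 -> 3).
PROCESSED = CAPTURED.replace("1850000", "1350000")
KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key

def fact_digests(instance_xml):
    """Map 'element|context|unit' to the SHA-256 of each fact's value."""
    out = {}
    for el in ET.fromstring(instance_xml):
        local = el.tag.split("}")[-1]  # drop the namespace for readability
        name = "|".join([local, el.get("contextRef", ""), el.get("unitRef", "")])
        out[name] = hashlib.sha256((el.text or "").strip().encode()).hexdigest()
    return out

def _tag(body, key):
    """Authenticate the whole manifest body (identity, role and facts)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def seal(instance_xml, submitter, role, key):
    """At INPUT: bind per-fact digests to the submitter and their role."""
    body = {"submitter": submitter, "role": role,
            "facts": fact_digests(instance_xml)}
    return {"body": body, "tag": _tag(body, key)}

def audit(instance_xml, manifest, key):
    """At OUTPUT: return (seal_ok, names of facts that no longer match)."""
    seal_ok = hmac.compare_digest(_tag(manifest["body"], key), manifest["tag"])
    sealed, current = manifest["body"]["facts"], fact_digests(instance_xml)
    changed = sorted(n for n in sealed.keys() | current.keys()
                     if sealed.get(n) != current.get(n))
    return seal_ok, changed

if __name__ == "__main__":
    manifest = seal(CAPTURED, "Constructed Submitter", "CFO", KEY)
    print(audit(PROCESSED, manifest, KEY))
```

Because the tag covers the submitter and role as well as the fact digests, editing either the figures or the claimed role after capture is detected at audit time.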
More CONTROL Less SPEND
No need to ‘teach your grandma to suck eggs’ as I am sure that you’ve worked out yourself by now that secured financial INPUT in XBRL-format should facilitate cost reductions because there is no longer any need to send paper reports by snail-mail, to convert to some strange format, only to be converted back again…. a ‘stupid loop’ indeed 😉
All these identity products, or what they prefer to be called, ‘solutions’, in every organisation, connecting up… if lucky… disparate applications with their own authentication, authorisation systems, and maybe Single Sign-on… the security nightmare, but necessary in order for any sane individual to survive in this identity crisis era.
But this is IDENTITY security built around applications, instead of people, how WEIRD!
PROVENANCE is rather a nice word. I hadn’t really come across it before a month or two ago, which is weird considering I am English. It means protecting our word; here is Wikipedia’s better definition. I see it like this because it is to do with saving the truth. George Orwell’s 1984 was all about re-writing history, living a lie. Provenance is about preserving history.
So why the interest from my side? Well everything we do online is written digitally somewhere, and I think it would be good if our word is protected, its integrity is protected, even after we die.
I heard a funny story last night. Imagine you are at the bank, and decide to change banks. You don’t like your bank anymore. So you say to them “can I take my identity with me please?”. Of course the bank refuses. Quite rightly in a way, because they may have your details in a database, but don’t have your identity. Your identity, or your digital identity, is scattered in databases, directories, Excel and Word files across the globe. You have no control, you cannot claim back your digital identity, because it is not an identity. Your identity is what you have in the physical world. You only have a digital identity if you own it and control it. This of course is not possible… or is it?