Sweden


I’ve been publishing on the subject of personal privacy since 2007, and finally, now, in 2015 I decided to take my CIPP/E. The CIPP credential says you know privacy laws and regulations and how to apply them according to the International Association of Privacy Professionals (IAPP).

Why did I take this certification? After all I have a Masters Degree in Information Security in supposedly the most famous (in this subject) globally, with the Royal Holloway University of London (RHUL). I also have an MBA with Henley Management School (University of Reading). On top of 20 years of rich experience in IT and IS, it looks as though I am in the league of ‘over-qualified’ and then ‘what next?’. Or am I?

No! I am driven by a desire to ‘fix the Swedish ID promiscuity problem’. (There is more on this in my blog, lots of posts.) I took CIPP/E to get a toolkit that I could use to stop, my and your Swedish ID, being publicly sold online without my or your consent! So now I finally understand what the problem is, and I believe I can solve this, to finally squash this conflict between ‘freedom of information’ laws and ‘PuL’. Watch this space…..

Yes I know, I’m here again complaining about the Swedish law protecting personal information that has no teeth! Now it seems that there is another loophole in the law following a new ruling that enables foreign companies to extract and use PII of Swedish residents/citizens, any persons associated with a Swedish ID#. Read more in this article which is in Swedish, but I’ve done an English translation below.


In previous posts I’ve discussed the weaknesses in Swedish law pertaining to the protection of personal information. Basically there is a conflict between the PUL (Personal Data Act) and the Freedom of Expression Act; which present a loophole for companies wanted to make money from PII. Both laws have good intentions, but the latter is being abused.

 

TRANSLATION
Foreign companies can bypass Personal Data Act (PUL)
Foreign companies can get information on Swedes denied to domestic companies with reference to the Personal Data Act (PUL) . A judgment of the Supreme Administrative Court states that a Norwegian agency workers are entitled to get information about all Swedish nurses from the National Board despite the fact that the authorities first denied because it would violate the PUL . But as the law is written, it can not be denied information because PUL is not applicable abroad , reports P3 News . The ruling means that it is now free for foreign companies to request public documents from Swedish authorities and that Swedish companies can open subsidiaries abroad in order thereby to request information , says Dennis Töllborg , professor of jurisprudence.
– There is a remarkable gap in the law.

It was fun… look for yourself 🙂

Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what a better place to start than with the Swedish e-leg? Apparently the architecture will be using SAML federation, i.e. they have a relationship that they trust each other. Every ticket includes an identity (a SAML assertion) it is digitally signed but the signing is not embedded in the SAML assertion.  The YouTube video below describes this specific inherent weaknesses in SAML, but clearly (and hopefully) these issues have now been fixed. However according to the speaker (questions at the end) the signature signing standard in SAML is very complex, and there are not many that really understand it fully enough to implement properly. The main problem seems to be the way the signature is separate from the SAML assertion. If the vulnerabilities mentioned from 2012 have been fixed, there is in any case potentially integrity issues for customers with the Swedish e-leg implementation, namely: You can’t see what you are signing!

  • What you will see in the web-browser has a very weak connection to what you are signing. What this means is that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with, and that is a Man-in-the-browser (MitB) trojan changes the content in the browser.

What you do maybe not be exactly what you expect!

  • This is exactly it, the customer… well that could be you, can potentially be ‘lured’ into signing something that you were not expecting to sign.  It is likely that the e-leg service works so that the identification of a user leads to a legitmate transaction. However this could be a logon to a service or digital signing of a transaction. There are other services available today that differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.

However, now the Myndigheten för samhällsskydd och beredskap (MSB) has published a summary report “Analys av informationssäkerheten i Svensk e-legitimation” (link broken, 2015-05-21). The detailed reports has been labelled as Secret.  However I guess that they are fixing all the potential security flaws, of just a couple I have named above. The thing that bothers me still is that even in the recommendations they are still fixated on using SAML for the infrastructure. Funny that this report came out though in the wake of the Telia e-leg identity fraud fiasco 😉 Have fun reading!

Introduction presentation from Ulf Bergund, M.Sc, CISM, President, Cloud Security Alliance Sweden fro Nordic IT Security 2014. More information http://www.nordicitsecurity.com/

14:00 Future Trends and Innovation at the Nordic IT Security Conference on 5th November in Stockholm. This is what I am going to talk about…

“I dare to challenge: that what you state as your digital identity today, is not a digital identity at all! This is why information security programs do not work. Your so called ‘digital identity’ is the weakest link in the chain; in a verbose, connected and dynamic digital society. What’s more is that your digital identity can be stolen. Identity fraud is on the rise, even in Sweden. So how did we get into such a mess and what is the future for our digital identities?”

Next Page »