Identity


For those of you that want a quick summary of how the Swedish ID number is created… here we go..

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth are a serial number.
5. An odd ninth number is assigned to males
6. and an even ninth number is assigned to females.
7. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.

Everyone however keeps their number and it is not hard to find out someone’s number if you know the birth date, the birth county and the checksum algorithm. Even easier is to call the tax authority and ask, since the personal identity number is public information.

This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII) which includes the first 6 digits of the 10 digits (AAMMDD-xxxx) of Swedish IDs. Except is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.

“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.

Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”

This was in response to the following request I made.

I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information, an example is ‘birthday.se”. Due to the sharing of my PII the first 6 digits of my Swedish ID is public, consequences are that it makes me vulnerable to identity fraud.

Can you please confirm that this is done. If not would be be kind enough to give me enough information to understand why not?

I need a Swedish lawyer that wants to change the world, to find a way to protect Swedish citizens personal identifying information. Someone who feels passionate for the right to ‘personalintegritet’.

I do not have any money, so you need to be driven by this passion 😉

Hopping mad you should be if you are a Swedish resident, after taking a visit here http://www.ratsit.se, and search for your name. This is against the Data Protection directive, of which Personuppgiftslagen (PUL) is the legal enactment of. I am so bored of asking to have my name removed, only for it to pop up again later, and now I see that it is impossible to remove your personal identifying information (PII) (http://www.ratsit.se/Content/FaqSearch.aspx)… it is PUBLIC for all to see forever! What a smorgasbord for identity thieves!

I can see how old you are, where you live and the first 6 digits of 10 digits from your Swedish ID!

It seems to be that the Kreditupplysningslagen (KuL) has priority over PuL. In PuL you have a right to personal privacy. You should be informed who has had access, or even viewed your personal information. Now KuL does inform you when a request is made for your creditworthiness, but it doesn’t tell you about who has viewed your Personal Identifying Information (PII) through http://www.ratsit.se who they share your PII with, for example. Your PII includes your date of birth, where you live, etc…

Identity Theft
I am going to make an official compliant to the Datainspektion. If you are interested to add yourself to a petition to support me in this, please Like this Post here on the blog direct, or on LinkedIn or FB status update, wherever you happen to pick this up.

So does identity equal reputation? After all this is the claim made by some identity practitioners such as Dick Hardt (Hardt, 2006). The simple answer is no. Does it matter? And the answer is yes, it matters a lot.

Today in our digitised society your digital identity is quite simply an entry in a database, an object in duplicate, triplicate and much more, copied over numerous disparate directories scattered across the globe. Conversely your reputation is worth significant value to you but to others nothing, unless they use your reputation to add value to their own. To all intents and purposes your identity is worth a piece of gold to those motivated to collect, use and abuse identities. For your reputation, everything you publish online has most likely been copied and replicated to another server or indexed and cached by some search engine. For this reason your reputation has a persistence value that it did not have before.

Your digital identity and anything that links to you, including the digital residue you leave in your wake, is a gold mine for gold diggers. However your digital reputation is not worth stealing. Yet it is worth nurturing. In essence your online reputation can attain a value that may not reflect accurately the person sitting behind. It is by using your reputation that you can online create a type of personal branding. Once you have separated your reputation from your identity it becomes quite straightforward to take it and manage it. Your reputation could possibly, be divided into three phases: (1) what you did before, (2) what you are doing now and in your lifetime, and finally (3) what happens after you die. It takes skill to manage your digital reputation effectively.

Your identity needs to be protected and your reputation needs nurturing. What’s more is that your identity can make money for “gold diggers”, whereas your reputation is of no value except for what you make of it; and then its subjective value is of worth only to yourself.

But how can you protect your digital identity and nurture your digital reputation, if you do not own them, or even control them? I will be posting more on this in following weeks 😉

I loved this article from ZDNet on Garner’s prediction on identity management.

“Protected resources in the enterprise aren’t where they use to be and the move to the cloud has stressed and fractured identity and access management (IAM) to the point where it needs to be re-architected, according to Gartner.”

How true! There needs to be a way forward that is scalable to 6 billion persons worldwide! There is even mentioned “people-centric” approach. One prediction was that by 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from <5% today, reducing spending on IAM by 25%. This is aligned to how transparency will have a new place in the society of the future.

I've been thinking and talking a lot about how we must turn how we do security upside-down, re-architec, do it different. The present approach is not working, and hasn't for a long time. I am referring to "people-centric", "device-centric", "information-centric" and a future with increased transparency. There is nothing new with the information-centric, this after all was drafted by the Jericho forum in 2002, their 10 commandments basically stated de-peremiterization of security controls, i.e. put the security as close to the information as is possible.

You should check out what Lequa is doing in the space of IAM. I am 😉

I was surprised when taking a coffee with one of my colleagues in the office. She received an SMS thanks from another of our colleagues her for the birthday greeting. When I asked her, how did she know, she said she found it online at http://www.birthday.se/kontakta-oss/Default.aspx. She then told me when my birthday was and even a map to where I lived (although they did get this wrong). Nevertheless surprise became horror. I had already removed my details from www.hitta.se only to find myself at another site. So I checked with a previous colleague of mine (Martin Da Fonseca) that studied security law in Sweden if this was in fact legal? And this was his response.

“It is legal. The service provided by Upplysning.se is regulated in Kreditupplysningslagen (credit information legislation) (1973:1173).

I believe the service provided by birthday.se is using (or exploiting) the fact that this information is considered “public information” (allmän handling), because it is stored at a goverment agency. As part of Tryckfrihetsförordningen (“freedom of press”, sort of) (1949:105) 2:1 it says that every Swedish citizen shall have the right to access to public documents. All documented information that a goverment agency has is to be considered public. This is also regulated by Sekretesslagen (official secrets legislation) (1980:100), which states when information is to be considered secret and not part of public documentation. Personuppgiftslagen (1998:204) is also in effect here; it is applied on the actual agencies storing the information. And perhaps to some extent on companies like Birthday.se, depending on what they do with the information (if they store it).”

Should I really be surprised? Not really, as mentioned it’s not the first time in Sweden I’ve needed to remove my personal information from some public register. And getting it removed is a pain, many phone calls, and then like magic it pops up again a year or two later! I believe that this is in direct contravention of the EU directive on Data Privacy. Am I wrong here? Surely I must be? Although Sweden is quite ‘transparent’ in how it operates, there there is much trust between the government and its citizens that makes Sweden quite unique. Transparency is a part of the EU directive, although we should give our consent to sharing personal data. Maybe i have done this automatically by becoming a resident of Sweden. The personal ID is not compulsory in Sweden but its just about imposssible to operate without it. Just try taking out a prescription at the chemist without this ID, you can when they realise that they have no choice, like what happened when I lost my ID, but it takes time and is very annoying if you end up with someone that insists on following the rules. This ID is shared everywhere and is really easy to get hold of. It is composed of date-of-birth (which you can find on http://www.birthday.se) yymmdd-xxxx and four digits, that are even if you are female and odd if you are mail.

There are cases in the U.S. whereby the addresses of car drivers were public until some celebrity was murdered due to the availability of this information. This is evidence that placing this type of information in public domain is dangerous! Does this mean that Sweden has worse data privacy for their citizens than what is found in the U.S.? Is this possible for a country of the EU?