Or is it? Not really, it was an id fraud just waiting to happen, so if it is no surprise then it is not embarrassing really… except it was top Swedish profiles that had their e-leg used fraudulently. That was pretty awkward for Telia, SBAB, Avanza and the Swedish Tax Authority… and the party poppers were out this weekend for Swedish press.

SBAB and Avanza immediately issued a statement saying that they had stopped using the Telia e-leg. However, the Swedish Tax Authority is waiting to see how things develop…

But why do I say it was an id fraud waiting to happen? The problem is pretty straightforward. All credentials pertaining to access to information that we as natural and legal persons need to access/process are organised with the information, in what I call ‘information silos’, not with the natural person. An ‘information silo’ can be financial information, i.e. your money in the bank; it could be your tax returns; or it could be your health information or your children’s information held by government authorities. In fact every ‘information silo’ has your logon credentials, i.e. your so-called ‘digital identity’ or, as was the case in this rather embarrassing crime, your e-leg. If you were to add to this list your credentials on LinkedIn, Facebook, your store cards, and loyalty schemes… you have potentially 100s of ‘digital identities’ that are fair game to identity fraud. Although I said this wrong… you don’t have 100s of ‘digital identities’, because they don’t belong to you. You have no control over your so-called ‘digital identities’, whether these are in the form of e-leg or not. Well, e-leg is yours, right? No it is not; it’s not controlled by you. In this example of id fraud, your digital id is created by a third party, and they even send the secret codes for access to information through the post.

I don’t know anyone that knows exactly how many ‘digital identities’ they have, because all so called ‘digital identities’ are owned and managed by the owners of the ‘information silos’. Clearly if you trust the 100s of information owners to be doing their job right, and to care about you and your personal privacy, then I guess it’s not a problem, but I don’t. I am sure that I care more about my digital identity than anyone else out there controlling my access to their information silos.

I don’t know anyone that has complete control over their digital identity or their digital footprint. What is more is that if anything bad happened to any of these identities, you would have no idea… even if you check your bank account daily, it doesn’t matter, because this is only one of many opportunities for identity fraudsters to take over and cause temporary chaos (for just a year or two) in your, and your family’s life.

So what’s the future? What I visualise is a world whereby I own my digital identity. I control my digital identity. I have only a single digital identity that is a digital and legal representative of my natural self. Because I own my digital identity, all transactions pertaining to my digital self will be mine. This means that if I have 100 places where I conduct digital interactions, then regardless of which legal entity has been agreed to own the content of the interaction, both parties will receive details of all transactions pertaining to the digital interactions. This would give me, as the identity owner, absolute transparency, and legal traceability.

It is how it should work after all. One digital identity for each natural/legal person. It’s pretty obvious really, isn’t it?

64 thousand Swedish identities were hijacked in 2013. The population of Sweden is today around 9.5 million. This means that the crime of identity fraud impacted around 0.8 percent of the Swedish population.

“So what, that’s nothing?” You are thinking….

Nevertheless this is almost 1 in 100 Swedish residents who have been a victim of identity fraud in 2013 alone. Hence Sweden is not exempt from the growing trend of identity fraud globally.

However, in Sweden it’s going to increase exponentially if Swedish law is not changed. What we can expect is that subsequent years will welcome an influx of fresh victims; that could be you if you are one of the 9.5 million residents and/or citizens of Sweden, your friends, or even your children.

Identity fraud in Sweden will increase exponentially if Swedish law is not changed!

First a little history on how we got to where we are. Sweden is one of the few countries globally that is organized enough to have implemented a comprehensive personal identity numbering scheme. It was first introduced in 1947 and was probably the first of its kind globally that included every Swedish resident. Unfortunately, the fact that Swedish identities are organized with the use of a uniform identifier, i.e. YYMMDD-xxxx (YYMMDD = date of birth), makes their personal id much more vulnerable to hacking and fraud than a more randomly generated id. It is easy for an identity fraudster to work out a Swedish identity number using some simple data mining techniques.

For those of you that want a quick summary of how the Swedish ID number is created… here we go:

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth are a serial number.
5. An odd ninth number is assigned to males, and an even ninth number is assigned to females.
6. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.
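
As an added illustration (not part of the original post), here is a small Python validator for the layout listed above. It assumes the checksum is the Luhn (mod 10) algorithm, which the post does not name; the function names and sample numbers are made up for the example.

```python
import re
from datetime import date

# Layout from the list above: YYMMDD, hyphen, three-digit serial, check digit.
PNR_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})-(\d{3})(\d)$")

def luhn_check_digit(nine_digits: str) -> int:
    """Luhn (mod 10) check digit over the nine digits before the checksum."""
    total = 0
    for i, ch in enumerate(nine_digits):
        n = int(ch) * (2 if i % 2 == 0 else 1)   # weights 2,1,2,1,...
        total += n - 9 if n > 9 else n           # add the digits of two-digit products
    return (10 - total % 10) % 10

def plausible_birth_date(yy: int, mm: int, dd: int) -> bool:
    """The two-digit year hides the century, so accept either one (assumption)."""
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            pass
    return False

def parse_personal_number(text: str) -> dict:
    """Return the decoded fields, or the first reason the value was rejected."""
    m = PNR_RE.match(text.strip())
    if not m:
        return {"valid": False, "reason": "format"}
    yy, mm, dd, serial, check = m.groups()
    if not plausible_birth_date(int(yy), int(mm), int(dd)):
        return {"valid": False, "reason": "date"}
    if luhn_check_digit(yy + mm + dd + serial) != int(check):
        return {"valid": False, "reason": "checksum"}
    sex = "male" if int(serial[2]) % 2 else "female"  # ninth digit: odd = male
    return {"valid": True, "birth_yymmdd": yy + mm + dd, "serial": serial, "sex": sex}

# Constructed sample values for illustration; not taken from any real record.
SAMPLES = ["900101-0017", "900101-0018", "901301-0017", "9001010017"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, parse_personal_number(s))
```

A value that passes is only well-formed: the checksum catches typing errors and says nothing about whether the person presenting the number is its holder.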

To get the last 4 digits, the easiest way is to call the Swedish Tax Authority and ask; they are very helpful, since the personal identity number is public information.

But what does it really mean to have your identity stolen, or hijacked as more often referred to in Swedish popular press? So here is how a Swedish identity could be stolen starting with a name to find the personal id number:

  1. Google the name of the victim; from here the fraudster will find date of birth (ratsit.se, birthdays.se), home address on a cute map, and other information (hitta.se);
  2. To get the last 4 digits the fraudster can ring up the Swedish Tax Authority direct and ask them; it is after all public information, and they are very helpful.
  3. Now the identity thief can go online and order a fraudulent ID card and/or a fake passport using the stolen personal id number. The personal number, a vital identification number used to identify an individual, is correct, but the photo on the ID card or passport is that of the fraudster.
  4. He/she is ready to go on a spending spree at the victim’s expense! If they have no access to the victim’s credit/debit card, they could buy electronic goods on credit with a small down payment (avbetalning). The victim gets to foot the rest of the bill.
  5. A shop assistant, when checking the id card, would feel that the details are correct and process the transaction.

And this is just the beginning of the nightmare for the victim. The fraudster can take out additional loans in their name, buy a car, a house, and default on payments in their name. The victim will be blacklisted by credit companies. Cleaning up this mess will not be easy. It will take a lot of energy and time to clear their name. The victim can forget about trying to get a loan or any type of credit at this time.

I guess after all this excitement that the victim will want to remove their personal information from the public domain? Sorry, but there is more bad news. It’s quite impossible! Swedish residents have no legal right to protect their personal identifying information in Sweden. In fact credit reporting agencies have permission from the Data Inspectorate (Datainspektionen) to publish your personal information. They get something called an utgivningsbevis, which gives them exemption from Personuppgiftslagen (PuL) and costs a couple of thousand Swedish kronor. On the date of this publication there were 913 companies that have been granted an utgivningsbevis. So in Sweden the Personal Identifying Information (PII) of data subjects is public information. Although the data subjects do have some say over the integrity of PII that is published, this is driven by the Kreditupplysningslagen. Under the Credit Information Act (Kreditupplysningslagen) the agencies are required to make changes in their database to correct faults, but the data subjects have no right to be omitted from the register unless they have a ‘protected identity’. Hence all residents in Sweden who are over the age of 16 are included and public.

All of this is despite the Personal Data Law (PuL) that is here to protect personal information of Swedish residents and citizens. In fact in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from the identities of Swedish subjects. It is a Mad Hatter’s Party for 931 companies abusing this right at the cost of Swedish citizens/residents!

As a Swedish citizen, I have nothing against companies making money from identities so long as:

  1. I’ve given active consent to this;
  2. I have the choice to have it removed;
  3. and if I have permitted my personal information to be used commercially, I should also be a beneficiary from sharing my personal information.

To summarise. If you are a Swedish citizen/resident your personal information is public information and is being exploited commercially. This exploitation makes you vulnerable to identity theft. You have no control over who publishes your personal information.

It is about time this problem was fixed don’t you think?

Further reading

http://www.datainspektionen.se/press/nyheter/2014/datainspektionen-kan-inte-ingripa-mot-sajt-som-hanger-ut-domda/

http://www.riksdagen.se/en/How-the-Riksdag-works/Democracy/The-Constitution/The-Fundamental-Law-on-Freedom-of-Expression/

http://www.radioochtv.se/en/Licensing/Internet/

http://sverigesradio.se/sida/avsnitt/404038?programid=2778&playchannel=132

I am amazed at how little publicity there was on Daniel Ek, founder of Spotify, who had his identity stolen. The identity fraudster purchased goods of nearly 1 million kronor in his name and has now been indicted to 2 years in prison. A small price to pay for 1 million kronor, don’t you think?

I have talked a lot on how easy it is to steal someone’s identity in Sweden, so this should come as no surprise, I would expect, to virtualshadows blog followers 😉

The rapid increase in identity fraud in Sweden is gaining some media attention (http://www.svd.se/opinion/brannpunkt/krafttag-kravs-mot-id-kapning_3767990.svd). However they are missing the point. The solution is not purely to simplify the ‘clean-up’ process, but to change the law. And changing the law is not purely about criminalizing the crime but about enforcing an individual’s basic fundamental right to information privacy. You should have the right to remove your personal information from websites making money from it! For example I have tried removing my date of birth from http://www.birthdays.se (see previous posts) and my request was refused. The problem I have with my date of birth being public is that:

1) it is my personal information, and;
2) it is the first 6 digits of my Swedish personal id (YYMMDD-xxxx).

The root of the problem is that although the Personal Data Law (PuL) is here to protect our personal information, in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from our identities. And I think that it is about time that this abuse is stopped!

Well quite a lot according to some sources. I found a Child Identity Theft Education Kit that you may find useful. I am looking around for more on this subject. I have not heard that there is so much of a problem here in the Nordics, but in the United States it seems to be quite significant, and is growing because a child’s identity is a ‘clean-slate’ and perfect target for identity fraud.

Well, the identity thief collects the ID information of an unsuspecting person; previous articles on this blog give a background on how easy it is to steal a Swedish resident’s personal ID.

One way is that the identity thief then goes online, and orders a fraudulent ID card and/or a fake passport.

Since the personal number, a vital identification number used in Sweden to identify an individual, is correct, but the photo on the ID card or passport is that of the identity thief, the identity thief can go on a shopping spree! Easiest is to buy electronic goods on credit with a small down payment (avbetalning). The real identity owner gets to foot the rest of the bill. It’s easy to find your address online in hitta.se. A shop assistant would feel that the details are correct and process the transaction.

So if you thought identity theft was purely about fraudulent use of your credit card, for which normally the bank foots the bill… then you could have an unpleasant surprise in store…

This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII), which includes the first 6 digits of the 10 digits (YYMMDD-xxxx) of Swedish IDs. The exception is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.

“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.

Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”

This was in response to the following request I made.

I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information; an example is ‘birthday.se’. Due to the sharing of my PII the first 6 digits of my Swedish ID are public; the consequence is that it makes me vulnerable to identity fraud.

Can you please confirm that this is done. If not, would you be kind enough to give me enough information to understand why not?