
Sweden Leaks the Personal Information of Millions of Its Own Citizens - brainpool
http://gizmodo.com/sweden-leaks-the-personal-information-of-millions-of-it-1797208092
======
jeremynixon
> “Any governmental assurances to keep your data safe have as much value as a
> truckload of dead rats in a tampon factory.”

Remember this. I expect every piece of data given out to the government or to
private organizations to sit in the databases of every major intelligence
agency, and will not be surprised if it's all exposed to the public domain
through data aggregation companies in the near future.

~~~
HillaryBriss
also an aspect of a single-payer healthcare plan?

i don't expect _corporate_ databases to be secure. but, if/when single-payer
healthcare is implemented in the US, data leaks and breaches will occur often.

i guess the difference is optical: instead of blaming the evil corporations,
we'll blame the evil government.

~~~
Panino
> also an aspect of a single-payer healthcare plan?

Note: single payer healthcare systems are about who _pays_, not who
_provides_ -- it's even in the name. So here, hospitals and clinics provide
healthcare while the government pays those hospitals and clinics. There's no
reason for the government to know John Doe's enlarged prostate medication
because that's between the doctor and patient.

> if/when single-payer healthcare is implemented in the US, data leaks and
> breaches will occur often

Can you provide numerous links to stories about Medicare and Medicaid personal
data being exposed to the public? And if so, do those breaches outweigh the
cost of (in the single payer case) millions of people without healthcare,
increased costs, and worse health outcomes?

~~~
leereeves
> There's no reason for the government to know John Doe's enlarged prostate
> medication because that's between the doctor and patient.

Unless the government is paying for it and expects to know exactly what it's
paying for.

~~~
JumpCrisscross
> _the government is paying for it and expects to know exactly what it's
> paying for_

To embellish on this point, if you have a system where the government doesn't
know what John Doe's healthcare providers are billing for and blindly cuts a
cheque, expect to have lots of John Does having lots of very-expensive
procedures.

~~~
walshemj
no in that case you have something like NICE in the UK

------
sedeki
One guy working in IT at the department in question apparently lost his job
for refusing to implement this. He was also the one who informed SÄPO about
this.

~~~
brainpool
Would be really interesting to hear more about this. Without too many details
of course.

------
danieka
The thing that really gets to me is that I have no way of opting out of having
my personal details in the government's databases. Compared to a private
company which if I don't trust I simply avoid. It can't leak data it doesn't
have. But I'm completely defenseless against my government.

And I know of no serious politician (I'm Swedish) that talks about these
issues. Which means I can't vote for better policies. Society is so far behind
on understanding privacy issues and the impact of these shoddy practices.

~~~
macintux
> Compared to a private company which if I don't trust I simply avoid.

Good luck avoiding Google.

~~~
zwarag
Well, that's not too difficult. And besides, the main point is that you can opt
to not use Google services.

~~~
macintux
I don't use most Google services, and when I do they're sandboxed, but Google
cookies are omnipresent. I have no faith that my incognito efforts are all
that incognito.

~~~
gruez
>I have no faith that my incognito efforts are all that incognito.

But incognito cookies are isolated from normal browsing cookies?

also, [https://addons.mozilla.org/en-US/firefox/addon/self-destruct...](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/)

~~~
macintux
Wasn't referring to any particular technology when I referred to "incognito",
just my attempts to keep Google out of my life.

------
Entalpi
TLDR: Databases shipped to foreign soil, used by consultants without security
clearance.

This seems to get a bit bigger by the day. We usually do not have scandals and
such high profile activities but this is pretty huge tbh. :(

~~~
kuschku
This is happening more and more recently, because the US is only signing
treaties (even unrelated ones) if they require that countries allow
governmental data to be outsourced into the US.

This is getting very scary, and I’m starting to feel like we should stop doing
any interaction with the US here in Europe.

------
baalimago
No one has been reported of using the data, at least so far. The head of
security went out and said this publicly, also that the military forces'
vehicles aren't registered there, just giving away even more information about
national security for free. _sigh_

Some more trivia: the one responsible for the leak didn't even tell the
prime minister for _over a year_. And the security issues weren't even
discussed by the team who hired IBM, they got a report from some people (some
sort of service desk or something, who have nothing to do with security) that
this was a bad idea and that building a cloud in Sweden would be a lot safer,
the report they gave "mysteriously disappeared".

------
coldcode
I think the US losing all the data for everyone who ever got a security
clearance is worse (thankfully mine was before they were stored in a modern
system). But this is pretty much beyond stupid. When you outsource control of
your information, assume it will become public.

~~~
snerbles
Worse, but swept under the rug. I wasn't officially notified of the OPM breach
until a year after it hit the news.

[https://en.wikipedia.org/wiki/Office_of_Personnel_Management...](https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach)

------
sexydefinesher
Once again Sweden is leading in transparency

~~~
arossse
Best comment I read this year

------
basicplus2
What is the point of a government if it outsources its own work, this is
exactly the sort of work governments should be doing.

~~~
mk89
I asked myself the same. Besides reduced costs, I can't see any real
benefits...

------
sabujp
no one ever got fired for hiring IBM

~~~
kpil
No one is fired yet. Failed agency directors are traditionally sent to 'the
elephant graveyard' ie doing some nonsense work in a government department.

A fine has been handed out - the case was handled in a court without any
fanfare and it must have been the smallest possible amount for a crime against
the security of the state - half a month's salary. This can not be overruled.

Due to the verdict, the employment status is now under consideration in a
special governmental body - basically the HR department.

If this seems like a banana republic without bananas but with a monarch, it's
because it is.

------
danso
Blog posts from Rick Falkvinge (Head of Privacy at Private Internet Access,
and a founder of Sweden's first Pirate Party):

- [https://www.privateinternetaccess.com/blog/2017/07/swedish-a...](https://www.privateinternetaccess.com/blog/2017/07/swedish-administration-tried-glossing-leaking-eus-secure-stesta-intranet-russia/)

- [https://www.privateinternetaccess.com/blog/2017/07/swedish-t...](https://www.privateinternetaccess.com/blog/2017/07/swedish-transport-agency-worst-known-governmental-leak-ever-is-slowly-coming-to-light/)

(edit: for some reason, the above blog post URLs weren't showing up for me...)

If I'm reading his blog post correctly, Sweden's transport agency sloppily
handled the nation's vehicle registry, which does contain data subject to
freedom of information laws, but contains confidential data that is not
supposed to be out in the wild:

> _Last March, the entire register of vehicles was sent to marketers
> subscribing to it. This is normal in itself, as the vehicle register is
> public information, and therefore subject to Freedom-of-Information
> excerpts. What was not normal were two things: first, that people in the
> witness protection program and similar programs were included in the
> register distributed outside the Agency, and second, when this fatal mistake
> was discovered, a new version without the sensitive identities was not
> distributed with instructions to destroy the old copy. Instead, the
> sensitive identities were pointed out and named in a second distribution
> with a request for all subscribers to remove these records themselves. This
> took place in open cleartext e-mail._

Since Sweden is 10 million citizens, about the size of a U.S. state, this
sounds like a state DMV (Department of Motor Vehicles) accidentally exposing
the licensed drivers and registered vehicles database (part of which is public
record). But the difference seems to be that Sweden's transport agency also
handles aircraft and military vehicles using the same database, hence the
exposure of secret military info?

Ignoring the current fuckup, it seems like a bad idea to have one national
data system for personal and govt/military vehicles, even if it is efficient
for a nation of Sweden's size. The Gizmodo article notes that this database
was accessible to all of the Sweden transport agency IT workers to access and
download willy-nilly, which is a problem independent of the issue of it being
accidentally leaked. In the United States, it's a common scandal for state law
enforcement to look up driver information without proper authorization, but at
least it's just civilian driver information for their state, not the Humvees
registered to SEAL Team 6:
[http://www.nbc-2.com/story/25334275/deputy-fired-for-imprope...](http://www.nbc-2.com/story/25334275/deputy-fired-for-improperly-accessing-info-about-governor-nbc2-anchors-others)

~~~
jaclaz
> But the difference seems to be that Sweden's transport agency also handles
> aircraft and military vehicles using the same database, hence the exposure of
> secret military info?

No, according to an article linked to in your reference (via google
translate):
[https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http://www.expressen.se/nyheter/svenska-stridspiloters-adresser-hotade-i-lackan/)

The "Swedish DMV" is competent also for civil aviation licenses, the risk is
that seemingly in the civil pilot license application form there is the
information "working in the army as pilot" or something to the same effect.

So it is a bit "stretched", but surely with a database where you can find if
someone has a civil airplane pilot license, possibly a helicopter one, his/her
employer is the Army or Defense, is in the "right" age range, to find
"probable military pilots" doesn't seem very difficult.

~~~
danso
Ah you're correct. The sensitive military identities that were purportedly
revealed are described in the PIA blog post as this:

> _Names, photos, and home addresses of all operators in the military’s most
> secret units – equivalent to the SAS or SEAL teams;_

But the translated story that is linked --
[https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fcornucopia.cornubot.se%2F2017%2F07%2Fbreaking-transportstyrelsen-lackte.html)
-- says this:

> _In Sweden there is a fairly unknown term called qualified protection
> identities. Or, if you want, personal data, such as false names. These are
> issued to special personnel within the police, Säpo and Armed Forces. Thus,
> in practice, secret operators, including employees of the military
> intelligence service's top secret office for special retrieval._

There is mention of a separate military vehicle registry:

[https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fwww.svt.se%2Fnyheter%2Finrikes%2Fsvt-avslojar-hela-det-militara-fordonsregistret-lamnades-till-utlandet)

> _SVT has taken note of documents from the Armed Forces which show that data
> from the Swedish Military Vehicle Register were included in the data that
> the Transport Agency let technicians abroad who were not security-tested
> take care of. The Armed Forces now confirm on Friday afternoon to SVT News
> that parts of the registry are included in the data provided._

~~~
jaclaz
Good, though - I believe - the military registry (for vehicles) is not much an
issue (at least not for individual privacy).

I mean, in normal "civil" register, you look for a license plate and find who
owns the car, or vice versa you look for a name and check whether he/she owns a
vehicle and find which one(s), in the "military" registry you look for a plate
and find out that the owner is either the Army, the Aviation or the Marine (or
similar) and that's it.

I guess that the most you can do with the military registry is to get to know
how many vehicles per type are registered.

The "qualified protection identities" seem much more troublesome, but - I
don't of course know anything about that - common sense tells me that they
must be very few people, it seems - at least from the translation - like it is
an "exceptional" measure, taken on a case by case basis, like for selected
Police officer employed in particularly risky undercover operations and some
really-really secret-secret service operators.

------
ngneer
This has happened in Israel in the past :(

~~~
yuvadam
Correct, the entire Israeli census database has leaked and is now freely
available for anyone who knows where to look for it.

I gave a short talk about this leak at 28c3 [1], if anyone's interested in
more details.

[1] -
[https://www.youtube.com/watch?v=ow7cvZOzp6w](https://www.youtube.com/watch?v=ow7cvZOzp6w)

~~~
pbhjpbhj
Aren't censuses usually published?

~~~
ngneer
This one had addresses, phone numbers and dates of birth.

------
throwawaymanbot
we can assume that all data given over to the cloud has been copied and
siphoned off to govt "intel" agencies.

Welcome to the modern world. on one hand is digital services that deliver to
people, the other hand is all your base belong to everyone.

------
baalimago
UPDATE:

The entire Swedish government has now been reorganized as a result of this IT-
scandal.

------
synicalx
Got one thing to say.

I - I've

B - Been

M - Molested

