More on kids, and Sweden is ahead of the trend as is normal on children’s rights.
There is a new law (barnkonventionen svensk lag) being discussed which looks as though it will be effective in 2020 which basically means that parents are not permitted to post pictures of their children online without their permission.
This came to my notice following a Post I made on a private group on Facebook informing that it was against human rights and a right to a private life to Post pictures of children and any individual should not be posted without their permission. I made this Post because I was horrified (although not surprised) to find that someone had posted a video of a couple of teenagers on mopeds on the island (where I live) driving too fast, and was asking who they were. The culprits were uncovered. In main she was praised for stopping them, names were mentioned, until the mother popped up in the thread.
This reminded me of something which happens in China, a practice called ‘cyber manhunt‘. An individual does something bad, and a hunt is initiated to find him/her via social networks and other connected means, once found their life is made a misery.
In this closed group there were almost a 1000 members. So the 2 teenagers were publicly exposed. They did something wrong, but it doesn’t matter, they didn’t deserve public humiliation. I also wonder that if adults are posting these kind of videos online of kids, then clearly kids will not hesitate to do the same.. consequences can be fatal -if a child takes their life due to something posted on them to which they have not agreed to.
It is therefore, a delightful development, the new law which protects kids in the digital age, connected age. How this will work in practice, we will see. From a practical perspective, just wondering how an under 5 will be able to consent to their pictures being posted online. But I’m sure there is something in the legal text which covers this…
The question is that sometimes it is VERY useful to use tracking technologies, for example in order to protect vulnerable persons, i.e. small children, and old people (who tend to wander). So the decision by Norrköping kindergarten was a bad one IMHO to not allow the use of tracking – use of armband- of toddlers/small children.
As a parent it would give me peace of mind. Human rights states that we have a ‘right to feel safe’ and ‘a right to a private life’. These rights can often conflict with each other which results in the wrong decisions being made. Hence in fear of breaking the GDPR a school has made a rather incorrect decision which has so many benefits for all. What’s more is that RFID/sensors are not biometrics, so have no relation to the other decision. Sensors do not even need to be linked to an identity. All the school needs to know is if they have lost a child, not which one… that they can work out pretty quickly by seeing which they have.
This presents another problem in that decisions are made by persons who are are not able to take this careful balancing act and really identify the potential risk of harm to the natural person. In the case of Norrköping school I can see none which outweigh the benefits on a ‘right to feel safe’.
Thanks to Inge Frisk for bringing this decision in Norrköping to my attention.
The ruling is in Swedish, but to summarise the school was using facial recognition on its students. Facial recognition is biometric data, hence sensitive (special categories of data in the GDPR). They used consent as the legal basis but this was considered as unlawful due to the imbalance of relationship between the controller (school) and the data subject (student of 16+ yrs). Basically the student had no choice.
But there is more. The Swedish data protection authority based their decision on the following:
Art 5 – personal data collected was intrusive and more was collected that was needed for the purpose
Art 9 – the school did not have a legal exception to handle sensitive data. It is forbidden to collect sensitive data unless this is the case.
Art 35-36 – seems that a DPIA was not done.
What does this mean to other schools or even any public or private entity looking to use intrusive biometrics? Do a data protection impact assessment (DPIA), from here you will be able to get a clean picture on the potential risk of harm to the rights and freedoms of the data subject.
For me personally and professionally, I’m just happy that China’s big brother approach has been nipped in the bud here in Sweden 🙂
I’ve been publishing on the subject of personal privacy since 2007, and finally, now, in 2015 I decided to take my CIPP/E. The CIPP credential says you know privacy laws and regulations and how to apply them according to the International Association of Privacy Professionals (IAPP).
Why did I take this certification? After all I have a Masters Degree in Information Security in supposedly the most famous (in this subject) globally, with the Royal Holloway University of London (RHUL). I also have an MBA with Henley Management School (University of Reading). On top of 20 years of rich experience in IT and IS, it looks as though I am in the league of ‘over-qualified’ and then ‘what next?’. Or am I?
No! I am driven by a desire to ‘fix the Swedish ID promiscuity problem’. (There is more on this in my blog, lots of posts.) I took CIPP/E to get a toolkit that I could use to stop, my and your Swedish ID, being publicly sold online without my or your consent! So now I finally understand what the problem is, and I believe I can solve this, to finally squash this conflict between ‘freedom of information’ laws and ‘PuL’. Watch this space…..
Yes I know, I’m here again complaining about the Swedish law protecting personal information that has no teeth! Now it seems that there is another loophole in the law following a new ruling that enables foreign companies to extract and use PII of Swedish residents/citizens, any persons associated with a Swedish ID#. Read more in this article which is in Swedish, but I’ve done an English translation below.
In previous posts I’ve discussed the weaknesses in Swedish law pertaining to the protection of personal information. Basically there is a conflict between the PUL (Personal Data Act) and the Freedom of Expression Act; which present a loophole for companies wanted to make money from PII. Both laws have good intentions, but the latter is being abused.
Foreign companies can bypass Personal Data Act (PUL)
Foreign companies can get information on Swedes denied to domestic companies with reference to the Personal Data Act (PUL) . A judgment of the Supreme Administrative Court states that a Norwegian agency workers are entitled to get information about all Swedish nurses from the National Board despite the fact that the authorities first denied because it would violate the PUL . But as the law is written, it can not be denied information because PUL is not applicable abroad , reports P3 News . The ruling means that it is now free for foreign companies to request public documents from Swedish authorities and that Swedish companies can open subsidiaries abroad in order thereby to request information , says Dennis Töllborg , professor of jurisprudence.
Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what a better place to start than with the Swedish e-leg? Apparently the architecture will be using SAML federation, i.e. they have a relationship that they trust each other. Every ticket includes an identity (a SAML assertion) it is digitally signed but the signing is not embedded in the SAML assertion. The YouTube video below describes this specific inherent weaknesses in SAML, but clearly (and hopefully) these issues have now been fixed. However according to the speaker (questions at the end) the signature signing standard in SAML is very complex, and there are not many that really understand it fully enough to implement properly. The main problem seems to be the way the signature is separate from the SAML assertion.
If the vulnerabilities mentioned from 2012 have been fixed, there is in any case potentially integrity issues for customers with the Swedish e-leg implementation, namely: You can’t see what you are signing!
What you will see in the web-browser has a very weak connection to what you are signing. What this means is that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with, and that is a Man-in-the-browser (MitB) trojan changes the content in the browser.
What you do maybe not be exactly what you expect!
This is exactly it, the customer… well that could be you, can potentially be ‘lured’ into signing something that you were not expecting to sign. It is likely that the e-leg service works so that the identification of a user leads to a legitmate transaction. However this could be a logon to a service or digital signing of a transaction. There are other services available today that differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.
However, now the Myndigheten för samhällsskydd och beredskap (MSB) has published a summary report “Analys av informationssäkerheten i Svensk e-legitimation” (link broken, 2015-05-21). The detailed reports has been labelled as Secret. However I guess that they are fixing all the potential security flaws, of just a couple I have named above. The thing that bothers me still is that even in the recommendations they are still fixated on using SAML for the infrastructure. Funny that this report came out though in the wake of the Telia e-leg identity fraud fiasco 😉 Have fun reading!