
Blog posts from Rick Falkvinge (Head of Privacy at Private Internet Access, and a founder of Sweden's first Pirate Party):

- https://www.privateinternetaccess.com/blog/2017/07/swedish-a...

- https://www.privateinternetaccess.com/blog/2017/07/swedish-t...

(edit: for some reason, the above blog post URLs weren't showing up for me...)

If I'm reading his blog post correctly, Sweden's transport agency sloppily handled the nation's vehicle registry, which does contain data subject to freedom of information laws, but contains confidential data that is not supposed to be out in the wild:

> Last March, the entire register of vehicles was sent to marketers subscribing to it. This is normal in itself, as the vehicle register is public information, and therefore subject to Freedom-of-Information excerpts. What was not normal were two things: first, that people in the witness protection program and similar programs were included in the register distributed outside the Agency, and second, when this fatal mistake was discovered, a new version without the sensitive identities was not distributed with instructions to destroy the old copy. Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.

Since Sweden is 10 million citizens, about the size of a U.S. state, this sounds like a state DMV (Department of Motor Vehicles) accidentally exposing the licensed drivers and registered vehicles database (part of which is public record). But the difference seems to be that Sweden's transport agency also handles aircraft and military vehicles using the same database, hence the exposure of secret military info?

Ignoring the current fuckup, it seems like a bad idea to have one national data system for personal and govt/military vehicles, even if it is efficient for a nation of Sweden's size. The Gizmodo article notes that this database was accessible to all of the Sweden transport agency IT workers to access and download willy-nilly, which is a problem independent of the issue of it being accidentally leaked. In the United States, it's a common scandal for state law enforcement to look up driver information without proper authorization, but at least it's just civilian driver information for their state, not the Humvees registered to SEAL Team 6: http://www.nbc-2.com/story/25334275/deputy-fired-for-imprope...



> But the difference seems to be that Sweden's transport agency also handles aircraft and military vehicles using the same database, hence the exposure of secret military info?

No, according to an article linked to in your reference (via Google Translate): https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...

The "Swedish DMV" is competent also for civil aviation licenses, the risk is that seemingly in the civil pilot license application form there is the information "working in the army as pilot" or something to the same effect.

So it is a bit "stretched", but surely with a database where you can find if someone has a civil airplane pilot license, possibly a helicopter one, his/her employer is the Army or Defense, is in the "right" age range, to find "probable military pilots" doesn't seem very difficult.


Ah you're correct. The sensitive military identities that were purportedly revealed are described in the PIA blog post as this:

> Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;

But the translated story that is linked -- https://translate.google.com/translate?hl=en&sl=auto&tl=en&u... -- says this:

> In Sweden there is a fairly unknown term called qualified protection identities. Or, if you want, personal data, such as false names. These are issued to special personnel within the police, Säpo and Armed Forces. Thus, in practice, secret operators, including employees of the military intelligence service's top secret office for special retrieval.

There is mention of a separate military vehicle registry:

https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...

> SVT has taken note of documents from the Armed Forces which show that data from the Swedish Military Vehicle Register were included in the data that the Transport Agency let technicians abroad who were not security-tested take care of. The Armed Forces now confirm on Friday afternoon to SVT News that parts of the registry are included in the data provided.


Good, though - I believe - the military registry (for vehicles) is not much of an issue (at least not for individual privacy).

I mean, in normal "civil" register, you look for a license plate and find who owns the car, or vice versa you look for a name and check whether he/she owns a vehicle and find which one(s), in the "military" registry you look for a plate and find out that the owner is either the Army, the Aviation or the Marine (or similar) and that's it.

I guess that the most you can do with the military registry is to get to know how many vehicles per type are registered.

The "qualified protection identities" seem much more troublesome, but - I don't of course know anything about that - common sense tells me that they must be very few people, it seems - at least from the translation - like it is an "exceptional" measure, taken on a case-by-case basis, like for selected Police officers employed in particularly risky undercover operations and some really-really secret-secret service operators.


> Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.

Jesus fucking Christ on a snowmobile.


Meh. It would have been trivial to diff the old and new copies anyway.


You could diff those lists and you would know which names disappeared, but you wouldn't know WHY. They could have thought of some excuse like: "we mixed in fake, test data" or "we forgot to remove some recently deceased people", not just say "you need to remove those records because they are top secret" :)



