Uff, COBOL written in Norwegian, talk about a narrow target to hit for hiring :)

There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.

Nowadays I think mostly journalists use it to pull up information about politicians and other people that are in the public spotlight. There are of course the yearly "richest people in Norway" lists in various categories.

Yes and no. You get notified if someone else actually asks for your revenue info and so in practice nobody actually does it.

Making snark comments about that sounds very unlikely. More likely they'd have respect for someone living frugally and not showing off. See https://en.wikipedia.org/wiki/Law_of_Jante

We don't talk to our neighbours.

What is the harm in this case? Shit people are shit even without information. They would be snark about something else then.

Yep, that tracks.

There's also the underlying current of Jantelagen (Law of Jante) https://en.wikipedia.org/wiki/Law_of_Jante

The root cause of identity theft in USA and some other places is the lack of "proper" national identity and the associated use of various personal "secrets" (not that secret) for identity verification because there are no good easy other ways.

Businesses in Scandinavia and many other countries would not treat someone knowing your personal information as any evidence of identity (because it's not); having all that information is not sufficient to impersonate you there - identity theft does happen but it would require stealing or forging physical documents or actual credentials to things like bank accounts; knowing all of what your mother or spouse would know is not enough to e.g. get credit or get valuable goods in your name.

"Identity theft" is newspeak right up there with "intellectual property". It serves the sole purpose of diminishing real theft. If someone says "we gave all your money to this other guy, but it's not our fault because he had stolen your identity" doesn't make it so. There are cases of mistaken identity, and with criminal intentions, but there is also an enormous majority of not checking identity because someone was lazy.

Just knowing someone's name, address, and ID number isn't enough to like, open a bank account in their name or such. You'd need a proper ID card or passport for that. Similar thing with most businesses if you try to pay for some product with credit, they won't accept just a few digits and a pinky promise, you'll need to identify yourself properly (the BankID app for instance).

We just change our identity every three years or so.

https://www.youtube.com/watch?v=BK2gKuqbOHo

> How do they handle identity thefts

By just accepting it as a normal fact of life that you will have some random stuff ordered in your name sooner or later with an invoice you'll have to dispute. Happened to a relative of mine, police do not care unless they order things above a certain value, without a police report you cannot get free ID protection, and then you'll have to sit for a long time in phone queues trying to cancel a subscription for a streaming service or whatever they ordered while get thrown around by support reps who go "you SURE you or someone in your family didn't order this?"

It's just a unique ID of a person, it's not a password. I don't see how you can be confused by this.

Just a few years ago this was about to change in Sweden.

But they didn't change it, because "women should be able to look up the men that they date".

public information if they signed an agreement with the Swedish government?

It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?

And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.

The point of a system like this is specifically that it’s accessible and not air gapped.

Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible

If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.

In Aftonbladet comments from CGI they seem to think that no production related data has been leaked:

https://www.aftonbladet.se/nyheter/a/ArvG0E/cgi-sverige-uppg...

some report it's basically the code and certs responsible for BankID SSO

No. CGI has nothing to do with BankID.

IMO the most credible reports suggest that the source code and data involved are related to these four services:

https://www.cgi.com/se/sv/business-process-services/e-tjanst... "Mina engagemang offers a user-friendly and flexible solution that allows your customers to manage their cases directly through a personal portal. Here, users can view, track, and interact with their ongoing cases, which enhances both transparency and efficiency in the communication process." -- some kind of ticket/case management system for gov't agencies

https://www.cgi.com/se/sv/business-process-services/elektron... "With our secure end-to-end e-ID and eSign services, we can help you streamline document and contract management, gain access to all desired e-ID issuers, and improve cost efficiency." -- this sounds like a bad thing to compromise, but is to the best of my understanding a system for digital signatures on documents, and has no relation to BankID

https://www.cgi.com/se/sv/business-process-services/e-tjanst... "Gain better control over your organization’s representatives with our easy-to-use representative registry. By automating the identification and verification of representatives, you’ll gain a clear overview and enhance the security of your processes." -- sounds like some bullshit CRUD app for managing who can "represent" a gov't agency

https://www.cgi.com/se/sv/business-process-services/e-tjanst... "SHS is Sweden’s common standard for information exchange, enabling secure and efficient communication between government agencies, businesses, and organizations." -- this might be bad if real data was leaked

These are services used by various Swedish government agencies and it's pretty bad to have even a test instance of them hacked, but let's calm down. The entire Swedish state has not been compromised here.

So if no data was leaked from the tax agency or from the users, then the leaked "digital signing documents" must have belonged to the only remaining party, which is CGI, so perhaps they were just some marketing documents about the benefits of their digital signing service?

I apparently didn't phrase that very well. If what is the case? I was trying to ask which case was the case, not trying to claim that something specific was the case.

I'm familiar with electronic signatures, and I know what documents are, but I have never heard the phrase "electronic signing documents" and don't know what that is supposed to mean. What kind of documents? Documents about signing, documents that were signed, documents in the sense that files containing keys could be considered documents, or what?

We might've lucked out here, there is some signature data on ID cards today and official _plans_ to make a government backed signing service, but practically _nobody_ uses them in practice to just revoking all those keys will be a minor issue.

Currently most Swede's use a private bank consortisum controlled ID solution for most logins and signatures.

The private keys in BankID are stored in users phones, not centrally.

Yes, nothing and the facts that these are government services, they use BankID and they updated their websites with "maintenance work" announcements for tomorrow, Saturday. For kronofogden.se there was no maintenance planned just half an hour ago. Knowing swedish tendency to plan things months ahead I would _guess_ that this maintenance work has been rushed due to some circumstances.

The good news is you can keep offline, offsite digital copies, which is much more convenient than offsite paper copies.

I think what the comment meant was that it's harder for an individual to lose their paper documents compared to losing the electronic ones. It just shifts who's responsible for keeping them safe

That depends entirely on what the records hold and who is interpreting the event.

Then add “earthquake” to the list, or “domestic terrorists or foreign country bombing the building”. Steelman the argument. The point isn’t “just fire and water specifically”, we’re not playing Pokémon.

We have several historic examples of records being lost in disasters, and way more recent than 100 years ago.

https://en.wikipedia.org/wiki/National_Personnel_Records_Cen...

It makes no difference that we could’ve prevented that with better building construction. We didn’t, and hindsight does not bring the records back. We should plan for the world we want but cannot ignore the world we have.

I’m not defending digital as always better or criticising physical. Like I said, different tradeoffs, meaning there are advantages and disadvantages to both, there’s no solution which is better in all situations.

The total number of people working on the project might remain similar no matter if it's one company or many smaller companies. Writing clear documentation and API, well thought from the start is harder the larger the project.

Maybe there would be a benefit from having less layers of management, but multiple small companies or one big could have the same structure.

I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?

> You have to have people who care about this stuff.

What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.