by Lia Johansen and Karl Lallerstedt
In July, Alf Göransson declared himself bankrupt. He was consequently automatically de-registered as the President and CEO of Securitas, a leading global cyber-security company.
What Göransson proved in court, however, is that the declaration of bankruptcy a malicious act by someone who hacked his identity five months earlier carried out without his knowledge. The hacker used the CEO’s identity to seek a loan of an undisclosed amount in March and later filed for bankruptcy.
The unfortunate irony of the CEO of a security company falling victim to identity theft on such a scale notwithstanding, Göransson’s experience is becoming increasingly common in Sweden.
Sweden has an open data policy, which prioritises transparency of information for government, corporations and individuals. There are only a few reasons for which documents can be kept secret, relating to national security and diplomacy. This has been a source of great pride for those who tout the benefits of an open and transparent culture of information, but with Swedish citizen’s left with no legal right to remove their personal information from the public domain.
The FGJ (Association of Investigative Journalists) have an entire tool dedicated to discovering information about members of the public, their “personresearchguiden”. The openness which governs Swedish information laws has allowed for investigative journalists to freely question and scrutinise possible wrongdoing, but, as Lars Minnedal, also from the Swedish Police Fraud Department, recognized in one interview that “people have started using [Sweden’s] principle of freedom of information as a tool to commit crime.”
Sweden is currently considered one of the world’s leaders when it comes to replacing cash with digital transactions, and when, in 2011, the country extended their identification system to include a digital ID for use in relation to a citizen’s bank or telecommunication provider, the opportunities for electronic identity theft and transaction fraud became exorbitant. Hackers often hijack credit cards to purchase goods or readdress a victim’s mail, thus gaining access to all of a person’s government communications.
Since 2011, the number of reported cases of falsified IDs in Sweden has been rapidly accelerating. 20,000 people reporting identity theft in Stockholm alone in 2012; in 2014, roughly 67,000 people reported that their identities or personal information had been stolen, or that someone had hijacked their credit card and used it to order goods in their name. In 2016, it had more than doubled to 120,000 cases.
Sweden now ranks 10th in data security group Symantec’s global list of identity theft prevalence, and Swedes are three times more likely to be victims of identity theft than home burglary.
Add to this the fact that Sweden did not officially criminalise identity fraud until 2016, with Justice Minister Morgan Johansson admitting that “[the Swedish] legal system has not kept up with the development” of identity theft. Moreover, under Swedish law, unlike other crimes, the burden of proof for identity fraud is on the victim, whether it be an individual or a business- in the Securitas case, their CEO had to step down whilst waiting or the reversal of the bankruptcy claim.
But there have also been some positive developments. Increased checks and security when purchasing goods online, introduced by banks, appear to have had some success reducing debit card fraud, which decreased by 13% decrease over the preceding year. But increasing security on online purchases is only the first step in the right direction.
Arguably, Sweden’s approach to public access needs to be rethought in the digital age, not just to prevent crime, but also to make it more difficult for foreign entities to gather data about individuals. It seems the country is yet learn how to walk the fine line between their laudable principles of freedom of information and the protection of individuals’ data.