That is all.

"According to the tax authorities, the documents can only be opened by using a secret code and so damage may be limited"

He means it's a bunch of Excel files protected with a "pa55word"...

So UK.gov has been advising Norway on how to maintain the privacy of its citizens, eh?

"The latest tax blooper happened on the eve of a historic transatlantic pact between Norway and the US to share data about the private lives of its citizens. Travel plans, email addresses, mobile telephone numbers and even surfing habits will be made available to American security services in an effort to combat terrorism."

That's two countries I won't visit, then.

Plus, time to get a VPN to a foreign nation.

I'm actually sat in a meeting room with a load of Norwegians at the moment. I mentioned it to them, and to be honest, they don't really seem that bothered... Very odd. Very odd country though :)

It sounds like this information was given to a large number of people.

So do they know how many copies were sent out and did they get all of them back ? Also could the information have been copied before the the information was returned ?

If not then its only a matter of time before this becomes public! Remember encription is only of use if it can keep the information safe untill its of no use and I would not bet against all the existing encription being broken before I die!

How long do useually use a NI number for, I intend to use mine for the rest of my life.

"...the documents can only be opened by using a secret code and so damage may be limited"

What's the Norwegian for "Password"?

Oi. Oi. Oi!

By " Secret Code", does he mean they're encrypted, or is he just referring to a "password", what do you think?

Given the average politico's grasp of tech, that'll be fine then.

In the coverage I read, a variant of the old Norwegian excuse came out: it was a glitch/slip-up. The other variant when someone blatantly and royally screws up big-time (or does something criminally negligent) in Norway is, "Oh, there must have been a flaw in our procedures! We'll have to review them!" If the country had nukes and someone let one off for a fireworks display, the same excuses would quite probably get trotted out to the nodding media.

What is also screwed up about this case is that if there was a certain amount of sharing going on in the media companies concerned before the discs were returned, meaning that details may be "in the wild", unless very rich people get targeted by any subsequent, related identity theft, the investigations will probably get shelved within days because even though the perpetrators would be relatively easy to trace - the police would at least know where to start looking - I doubt that the law enforcement authorities will actually be bothered to even consider it worth their time getting any convictions. It's a bit like the Seinfeld episode where Jerry notes that unless the perp is actually on the distribution list for the police report, no-one is likely to get picked up for the crime.

The Norwegians are going to take all this private information and hand it over to the United States which is going to put it on an unsecure system that Gary McKinnon can hack into and see if there's UFO information, but all he's going to find is private info about Norwegians and any other country foolish enough to let the US have it.

that's about it, innit?

"Although tax statements have been open to public scrutiny in Norway since 1863, the social security number of each citizen remains highly confidential."

Stop right there! Nothing assigned *by* the system *to* the punter should ever be "highly confidential". If they want a highly confidential thingummy, call it a *password* and let the citizen choose it. If you can't bring yourself to do both of those things, then don't use it for any security-sensitive purpose.

Out of interest, do the authorities have the ability to revoke those "highly sensitive" items? Will they, for all affected people? Thought not. Highly sensitive indeed! Still, they aren't highly sensitive anymore and so they will have to fix the system. Some good may come of this after all.

Its easy to judge this based on our own anti-privacy, super secret & totally incompetent government. However Norway is much more transparent than the UK, almost all this information is available on line anyway. Including the prime minister's tax return, including details of his summer house and how much he spent at IKEA when he popped to Sweden.

Having their NI number aswell adds little value to this as if you steal someone's identity in Norway then you just as likely to be lumbered with their tax bill too!

The sheer idiocy of the "accidental" dispersal of sensitive personal information aside. What struck me was "to share data about the private lives of its citizens. Travel plans, email addresses, mobile telephone numbers and even surfing habits will be made available to American security services in an effort to combat terrorism".

So let me get this straight, dubya and his daddys farm boys are gathering information on Norwegians???? And Norway became a terrorist nation when??? I'd really like to know how on earth any of the twats in our (US) government can even begin to justify this kind of bull shit.

On behalf of sane and reasonable Americans every where I'd like to apologize on behalf of our government to the countries and their citizens who are being caught up in spectacularly misguided, over zealous, self serving, power grab they are disguising as a "war on terrorism".

Mine is the one with bulls eye on the back for when dubya sends his goons after me.

They plough the database fields and scatter, the good seed across the lands. And IT is fed and watered by GOD.s* almighty hands.

Ah the month of September, rolling (in?) the hay with the corn dollys and the delayed offering of gifts before the altar.

And I would have thought that Norway was more than capable of looking after its self / own, with it's fine array of Rich Natural Resources and Relational Databases.

*Global Operating Devices.

Hi,

The core idea here is that your income (after deductions) is should be publicly available. Before it was available in thick books found at your local tax office. The officially legaly published list contains name, year of birth, postal code, income after deductions, tax amount paid.

At the day of publishing the news media would invade the offices and note down the numbers for the rich (?) and famous. Typically leading to news-stories like "rich oil tanker mogul does not pay more than 10 kroners in tax".

With the advent of the internet it was decided that the media could receive the lists by CD. The CD is encrypted with a 30-char password, which the media could download from a website.

The problem this time was that an additional field (social security number) was on the CD as well. (The news media discovered this when their import modules failed as the text file had a different layout.) When the government found out they took down the website distributing the key (protected by username and password). Problem is... the key has been the same since 2006...

In the end the 8 news media that received the CD has apparently given their CDs back and claim they have deleted all copies. They are naturally afraid that the contents will be disseminated as that would most likely result in a change in the law... which is definitively not what they want...

Paris due to the Paris-style-quality-assurance!

Why keep ANYTHING secret?

The social security number in Norway really isn't more than a unique ID. It is printed on every credit card, driver's lisence etc, and you have to give it up everywhere. The actual problem here is that some people actually think it still is a secret. By people I mean certain banks, most of the government etc. The simple solution is to make it public information. A unique static ID for every person in a country is a good thing, a unqiue static password that you can more or less guess isn't. Here is how it is calculated:

The number is 11 digits long, the first six are your birthdate. The last five are the oh so super secret number. The last two of those are nothing more than a checksum thingie, fairly simple calculation done with among other things a modulus 11 operation. There is no problem to that calculation on your own. The first three digits in the oh so secret part are running numbers on the people born on that exact date. The even numbers reserved for girls, the odd numbers reserved for boys. In addition it helps to know what century you are born in, 0-499 are reserved for people born in the 20th century, 500-750 are for people in the 19th century and 500-999 are for people born in the 21th century. (and yes, there is an overlap). So basically you are left with 250 numbers to choose from once you know the birthdate and gender.

Yes, it was a major cock up, but the harm done is really minimal. Perhaps the security now will increase since it can not be regared a secret anymore.

For those that wondered:

1. The norwegian word for password is passord.

2. The tax return lists have usually been published in the local newspaper for all citizens before the internet. The problem that occured when it was first published on the internet is that it was very easy to construct lists of it, thus make databases of it. So now it has been restricted a bit.

3. The CDs had everybody on it, with the exception of children that have not yet paid tax on their own.

4. Where is my coat? Has somebody taken my coat? It had printed my social security number on the back. It is 08..., ah, just ask any newspaper in Norway if you want to know.(or any US official)

"Perhaps the security now will increase since it can not be regared a secret anymore."

Indeed. Perhaps people will stop regarding the 11 digit code as full verification of an individual's identity when someone whispers it to them over the telephone.

Other hopes also include the Norwegian banks actually using properly exercised authentication mechanisms so that people don't have to publish academic papers describing "cryptographic weaknesses that may indicate security problems, protocol flaws facilitating man-in-the-middle attacks, and implementation errors facilitating strong insider attacks" as well as "severe privacy problems", and the aforementioned banks not lobbying for such mechanisms to become the national standard.