Ok, some important context for non-Swedes.
Anyone can get access to all Swedish (non-protected but those are a very VERY small subset) personal identification numbers by simply signing an agreement with SPAR[1] (the Swedish national people database). Identification numbers per se are not particularly useful or hard to get, they are effectively public information. Using SPAR you can also get the home (and any additional) addresses of individuals.
A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.
I think this is good to highlight for non-Scandinavians.
Scandinavian countries are extremely open and transparent in a way that might be shocking for Americans. For example, in Norway, I can check nearly anyone's brokerage account holdings, addresses, phone numbers, etc. on public websites. I can in theory look up anyone's tax filings.
Personal identification numbers do not tend to be considered private in the same way that social security numbers in the US are.
> This system was one of the oldest IT systems in NAV, and ran in production for 51 years, from when the National Insurance Scheme was introduced in 1967. In January 2018, Presys was put into production, which together with Pesys became the successor to DSF. At that point, DSF was also shut down.
The system is written in PL/I.
It's like the Apollo 11 code, but for social services.
Who needs a Jones Act when you can have processes like these?
Saline95155 hours ago
What's the point of making public how much each person owns? Aside from making you a prime target for kidnappings and targeted advertising?
Epa0956 minutes ago
Because tax is not your bill from 'government Corp', it's your contribution to the community, to your tribe. And we have explicit goals for this, besides bringing revenue (like the strongest back should carry the heaviest burden).
When we have communal contributions in other settings, your contribution is usually not a secret.
It is meant to give the tax system more legitimacy, that you don't have to wonder if people sneak out of their contribution, you can check. It also leads to yearly debates about the tax system as the list of the richest (usually inherited) is published together with what they pay in income tax vs wealth tax.
Previously you could check up anyone anonymously. These days you have to log in, and they get a notification. But the list of the richest and their tax contribution gets published in the newspaper.
kalleboo5 hours ago
Tax data is government data. Government data is public data. Instead of asking "what's the reason for making something public" the question is "what's the reason for making a carveout for some specific data to make it secret"
Saline95154 hours ago
Government data about private individuals can be considered as private, for privacy reasons. If the government knows that I have a mental disability, should everyone know about it, so they can discriminate against me accordingly? What kind of dystopian view of the world is this?
Or, if I own crypto, why should the government facilitate the work for criminals?
slim17 minutes ago
Why would anyone kidnap you if they own as much as you?
analyst744 hours ago
People in safe countries generally do not worry about kidnappings.
whynotmaybe19 hours ago
I heard a rumor that some people use this to check their neighbour's revenue and sometimes make snarky comments if one of them has a high revenue but lives in an "average revenue" part of town.
They'd say that if you earn a lot, you shouldn't take a cheap housing.
Any truth to that?
kivle18 hours ago
There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.
Nowadays I think mostly journalists use it to pull up information about politicians and other people that are in the public spotlight. There are of course the yearly "richest people in Norway" lists in various categories.
embedding-shape15 hours ago
> There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.
Yeah, kind of a fake solution, request it via Ratsit or whatever and all they get to see is that someone used Ratsit, but not who actually requested it.
Same goes for criminal cases, using Krimfup or whatever just leads to the service's name "leaking", while you can use fake details to sign up for both Ratsit and Krimfup.
Epa0953 minutes ago
I don't think there's anything like Ratsit in Norway which would let you do this query anonymously.
embedding-shape15 hours ago
> They'd say that if you earn a lot, you shouldn't take a cheap housing.
I think a lot of "humbleness" is also enforced this way, in the US (or even some European countries) it seems normal to flaunt your wealth, and others seem more or less OK with it, while in Sweden it's much more socially unacceptable to in any sort of way brag about being rich, or showing that off. Humble-richness is OK and tolerated, but flagrantly displaying your wealth among the public is generally frowned upon.
So together with that, living in an average neighborhood but having a house that sticks out as clearly "rich person's house" will gain you evil looks from your neighbors, as you're "supposed to" live in a different neighborhood where neighbors look more equal, otherwise you again stick out, which is cause for friction culturally.
Lots of culture in Sweden is less about "let's correctly solve the problem" and more "let's ensure the gaping holes aren't so visible for everyone, so we can ignore it properly".
torginus10 hours ago
I have a friend who has moved to Sweden a while ago, and she told me a lot about the Swedish housing situation, and admittedly most if it went over my head, but in short, apparently very few places would even allow you to build even somewhat freely.
Apparently she was in a situation where she 'owned' her house, but still paid a monthly maintenance fee to some agency, and she wasn't allowed to repaint the rooms or do any sort of repairs, but had to go through some agency, who would do it for her.
Apparently that was a neighborhood thing, but she told me of epic (and apparently fruitless) struggles of her friends who wanted to repaint their house in a different color and install some circular windows.
patall9 hours ago
Probably just didn't really buy the house. Many houses are part of an association (BRF). When you buy one, you practically only buy the right to live in the house plus a share of the entire association. The fee that she paid was towards that association for things like maintenance, management, trash-fees, internet, parking, likely heating and water, and possibly interest on the association's loan. It's just a different structure that many countries have for flats in a building, in this case applied to single family houses.
skissane4 hours ago
Here in Australia, I’ve seen what we call “strata title” applied to “single family homes” before (American terminology, we’d say “detached houses”) - it is uncommon, much more common with apartment buildings or townhouses/villas/semidetached (you share walls and maybe the roof with your neighbours, but there is no one above or below you)-but not completely unheard of
lysace10 hours ago
[flagged]
torginus10 hours ago
Hold on, I was sharing an anecdote from a friend living in a foreign country, and somehow you're connecting this to a dastardly geopolitical plot by a league of evil nations?
Also may I ask who the heck you are to call my story uninformed? As far as I recall, there's nothing inaccurate about what I said, I might be missing some context or nuance, but there's no disinformation in there, and there's certainly no hidden motive (what would even that be?) you seem to imply.
lysace10 hours ago
”and admittedly most if it went over my head”
”Apparently she was in a situation where she 'owned' her house, but still paid a monthly maintenance fee to some agency.”
(This is not the norm. I can go into a lot more detail if you want to.)
I am not accusing you of disinformation. I am saying that you are writing completely irrelevant stuff in a story that, as far as I can see, is mostly false and has a high probability of being propaganda related to current conflicts.
And yes, dozens of other people did the same.
mikkupikku5 hours ago
Seek help.
alentodorov10 hours ago
what
lysace10 hours ago
Yup
internet_points18 hours ago
Making snark comments about that sounds very unlikely. More likely they'd have respect for someone living frugally and not showing off. See https://en.wikipedia.org/wiki/Law_of_Jante
daneel_w11 hours ago
Making snarky comments about it, no, not really. Will some people snoop around? Yes, nosy people can be found everywhere.
ale18 hours ago
Yes and no. You get notified if someone else actually asks for your revenue info and so in practice nobody actually does it.
arcticfox18 hours ago
Is this not trivial to get a random person to check stuff for you in exchange for making requests for them (on people they are interested in)? Or is that illegal?
vodkapump17 hours ago
There's paid services that pull it for you, most charging around 100nok (10eur) per lookup.[1]
Media is also allowed to pull "top" lists like the 100 people with the most income in a city, 100 people with the most wealth in a city, etc.
What is the harm in this case? Shit people are shit even without information. They would be snark about something else then.
whynotmaybe17 hours ago
I think it was covered during a discussion about immigrants that are easily rejected - because they're immigrants.
The point was that it added another layer of issues for immigrants because they didn't understand the neighbourhood they "should be living in" with their revenue.
ruszki16 hours ago
Why is this not the “shit people do shit things” category? This happens even without being immigrants. Large part of my family lives in a way poorer neighborhood than what we can afford, because we don’t care to move. People who have problem with this had other problems even before we got richer. There is exactly zero difference. The exact same people are snark as before, just for something else now. They were and would be snark even without this.
This seems to me a very bad attempt to hide xenophobia.
The US used to be more this way. Not brokerage accounts as far as I recall, but whether you own a house, how much you paid for it, your address, phone number, even your SSN didn't use to be considered very private, people had it printed on their personal checks, and schools used it as a student ID number.
Newspapers used to publish hospital admissions and discharges, nothing medical but names and dates. Probably a lot of other stuff I'm forgetting.
romanhn2 hours ago
Let's not forget white pages, those door stopper telephone books containing everyone's name, phone and address that everyone had (along with yellow pages for business listings).
designerarvid9 hours ago
All email conversations in Swedish public institutions are basically a public act and any citizen can request an extract of them.
gwerbin7 hours ago
Out of curiosity how do you authenticate yourself with government services and finance companies and such? The reason the SSN is considered private is because it's used for authentication. Usually an SSN + one or two pieces of trivially obtainable information is enough to sign up for just about anything in somebody else's name, unless physical documents are required as in the case of a passport.
modin7 hours ago
With cryptographic keys, normally stored on a smartphone. BankID[0] is the most common solution, but there are others. I personally use biometric 2fa to log in, and PIN to sign contracts or pay.
Is this due to how high-trust societies work, or is it something else?
ROllerozxa19 hours ago
And then there are widespread amounts of identity theft and mapping out of minorities, but you may sleep well as everyone knowing where you do so is an important step in making sure corruption is no more, don't think too much about it.
Batman867530919 hours ago
Just a few years ago this was about to change in Sweden.
But they didn't change it, because "women should be able to look up the men that they date".
ROllerozxa18 hours ago
Oh yes. I'm Swedish and I do have to admit I have looked up quite a lot of people on these kinds of sites. It's become so normalised to do this even though I also feel like it would be better as a whole if they just did not exist in the first place.
Last update I heard about something being done about it was this:
> You criticize these websites when they affect minorities, but you use them yourself to look up men. That seems inconsistent.
This is very close to the "Yet you participate in society, how curious" meme, especially since they're implying they would vote in favor of a law that changes it so that the data is no longer public in the same manner.
But then your comment history reveals enough about your intent.
heraldgeezer15 hours ago
I live here so I can add my experience, thank you.
Speak clearly, what do you have an issue with exactly in my comment history?
Hikikomori13 hours ago
>Why are minorities so protected? :)
Because it's the law, and it's a good thing as governments and people tend to use violence against minorities. Don't like it? Move to a more racist country like Israel.
heraldgeezer12 hours ago
[flagged]
Hikikomori12 hours ago
Svensk, anti Zionist, and proudly so. I'm not anti west, though I see all the bad shit we do to the world.
weirdmantis6912 hours ago
[flagged]
heraldgeezer12 hours ago
Yes, sadly, and a lot of it is MENA migrants. But that should be no surprise if you have any experience of the world and Sweden.
I think you are trying to be funny, but I am serious.
>“First, before 2015 it was not acceptable to talk about antisemitism which came from immigrant groups from the Middle-East. This made members of the Jewish community feel abandoned. Sweden has now changed and it’s now possible to talk about it and deal with the problem”, Kahn Nord says
> “antisemitism has long been a weapon of regimes in the Middle East, where it is deeply rooted, openly expressed, and legitimized. The spread of this type of propaganda via the internet by regimes such as Iran has contributed to the globalization of this hatred. Recently, it was revealed that the Iranian regime is suspected of having planned to murder Swedish Jews, among them Aron Verständig, the chair of the Official Council of Swedish Jewish Communities (Judiska Centralrådet). According to the Swedish Security Services (Säpo), Iran has also recruited Swedish criminal networks to carry out attacks against Israeli and Jewish targets. The Swedish National Centre for Terrorist Threat Assessment (NCT) has reported that the biggest terror threats in Sweden come from violent Islamists and right-wing extremists, which both have Jews and Jewish institutions as some of their primary targets”.
Official Swedish statistics from the National Council for Crime Prevention (Brå) show a clear rise in antisemitic hate crimes, increasing from 111 cases in 2022 to 217 in 2024 (doubling their share of all hate crimes to 8%), with a sharp surge (>450%) to 110 reports in late 2023 following the October 7 Hamas attack. This increase correlates with large-scale immigration from Arab and Middle Eastern countries, where antisemitic attitudes are significantly higher (e.g., ADL surveys show ~74% prevalence in MENA vs. low native Swedish levels). Multiple studies and reports, including Brå analyses and victim perceptions, indicate that perpetrators are often from Middle Eastern immigrant backgrounds, with spikes tied to Israel-related conflicts and imported attitudes, though not all immigrants are involved.
Various analyses linking to immigration (e.g., Wikipedia summary, JCPA articles, US State Dept reports citing surveys).
pear0110 hours ago
People like you are somewhat amusing. You keep going on and on about how you are Swedish when the right-wing playbook is global, this could easily be a post from any of your ilk anywhere on the European continent or the United States.
Let's even grant you the premise that these statistics are accurate. What do you want to do about it? Deprive people of their rights extrajudicially because of where they come from? Should we treat people from MENA differently before the law? What about a native Swede who is antisemitic? Should they lose some rights? Should we deport people based on place of origin? Is that what the West is based on to you, increasingly arbitrary or national/ethnic access to rights vs a universalist conception of human rights? Or would that be a "third world" degeneration?
What is the West? Are Jewish people synonymous with the West? Was that always the case? You talk about minority protections are Jewish people a majority in Sweden? If not, why do you advocate protections for some minorities and not others? Do you think Jewish people have suffered in the "first world" West? Where does antisemitism come from? Was the Weimar Republic the third world? How about the regime that followed? Should European antisemites be allowed into Sweden? Maybe everyone who enters Sweden should have to pass an ideological test to prove they are sufficiently non antisemitic and appropriately Western? Or maybe you let them in but they have to walk around in special outfits or with a special lapel or label on them so we can be vigilant regarding their whereabouts? Perhaps anyone who commits a crime in Sweden should be deported, as only an anti-western person would exhibit criminal behavior?
What do you want to do about it? Highlighting crime tells us nothing. Every society deals with crime. Most societies have minorities. What separates societies is how they deal with it. So tell us, warden of the West, what you seek to do.
I should know better than to wade into a debate with someone who argues like you. Your comment history does indeed speak for itself. But I will try to debate you in good faith. I look forward to your answers.
heraldgeezer7 hours ago
You are already poisoning the well before I answer, so I feel like my answer will not matter to you, but I will absolutely answer in good faith as I always do.
Not sure if you are American or not, but European migration policy seems especially harsh compared to yours, but we have our reasons. (2015 aware, wir schaffen das)
I voted for Moderaterna, to be clear. You can look them up.
>Let's even grant you the premise that these statistics are accurate.
BRÅ is a state bureau and they are accurate.
>What do you want to do about it?
Vote for the party that has policy on this I agree with.
>Deprive people of their rights extrajudicially because of where they come from?
Yes! We already do this. Everyone in the EU can freely migrate to another EU country in the Schengen zone. If you are outside EU you need Visa or Asylum. Thus, we treat people differently based on where they are from. We do not have "open borders", nor should we.
We see this also with the Ukraine war. Who do we feel closest to? Someone fleeing war in Somalia or Afghanistan or someone fleeing from Russia's invasion in Ukraine?
You know the answer even if you do not want to admit it, you maybe feel the same way.
Also, "rights" was never to be allowed to migrate anywhere. Never was, never will.
>Should we treat people from MENA differently before the law?
Yes! We already do. See above.
>What about a native Swede who is antisemitic?
That is bad and I reject any type of neo-nazi conspiracies. I also fight these online and there is a perplexing unity on neo-nazis and Hamas etc and their ilk on this. They always revert to "well jews control the media, usa etc". Ridiculous.
>Should they lose some rights?
Yes! We have a law called "hets mot folkgrupp". If convicted, you lose rights.
>Should we deport people based on place of origin?
No, we base it on behaviour such as crime etc. Then they should be deported.
The policy now is prevention also.
>Is that what the West is based on to you, increasingly arbitrary or national/ethnic access to rights vs a universalist conception of human rights?
Human rights does not mean to let everyone who wants in. It never did.
>Or would that be a "third world" degeneration?
That would be one of many criteria. See Pol Pot etc.
>What is the West?
Europe, with a line towards Russia, generally. Ukraine and Georgia I consider the west for example. This is based on behaviours. To the South, Mediterranean is a border. Greece Cyprus is part of the West, not Turkey.
UK is the West also. And Canada and USA. And Israel.
>Are Jewish people synonymous with the West?
Yes, Israel and its population have shown to be our steadfast partners.
>Was that always the case?
Sadly no, it was only Napoleon who started to let Jews in so to say.
>You talk about minority protections are Jewish people a majority in Sweden?
Yes!
The national minorities in Sweden have long historical ties to the country. In 2000, Sweden officially recognised the following minorities and minority languages: the Jews and Yiddish, the Roma and Romani Chib, the Sami and the Sami language, the Swedish Finns and Finnish, as well as the Tornedalians and Meänkieli (sometimes called Torne Valley Finnish).
>If not, why do you advocate protections for some minorities and not others?
See the official recognition above.
>Do you think Jewish people have suffered in the "first world" West?
Sadly yes. See my articles above. I also assume you mean Nazi Germany as some kind of "gotcha".
>Where does antisemitism come from?
Right now? MENA countries, see my articles above. Antisemitism has a long and sordid history.
ADL surveys consistently show antisemitic attitudes in the 74–97% range across much of the region. It's not fringe, it's normal there. Nazi propaganda made it worse, but it didn't create it.
>Was the Weimar Republic the third world?
No? Nobody thinks this.
>How about the regime that followed?
No? Nobody thinks this. Antisemitism is not the only requirement to be third world.
>Should European antisemites be allowed into Sweden?
Yes! We are in Schengen after all.
>Maybe everyone who enters Sweden should have to pass an ideological test to prove they are sufficiently non antisemitic and appropriately Western?
There is no "test" for "entering Sweden". But there is one to be a Swedish citizen. And even before you are a Swedish citizen, you can now be deported based on your bad conduct.
Sweden has introduced or is in the process of implementing stricter requirements and assessments in migration law, particularly around good conduct ("god vandel"), self-sufficiency, and in some cases language/knowledge.
This allows the Swedish Migration Agency (Migrationsverket) to deny entry, refuse a residence permit, or revoke/withdraw one based on a holistic assessment of the person's conduct.
Not following laws, court decisions, or authority orders (e.g., unpaid fines, ignored decisions).
Unwillingness to pay debts (to individuals or the state).
Repeated minor offenses.
Welfare system abuse (e.g., fraud).
Associations with criminal/extremist networks.
Serious addiction or a grossly irresponsible lifestyle.
This is not a moral philosophy test or quiz — it's a discretionary evaluation based on evidence (police records, debt registers, authority reports, etc.). It's broader than just criminal convictions.
For permanent residence or extensions in some categories, there are discussions of tightening rules (e.g., basic Swedish proficiency like A2/B1 level mentioned in policy contexts), but as of now, it's not a universal entry barrier.
For Swedish citizenship (medborgarskap), stricter rules are rolling out from June 2026:
Knowledge test in Swedish language (reading/listening comprehension at functional level) — planned start around October 2027.
Test on Swedish society/knowledge about Sweden.
Higher "hederligt levnadssätt" (honest way of life) requirement, similar to vandel.
Self-sufficiency requirement (no long-term welfare dependency).
>Or maybe you let them in but they have to walk around in special outfits or with a special lapel or label on them so we can be vigilant regarding their whereabouts?
I understand that you are trying to equivocate the current Swedish government to Nazi Germany, but the above is not done.
>Perhaps anyone who commits a crime in Sweden should be deported, as only an anti-western person would exhibit criminal behavior?
You have 2 parts here. We indeed should deport more foreign born criminals, and we are.
The new government have passed the "bristande vandel" or "poor conduct" addendum to the deportation law.
The concept was revived in the Tidö Agreement (2022). It called for investigating ways to deport or deny permits to non-citizens showing "bristande vandel," including things like association with criminal gangs, extremism, drug abuse, prostitution, or general non-compliance with rules.
It applies mainly to non-EU/EEA citizens and certain residence permits (not fully EU-law protected ones, though some security-based revocations are possible).
This does not directly apply to Swedish citizens (citizenship revocation has separate, stricter rules and constitutional hurdles).
>What do you want to do about it?
See above, all policy I voted for and agree with.
>Highlighting crime tells us nothing.
It does! It tells us who did it, who is responsible. And steps to avoid and correct it. Swedish National Council for Crime Prevention (BRÅ), continue to produce and release reports that analyze crime data by immigrant background or foreign background (typically defined by whether a person is born in Sweden to two Swedish-born parents, born in Sweden to one or two foreign-born parents, or born abroad). They did this in 1995, 2005 and again in 2025. If these stats offend you, maybe it says something about you.
>Every society deals with crime
Yes, but some more than others. Do you not want to live in a society with less crime or more crime? Every country has garbage and trash. Do you want less or more? Every country has electricity outages sometimes, do you want less or more?
>Most societies have minorities. What separates societies is how they deal with it.
Is that really the defining variable? It reads like something I'd have written in high school, the kind of line that sounds profound but dissolves under pressure. What about living conditions, quality of life, infrastructure, longevity, happiness? Those seem at least as relevant, if not more so.
>So tell us, warden of the West, what you seek to do.
See above, all policy I voted for and agree with.
pear016 hours ago
I'm not offended. I actually appreciate you answering the questions and attempting a good faith reply.
I have some follow-ups.
> Yes! We already do this. Everyone in the EU can freely migrate to another EU country in the Schengen zone.
How about any other ways? When they are in the country? How about vs other non EU immigrants? Should people from MENA be treated differently than people from Israel? From the United States?
You say open borders are not human rights... but you said European antisemites should be allowed to come into Sweden. If you care about open borders and antisemitism so much, would you support a Swedish brexit? You seem to indicate you voted for a party that changed migration laws. Would you also support a party that banned European antisemites? Why is schengen inviolate but not your prior rules on migration or crime?
> The policy now is prevention also.
Meaning what? And on what basis?
> Yes, Israel and its population have shown to be our steadfast partners.
How is Israel a partner to Sweden? So a partner to Sweden is what makes a country Western? Earlier you seemed to suggest it was based on geography but also "behaviors". What behaviors would those be?
Lastly, I understand you think the Nazi analogies are gotchas. You'll have to forgive me. After all, while you take great care in your prior reply to be sensible, your other replies did not convey the same tone. Focusing exclusively on one minority group makes one look very suspicious. It's not like the thought of Nazis comes from nowhere.
You should know it was only last year your "Moderate" minister for migration Johan Forssell was involved in a scandal where his teenage son was pictured giving a Nazi salute, having attended neo Nazi gatherings. This is the same man that blames cultural degradation and parents for the actions of other teenagers, who wants to lower protections for young people and their parents accused of crimes or misconduct... do you not see an irony here?
Do you think he should have resigned? Do you not see any nexus between focusing on crime through a racial or ethnic lens and fascism? Do you take the responsibility of any criminal justice system to prove guilt and treat defendants of equal status equally before the law regardless of race, ethnicity, country of origin, etc. seriously?
Are you as surprised as he was, given his rhetoric, that the security services of your country had to inform him his own son was involved in such a group?
It seems to me someone who wants to make broad associations based on neighboring conduct and loosen protections before the law in the name of Swedish values and public safety should at the very least have the decency to resign in such a circumstance. It is deeply ironic to me and I think perfectly captures how I personally feel about the right, from Europe to the United States to Israel...
So in summary, is your position if a MENA teen in Sweden does a Nazi salute, you want them and their family deported? But if the Minister of Migration's son does it, that's fine? You agree with your party it's not a big deal?
Remind me again where antisemitism comes from?
You asked if I want less garbage and trash in my country. I'll settle for less Nazis.
heraldgeezer12 hours ago
Tidö have been going strong and are just starting to clean up our country. I hope they win again but I fear we have another disaster government next election.
I have a job and money so I will not be personally affected but if the left wins MP and V will dictate and it will be 2015 all over again. I do hope their voters take the brunt of the damage up close and personal that is to come from their own votes to this country.
Hikikomori10 hours ago
Going strong on what exactly?
heraldgeezer8 hours ago
NATO status acquired. S was controlled by V and MP on this and was so-so. We see it now with S complaining about the governments talks with France over their nuclear umbrella.
Redirected grants from lesser nations to Ukraine with the biggest aid package ever to Ukraine explicitly stating that it is a top priority. So overall, prioritizing EU and Europe.
Inflation was 12% now down to 3%
Largest increase in military spending since the Cold War, this is the new Europa.
A paradigm shift against organised crime, with tougher penalties, substantial resource increases for the justice system, and expanded tools for police and prosecutors.
Shootings especially have decreased, there was 0 in January 2026 (or maybe they just stay inside because of the weather xD)
Another paradigm shift but in Migration: They have implemented the strictest migration reforms in Swedish history, leading to the lowest asylum-related immigration since 1985.
Implemented a sharp tightening of migration policy in the first 100 days: increased internal checks on foreigners by about 25%, intensified work on returning people without residence rights, expanded detention capacity, and launched information and analysis efforts on voluntary return.
Cut the annual refugee quota from around 5,000–6,400 to 900, presented by the government as delivering on the promised “paradigm shift” in asylum and migration policy.
Reddit is crying about this ofc. But again, 100% support from me on this.
Hikikomori6 hours ago
We already had a deal with Finland. Would have happened no matter who was in power in Sweden. Though now with Trump back it's not looking like the best idea.
>A paradigm shift against organised crime
Keep doing the same thing, ask cops how to solve the problem, more cops is always the answer. The war on drugs is a massive failure.
About to get a lot more refugees to Europe thanks to Trump.
ivell18 hours ago
How do they handle identity thefts, spam, etc.?
There are so many ways to misuse these data. Are the residents not concerned about this?
PeterisP18 hours ago
The root cause of identity theft in USA and some other places is the lack of "proper" national identity and the associated use of various personal "secrets" (not that secret) for identity verification because there are no good easy other ways.
Businesses in Scandinavia and many other countries would not treat someone knowing your personal information as any evidence of identity (because it's not); having all that information is not sufficient to impersonate you there - identity theft does happen but it would require stealing or forging physical documents or actual credentials to things like bank accounts; knowing all of what your mother or spouse would know is not enough to e.g. get credit or get valuable goods in your name.
miki12321116 hours ago
The US has no single national photo + chip ID card that is available to everybody, for free, including illegal and semi-illegal immigrants and homeless people with no access to their birth certificate and such.
It's completely crazy to me that you can be "out of status" with the USCIS and still get a social security card and a bank account, for example.
eitland10 hours ago
It absolutely isn't free here in Norway either, around $86 is what I'd have to pay now to get an id card as an adult (same price as a passport but easier to carry).
xorcist16 hours ago
"Identity theft" is newspeak right up there with "intellectual property". It serves the sole purpose of diminishing real theft. If someone says "we gave all your money to this other guy, but it's not our fault because he had stolen your identity" doesn't make it so. There are cases of mistaken identity, and with criminal intentions, but there is also an enormous majority of not checking identity because someone was lazy.
"Identity theft" is a term invented to push the responsibility for fraud back on the person who is being impersonated rather than on the person or organization that failed to properly identify the impersonator.
jamesrr392 hours ago
Just knowing the personal number is not enough to do much with. To get access to services or verify who you are when talking to companies, there is a verification step, most commonly with the BankID app.
Identity theft and spam still happens, just not through knowing the personal number.
concats17 hours ago
Just knowing someone's name, address, and ID number isn't enough to like, open a bank account in their name or such. You'd need a proper ID card or passport for that. Similar thing with most businesses if you try to pay for some product with credit, they won't accept just a few digits and a pinky promise, you'll need to identify yourself properly (the BankID app for instance).
guenthert17 hours ago
We just change our identity every three years or so.
Unlike American SSNs, which are secret and wield certain authoritative powers, a Scandinavian "person number" is neither secret nor authoritative. Common misconception.
victorbjorklund9 hours ago
Of course ID theft happens but I think one thing that differs is that in Sweden it is harder to get a loan without verification that you are who you are (for example by Swedish BankID, which is an electronic ID), while in the US it seems you can take a loan if you just know someone’s social security number.
boxed18 hours ago
It's just a unique ID of a person, it's not a password. I don't see how you can be confused by this.
bondarchuk18 hours ago
It's also "anyone's brokerage account holdings, addresses, phone numbers" according to the comment that this subthread of the conversation is about.
SiempreViernes17 hours ago
It only gives read permissions, to make any changes requires a password.
dworks8 hours ago
they don't handle it at all. they let it go on. you for example have hundreds of people falsely registering their place of residence as somebody else's home, which causes massive problems for that home owner or apartment resident, and there is nothing done about it at all.
These types of laws are designed for the 1950s where there were natural barriers to acquiring and disseminating information. There is no attempt whatsoever to update them and to reduce harm caused to the average citizen today.
ROllerozxa18 hours ago
> How do they handle identity thefts
By just accepting it as a normal fact of life that you will have some random stuff ordered in your name sooner or later with an invoice you'll have to dispute. Happened to a relative of mine, police do not care unless they order things above a certain value, without a police report you cannot get free ID protection, and then you'll have to sit for a long time in phone queues trying to cancel a subscription for a streaming service or whatever they ordered while getting thrown around by support reps who go "you SURE you or someone in your family didn't order this?"
daneel_w11 hours ago
That is absolutely not a normal fact of Scandinavian life. Gross exaggeration and misrepresentation.
heraldgeezer17 hours ago
I am Swedish and never had this happen to me. Never had random things show up or ordered for me at all. What would the point be, you have to pay or get an invoice? For Klarna they use BankID so only I can order an invoice for myself in reputable shops.
I am in my 30s btw so I was alive before BankID and it was a worse time. Remember my parents paid bills with paper.
Saline95155 hours ago
There are plenty of reports online about how identity theft is becoming widespread in Sweden. The fact that something didn't happen to you is not evidence.
The OP didn't claim it had happened to you. What they said is that it is possible to use the information about regular individuals that is publicly available to cause harm, and there are no attempts to stop this.
heraldgeezer7 hours ago
It is possible but it is not widespread.
dworks7 hours ago
Go back and edit your original comment because it is irrelevant and misleading.
heraldgeezer7 hours ago
No, I don't think I will.
PowerElectronix17 hours ago
That sounds rather unacceptable.
maest16 hours ago
It basically never happens. I don't know where the GP got their story from.
ROllerozxa17 hours ago
Yes, I don't think anyone truly wants it to be like this. But it's just what happens.
You of course cannot access and empty out someone's bank account this way, you're safe in that regard. But you need to dispute the invoices as soon as possible to show that it is fraudulent, so you don't end up needing to actually pay for it. Or get debt collectors after you.
heraldgeezer14 hours ago
^ Never had this happen in my 30 years here so YMMV
So don't take this poster by their word.
Not saying it DOES NOT happen as it is a system not made for the internet. But widespread? It is not.
Hikikomori14 hours ago
Never happened to anyone I know either.
ahoka19 hours ago
Not open but stupid, IMHO.
einr19 hours ago
> Identification numbers per se are not particularly useful or hard to get, they are effectively public information
They are absolutely trivial to get. One click on mrkoll.se.
petcat19 hours ago
> by simply signing an agreement with SPAR
But that seems like a completely different thing than a nefarious and anonymous person or group having access to the entire database.
wayfwdmachine19 hours ago
Yeah, nefarious or anonymous people have never used the internet so they could never find out that this was all public information.
petcat19 hours ago
public information if they signed an agreement with the Swedish government?
einr19 hours ago
No, public information for anyone. You realize that if it's public information, then it's public, and anyone can re-publish it online? There are websites for that. I can get the complete identification number, home address, phone number, etc for any Swedish citizen (that does not have a protected identity) in less than a minute.
petcat19 hours ago
You can get all of that one-by-one? Or can you get the whole database at once?
einr19 hours ago
I cannot trivially get the whole database, no. But I kind of fail to see what a malicious actor would do with a large database of public information that they couldn’t otherwise do. The system is designed such that you can’t really do a lot of malicious stuff with just public data, and the stuff you can do (scam calls, etc) is probably not meaningfully more effective if you have the whole database than if you do manual lookups or web scraping. I’m open to being proved wrong about that however.
Basically: obviously it's not desirable to have that full database in the hands of a malicious actor but I'm not sure it's such a big deal either. Again, it's public data by design.
Saline95155 hours ago
Identity theft and scams are widespread in Sweden and the most increasing crime currently.
I will say that the open and transparent design of Nordic society has some obvious issues when colliding with the hostile Internet we have today.
The issue here though was whether having a full database is materially worse than relying on existing public resources. I can do identity theft all day with public resources; I don’t need a full database dump.
hrimfaxi16 hours ago
In the US, property tax records are public by design. However, historically the records were physical and hard to search through. Now that these records are digitized and published online, it is trivial to find out where someone resides by searching through these records. So while public by design, at scale data aggregation changes the threat model.
kevin_thibedeau7 hours ago
Phone books gave out most people's home address. There were data brokers transcribing them (before reliable OCR) to build their databases.
dworks8 hours ago
You can trivially purchase the data from Bisnode Dun & Bradstreet Sverige.
dworks8 hours ago
Yes, you can buy the database for the entire population. There are commercial vendors for this, one of them is Dun & Bradstreet (Bisnode Dun & Bradstreet Sverige).
lysace10 hours ago
That might be interesting but it’s also completely irrelevant since no PII was actually leaked.
Also, no source code of ”Swedish e-government services” was leaked since that is not a thing:
Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]
I don't know anything about this particular leak, but I have worked at Skatteverket.
Let me just say, the likelihood that CGI would have any _actual_ real personal data is close to 0%, at least on servers outside of Skatteverket. I had access to absolutely nothing even working inside. I have never worked in a more closed-down system, maybe excepting the Swedish military "complex". No, actually that was less locked down in a way, at least once you were "inside" the system.
magicalhippo14 minutes ago
> Let me just say, the likelihood that CGI would have any _actual_ real personal data is close to 0%, at least on servers outside of Skatteverket.
Here in Norway our company was denied access to the Norwegian private person database API test environment, despite it containing 100% fully non-real synthetic data, on the grounds that they deemed we didn't need it.
We were writing an integration against it for a large customer which did have access. The API was run by Skatteetaten.
So, locked down over here too.
whizzter19 hours ago
As a Swede this is giving me shudders, the statements reek of paper-pushers and certification-chasers that don't seem to understand fundamental risks of how threat actors can move around once having established footholds, hopefully there's more competent people down in the trenches.
cactusplant737419 hours ago
Are we allowed to vibe code some positive changes and submit them for review?
robertlagrant21 hours ago
The source code is the least of it! From the article:
> citizen PII databases and electronic signing documents were also collected but are being sold separately
AdamN21 hours ago
Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.
embedding-shape15 hours ago
Judging by other sources, it wasn't really information considered PII in Sweden (but would be in other places), I'm not sure this is as big a deal as people try to make it out to be.
simonklitj21 hours ago
Man, you've got to be a real low-life to sell all of that.
blell21 hours ago
You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.
xorcist21 hours ago
It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?
And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.
UltraSane20 hours ago
At the high end you can use data diodes to isolate critical data.
dijit20 hours ago
The point of a system like this is specifically that it’s accessible and not air gapped.
Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible
fc417fc80220 hours ago
If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?
dijit20 hours ago
You can, they didn't; big difference.
fc417fc8029 hours ago
By "can't" I mean "not capable" or "not going to in practice".
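On the "verify hashes" suggestion in the subthread above, an added example (not part of the thread and not code from any of the systems discussed): a personal identity number is a birth date, a three-digit serial and a Luhn check digit, so a plain digest of it can be matched by enumeration, while a keyed HMAC cannot be matched without the key. The function names, the sample number (birth year 2099, constructed) and the key are hypothetical.

```python
import hashlib
import hmac
from datetime import date, timedelta

SERIALS_PER_DAY = 1000  # three-digit serial: at most 1000 numbers per birth date


def luhn_check_digit(nine_digits: str) -> int:
    """Check digit over YYMMDDNNN: weights 2,1,2,... and digit sums of the products."""
    total = 0
    for i, ch in enumerate(nine_digits):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10
    return (10 - total % 10) % 10


def numbers_for_date(day: date):
    """Every syntactically valid 12-digit number (YYYYMMDDNNNC) for one birth date."""
    for serial in range(SERIALS_PER_DAY):
        body = f"{day:%Y%m%d}{serial:03d}"
        # The check digit is computed over the 10-digit form, i.e. without the century.
        yield body + str(luhn_check_digit(body[2:]))


def identifier_space(first: date, last: date) -> int:
    """Upper bound on how many numbers exist for birth dates in [first, last]."""
    return ((last - first).days + 1) * SERIALS_PER_DAY


def plain_digest(number: str) -> str:
    """What 'store only the hash' usually means: an unkeyed SHA-256."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_token(number: str, key: bytes) -> str:
    """Lookup token that is only computable by a holder of the secret key."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def enumerable_without_key(stored: str, first: date, last: date) -> bool:
    """Design check: does the stored value equal the plain digest of any number
    in the date range? True means the 'hash' hides nothing from a reader of the table."""
    day = first
    while day <= last:
        for number in numbers_for_date(day):
            if hmac.compare_digest(plain_digest(number), stored):
                return True
        day += timedelta(days=1)
    return False


# Constructed sample: birth year 2099, so it corresponds to no real person.
SAMPLE = "209901011230"
# Hypothetical key; a real deployment would use a random secret held in an HSM/KMS.
LOOKUP_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    first, last = date(2099, 1, 1), date(2099, 1, 31)
    print("numbers in one month:", identifier_space(first, last))
    print("numbers in a century:", identifier_space(date(1920, 1, 1), date(2020, 12, 31)))
    print("plain digest enumerable:",
          enumerable_without_key(plain_digest(SAMPLE), first, last))
    print("keyed token enumerable:",
          enumerable_without_key(keyed_token(SAMPLE, LOOKUP_KEY), first, last))
```

The keyed variant only holds up while the key stays outside whatever environment gets copied or breached, which is the same key-separation question the thread raises about test and development systems.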
lukan21 hours ago
If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.
jjgreen19 hours ago
"misstakes", love it, almost peotic
dns_snek20 hours ago
> it is still easy to make misstakes.
That's not an excuse though, any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done otherwise it's just negligence.
lukan20 hours ago
It was mainly an explanation, that "airgapping" does not magically provide better security, or is required (or possible) to use at all here.
dns_snek19 hours ago
And it's pretty clear to me that they were criticizing storage of sensitive data in a database that isn't properly secured and they simply misused the term "airgapped". The database in question was easily accessible from poorly maintained development infrastructure.
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize
fc417fc80220 hours ago
Imagine if the bank took such a cavalier attitude with the contents of my account.
jetsetman19221 hours ago
Encryption keys are mentioned as well.
worldsayshi21 hours ago
I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)
ACS_Solver21 hours ago
I saw it on SVT a few hours ago. DN and Expressen have also reported. The details about what exactly it is that got leaked are unclear (some report it's basically the code and certs responsible for BankID SSO) but this is certainly being reported domestically.
worldsayshi21 hours ago
In Aftonbladet comments from CGI they seem to think that no production related data has been leaked:
But a copy of production data in the test environment isn't production data... It's test data! :)
yaris20 hours ago
As if it ever happened that a breached company admitted immediately that they've just been fucked.
einr19 hours ago
> some report it's basically the code and certs responsible for BankID SSO
No. CGI has nothing to do with BankID.
IMO the most credible reports suggest that the source code and data involved are related to these four services:
https://www.cgi.com/se/sv/business-process-services/e-tjanst...
"Mina engagemang offers a user-friendly and flexible solution that allows your customers to manage their cases directly through a personal portal. Here, users can view, track, and interact with their ongoing cases, which enhances both transparency and efficiency in the communication process." -- some kind of ticket/case management system for gov't agencies
https://www.cgi.com/se/sv/business-process-services/elektron...
"With our secure end-to-end e-ID and eSign services, we can help you streamline document and contract management, gain access to all desired e-ID issuers, and improve cost efficiency." -- this sounds like a bad thing to compromise, but is to the best of my understanding a system for digital signatures on documents, and has no relation to BankID
https://www.cgi.com/se/sv/business-process-services/e-tjanst...
"Gain better control over your organization’s representatives with our easy-to-use representative registry. By automating the identification and verification of representatives, you’ll gain a clear overview and enhance the security of your processes." -- sounds like some bullshit CRUD app for managing who can "represent" a gov't agency
https://www.cgi.com/se/sv/business-process-services/e-tjanst...
"SHS is Sweden’s common standard for information exchange, enabling secure and efficient communication between government agencies, businesses, and organizations." -- this might be bad if real data was leaked
These are services used by various Swedish government agencies and it's pretty bad to have even a test instance of them hacked, but let's calm down. The entire Swedish state has not been compromised here.
jonashus19 hours ago
> CGI has nothing to do with BankID
That's incorrect. Skatteverket used CGI for BankID-login, I don't know if they still do. I have personal experience working on a BankID-login using CGI for another company and it is still active.
Edit: I just confirmed Skatteverket still uses CGI for BankID-auth. "funktionstjanster" is CGI.
einr19 hours ago
OK, let me rephrase that: CGI, while they may "have something to do" with BankID in the sense that they have developed systems that integrate with it, does not itself develop BankID and does not hold any private keys for BankID.
ptx20 hours ago
What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?
einr19 hours ago
To the best of my understanding it means that a system made by CGI for digital signing of documents (as in: you get something like a PDF from a government agency and need to digitally sign it and send it back) has had its source code and/or some data belonging to it leaked.
Skatteverket, the Swedish tax authority, has been quoted in media as confirming that they use CGI's system for digital document signing but that none of their data nor that of any citizens has been leaked.
"One of the government agencies that uses CGI’s services is the Swedish Tax Agency, which was notified of the incident by the company. However, according to the Swedish Tax Agency, its users have nothing to worry about.
“Neither our data nor our users’ data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there,” says Peder Sjölander, IT Director at the Swedish Tax Agency."
ptx18 hours ago
So if no data was leaked from the tax agency or from the users, then the leaked "digital signing documents" must have belonged to the only remaining party, which is CGI, so perhaps they were just some marketing documents about the benefits of their digital signing service?
einr17 hours ago
The original phrasing from the attacker, from the website that put the data up for download/sale, was ”documents (for electronic signing)” which implies that they’re documents that would be signed in said system. I would take all of this with a large helping of salt though. CGI claims it’s not real production data anyway; maybe it is and maybe it’s not.
The best case scenario is in line with what CGI claims: these are lorem ipsum fake docs from an old git repo for a test instance of the system.
nunobrito20 hours ago
If that is case, then it would have been wrong from the beginning for any government to keep hold of the private keys for the signature on my citizen card.
Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.
ptx19 hours ago
I apparently didn't phrase that very well. If what is the case? I was trying to ask which case was the case, not trying to claim that something specific was the case.
I'm familiar with electronic signatures, and I know what documents are, but I have never heard the phrase "electronic signing documents" and don't know what that is supposed to mean. What kind of documents? Documents about signing, documents that were signed, documents in the sense that files containing keys could be considered documents, or what?
pastage9 hours ago
Signed documents can be as simple as an ID of the transaction, a statement in text, PII data that identify what you sign, or a store of larger PDF files for download and verification. We do not know. I base this on how signing works technically in Sweden.
CGI is not the only supplier of these services.
nunobrito19 hours ago
In Portugal we were early adopters for digital signatures on citizen cards.
You use the card reader, insert your gov-issued identification and can sign PDF papers which have legal validity since the private key from the citizen card was used.
Now imagine someone signing random legal documents with your ID for things like debts, opening companies or subscriptions to whatever.
whizzter19 hours ago
We might've lucked out here, there is some signature data on ID cards today and official _plans_ to make a government backed signing service, but practically _nobody_ uses them in practice so just revoking all those keys will be a minor issue.
Currently most Swedes use a private bank consortium controlled ID solution for most logins and signatures.
JensRantil20 hours ago
I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to me what the "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.
einr19 hours ago
It's not going to be a specific service or agency with a domain name, it's going to be services that are either internal and used by employees only, or that are integrated into other systems that you may be interacting with without knowing it.
reliablereason20 hours ago
Nothing in particular. Based on my understanding, CGI, a Swedish IT consultant company, was hacked; they have contracts for and are the maintainers and developers of a bunch of various government departments' IT services.
antonvs8 hours ago
CGI is Canadian, with global headquarters in Montreal.
yaris20 hours ago
I would guess that skatteverket.se, polisen.se, kronofogden.se are among those affected by the leak.
brabel20 hours ago
Some other comments mention BankID private keys. That would be the biggest disaster as that’s what everyone uses to identify themselves “securely” on all government services.
mrkickling18 hours ago
The private keys in BankID are stored in users phones, not centrally.
fmbb10 hours ago
Well, don’t Relying Parties using the BankID API for signatures and authentication have private keys to start the flows for users scanning QR codes etc?
Could you, having the right private keys, impersonate some company soliciting a BankID signature?
I’m not sure what you can do with that though. You cannot steal some other ongoing signature I guess.
pastage9 hours ago
You can start a signing process saying you are whoever owned that certificate. E.g. if you call someone. You can not use those signatures to gain access, and it is rather in phishing.
einr19 hours ago
That's an interesting guess that I assume is based on absolutely nothing?
yaris19 hours ago
Yes, nothing and the facts that these are government services, they use BankID and they updated their websites with "maintenance work" announcements for tomorrow, Saturday. For kronofogden.se there was no maintenance planned just half an hour ago. Knowing the Swedish tendency to plan things months ahead I would _guess_ that this maintenance work has been rushed due to some circumstances.
einr19 hours ago
It's quite possible that the maintenance is related, but I can nearly 100% assure you this has absolutely nothing to do with BankID. I don't know who suggested that but they are either poorly informed or actively trying to sow FUD.
lysace18 hours ago
There is no such thing according to Peder Sjölander, IT Director at the Swedish Tax Agency:
– Neither our data nor our users' data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there, says
The information that source code was leaked from a joint government e-platform is not true, according to Peder Sjölander.
– There is no such platform. I think the perpetrators in this want people to feel insecure. We feel confident that our data is safe and we have the situation under control before the tax return period opens next week.
teroshan21 hours ago
Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.
When I started it was a big security theater. Had to develop on thin clients with no external internet access, for instance. Then they got some great people in charge that modernized everything.
Only drawback is when you quit, you have to make sure to unsubscribe from everything, hehe. When quitting a private company I was just removed from the github org. Here I was as well, but I was still subscribed to lots of repos, issues, PRs, heh.
jmusall14 hours ago
Very cool! Do they accept external contributions, e.g. from Norwegian citizens? Also, was there any thought given to "digital souvereignty" (wondering because the repos are hosted on a US service)?
I'm also surprised that you were able to (or expected to?) use your private GitHub account for your work.
matsemann10 hours ago
Not sure how it is now, but when I worked there ~8 years ago we weren't really equipped to accept contributions. Both from a licensing perspective (CLA), but also that we had our own timelines, projects and prioritizations in the team. So most applications were open source more in the sense of source available. Some utils (like generators for Norwegian mock data, or libraries handling Norwegian addresses or whatever) that were actively used by other companies could get some proper contributions once in a while, though.
ZaoLahma20 hours ago
Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.
Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".
elwebmaster19 hours ago
Anything taxpayer funded should be open source to begin with.
teroshan17 hours ago
Similarly taxpayer funded contracts for any type of infrastructure (obviously I have digital infrastructure powered by proprietary solutions in mind) should only be awarded if interoperability is guaranteed to prevent lock-in and abuse.
It's very hard to steal everyone's documents when they weigh about the same as a train.
latexr20 hours ago
But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.
HelloUsername20 hours ago
> it’s easy to lose all of them in a fire or flood
Wouldn't a fire or flood affect everything? Both data stored on paper and hard disks?
jagged-chisel20 hours ago
The good news is you can keep offline, offsite digital copies, which is much more convenient than offsite paper copies.
Gabrys120 hours ago
I think what the comment meant was that it's harder for an individual to lose their paper documents compared to losing the electronic ones. It just shifts who's responsible for keeping them safe
noosphr18 hours ago
This is a feature not a bug.
latexr18 hours ago
That depends entirely on what the records hold and who is interpreting the event.
noosphr12 hours ago
Yes, who could ever care about German birth records from the 1700s in 1933?
bell-cot19 hours ago
Problems with well-known solutions 100 years ago:
"Fireproof file rooms and cabinets in the 1920s were crucial for protecting business and government records during the rapid expansion of the industrial era. The era saw a massive shift from flammable wooden office furniture to robust, steel-based storage designed to resist both fire and water damage."
That's a Google AI summary - but I've been in a fair number of buildings with such rooms. Thick concrete walls, heavy steel fire doors, no other openings, nothing but steel file cabinets in 'em, sealed electric light fixtures that look like they belong in a powder magazine (where one spark could kill everyone) - it's really simple tech.
And "high ground" was a reliable flood protection tech several centuries before that.
latexr19 hours ago
Then add “earthquake” to the list, or “domestic terrorists or foreign country bombing the building”. Steelman the argument. The point isn’t “just fire and water specifically”, we’re not playing Pokémon.
We have several historic examples of records being lost in disasters, and way more recent than 100 years ago.
It makes no difference that we could’ve prevented that with better building construction. We didn’t, and hindsight does not bring the records back. We should plan for the world we want but cannot ignore the world we have.
I’m not defending digital as always better or criticising physical. Like I said, different tradeoffs, meaning there are advantages and disadvantages to both, there’s no solution which is better in all situations.
bell-cot18 hours ago
I stuck to the threats you mentioned. Paper in a file room is slightly more quake-resistant and bomb-resistant than digital. But slower to move to safety if the threat is large volcanic eruptions.
I am not saying that paper is magically perfect. Nor better in every situation. I am saying that paper is far easier (than digital) to do well for use cases like a national records collection. "Correctly" may include off-site backups - whether or not your threat model includes massive earthquakes, volcanoes, bombs, special forces, EMP weapons, biological agents, civil war, radioactive fallout, or enemy occupation. Or "Management wouldn't pay for a done-right facility".
As I noted in another comment, the largest downside to paper (within such use cases), is that it is far more difficult to get political support for old-fashioned stuff that just works, compared to anything that can be sold as cool/new/high-tech. Especially when the taxpayer-funded revenue streams from selling/installing/supporting the tech create incentives clearly contrary to the taxpayer's long-term interests.
bell-cot19 hours ago
No politician ever got elected by supporting simple, old-fashioned stuff that just worked.
vladde16 hours ago
CGI has a lot of consultants in both government and municipal places (i've worked at both), and some of our main tools like time reporting was built as an addon to our personnel system by consultants at CGI. half my team are consultants from CGI, 4 out of 7 people.
also: hi tavro! it's been a few years, how have you been :D
corroclaro20 hours ago
This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".
Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.
Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.
bengale20 hours ago
The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.
Maxion20 hours ago
A lot of outsourced development.
The tender process + clueless buyers + tender process law(s) cause this. Whole process needs a revamp for this to not be a problem.
vladms20 hours ago
> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity
So what do you think would be the solution? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.
xorcist20 hours ago
I have (the start of a) solution, but it's a boring one:
You have to have people who care about this stuff.
If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.
And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.
dns_snek19 hours ago
I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?
xorcist18 hours ago
You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.
latexr19 hours ago
> You have to have people who care about this stuff.
What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.
ExoticPearTree17 hours ago
Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.
IBM or Accenture or whoever don't need to be the only ones winning tenders.
vladms16 hours ago
The total number of people working on the project might remain similar no matter if it's one company or many smaller companies. Writing clear documentation and API, well thought from the start is harder the larger the project.
Maybe there would be a benefit from having less layers of management, but multiple small companies or one big could have the same structure.
ExoticPearTree4 hours ago
A smaller company would have a flatter structure and less management.
Waiting for my coffee now, I had a thought: what if you have more than one company providing the same service and for a project “lifetime” of say 5 years, the money is split percentage-wise by what company attracts the more users and you make it so that for the services offered through this you can only use one company, but you can switch at any time.
corroclaro16 hours ago
Absolutely. One of the root causes for these terrible tender processes is a fear of in-housing competence and skill for systems.
It's the same reason major govt. IT orgs keep pushing for closed source (recently the Swedish Tax Authority was in the media for _pushing for Office 365_ as necessary for operations), out-sourced designs, big firm purchases over FOSS or real standards.
You need people that care (and they exist, even in the gigantic state orgs.) in positions to make good decisions. Right now, everything is up in the hands of nebulously defined managerial staff with none-to-doubtful technical competence.
Another recent case: the Swedish digital exams platform flopped at a rough cost of a billion SEK. Can't sustain 150K concurrent users, despite paying a "large company". Like, come on.
mvdwoord19 hours ago
Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.
ExoticPearTree17 hours ago
The problem here is that what tends to happen is that the security requirements are relatively vague and once the customer has signed the acceptance, good luck.
And signing up with a big company is a good way to cover your behind, because "if they with all their people and knowledge could not do it...". Basically the mantra of "Nobody was ever fired for buying Cisco".
bkummel18 hours ago
I see comments about Swedish personal identification numbers. But the article is about source code that's leaked, not a database of numbers, right? I was thinking: should government source code not be open source anyway?
FateOfNations14 hours ago
The same attackers are releasing the database of personal information separately (for a fee).
That said, Sweden takes a different approach to PII, so most of that information would have already been public. You can generally just look up any resident and their ID number and other biographical details in a public directory (among other things… their tax returns are also public records).
johnisgood15 hours ago
Ideally they should be open.
Lliora16 hours ago
Worked on a similar platform. The real risk isn't the code - it's the config files. Government deployments have hardcoded staging credentials, VPN endpoints, and encryption keys that don't get rotated when code leaks. Source is whatever. Those env files are the skeleton key.
yaris20 hours ago
Knowing Swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is the Swedish Tax Service website, there is a vague note on "maintenance work" planned for coming Saturday. Maybe totally unrelated though.
queuep20 hours ago
Interesting, care to elaborate?
corroclaro16 hours ago
I'm pretty sure they did an internal analysis by 8 AM at all these places and came to the conclusion that they're OK.
Of course, they might be wrong!
GuB-4216 hours ago
First reaction: How come the source code is not public in the first place, accessible to every Swedish citizen? They paid for it!
But it turns out that more than the source code was leaked.
PeterStuer14 hours ago
Misleading title, as my first thought was "why is Sweden's egov not open source to begin with?".
Turns out it's about data.
Surac11 hours ago
Following AI corp logic that everything in the internet is open source, we have an open source government in Europe now
agluszak20 hours ago
e-government services should be open source by default!
nunobrito20 hours ago
Now there is an additional reason for that.
Public money, public code.
butz15 hours ago
Most important question: do Swedish e-government services use curl?
Schlagbohrer16 hours ago
Why was all that software not open source already?
blin2h20 hours ago
What forum is the original screenshot from? It reminds me of cs.rin.ru
olalonde19 hours ago
Anyone know what their tech stack looks like?
FpUser18 hours ago
Unless they hardcode passwords and other juicy details in their source code what's all the fuss about? It is a publicly funded thingy anyways.
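Added example, not part of any comment in the thread: Lliora's and FpUser's comments above both put the risk of a source leak in hardcoded credentials, VPN endpoints and encryption keys in config files. One way a defender could build the rotation inventory for a leaked tree is sketched below; the file tree, host names, variable names and values are all constructed for this example, and the name patterns are assumptions rather than a complete rule set.

```python
import hashlib
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample standing in for a leaked source tree (path -> contents).
# Every host name and value below is made up for this example.
SAMPLE_TREE = {
    "deploy/staging.env": (
        "DB_HOST=db.staging.example.internal\n"
        "DB_PASSWORD=constructed-staging-pw\n"
        "API_TOKEN=${API_TOKEN}\n"
        "ENCRYPTION_KEY=Q09OU1RSVUNURUQtU0FNUExFLUtFWS0wMQ==\n"
    ),
    "ci/deploy.yml": "deploy:\n  env:\n    DB_PASSWORD: constructed-staging-pw\n",
    "src/settings.py": (
        "import os\n"
        "SMTP_PASSWORD = os.environ['SMTP_PASSWORD']\n"
        "LEGACY_SECRET = 'constructed-legacy-secret'\n"
    ),
    "ops/vpn/staging.ovpn": (
        "client\n"
        "remote vpn.staging.example.internal 1194\n"
        "<key>\n"
        "-----BEGIN PRIVATE KEY-----\n"
        "CONSTRUCTEDSAMPLEONLY\n"
        "-----END PRIVATE KEY-----\n"
        "</key>\n"
    ),
    "README.md": "Set DB_PASSWORD in your environment before starting.\n",
}


class Finding(NamedTuple):
    path: str
    line: int
    category: str     # "credential", "key-material" or "vpn-endpoint"
    name: str         # variable name, or host:port for a VPN endpoint
    fingerprint: str  # short SHA-256 of the value; the value is never stored


# KEY=value, KEY: value and KEY = 'value' style assignments.
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*[:=]\s*(.+?)\s*$")
CRED_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)
KEY_NAME = re.compile(r"(?:ENCRYPTION|SIGNING|PRIVATE)_?KEY", re.I)
# Values resolved at run time (${VAR}, os.environ, getenv) are not hardcoded.
INDIRECT = re.compile(r"^\$\{?\w+\}?$|os\.environ|getenv\(|^<[^>]*>$")
OVPN_REMOTE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)")  # OpenVPN "remote host port"
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def fingerprint(value: str) -> str:
    """Short hash that links reuse of one secret across files without exposing it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_tree(tree: dict) -> list:
    """Return a Finding for every hardcoded secret, key block or VPN endpoint."""
    findings = []
    for path, text in sorted(tree.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = OVPN_REMOTE.match(line)
            if m:
                findings.append(Finding(path, lineno, "vpn-endpoint", f"{m[1]}:{m[2]}", ""))
                continue
            if PEM_PRIVATE.search(line):
                findings.append(Finding(path, lineno, "key-material", "PEM private key block", ""))
                continue
            m = ASSIGN.match(line)
            if not m:
                continue
            name, value = m[1], m[2].strip("'\"")
            if not value or INDIRECT.search(value):
                continue  # injected at deploy time, nothing to rotate from this file
            if KEY_NAME.search(name):
                category = "key-material"
            elif CRED_NAME.search(name):
                category = "credential"
            else:
                continue
            findings.append(Finding(path, lineno, category, name, fingerprint(value)))
    return findings


def rotation_inventory(findings: list) -> dict:
    """Group findings so each distinct secret is rotated once, with all its locations."""
    inventory = defaultdict(lambda: defaultdict(list))
    for f in findings:
        inventory[f.category][f.fingerprint or f.name].append(f"{f.path}:{f.line}")
    return {category: dict(items) for category, items in inventory.items()}


if __name__ == "__main__":
    for category, items in rotation_inventory(scan_tree(SAMPLE_TREE)).items():
        for item, locations in items.items():
            print(f"{category:13} {item:36} {', '.join(locations)}")
```

The fingerprint column shows that the same staging database password sits in two files, so it is one rotation with two places to clean up.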
WhereIsTheTruth20 hours ago
As long as cronyism remains the primary qualification for leadership, nothing will ever change, worse, it's only going to get worse
Accountability now, send these people to prison
hollow-moe17 hours ago
"Government surprisingly fulfills its duty by making publicly funded source code public"
Lionga21 hours ago
How much GDPR fine will they pay? Oh wait it's gov so nothing / does not matter even if.
Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.
Well the citizens need to suck it up.
Habgdnv20 hours ago
Few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. The government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone accesses it - it is his fault - he broke the law.
Edit, I checked the facts: The Bulgarian government said that it should pay too much to itself, and appealed the fine for a few years until it somehow expired. And the guy (20 years old at that time) they accused was later acquitted after they tried to ruin his life.
the_other20 hours ago
As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.
steve197721 hours ago
Is this the open source stuff everyone is talking about?
Ok, some important context for non-Swedes. Anyone can get access to all Swedish (non-protected but those are a very VERY small subset) personal identification numbers by simply signing an agreement with SPAR[1] (the Swedish national people database). Identification numbers per se are not particularly useful or hard to get, they are effectively public information. Using SPAR you can also get the home (and any additional) addresses of individuals
A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.
[1] https://www.statenspersonadressregister.se/master/start/engl...
I think this is good to highlight for non-Scandinavians.
Scandinavian countries are extremely open and transparent in a way that might be shocking for Americans. For example, in Norway, I can check nearly anyone's brokerage account holdings, addresses, phone numbers, etc. on public websites. I can in theory look up anyone's tax filings.
Personal identification numbers do not tend to be considered private in the same way that social security numbers in the US are.
We're so open, we even leak our government source code _ourselves_ https://github.com/navikt
Uff, COBOL written in Norwegian, talk about a narrow target to hit for hiring :)
I see mostly Java/Kotlin and Maven.
Pretty modern stack. I would start a government service using those today.
He is probably talking about this repo: https://github.com/navikt/DSF
Description translated:
> This system was one of the oldest IT systems in NAV, and ran in production for 51 years, from when the National Insurance Scheme was introduced in 1967. In January 2018, Presys was put into production, which together with Pesys became the successor to DSF. At that point, DSF was also shut down. The system is written in PL/I.
It's like the Apollo 11 code, but for social services.
Mostly PL/I but a few files of COBOL too, e.g. https://github.com/navikt/DSF/blob/main/src/GML/FO04D1X1.cob...
Who needs a Jones Act when you can have processes like these?
What's the point of making public how much each person owns? Aside from making you a prime target for kidnappings and targeted advertising?
Because tax is not your bill from 'government Corp', it's your contribution to the community, to your tribe. And we have explicit goals for this, besides bringing revenue (like the strongest back should carry the heaviest burden).
When we have communal contributions in other settings, your contribution is usually not a secret.
It is meant to give the tax system more legitimacy, that you don't have to wonder if people sneak out of their contribution, you can check. It also leads to yearly debates about the tax system as the list of the richest (usually inherited) is published together with what they pay in income tax vs wealth tax.
Previously you could check up on anyone anonymously. These days you have to log in, and they get a notification. But the list of the richest and their tax contribution gets published in the newspaper.
Tax data is government data. Government data is public data. Instead of asking "what's the reason for making something public" the question is "what's the reason for making a carveout for some specific data to make it secret"
Government data about private individuals can be considered as private, for privacy reasons. If the government knows that I have a mental disability, should everyone know about it, so they can discriminate against me accordingly? What kind of dystopian view of the world is this?
Or, if I own crypto, why should the government facilitate the work for criminals?
Why would anyone kidnap you if they own as much as you?
People in safe countries generally do not worry about kidnappings.
I heard a rumor that some people use this to check their neighbour's revenue and sometimes make snark comments if one of them has a high revenue but lives in an "average revenue" part of town.
They'd say that if you earn a lot, you shouldn't take a cheap housing.
Any truth to that?
There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.
Nowadays I think mostly journalists use it to pull up information about politicians and other people that are in the public spotlight. There are of course the yearly "richest people in Norway" lists in various categories.
> There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.
Yeah, kind of a fake solution, request it via Ratsit or whatever and all they get to see is that someone used Ratsit, but not who actually requested it.
Same goes for criminal cases, using Krimfup or whatever just leads to the service's name "leaking", while you can use fake details to sign up for both Ratsit and Krimfup.
I don't think there's anything like ratsit in Norway which would let you do this query anonymously.
> They'd say that if you earn a lot, you shouldn't take a cheap housing.
I think a lot of "humbleness" is also enforced this way, in the US it seems normal (or even some European countries) to flaunt your wealth, and others seem more or less OK with it, while in Sweden it's much more socially unacceptable to in any sort of way brag about being rich, or showing that off. Humble-richness is OK and tolerated, but flagrantly displaying your wealth among the public is generally frowned upon.
So together with that, living in an average neighborhood but having a house that sticks out as clearly "rich person's house" will gain you evil looks from your neighbors, as you're "supposed to" live in a different neighborhood where neighbors look more equal, otherwise you again stick out, which is cause for friction culturally.
Lots of culture in Sweden is less about "lets correctly solve the problem" and more "lets ensure the gaping holes aren't so visible for everyone, so we can ignore it properly".
I have a friend who has moved to Sweden a while ago, and she told me a lot about the Swedish housing situation, and admittedly most of it went over my head, but in short, apparently very few places would even allow you to build even somewhat freely.
Apparently she was in a situation where she 'owned' her house, but still paid a monthly maintenance fee to some agency, and she wasn't allowed to repaint the rooms or do any sort of repairs, but had to go through some agency, who would do it for her.
Apparently that was a neighborhood thing, but she told me of epic (and apparently fruitless) struggles of her friends who wanted to repaint their house in a different color and install some circular windows.
Probably just didn't really buy the house. Many houses are part of an association (BRF). When you buy one, you practically only buy the right to live in the house plus a share of the entire association. The fee that she paid was towards that association for things like maintenance, management, trash-fees, internet, parking, likely heating and water, and possibly interest on the association's loan. It's just a different structure that many countries have for flats in a building, in this case applied to single family houses.
Here in Australia, I’ve seen what we call “strata title” applied to “single family homes” before (American terminology, we’d say “detached houses”) - it is uncommon, much more common with apartment buildings or townhouses/villas/semidetached (you share walls and maybe the roof with your neighbours, but there is no one above or below you)-but not completely unheard of
[flagged]
Hold on, I was sharing an anecdote from a friend living in a foreign country, and somehow you're connecting this to a dastardly geopolitical plot by a league of evil nations?
Also may I ask who the heck you are to call my story uninformed? As far as I recall, there's nothing inaccurate about what I said, I might be missing some context or nuance, but there's no disinformation in there, and there's certainly no hidden motive (what would even that be?) you seem to imply.
”and admittedly most of it went over my head”
”Apparently she was in a situation where she 'owned' her house, but still paid a monthly maintenance fee to some agency.”
(This is not the norm. I can go into a lot more detail if you want to.)
I am not accusing you of disinformation. I am saying that you are writing completely irrelevant stuff in a story that, as far as I can see, is mostly false and has a high probability of being propaganda related to current conflicts.
And yes, dozens of other people did the same.
Seek help.
what
Yup
Making snark comments about that sounds very unlikely. More likely they'd have respect for someone living frugally and not showing off. See https://en.wikipedia.org/wiki/Law_of_Jante
Making snarky comments about it, no, not really. Will some people snoop around? Yes, nosy people can be found everywhere.
Yes and no. You get notified if someone else actually asks for your revenue info and so in practice nobody actually does it.
Is this not trivial to get a random person to check stuff for you in exchange for making requests for them (on people they are interested in)? Or is that illegal?
There's paid services that pull it for you, most charging around 100nok (10eur) per lookup.[1]
Media is also allowed to pull "top" lists like the 100 people with the most income in a city, 100 people with the most wealth in a city, etc.
[1] https://sjekkskatt.no/
We don't talk to our neighbours.
What is the harm in this case? Shit people are shit even without information. They would be snark about something else then.
I think it was covered during a discussion about immigrants that are easily rejected - because they're immigrants.
The point was that it added another layer of issues for immigrants because they didn't understand the neighbourhood they "should be living in" with their revenue.
Why is this not the “shit people do shit things” category? This happens even without being immigrants. Large part of my family lives in a way poorer neighborhood than what we can afford, because we don’t care to move. People who have problem with this had other problems even before we got richer. There is exactly zero difference. The exact same people are snark as before, just for something else now. They were and would be snark even without this.
This seems to me a very bad attempt to hide xenophobia.
Yep, that tracks.
There's also the underlying current of Jantelagen (Law of Jante) https://en.wikipedia.org/wiki/Law_of_Jante
The US used to be more this way. Not brokerage accounts as far as I recall, but whether you own a house, how much you paid for it, your address, phone number, even your SSN didn't used to be considered very private, people had it printed on their personal checks, and schools used it as a student ID number.
Newspapers used to publish hospital admissions and discharges, nothing medical but names and dates. Probably a lot of other stuff I'm forgetting.
Let's not forget white pages, those door stopper telephone books containing everyone's name, phone and address that everyone had (along with yellow pages for business listings).
All email conversations in Swedish public institutions are basically a public act and any citizen can request an extract of them.
Out of curiosity how do you authenticate yourself with government services and finance companies and such? The reason the SSN is considered private is because it's used for authentication. Usually an SSN + one or two pieces of trivially obtainable information is enough to sign up for just about anything in somebody else's name, unless physical documents are required as in the case of a passport.
With cryptographic keys, normally stored on a smartphone. BankID[0] is the most common solution, but there are others. I personally use biometric 2fa to log in, and PIN to sign contracts or pay.
[0]: https://en.wikipedia.org/wiki/BankID_(Sweden)
Is this due to how high-trust societies work, or is it something else?
And then there are widespread amounts of identity theft and mapping out of minorities, but you may sleep well as everyone knowing where you do so is an important step in making sure corruption is no more, don't think too much about it.
Just a few years ago this was about to change in Sweden.
But they didn't change it, because "women should be able to look up the men that they date".
Oh yes. I'm Swedish and I do have to admit I have looked up quite a lot of people on these kinds of sites. It's become so normalised to do this even though I also feel like it would be better as a whole if they just did not exist in the first place.
Last update I heard about something being done about it was this:
https://www.regeringen.se/pressmeddelanden/2024/11/utredning...
Not sure what the current status is.
[flagged]
> You criticize these websites when they affect minorities, but you use them yourself to look up men. That seems inconsistent.
This is very close to the "Yet you participate in society, how curious" meme, especially since they're implying they would vote in favor of a law that changes it so that the data is no longer public in the same manner.
But then your comment history reveals enough about your intent.
I live here so I can add my experience, thank you.
Speak clearly, what do you have an issue with exactly in my comment history?
>Why are minorities so protected? :)
Because it's the law, and it's a good thing as governments and people tend to use violence against minorities. Don't like it? Move to a more racist country like Israel.
[flagged]
Svensk, anti Zionist, and proudly so. I'm not anti west, though I see all the bad shit we do to the world.
[flagged]
Yes, sadly, and a lot of it is MENA migrants. But that should be no surprise if you have any experience of the world and Sweden.
I think you are trying to be funny, but I am serious.
>“First, before 2015 it was not acceptable to talk about antisemitism which came from immigrant groups from the Middle-East. This made members of the Jewish community feel abandoned. Sweden has now changed and it’s now possible to talk about it and deal with the problem”, Kahn Nord says
> “antisemitism has long been a weapon of regimes in the Middle East, where it is deeply rooted, openly expressed, and legitimized. The spread of this type of propaganda via the internet by regimes such as Iran has contributed to the globalization of this hatred. Recently, it was revealed that the Iranian regime is suspected of having planned to murder Swedish Jews, among them Aron Verständig, the chair of the Official Council of Swedish Jewish Communities (Judiska Centralrådet). According to the Swedish Security Services (Säpo), Iran has also recruited Swedish criminal networks to carry out attacks against Israeli and Jewish targets. The Swedish National Centre for Terrorist Threat Assessment (NCT) has reported that the biggest terror threats in Sweden come from violent Islamists and right-wing extremists, which both have Jews and Jewish institutions as some of their primary targets”.
https://k-larevue.com/en/2025/05/22/sweden/
You like this I bet.
https://jcfa.org/the-uncomfortable-truth-about-malmo-sweden-...
https://www.timesofisrael.com/sweden-reports-sharp-rise-in-a...
Official Swedish statistics from the National Council for Crime Prevention (Brå) show a clear rise in antisemitic hate crimes, increasing from 111 cases in 2022 to 217 in 2024 (doubling their share of all hate crimes to 8%), with a sharp surge (>450%) to 110 reports in late 2023 following the October 7 Hamas attack. This increase correlates with large-scale immigration from Arab and Middle Eastern countries, where antisemitic attitudes are significantly higher (e.g., ADL surveys show ~74% prevalence in MENA vs. low native Swedish levels). Multiple studies and reports, including Brå analyses and victim perceptions, indicate that perpetrators are often from Middle Eastern immigrant backgrounds, with spikes tied to Israel-related conflicts and imported attitudes, though not all immigrants are involved.
Key sources:
Brå report on antisemitic hate crime (2025): https://bra.se/english/publications/archive/2025-08-29-antis...
Brå hate crimes 2024 statistics: https://bra.se/english/publications/archive/2026-01-26-hate-...
European Jewish Congress on 2024 increase: https://eurojewcong.org/news/communities-news/sweden/accordi...
FRA EU survey on Jewish experiences in Sweden (2024, pre-Oct 2023 data showing high perceptions): https://fra.europa.eu/sites/default/files/fra_uploads/fra-20...
(Sweden country sheet: https://fra.europa.eu/sites/default/files/fra_uploads/antise...)
Older Brå report noting Middle Eastern perpetrator backgrounds: https://bra.se/download/18.3808406a192bd2f0b724059/173028344...
Various analyses linking to immigration (e.g., Wikipedia summary, JCPA articles, US State Dept reports citing surveys).
People like you are somewhat amusing. You keep going on and on about how you are Swedish when the right-wing playbook is global, this could easily be a post from any of your ilk anywhere on the European continent or the United States.
Let's even grant you the premise that these statistics are accurate. What do you want to do about it? Deprive people of their rights extrajudicially because of where they come from? Should we treat people from MENA differently before the law? What about a native Swede who is antisemitic? Should they lose some rights? Should we deport people based on place of origin? Is that what the West is based on to you, increasingly arbitrary or national/ethnic access to rights vs a universalist conception of human rights? Or would that be a "third world" degeneration?
What is the West? Are Jewish people synonymous with the West? Was that always the case? You talk about minority protections are Jewish people a majority in Sweden? If not, why do you advocate protections for some minorities and not others? Do you think Jewish people have suffered in the "first world" West? Where does antisemitism come from? Was the Weimar Republic the third world? How about the regime that followed? Should European antisemites be allowed into Sweden? Maybe everyone who enters Sweden should have to pass an ideological test to prove they are sufficiently non antisemitic and appropriately Western? Or maybe you let them in but they have to walk around in special outfits or with a special lapel or label on them so we can be vigilant regarding their whereabouts? Perhaps anyone who commits a crime in Sweden should be deported, as only an anti-western person would exhibit criminal behavior?
What do you want to do about it? Highlighting crime tells us nothing. Every society deals with crime. Most societies have minorities. What separates societies is how they deal with it. So tell us, warden of the West, what you seek to do.
I should know better than to wade into a debate with someone who argues like you. Your comment history does indeed speak for itself. But I will try to debate you in good faith. I look forward to your answers.
You are already poisoning the well before I answer, so I feel like my answer will not matter to you, but I will absolutely answer in good faith as I always do.
Not sure if you are American or not, but European migration policy seems especially harsh compared to yours, but we have our reasons. (2015 aware, wir schaffen das)
I voted for Moderaterna, to be clear. You can look them up.
>Let's even grant you the premise that these statistics are accurate.
BRÅ is a state bureau and they are accurate.
>What do you want to do about it?
Vote for the party that has policy on this I agree with.
>Deprive people of their rights extrajudicially because of where they come from?
Yes! We already do this. Everyone in the EU can freely migrate to another EU country in the Schengen zone. If you are outside EU you need Visa or Asylum. Thus, we treat people differently based on where they are from. We do not have "open borders", nor should we.
We see this also with the Ukraine war. Who do we feel closest to? Someone fleeing war in Somalia or Afghanistan or someone fleeing from Russia's invasion in Ukraine?
You know the answer even if you do not want to admit it, you maybe feel the same way.
Also, "rights" was never to be allowed to migrate anywhere. Never was, never will.
>Should we treat people from MENA differently before the law?
Yes! We already do. See above.
>What about a native Swede who is antisemitic?
That is bad and I reject any type of neo-nazi conspiracies. I also fight these online and there is a perplexing unity on neo-nazis and Hamas etc and their ilk on this. They always revert to "well jews control the media, usa etc". Ridiculous.
>Should they lose some rights?
Yes! We have a law called "hets mot folkgrupp". If convicted, you lose rights.
>Should we deport people based on place of origin?
No, we base it on behaviour such as crime etc. Then they should be deported.
The policy now is prevention also.
>Is that what the West is based on to you, increasingly arbitrary or national/ethnic access to rights vs a universalist conception of human rights?
Human rights does not mean to let everyone who wants in. It never did.
>Or would that be a "third world" degeneration?
That would be one of many criteria. See Pol Pot etc.
>What is the West?
Europe, with a line towards Russia, generally. Ukraine and Georgia I consider the west for example. This is based on behaviours. To the South, Mediterranean is a border. Greece Cyprus is part of the West, not Turkey.
UK is the West also. And Canada and USA. And Israel.
>Are Jewish people synonymous with the West?
Yes, Israel and its population have shown to be our steadfast partners.
>Was that always the case?
Sadly no, it was only Napoleon who started to let Jews in so to say.
>You talk about minority protections are Jewish people a majority in Sweden?
Yes!
https://sweden.se/life/equality/national-minorities-in-swede...
>If not, why do you advocate protections for some minorities and not others?
See the official recognition above.
>Do you think Jewish people have suffered in the "first world" West?
Sadly yes. See my articles above. I also assume you mean Nazi Germany as some kind of "gotcha".
>Where does antisemitism come from?
Right now? MENA countries, see my articles above. Antisemitism has a long and sordid history.
ADL surveys consistently show antisemitic attitudes in the 74–97% range across much of the region. It's not fringe, it's normal there. Nazi propaganda made it worse, but it didn't create it.
>Was the Weimar Republic the third world?
No? Nobody thinks this.
>How about the regime that followed?
No? Nobody thinks this. Antisemitism is not the only requirement to be third world.
>Should European antisemites be allowed into Sweden?
Yes! We are in Schengen after all.
>Maybe everyone who enters Sweden should have to pass an ideological test to prove they are sufficiently non antisemitic and appropriately Western?
There is no "test" for "entering Sweden". But there is one to be a Swedish citizen. And even before you are a Swedish citizen, you can now be deported based on your bad conduct.
Sweden has introduced or is in the process of implementing stricter requirements and assessments in migration law, particularly around good conduct ("god vandel"), self-sufficiency, and in some cases language/knowledge.
This allows the Swedish Migration Agency (Migrationsverket) to deny entry, refuse a residence permit, or revoke/withdraw one based on a holistic assessment of the person's conduct.
"Bristande vandel" (poor/deficient conduct) includes:
Not following laws, court decisions, or authority orders (e.g., unpaid fines, ignored decisions).
Unwillingness to pay debts (to individuals or the state).
Repeated minor offenses.
Welfare system abuse (e.g., fraud).
Associations with criminal/extremist networks.
Serious addiction or a grossly irresponsible lifestyle.
This is not a moral philosophy test or quiz — it's a discretionary evaluation based on evidence (police records, debt registers, authority reports, etc.). It's broader than just criminal convictions.
For permanent residence or extensions in some categories, there are discussions of tightening rules (e.g., basic Swedish proficiency like A2/B1 level mentioned in policy contexts), but as of now, it's not a universal entry barrier.
For Swedish citizenship (medborgarskap), stricter rules are rolling out from June 2026:
Knowledge test in Swedish language (reading/listening comprehension at functional level) — planned start around October 2027.
Test on Swedish society/knowledge about Sweden.
Higher "hederligt levnadssätt" (honest way of life) requirement, similar to vandel.
Self-sufficiency requirement (no long-term welfare dependency).
>Or maybe you let them in but they have to walk around in special outfits or with a special lapel or label on them so we can be vigilant regarding their whereabouts?
I understand that you are trying to equivocate the current Swedish government to Nazi Germany, but the above is not done.
>Perhaps anyone who commits a crime in Sweden should be deported, as only an anti-western person would exhibit criminal behavior?
You have 2 parts here. We indeed should deport more foreign born criminals, and we are.
The new government have passed the "bristande vandel" or "poor conduct" addendum to the deportation law.
The concept was revived in the Tidö Agreement (2022). It called for investigating ways to deport or deny permits to non-citizens showing "bristande vandel," including things like association with criminal gangs, extremism, drug abuse, prostitution, or general non-compliance with rules.
It applies mainly to non-EU/EEA citizens and certain residence permits (not fully EU-law protected ones, though some security-based revocations are possible).
This does not directly apply to Swedish citizens (citizenship revocation has separate, stricter rules and constitutional hurdles).
>What do you want to do about it?
See above, all policy I voted for and agree with.
>Highlighting crime tells us nothing.
It does! It tells us who did it, who is responsible. And steps to avoid and correct it. Swedish National Council for Crime Prevention (BRÅ), continue to produce and release reports that analyze crime data by immigrant background or foreign background (typically defined by whether a person is born in Sweden to two Swedish-born parents, born in Sweden to one or two foreign-born parents, or born abroad). They did this in 1995, 2005 and again in 2025. If these stats offend you, maybe it says something about you.
>Every society deals with crime
Yes, but some more than others. Do you not want to live in a society with less crime or more crime? Every country has garbage and trash. Do you want less or more? Every country has electricity outages sometimes, do you want less or more?
>Most societies have minorities. What separates societies is how they deal with it.
Is that really the defining variable? It reads like something I'd have written in high school, the kind of line that sounds profound but dissolves under pressure. What about living conditions, quality of life, infrastructure, longevity, happiness? Those seem at least as relevant, if not more so.
>So tell us, warden of the West, what you seek to do.
See above, all policy I voted for and agree with.
I'm not offended. I actually appreciate you answering the questions and attempting a good faith reply.
I have some follow-ups.
> Yes! We already do this. Everyone in the EU can freely migrate to another EU country in the Schengen zone.
How about any other ways? When they are in the country? How about vs other non EU immigrants? Should people from MENA be treated differently than people from Israel? From the United States?
You say open borders are not human rights... but you said European antisemites should be allowed to come into Sweden. If you care about open borders and antisemitism so much, would you support a Swedish brexit? You seem to indicate you voted for a party that changed migration laws. Would you also support a party that banned European antisemites? Why is Schengen inviolate but not your prior rules on migration or crime?
> The policy now is prevention also.
Meaning what? And on what basis?
> Yes, Israel and its population have shown to be our steadfast partners.
How is Israel a partner to Sweden? So a partner to Sweden is what makes a country Western? Earlier you seemed to suggest it was based on geography but also "behaviors". What behaviors would those be?
Lastly, I understand you think the Nazi analogies are gotchas. You'll have to forgive me. After all, while you take great care in your prior reply to be sensible, your other replies did not convey the same tone. Focusing exclusively on one minority group makes one look very suspicious. It's not like the thought of Nazis comes from nowhere.
You should know it was only last year your "Moderate" minister for migration Johan Forssell was involved in a scandal where his teenage son was pictured giving a Nazi salute, having attended neo Nazi gatherings. This is the same man that blames cultural degradation and parents for the actions of other teenagers, who wants to lower protections for young people and their parents accused of crimes or misconduct... do you not see an irony here?
https://www.theguardian.com/commentisfree/2025/jul/11/sweden...
Do you think he should have resigned? Do you not see any nexus between focusing on crime through a racial or ethnic lens and fascism? Do you take the responsibility of any criminal justice system to prove guilt and treat defendants of equal status equally before the law regardless of race, ethnicity, country of origin, etc. seriously?
Are you as surprised as he was, given his rhetoric, that the security services of your country had to inform him his own son was involved in such a group?
It seems to me someone who wants to make broad associations based on neighboring conduct and loosen protections before the law in the name of Swedish values and public safety should at the very least have the decency to resign in such a circumstance. It is deeply ironic to me and I think perfectly captures how I personally feel about the right, from Europe to the United States to Israel...
So in summary, is your position if a MENA teen in Sweden does a Nazi salute, you want them and their family deported? But if the Minister of Migration's son does it, that's fine? You agree with your party it's not a big deal?
Remind me again where antisemitism comes from?
You asked if I want less garbage and trash in my country. I'll settle for less Nazis.
Tidö have been going strong and are just starting to clean up our country. I hope they win again but I fear we have another disaster government next election.
I have a job and money so I will not be personally affected but if the left wins MP and V will dictate and it will be 2015 all over again. I do hope their voters take the brunt of the damage up close and personal that is to come from their own votes to this country.
Going strong on what exactly?
NATO status acquired. S was controlled by V and MP on this and was so-so. We see it now with S complaining about the government's talks with France over their nuclear umbrella.
(Call her she is crying https://www.tv4.se/artikel/3GXfcuT7u8zm5ApyIJ4Z8b/andersson-... )
Something I also support this government on.
Redirected grants from lesser nations to Ukraine with the biggest aid package ever to Ukraine explicitly stating that it is a top priority. So overall, prioritizing EU and Europe.
Inflation was 12% now down to 3%
Largest increase in military spending since the Cold War, this is the new Europa.
A paradigm shift against organised crime, with tougher penalties, substantial resource increases for the justice system, and expanded tools for police and prosecutors.
Shootings especially have decreased, there was 0 in January 2026 (or maybe they just stay inside because of the weather xD)
Another paradigm shift but in Migration: They have implemented the strictest migration reforms in Swedish history, leading to the lowest asylum-related immigration since 1985.
Implemented a sharp tightening of migration policy in the first 100 days: increased internal checks on foreigners by about 25%, intensified work on returning people without residence rights, expanded detention capacity, and launched information and analysis efforts on voluntary return.
Cut the annual refugee quota from around 5,000–6,400 to 900, presented by the government as delivering on the promised “paradigm shift” in asylum and migration policy.
Reddit is crying about this ofc. But again, 100% support from me on this.
We already had a deal with Finland. Would have happened no matter who was in power in Sweden. Though now with Trump back it's not looking like the best idea.
>A paradigm shift against organised crime
Keep doing the same thing, ask cops how to solve the problem, more cops is always the answer. The war on drugs is a massive failure.
About to get a lot more refugees to Europe thanks to Trump.
How do they handle identity thefts, spam, etc.?
There are so many ways to misuse these data. Are the residents not concerned about this?
The root cause of identity theft in USA and some other places is the lack of "proper" national identity and the associated use of various personal "secrets" (not that secret) for identity verification because there are no good easy other ways.
Businesses in Scandinavia and many other countries would not treat someone knowing your personal information as any evidence of identity (because it's not); having all that information is not sufficient to impersonate you there - identity theft does happen but it would require stealing or forging physical documents or actual credentials to things like bank accounts; knowing all of what your mother or spouse would know is not enough to e.g. get credit or get valuable goods in your name.
The US has no single national photo + chip ID card that is available to everybody, for free, including illegal and semi-illegal immigrants and homeless people with no access to their birth certificate and such.
It's completely crazy to me that you can be "out of status" with the USCIS and still get a social security card and a bank account, for example.
It absolutely isn't free here in Norway either, around $86 is what I'd have to pay now to get an id card as an adult (same price as a passport but easier to carry).
"Identity theft" is newspeak right up there with "intellectual property". It serves the sole purpose of diminishing real theft. If someone says "we gave all your money to this other guy, but it's not our fault because he had stolen your identity" doesn't make it so. There are cases of mistaken identity, and with criminal intentions, but there is also an enormous majority of not checking identity because someone was lazy.
Which is what leads to this comedy:
https://www.youtube.com/watch?v=CS9ptA3Ya9E
"Identity theft" is a term invented to push the responsibility for fraud back on the person who is being impersonated rather than on the person or organization that failed to properly identify the impersonator.
Just knowing the personal number is not enough to do much with. To get access to services, verify who you are when talking to companies there is a verification step, most commonly with the BankID app.
Visual example: https://images.ctfassets.net/b2dmfxhmyqno/1cD0YDHjd9DGZnWfjH...
Identity theft and spam still happen, just not through knowing the personal number.
Just knowing someone's name, address, and ID number isn't enough to like, open a bank account in their name or such. You'd need a proper ID card or passport for that. Similar thing with most businesses if you try to pay for some product with credit, they won't accept just a few digits and a pinky promise, you'll need to identify yourself properly (the BankID app for instance).
We just change our identity every three years or so.
https://www.youtube.com/watch?v=BK2gKuqbOHo
Unlike American SSNs, which are secret and wield certain authoritative powers, a Scandinavian "person number" is neither secret nor authoritative. Common misconception.
Of course ID theft happens but I think one thing that differs is that in Sweden it is harder to get a loan without verification that you are who you are (for example by Swedish BankID which is an electronic id) while in US it seems you can take a loan if you just know someone’s social security number
It's just a unique ID of a person, it's not a password. I don't see how you can be confused by this.
It's also "anyone's brokerage account holdings, addresses, phone numbers" according to the comment that this subthread of the conversation is about.
It only gives read permissions, to make any changes requires a password.
They don't handle it at all. They let it go on. You for example have hundreds of people falsely registering their place of residence as somebody else's home, which causes massive problems for that home owner or apartment resident, and there is nothing done about it at all.
These types of laws are designed for the 1950s where there were natural barriers to acquiring and disseminating information. There is no attempt whatsoever to update them and to reduce harm caused to the average citizen today.
> How do they handle identity thefts
By just accepting it as a normal fact of life that you will have some random stuff ordered in your name sooner or later with an invoice you'll have to dispute. Happened to a relative of mine, police do not care unless they order things above a certain value, without a police report you cannot get free ID protection, and then you'll have to sit for a long time in phone queues trying to cancel a subscription for a streaming service or whatever they ordered while getting thrown around by support reps who go "you SURE you or someone in your family didn't order this?"
That is absolutely not a normal fact of Scandinavian life. Gross exaggeration and misrepresentation.
I am Swedish and never had this happen to me. Never had random things show up or ordered for me at all. What would the point be, you have to pay or get an invoice? For Klarna they use BankID so only I can order an invoice for myself in reputable shops.
I am in my 30s btw so I was alive before BankID and it was a worse time. Remember my parents paid bills with paper.
There are plenty of reports online about how identity theft is becoming widespread in Sweden. The fact that something didn't happen to you is not evidence.
https://ocindex.net/assets/downloads/2025/english/ocindex_pr...
https://swedenherald.com/article/biometric-data-to-stop-fals...
The OP didn't claim it had happened to you. What they said is that it is possible to use the information about regular individuals that is publicly available to cause harm, and there are no attempts to stop this.
It is possible but it is not widespread.
Go back and edit your original comment because it is irrelevant and misleading.
No, I don't think I will.
That sounds rather unacceptable.
It basically never happens. I don't know where the GP got their story from.
Yes, I don't think anyone truly wants it to be like this. But it's just what happens.
You of course cannot access and empty out someone's bank account this way, you're safe in that regard. But you need to dispute the invoices as soon as possible to show that it is fraudulent, so you don't end up needing to actually pay for it. Or get debt collectors after you.
^ Never had this happen in my 30 years here so YMMV
So don't take this poster by their word.
Not saying it DOES NOT happen as it is a system not made for the internet. But widespread? It is not.
Never happened to anyone I know either.
Not open but stupid, IMHO.
> Identification numbers per se are not particularly useful or hard to get, they are effectively public information
They are absolutely trivial to get. One click on mrkoll.se.
> by simply signing an agreement with SPAR
But that seems like a completely different thing than a nefarious and anonymous person or group having access to the entire database.
Yeah, nefarious or anonymous people have never used the internet so they could never find out that this was all public information.
Public information if they signed an agreement with the Swedish government?
No, public information for anyone. You realize that if it's public information, then it's public, and anyone can re-publish it online? There are websites for that. I can get the complete identification number, home address, phone number, etc for any Swedish citizen (that does not have a protected identity) in less than a minute.
You can get all of that one-by-one? Or can you get the whole database at once?
I cannot trivially get the whole database, no. But I kind of fail to see what a malicious actor would do with a large database of public information that they couldn’t otherwise do. The system is designed such that you can’t really do a lot of malicious stuff with just public data, and the stuff you can do (scam calls, etc) is probably not meaningfully more effective if you have the whole database than if you do manual lookups or web scraping. I’m open to being proved wrong about that however.
Basically: obviously it's not desirable to have that full database in the hands of a malicious actor but I'm not sure it's such a big deal either. Again, it's public data by design.
Identity theft and scams are widespread in Sweden and the most increasing crime currently.
https://ocindex.net/assets/downloads/2025/english/ocindex_pr...
I will say that the open and transparent design of Nordic society has some obvious issues when colliding with the hostile Internet we have today.
The issue here though was whether having a full database is materially worse than relying on existing public resources. I can do identity theft all day with public resources; I don’t need a full database dump.
In the US, property tax records are public by design. However, historically the records were physical and hard to search through. Now that these records are digitized and published online, it is trivial to find out where someone resides by searching through these records. So while public by design, at scale data aggregation changes the threat model.
Phone books gave out most people's home address. There were data brokers transcribing them (before reliable OCR) to build their databases.
You can trivially purchase the data from Bisnode Dun & Bradstreet Sverige.
Yes, you can buy the database for the entire population. There are commercial vendors for this, one of them is Dun & Bradstreet (Bisnode Dun & Bradstreet Sverige).
That might be interesting but it’s also completely irrelevant since no PII was actually leaked.
Also, no source code of ”Swedish e-government services” was leaked since that is not a thing:
https://news.ycombinator.com/item?id=47363966
Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]
[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...
I don't know anything about this particular leak, but I have worked at Skatteverket.
Let me just say, the likelihood that CGI would have any _actual_ real personal data is close to 0%, at least on servers outside of Skatteverket. I had access to absolutely nothing even working inside. I have never worked in a more closed-down system, maybe excepting the Swedish military "complex". No, actually that was less locked down in a way, at least once you were "inside" the system.
> Let me just say, the likelihood that CGI would have any _actual_ real personal data is close to 0%, at least on servers outside of Skatteverket.
Here in Norway our company was denied access to the Norwegian private person database API test environment, despite it containing 100% fully non-real synthetic data, on the grounds that they deemed we didn't need it.
We were writing an integration against it for a large customer which did have access. The API was run by Skatteetaten.
So, locked down over here too.
As a Swede this is giving me shudders, the statements reek of paper-pushers and certification-chasers that don't seem to understand fundamental risks of how threat actors can move around once having established footholds, hopefully there's more competent people down in the trenches.
Are we allowed to vibe code some positive changes and submit them for review?
The source code is the least of it! From the article:
> citizen PII databases and electronic signing documents were also collected but are being sold separately
Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.
Judging by other sources, it wasn't really information considered PII in Sweden (but would be in other places); I'm not sure this is as big a deal as people try to make it out to be.
Man, you've got to be a real low-life to sell all of that.
You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.
It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?
And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.
At the high end you can use data diodes to isolate critical data.
The point of a system like this is specifically that it’s accessible and not air gapped.
Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible
If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?
You can, they didn't; big difference.
By "can't" I mean "not capable" or "not going to in practice".
If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.
"misstakes", love it, almost peotic
> it is still easy to make misstakes.
That's not an excuse though, any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done otherwise it's just negligence.
It was mainly an explanation, that "airgapping" does not magically provide better security, or is required (or possible) to use at all here.
And it's pretty clear to me that they were criticizing storage of sensitive data in a database that isn't properly secured and they simply misused the term "airgapped". The database in question was easily accessible from poorly maintained development infrastructure.
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize
Imagine if the bank took such a cavalier attitude with the contents of my account.
Encryption keys are mentioned as well.
I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)
I saw it on SVT a few hours ago. DN and Expressen have also reported. The details about what exactly it is that got leaked are unclear (some report it's basically the code and certs responsible for BankID SSO) but this is certainly being reported domestically.
In Aftonbladet comments from CGI they seem to think that no production related data has been leaked:
https://www.aftonbladet.se/nyheter/a/ArvG0E/cgi-sverige-uppg...
But a copy of production data in the test environment isn't production data... It's test data! :)
As if it ever happened that a breached company admitted immediately that they've just been fucked.
> some report it's basically the code and certs responsible for BankID SSO
No. CGI has nothing to do with BankID.
IMO the most credible reports suggest that the source code and data involved are related to these four services:
https://www.cgi.com/se/sv/business-process-services/e-tjanst... "Mina engagemang offers a user-friendly and flexible solution that allows your customers to manage their cases directly through a personal portal. Here, users can view, track, and interact with their ongoing cases, which enhances both transparency and efficiency in the communication process." -- some kind of ticket/case management system for gov't agencies
https://www.cgi.com/se/sv/business-process-services/elektron... "With our secure end-to-end e-ID and eSign services, we can help you streamline document and contract management, gain access to all desired e-ID issuers, and improve cost efficiency." -- this sounds like a bad thing to compromise, but is to the best of my understanding a system for digital signatures on documents, and has no relation to BankID
https://www.cgi.com/se/sv/business-process-services/e-tjanst... "Gain better control over your organization’s representatives with our easy-to-use representative registry. By automating the identification and verification of representatives, you’ll gain a clear overview and enhance the security of your processes." -- sounds like some bullshit CRUD app for managing who can "represent" a gov't agency
https://www.cgi.com/se/sv/business-process-services/e-tjanst... "SHS is Sweden’s common standard for information exchange, enabling secure and efficient communication between government agencies, businesses, and organizations." -- this might be bad if real data was leaked
These are services used by various Swedish government agencies and it's pretty bad to have even a test instance of them hacked, but let's calm down. The entire Swedish state has not been compromised here.
> CGI has nothing to do with BankID
That's incorrect. Skatteverket used CGI for BankID-login, I don't know if they still do. I have personal experience working on a BankID-login using CGI for another company and it is still active.
Edit: I just confirmed Skatteverket still uses CGI for BankID-auth. "funktionstjanster" is CGI.
OK, let me rephrase that: CGI, while they may "have something to do" with BankID in the sense that they have developed systems that integrate with it, does not itself develop BankID and does not hold any private keys for BankID.
What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?
To the best of my understanding it means that a system made by CGI for digital signing of documents (as in: you get something like a PDF from a government agency and need to digitally sign it and send it back) has had its source code and/or some data belonging to it leaked.
Skatteverket, the Swedish tax authority, has been quoted in media as confirming that they use CGI's system for digital document signing but that none of their data nor that of any citizens has been leaked.
https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
"One of the government agencies that uses CGI’s services is the Swedish Tax Agency, which was notified of the incident by the company. However, according to the Swedish Tax Agency, its users have nothing to worry about.
“Neither our data nor our users’ data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there,” says Peder Sjölander, IT Director at the Swedish Tax Agency."
So if no data was leaked from the tax agency or from the users, then the leaked "digital signing documents" must have belonged to the only remaining party, which is CGI, so perhaps they were just some marketing documents about the benefits of their digital signing service?
The original phrasing from the attacker, from the website that put the data up for download/sale, was ”documents (for electronic signing)” which implies that they’re documents that would be signed in said system. I would take all of this with a large helping of salt though. CGI claims it’s not real production data anyway; maybe it is and maybe it’s not.
The best case scenario is in line with what CGI claims: these are lorem ipsum fake docs from an old git repo for a test instance of the system.
If that is the case, then it would have been wrong from the beginning for any government to keep hold of the private keys for the signature on my citizen card.
Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.
I apparently didn't phrase that very well. If what is the case? I was trying to ask which case was the case, not trying to claim that something specific was the case.
I'm familiar with electronic signatures, and I know what documents are, but I have never heard the phrase "electronic signing documents" and don't know what that is supposed to mean. What kind of documents? Documents about signing, documents that were signed, documents in the sense that files containing keys could be considered documents, or what?
Signed documents can be as simple as an ID of the transaction, a statement in text, PII data that identify what you sign, or a store of larger PDF files for download and verification. We do not know. I base this on how signing works technically in Sweden.
CGI is not the only supplier of these services.
In Portugal we were early adopters for digital signatures on citizen cards.
You use the card reader, insert your gov-issued identification and can sign PDF papers which have legal validity since the private key from the citizen card was used.
Now imagine someone signing random legal documents with your ID for things like debts, opening companies or subscriptions to whatever.
We might've lucked out here, there is some signature data on ID cards today and official _plans_ to make a government backed signing service, but practically _nobody_ uses them in practice so just revoking all those keys will be a minor issue.
Currently most Swedes use a private bank consortium-controlled ID solution for most logins and signatures.
I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to me what the "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.
It's not going to be a specific service or agency with a domain name, it's going to be services that are either internal and used by employees only, or that are integrated into other systems that you may be interacting with without knowing it.
Nothing in particular, based on my understanding CGI, a Swedish IT consultant company, was hacked; they have contracts for and are the maintainers and developers of a bunch of various government departments' IT services.
CGI is Canadian, with global headquarters in Montreal.
I would guess that skatteverket.se, polisen.se, kronofogden.se are among those affected by the leak.
Some other comments mention BankID private keys. That would be the biggest disaster as that’s what everyone uses to identify themselves “securely” on all government services.
The private keys in BankID are stored in users phones, not centrally.
Well, don’t Relying Parties using the BankID API for signatures and authentication have private keys to start the flows for users scanning QR codes etc.?
Could you, having the right private keys, impersonate some company soliciting a BankID signature?
I’m not sure what you can do with that though. You cannot steal some other ongoing signature I guess.
You can start a signing process saying you are whoever owned that certificate. E.g. if you call someone. You cannot use those signatures to gain access, and it is rather in phishing.
That's an interesting guess that I assume is based on absolutely nothing?
Yes, nothing and the facts that these are government services, they use BankID and they updated their websites with "maintenance work" announcements for tomorrow, Saturday. For kronofogden.se there was no maintenance planned just half an hour ago. Knowing Swedish tendency to plan things months ahead I would _guess_ that this maintenance work has been rushed due to some circumstances.
It's quite possible that the maintenance is related, but I can nearly 100% assure you this has absolutely nothing to do with BankID. I don't know who suggested that but they are either poorly informed or actively trying to sow FUD.
There is no such thing according to Peder Sjölander, IT Director at the Swedish Tax Agency:
https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
– Neither our data nor our users' data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there, says
The information that source code was leaked from a joint government e-platform is not true, according to Peder Sjölander.
– There is no such platform. I think the perpetrators in this want people to feel insecure. We feel confident that our data is safe and we have the situation under control before the tax return period opens next week.
Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.
[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...
Maybe they should go open source from the start, then there's nothing to leak.
P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).
When I worked for the government in Norway, it slowly changed to all code being developed in the open. 3k repos here now: https://github.com/orgs/navikt/repositories
When I started it was a big security theater. Had to develop on thin clients with no external internet access, for instance. Then they got some great people in charge that modernized everything.
Only drawback is when you quit, you have to make sure to unsubscribe from everything, hehe. When quitting a private company I was just removed from the GitHub org. Here I was as well, but I was still subscribed to lots of repos, issues, PRs, heh.
Very cool! Do they accept external contributions, e.g. from Norwegian citizens? Also, was there any thought given to "digital sovereignty" (wondering because the repos are hosted on a US service)?
I'm also surprised that you were able to (or expected to?) use your private GitHub account for your work.
Not sure how it is now, but when I worked there ~8 years ago we weren't really equipped to accept contributions. Both from a licensing perspective (CLA), but also that we had our own timelines, projects and prioritizations in the team. So most applications were open source more in the sense of source available. Some utils (like generators for Norwegian mock data, or libraries handling Norwegian addresses or whatever) that were actively used by other companies could get some proper contributions once in a while, though.
Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.
Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".
Anything taxpayer funded should be open source to begin with.
Similarly taxpayer funded contracts for any type of infrastructure (obviously I have digital infrastructure powered by proprietary solutions in mind) should only be awarded if interoperability is guaranteed to prevent lock-in and abuse.
https://publiccode.eu
I like paper documents for this very reason.
It's very hard to steal everyone's documents when they weigh about the same as a train.
But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.
> it’s easy to lose all of them in a fire or flood
Wouldn't a fire or flood affect everything? Both data stored on paper and hard disks?
The good news is you can keep offline, offsite digital copies, which is much more convenient than offsite paper copies.
I think what the comment meant was that it's harder for an individual to lose their paper documents compared to losing the electronic ones. It just shifts who's responsible for keeping them safe.
This is a feature not a bug.
That depends entirely on what the records hold and who is interpreting the event.
Yes, who could ever care about German birth records from the 1700s in 1933?
Problems with well-known solutions 100 years ago:
"Fireproof file rooms and cabinets in the 1920s were crucial for protecting business and government records during the rapid expansion of the industrial era. The era saw a massive shift from flammable wooden office furniture to robust, steel-based storage designed to resist both fire and water damage."
That's a Google AI summary - but I've been in a fair number of buildings with such rooms. Thick concrete walls, heavy steel fire doors, no other openings, nothing but steel file cabinets in 'em, sealed electric light fixtures that look like they belong in a powder magazine (where one spark could kill everyone) - it's really simple tech.
And "high ground" was a reliable flood protection tech several centuries before that.
Then add “earthquake” to the list, or “domestic terrorists or foreign country bombing the building”. Steelman the argument. The point isn’t “just fire and water specifically”, we’re not playing Pokémon.
We have several historic examples of records being lost in disasters, and way more recent than 100 years ago.
https://en.wikipedia.org/wiki/National_Personnel_Records_Cen...
It makes no difference that we could’ve prevented that with better building construction. We didn’t, and hindsight does not bring the records back. We should plan for the world we want but cannot ignore the world we have.
I’m not defending digital as always better or criticising physical. Like I said, different tradeoffs, meaning there are advantages and disadvantages to both, there’s no solution which is better in all situations.
I stuck to the threats you mentioned. Paper in a file room is slightly more quake-resistant and bomb-resistant than digital. But slower to move to safety if the threat is large volcanic eruptions.
I am not saying that paper is magically perfect. Nor better in every situation. I am saying that paper is far easier (than digital) to do well for use cases like a national records collection. "Correctly" may include off-site backups - whether or not your threat model includes massive earthquakes, volcanoes, bombs, special forces, EMP weapons, biological agents, civil war, radioactive fallout, or enemy occupation. Or "Management wouldn't pay for a done-right facility".
As I noted in another comment, the largest downside to paper (within such use cases), is that it is far more difficult to get political support for old-fashioned stuff that just works, compared to anything that can be sold as cool/new/high-tech. Especially when the taxpayer-funded revenue streams from selling/installing/supporting the tech create incentives clearly contrary to the taxpayer's long-term interests.
No politician ever got elected by supporting simple, old-fashioned stuff that just worked.
CGI has a lot of consultants in both government and municipal places (I've worked at both), and some of our main tools like time reporting were built as an add-on to our personnel system by consultants at CGI. Half my team are consultants from CGI, 4 out of 7 people.
also: hi tavro! it's been a few years, how have you been :D
This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".
Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.
Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.
The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.
A lot of outsourced development.
The tender process + clueless buyers + tender process law(s) cause this. Whole process needs a revamp for this to not be a problem.
> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity
So what do you think would be the solution? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.
I have (the start of a) solution, but it's a boring one:
You have to have people who care about this stuff.
If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.
And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.
I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?
You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.
> You have to have people who care about this stuff.
What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.
Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.
IBM or Accenture or whoever don't need to be the only ones winning tenders.
The total number of people working on the project might remain similar no matter if it's one company or many smaller companies. Writing clear documentation and API, well thought from the start is harder the larger the project.
Maybe there would be a benefit from having less layers of management, but multiple small companies or one big could have the same structure.
A smaller company would have a flatter structure and less management.
Waiting for my coffee now, I had a thought: what if you have more than one company providing the same service and for a project “lifetime” of say 5 years, the money is split percentage-wise by which company attracts more users and you make it so that for the services offered through this you can only use one company, but you can switch at any time.
Absolutely. One of the root causes for these terrible tender processes is a fear of in-housing competence and skill for systems.
It's the same reason major govt. IT orgs keep pushing for closed source (recently the Swedish Tax Authority was in the media for _pushing for Office 365_ as necessary for operations), out-sourced designs, big firm purchases over FOSS or real standards.
You need people that care (and they exist, even in the gigantic state orgs.) in positions to make good decisions. Right now, everything is up in the hands of nebulously defined managerial staff with none-to-doubtful technical competence.
Another recent case: the Swedish digital exams platform flopped at a rough cost of a billion SEK. Can't sustain 150K concurrent users, despite paying a "large company". Like, come on.
Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.
The problem here is that what tends to happen is that the security requirements are relatively vague and once the customer has signed the acceptance, good luck.
And signing up with a big company is a good way to cover your behind, because "if they with all their people and knowledge could not do it...". Basically the mantra of "Nobody was ever fired for buying Cisco".
I see comments about Swedish personal identification numbers. But the article is about source code that's leaked, not a database of numbers, right? I was thinking: should government source code not be open source anyway?
The same attackers are releasing the database of personal information separately (for a fee).
That said, Sweden takes a different approach to PII, so most of that information would have already been public. You can generally just look up any resident and their ID number and other biographical details in a public directory (among other things… their tax returns are also public records).
Ideally they should be open.
Worked on a similar platform. The real risk isn't the code - it's the config files. Government deployments have hardcoded staging credentials, VPN endpoints, and encryption keys that don't get rotated when code leaks. Source is whatever. Those env files are the skeleton key.
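As an added illustration of the comment above about config files (not part of the thread, and not code from any affected system): a small inventory pass over a leaked tree that lists which hardcoded values need rotation, without copying the values themselves. File names, key names, values and the name patterns are all constructed assumptions.

```python
import re

# Constructed sample standing in for files from a leaked repository (not real data).
SAMPLE_REPO = {
    "deploy/staging.env": (
        "# staging settings\n"
        "DB_PASSWORD=Sommar2019!\n"
        "VPN_ENDPOINT=vpn.staging.example.invalid:1194\n"
        "SIGNING_KEY=${SIGNING_KEY}\n"
        "LOG_LEVEL=debug\n"
    ),
    "config/app.properties": (
        "aes.encryption.key = 3q2+7wAAAAAAAAAAAAAAAA==\n"
        'api_token: "tok_constructed_0123456789"\n'
    ),
    "certs/service.pem": (
        "-----BEGIN PRIVATE KEY-----\n"
        "(constructed placeholder body)\n"
        "-----END PRIVATE KEY-----\n"
    ),
}

# First matching rule wins; the patterns are illustrative assumptions, not a standard.
RULES = [
    ("encryption_key", re.compile(r"(encrypt|signing|aes|private).*key", re.I)),
    ("credential", re.compile(r"passw(or)?d|secret|token|api[_.-]?key", re.I)),
    ("endpoint", re.compile(r"vpn|endpoint|host", re.I)),
]
ACTION = {
    "encryption_key": "rotate key, re-issue or re-encrypt dependents",
    "credential": "rotate credential, audit use since leak date",
    "endpoint": "review exposure and access controls",
}
ASSIGNMENT = re.compile(r"^\s*([A-Za-z][\w.-]*)\s*[=:]\s*(.+?)\s*$")
PEM_HEADER = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# Values resolved at deploy time (${VAR}, $VAR, <placeholder>) are not hardcoded.
INJECTED = re.compile(r"^(\$\{.+\}|\$\w+|<.+>|changeme)?$", re.I)


def scan_file(path, text):
    """Return findings for one file; secret values never enter the result."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_HEADER.search(line):
            findings.append({"path": path, "line": lineno,
                             "name": "PEM private key", "kind": "encryption_key"})
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("\"'")
        if INJECTED.match(value):
            continue
        for kind, pattern in RULES:
            if pattern.search(name):
                findings.append({"path": path, "line": lineno,
                                 "name": name, "kind": kind})
                break
    return findings


def rotation_inventory(repo):
    """Build the list of items to rotate or review across all files."""
    rows = []
    for path, text in sorted(repo.items()):
        for finding in scan_file(path, text):
            finding["action"] = ACTION[finding["kind"]]
            rows.append(finding)
    return rows


if __name__ == "__main__":
    for row in rotation_inventory(SAMPLE_REPO):
        print(f'{row["path"]}:{row["line"]}  {row["name"]}  ->  {row["action"]}')
```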
Knowing Swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is Swedish Tax Service website, there is a vague note on "maintenance work" planned for coming Saturday. Maybe totally unrelated though.
Interesting, care to elaborate?
I'm pretty sure they did an internal analysis by 8 AM at all these places and came to the conclusion that they're OK.
Of course, they might be wrong!
First reaction: How come the source code is not public in the first place, accessible to every Swedish citizen? They paid for it!
But it turns out that more than the source code was leaked.
Misleading title, as my first thought was "why is Sweden's egov not open source to begin with?".
Turns out it's about data.
Following AI corp logic that everything on the internet is open source, we have an open source government in Europe now.
e-government services should be open source by default!
Now there is an additional reason for that.
Public money, public code.
Most important question: do Swedish e-government services use curl?
Why was all that software not open source already?
What forum is the original screenshot from? It reminds me of cs.rin.ru
Does anyone know what their tech stack looks like?
Unless they hardcode passwords and other juicy details in their source code what's all the fuss about? It is a publicly funded thingy anyways.
As long as cronyism remains the primary qualification for leadership, nothing will ever change, worse, it's only going to get worse
Accountability now, send these people to prison
"Government surprisingly fulfills its duty by making publicly funded source code public"
How much GDPR fine will they pay? Oh wait it's gov so nothing / does not matter even if.
Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.
Well the citizens need to suck it up.
A few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. The government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone accesses it - it is his fault - he broke the law.
Edit, I checked the facts: The Bulgarian government said that it should pay too much to itself, and appealed the fine for a few years until it somehow expired. And the guy (20 years old at that time) they accused was later acquitted after they tried to ruin his life.
As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.
Is this the open source stuff everyone is talking about?