October 17, 2018

[Surviving Sweden] How to remove your personal data from eniro.se, hitta.se and ratsit.se

Are you a Swedish national? Do you have a Swedish personal number (personnummer)? If so, chances are that a lot of your personal information is being displayed on websites such as eniro.se, hitta.se, ratsit.se, and, for certain, on many other sites that I am not even aware exist. I recommend that you bookmark this page for future reference, as I will keep expanding it as long as I find ways to get my personal information removed from those up-to-today-unknown-to-me sites.
[Poster: GDPR Privacy Invasion]

Study case

Do you know Amy Poehler, from Parks and Recreation? If you do not, she is—arguably—a famous comedian in the USA. Her brother Greg, also a comedian, had a TV series called Welcome To Sweden, which I particularly liked because it mirrored the reality of many new immigrants to this country. To my knowledge, he is married to a Swedish citizen, is a resident of Sweden and, most likely, has a personnummer.

With only his name and date of birth, which I got from Wikipedia since he is a public figure, and with no further ado, let's see what we can find about him.

Findings

As suspected, he has a personnummer and not to my surprise, I was able to find quite a lot of information not only about him, but also about his wife.

By comparing the results, it is evident, from the amount of information displayed, that the most intrusive of these websites is ratsit.se and the most minimalist is eniro.se. You can compare the three profiles by following their respective links: [ ratsit.se | hitta.se | eniro.se ], or you can take a look at a few screenshots I took of the results obtained.

I have blurred some details in the images because, in case the information gets removed from these kinds of sites, I would not like to be the one who keeps sharing information that I think should not be shared to begin with, #theirony.

ratsit.se

On ratsit.se we can find not only his address, but business he owns, the land value of his house (estimated, not real), phone numbers, cars registered, and some other information. The profile of his wife, Charlotta, is linked on his page, thus, we also checked what information is available for her.
Since they are married, they share common information, and the websites display the same information for address, map, car registrations, among other details.

It is curious to me that there is much more information available about his wife than about him. Perhaps because she is "really" Swedish and there is more information available from her past.

hitta.se

Along comes hitta.se, which provides a little less public information about them; for example, they conceal telephone numbers, although under the numbers there is a link that translates to English as "Display the number", which leads me to believe that you can buy this information from them. Hitta.se also links to his wife's profile.

eniro.se

And last, but not least, eniro.se, which is the one with the least information displayed, although it provides full telephone numbers. And, just like the other two sites, it also displays a link to his wife's profile.

Observations

Do you see the problem with this unwilling display of personal information?

Contact information, business details, real estate values, car registrations with model and year (at least they do not share the color), even if you own a dog, all of this information is out there for anybody to grab, basically for free! Who would need a private investigator, right?

In many countries, these kinds of websites are gold mines for organized crime, kidnappers and stalkers—I guess authorities do not see or understand the link between particular scams and the public display of personal information. Crime perpetrators can browse for victims, and pay extra for more detailed information about someone they may find "interesting", from the comfort of their own homes.

These unscrupulous websites put anybody at the mercy of spammers, con-artists, stalkers, and, even in some cases, in actual physical danger.

Think about people in abusive relationships, where the abuser could always keep an eye on where the abused lives and works, or have access to an always up-to-date phone number, for free. Of course, in these types of situations, you can request protection from the authorities and your data, even on their private servers, will be deleted. In any other case, the data will be removed from public view but kept in the websites' private databases.

How do these companies make profit out of my information?

Mainly, by showing you ads. The more time you spend on their websites browsing for people, the more money they make by exposing you to hundreds of ads. Another source of income is referrals, which means that if you send flowers or a gift to someone from a link on their sites, they get a commission on your purchase. They also make revenue by selling more detailed information, such as annual income and credit reports, full telephone numbers and, ironically, identity-theft protection. Ironically, because they are the ones who put you at the most risk by making your data available to anyone.

So, to begin with, how do these websites get my information?

These websites collect the information mainly from the Swedish Tax Agency (Skatteverket). However, there are some other sources from where these sites can gather more information, such as:
  • Your mobile operator. You may have to call your operator and request that your number not be made public, since some of them do provide these sites with your details. The mobile operator I use, Vimla, for example, claims that it does not share your information with anybody and, so far, my mobile number has never shown up on any of these sites.
  • The State's Population Address Register (Statens personadressregister, SPAR), which is the governmental body in charge of keeping an up-to-date public list of all the information received by Skatteverket from the public.
  • Loyalty programs. When you sign up to collect points with H&M, ICA, Coop, Willy's, Clas Ohlson, gyms, among many others, you may be granting rights to use your personal information to God knows how many "partner" businesses.
  • Other online subscriptions. Sometimes when you download a game or when you authorize applications on your mobile phone you may be consenting to share your personal data with companies related to these sites, thus allowing them to share your information.
Evidently, the easiest culprits to track would be your mobile operator, and the SPAR. Perhaps some of the loyalty cards, and even any other online subscriptions. However, I doubt that anybody would take the time to read the Terms and Conditions for everything installed or downloaded to their devices, let alone to contact each individual company to remove you from their databases. Having said that, the best option is to cut the problem from its root: the site that actually displays your information.

But wait… did you just mention that they get our information from the government? So, is what these companies do legal?

Due to some weird loophole in Swedish law, these companies are exempt from following certain privacy protection laws, such as the GDPR; thus, yes, they are legally allowed to get away with it and try to make a profit from this information. The following is a simple explanation of the rationale in the law, as presented on the SPAR's website:
My personal data is displayed on the Internet. According to Swedish constitutional law, data submitted to a Swedish authority is as a general rule public. This is one outcome of our principle of disclosure and is a tool for the public to scrutinize the work of authorities and public officials. When Internet sites publish your personal data on the Internet, they are protected as a general rule by the constitution of freedom of expression. Usual law providing protection of personal data is then not applicable.
I have, many times, read the above principle being used as an excuse to justify these companies when in fact—and if the wording above is the correct translation—the line that reads "for the public to scrutinize" should be enough argument to ban for-profit use of this data. For-profit companies are not the public. Every individual has the right to request this information from Skatteverket and it should not be the "job" of private companies to jeopardize your peace of mind by displaying your information in pursuit of an economic benefit.

Incidentally, you can use your BankID credentials to access the SPAR website (Swedish-only), and use the following services:

Upon signing in with your BankID credentials, you will be prompted to use two services:

SPAR Services

  1. Reklamspärr

    Activate or deactivate Reklamspärr. According to its website, SPAR can put a lock on direct-addressed targeted advertising. When such a lock is on, your name and address will not be disclosed to the samples prepared for direct mailing. Please note that the lock only applies to direct-addressed advertisers using SPAR as the source of addresses.

    * Note: The text above is my translation of an extract of the page Reklamspärr (Swedish only).
  2. Registerutdrag

    This is the Extract of the Registered Records. When you click on that button you are provided with a PDF file containing all the information that the SPAR has on record about you and it is likely to be shared only with direct-addressed advertisers, and their business associates and other partners. ;)
Alternatively, if you do not have BankID credentials, you can also use the services:
  • For the Reklamspärr: Fill out the online form located on SPAR's website. Download and fill out the PDF called Begäran om reklamspärr, which is available for download right after the Skicka button of the online form. Once you have filled out the PDF file, send it back to them at spar@skatteverket.se.
  • To get an Extract of the Registered Records (Registerutdrag), you need to send a signed request to:
    Skatteverket SPAR
    171 94 SOLNA
It is not possible to be removed from the list; it is just not shared with direct-addressed advertisers. People can still go to a tax office and the information will be provided.

Enough with this mumbo jumbo already, how do I get my data removed from these sites?

The procedure to remove your data from public display varies by website. I have investigated, and successfully removed my personal information, only from the services listed below. The procedures are not as difficult as you may have thought. Just follow the steps for each website to remove, or start the process of, getting your data removed.

hitta.se

They have the easiest way to remove your data IF you have BankID credentials. If you do not have them, hitta.se does not offer an alternative to get your data removed.

So, assuming that you do have BankID, it will take no more than 5 minutes to remove your information from their public search results. The instructions are as follows:

The instructions:

  1. Go to this page: https://www.hitta.se/kontakta-oss#ta-bort-kontaktsida
  2. Type in your name or phone number (it may help if you have a very "common" name),
  3. Once you found your data, click on the red «TA BORT» button,
  4. A window should pop up requiring you to input your personnummer and to select either BankID or Mobile BankID, identify yourself with the appropriate service and sign (approve) the request.
And voilà, that would be it. In about 24 hours your information will no longer be displayed in hitta.se search results.

eniro.se

Eniro is as fast but not as efficient as hitta.se's self-removal process—it is as easy, though. You can choose between sending your application either by postal service or, more conveniently, by email. These are the steps to follow:

The instructions:

  1. Download the eniro.se data removal request PDF file, fill it out and print it. The original document is in Swedish, but I have made a few changes to it so that you can enter your information before printing the actual form.
  2. Sign the printed version of your application.
  3. Make a copy of your Passport, Nationellt ID-kort, Skatteverkets ID-kort or driver's license (körkort).
  4. You can now send your application, and your options are:
  • Postal service

    1. Put your signed application and the copy of your ID document in an envelope.
    2. Address and mail your application to:
      Eniro Sverige AB
      Box 7044
      SE-164 07 Kista
      Att.: Dataskyddsansvarig
  • Email message

    1. Go to your email service and compose a new message with the subject: "Dataskyddsansvarig".
    2. If you would like, write a small, simple text, like:
      Hi, I would like to request the removal of my personal information from your search result page/database.

      I have attached to this email a copy of my removal request application, as well as a copy of my ID document. Please do not hesitate to contact me if you have any doubt or question.

      Regards,
      Your name.
    3. Attach to your message the scanned copy of your signed application and the scanned version of your ID document.
    4. Send your email to the address: privacy.se@eniro.com
Now, you only need to wait. It will take 3-4 days for eniro to remove your personal information. In case you sent your form by regular postal service, you have to take into consideration the delivery time (or any other mail-related incident that could cause a delay).

ratsit.se

The process with ratsit is rather slow, when compared with hitta.se's BankID approach, and even with eniro's removal process (at least they accept email requests). The steps are the following:

The instructions:

  1. Download the ratsit removal request PDF file, fill it out and print it. The original document is in Swedish, but I have made a few changes to it so that you can enter your information before printing the actual form.
  2. Make a copy of your Passport, Nationellt ID-kort, Skatteverkets ID-kort or driver's license (körkort).
  3. Put the printed, signed application from the ratsit removal request PDF file and the copy of your ID document in an envelope, and finally
  4. Address and mail your application to:
    Ratsit AB
    Kundservice
    Ålegårdsgatan 1
    431 50 Mölndal
It will take, upon reception, approximately 30 days for ratsit.se to get your information removed from public display. You should receive an email around the time your information has been taken down.

Final notes

I would like to stress the point that removing your data from the public display does not necessarily translate into its removal from the websites' private databases, since they have the legal right to have it and, by extension, sell it—they are just being polite to us by removing it from public sight =)

The thing is that, at least now, people will have to pay to find you and if they have to pay, there must certainly be a record of the transaction which could be traced back to the person who requested the information.

In my opinion, the most important issue is still the fact that people have the right to go to any Skatteverket office and request—without any kind of explanation nor any form of identification—your personnummer, your current address, your relatives on record, your taxable income, among other very sensitive information that can be collected about you.

That being said, I am not against this right at all. I just cannot believe that it is more "difficult" to check a book out of a library, than to get an individual's, or group of individuals', personal sensitive information.

To check a book out of a library, you need a library card. To get a library card, you need to present an ID. Personal (initially-believed) private information is available to anyone stepping into a tax office, with no record whatsoever about who requested it.

Lastly, regarding the time it takes for your information to disappear from most of the internet: it is very important to mention that it could take a bit longer to "disappear" from most of the internet because, sadly, it is almost impossible to completely "disappear" once entangled in the web. There are many mechanisms that record, take screenshots, or even periodically save entire websites as backup or for historical purposes. Thus, although eniro.se, hitta.se, and ratsit.se could have removed you from their results, your information may still be publicly available elsewhere (give me a shout in the comments if you discover a new service so I can investigate how to get unlisted, and grow this list).

In case that you find yourself in that situation, such sites must be contacted individually and asked to get your information removed and, if they are not an authorized publisher (as in the case of these three sites we are analyzing) they are breaking the law by handling and displaying your information.

tl;dr

For the direct instructions on how to get your personal data removed from eniro.se, hitta.se, and/or ratsit.se, download the respective PDF file:

Removal instructions:

  1. hitta.se:
    [HTML version|PDF version]
  2. eniro.se:
    [HTML version|PDF version]
  3. ratsit.se:
    [HTML version|PDF version]
Alternatively, you may download all the guides in one single PDF file.

I hope you find this information useful, and any comment, opinion or feedback would be greatly appreciated :)

With kind regards,
EOZyo
