Update with new reference:

Katarina Stensson (2021-02-19). ”Vad händer om Apple och Google plötsligt stoppar bank-id-appen?”. https://computersweden.idg.se/2.2683/1.747279/debatt-apple-google-oligarki

My letter to datainspektionen on how the “Mobile BankID” app is compromising privacy of Swedish citizen and the (anonymized) negative reply by datainspektionen leaves the question open, who is taking responsibility in such cases.

1. Question

Gesendet: Freitag, 07. Februar 2020 um 18:45 Uhr
Von: “Wilmar Igl” <REMOVED>
An: datainspektionen@datainspektionen.se
Betreff: Mobile BankID (android-based version) breaches data privacy

Hej,

to increase my privacy and avoid sharing data with Google on US servers, I have installed the open-source Android system “Lineage OS” [1] on my smartphone (Motorola Moto G4) including the “Mobile BankID” app [2]. Unfortunately, “Mobile BankID” requires Google Mobile Services (ie Google Play Store etc) [3, 4] and a Google account. This means that Google Mobile Services will continuously send and store user information (call history, text messages, emails, calendar, location data, connection data, …) [8] on the servers of Google, as a very powerful, profit-driven US-american company subject to US law and the US government.

Major IT companies have been shown in the past to sell user information to promote agendas by powerful, rich interest groups (cf Facebook/Cambridge Analytica scandal) [5]. Even if they don’t do that, the profit-driven algorithms harness user data [8] to engage users by using micro-target advertising and recommending more extreme contents. These methods are assumed to contribute substantially to world-wide (right-wing) extremism and misinformation about vital global problems, eg the climate crisis (cf Google-owned YouTube’s role in the election of right-wing president Bolsonaro in Brazil [7]).

In addition, the US government has shown in the past that it does not respect the privacy of US citizens or other citizens world-wide (cf leaks by Edward Snowden) [9] and the current US government is showing a strong concerning trend towards an authoritarian system with a president seemingly acting beyond and above the law [10].

Mobile BankID is presumably used by several millions Swedish Citizens on android-based system, which are more or less forced or groomed into using Mobile BankID to use bank services and services of the government and public agencies. Therefore, Swedish citizens are vulnerable to abuse of their private information by Google and the US government.

Therefore, my proposal is to require the software company (Finansiell ID-Teknik BID AB, Org.nr: 556630-4928) to develop current and all future versions of the Mobile BankID app independent of Google Mobile Services and without requiring a Google Account and allow users to fully control the information they share without being forced to share information with third-parties.

I am looking forward to receiving your reply.

Best regards,

Wilmar Igl

PS: I have no information to what degree similar problems affect iOS-based (cf iPhone) versions of Mobile BankID.

Links:

[1] https://lineageos.org/
[2] https://www.apkmonk.com/app/com.bankid.bus/
[3] https://www.android.com/gms/
[4] https://en.wikipedia.org/wiki/Google_mobile_services

[5] https://www.theguardian.com/news/series/cambridge-analytica-files

[6] https://www.newyorker.com/podcast/political-scene/how-facebook-continues-to-spread-fake-news

[7] https://www.nytimes.com/2019/08/11/world/americas/youtube-brazil.html

[8] https://www.cnet.com/how-to/google-keeps-a-scary-amount-of-data-on-you-heres-how-to-find-and-delete-it/

[9] https://www.theguardian.com/world/series/the-snowden-files

[10] https://theintercept.com/2019/10/10/trump-crimes-law/

2. Reply

Gesendet: Montag, 02. März 2020 um 10:40 Uhr
Von: “Datainspektionen (no-reply)” <no-reply@datainspektionen.se>
An: “wilmar.igl@gmx.de” <wilmar.igl@gmx.de>
Betreff: Reply from Swedish Data Protection Authority

Dear Wilmar,

Thank you for contacting the Swedish Data Protection Authority (SDPA).

The company you refers to is a private company and does not have anything to do with the SDPA. We can offer general guidance in questions about the rules in the General Data Protection Regulation (GDPR), but we cannot take decision about how a company must design a particular service. A recommendation is therefore that you send your suggestion also to the company.

XXX YYY

Legal Advisor

The Swedish Data Protection Authority

www.datainspektionen.se

———————-

The Swedish Data Protection Authority is a public authority.

Information about how the Swedish Data Protection Authority processes personal data

Wilmar Igl - Biosphere Protection

A blog on biosphere protection in the face of the ecological, social, and economic crisis

Wilmar Igl - Biosphere Protection

A blog on biosphere protection in the face of the ecological, social, and economic crisis

Does the “Mobile BankID” app (android-based) compromise the privacy of Swedish citizens? – My letter to “datainspektionen”

Does the “Mobile BankID” app (android-based) compromise the privacy of Swedish citizens? – My letter to “datainspektionen”

1. Question

2. Reply