Protection of Personal Data and the Role of the Government
 

On January 6, 1978 - a historic date for the technology market - France became the first country in the world to create a law on information technology, archives and freedoms, according to the nomenclature of the time.

At that time, the concern was that, with the capacity of information technology, the French government would be able to cross-reference all databases on its citizens and end the privacy of the French. The law was meant to set limits on this.

Since then, governments have managed to cross-check all the data about our personal lives: they know how much we spent on credit cards during the year, what our financial transactions were, how many fines we received and, therefore, where we were, the hotels we stayed in, what we access on the internet, etc.

Let's assume that governments act in good faith; then those who have nothing to hide have nothing to fear. The problem is that the government is capable of doing all of this, but so are criminal organizations, so this must be taken into account in any national information security and data privacy policy.

Since May 2016, Bill 5276/2016, which deals with the Protection of Personal Data, has been under discussion. It is a sensitive issue, because one wants maximum personal privacy together with maximum convenience, without hindering the development of the country, in an era when the world economy is turning into a data-driven economy.
In an analysis of the bill, Article 2, item III draws attention:

The discipline of the protection of personal data is based on respect for privacy and:
I- Informational self-determination;
II- Freedom of expression, communication and opinion;
III- The inviolability of intimacy, privacy, honor and image;
IV- Economic and technological development; and
V- Free initiative, free competition and consumer protection.
As well as Article 5, which describes, in its item I, the following:
I- Personal data: data related to the identified or identifiable natural person, including identifying numbers, location data or electronic identifiers when they are related to a person;

In practice, privacy is understood to mean that no one will break into your home or workplace to threaten or rob you, and that no one will use your name or steal your identity.
The following three stories, of a kind that happens constantly, concretely illustrate item III of paragraph 1 of PL 5276/16.

The retiree:
The phone rings, the retiree answers, and the callers introduce themselves as being from the Central de Bancos (?):
CB - Good morning! I would like to speak with Mrs. Letícia.
Le - Speaking.
CB - Good morning, Dona Letícia. This is Alfredo, from the Audit of Central Bank, and I would like to confirm that you really want an MCard Black Card for retirees, with no annuity fee for the rest of your life and with a credit limit of 20 thousand reais?
Le - Well, is there really no cost?
CB - Absolutely, and the interest rate is the lowest in the market, 1.99% per month against 14% for other cards.
CB - I need to confirm some data that I already have with you, because I need positive identification that you are really Dona Letícia. I will read it out and you just confirm:
CB - Your CPF is 202.728.497-08? You reside at Rua Santa Antonia, 45? Your mother is Judith? Your Federal Bank account is at branch 3045, account 27889-5?
Le - Yes.
CB - Very good. Your identification is confirmed.
CB - To finish, so that you receive your MCard Black without an annual fee for the rest of your life, we need a copy of your identity card, your CPF and proof of residence, which can be the electricity bill.
CB - As it is an MCard Black Card, we will send a messenger to your home to collect the documents. The card and the password will be mailed to you in separate envelopes.
She calls her son just before handing the documents to the messenger, and he manages to convince her that it is all just a scam, another identity theft.
Apparently, the only place where criminals could access all of this data is the INSS registry. Has the registration data been hacked?

The fine:
José receives a traffic ticket for not respecting the vehicle rotation scheme in São Paulo: R$ 130.16. He checks the photo and the license plate. Everything checks out. Being suspicious, he checks the RENAVAM, which also matches.
He doesn't remember driving his car on Thursday, but he thinks: "Payment within 30 days with a discount of 20%. Better pay at the bank right away to get rid of the problem and save R$ 26.00."
At licensing time, months later, he finds that the fine never existed.
Criminals take random photos and forge the fine, with a bar code that leads to the bank account of some "orange" (a front man). They got all of José's data somewhere: from the license plate they got to the RENAVAM, from the RENAVAM to his address, and they sent the false ticket.
Has the Detran or Contran registry been hacked?

The magazine:
Maria receives magazine advertisements in her e-mail, but addressed to her late father. Strange, because he never had an e-mail address in his life. Maria reflects on the problem and remembers that the only place where she gave her own e-mail as her father's was in the income tax return.
How did the magazine get access to her father's records with the tax authority?

As the debate on privacy and data protection now permeates society, Congress, the Executive and the Judiciary, it is time to go back to the origins of the problem and clearly discuss what personal data and metadata are, what is actually meant by privacy, and the real role of the Government.

Nobody wants their personal data to be used by criminals to steal their identity, break into their home when they go on vacation, kidnap their children at school, or even expose their private life.
Article 5, item I of PL 5276/16 states that personal data includes identifying numbers.

The most important piece of personal data that everyone in Brazil has, their single identifying number, is the CPF number and, oddly enough, it is public data.
Do a Google search by typing your name in the search field followed by your CPF and you will certainly find your CPF.

Another very important piece of personal data is your home address. Use the same search engine and you can easily find your address.

The most important personal data (CPF and residence) are held in public databases that are not encrypted or have no access control. Any employee with the proper credentials can access them, and no one checks whether that access is needed.

Any legal action you take part in has your CPF available to anyone who wants to see it.
There is even a rumor that it is possible to buy the taxpayer and INSS registries at Rua Santa Efigênia, in São Paulo, with the registration data and even anyone's income.

Evidently, the justice system must be transparent, but with today's technology it is possible to encrypt the data and, at the time of presentation, use Format-Preserving Encryption so that the data appears in its preserved format, as is done with credit cards:

José Antonio Silva, CPF 201.XX9.XX7-49, resident and domiciled at ALXMXXA XOX NXXBIQXXS n. 0X7X, email JXXXXO.XXXA@UOL.COM.BR.

This data would be enough to identify Mr. Silva, but not enough to steal his identity.
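
An added illustration (not from the article or any government system) of the masked presentation described above: values are rendered with their layout and length preserved but with too few characters visible to be reused. The CPF and e-mail are constructed samples, the visible CPF positions copy the article's masked sample, and this covers only the display masking, not the encryption at rest.

```python
import re

# Digit positions (0-based, separators not counted) left visible in a CPF,
# copied from the article's masked sample 201.XX9.XX7-49.
CPF_VISIBLE = {0, 1, 2, 5, 8, 9, 10}
CPF_RE = re.compile(r"\d{3}\.\d{3}\.\d{3}-\d{2}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def mask_cpf(cpf: str) -> str:
    """Mask a formatted CPF, keeping separators and length."""
    if not CPF_RE.fullmatch(cpf):
        # Unexpected layout: hide every letter and digit rather than guess.
        return re.sub(r"[0-9A-Za-z]", "X", cpf)
    out, i = [], 0
    for ch in cpf:
        if ch.isdigit():
            out.append(ch if i in CPF_VISIBLE else "X")
            i += 1
        else:
            out.append(ch)  # keep '.' and '-' so the format is preserved
    return "".join(out)

def mask_token(tok: str) -> str:
    """Keep the first and last character of a token, mask the rest."""
    if len(tok) <= 2:
        return "X" * len(tok)
    return tok[0] + "X" * (len(tok) - 2) + tok[-1]

def mask_email(email: str) -> str:
    """Mask the local part token by token; the domain stays readable."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        return re.sub(r"[^@.]", "X", email)
    return ".".join(mask_token(t) for t in local.split(".")) + "@" + domain

def mask_record(text: str) -> str:
    """Mask every CPF and e-mail address found in a line of free text."""
    text = CPF_RE.sub(lambda m: mask_cpf(m.group()), text)
    return EMAIL_RE.sub(lambda m: mask_email(m.group()), text)

# Constructed sample line, not real personal data.
SAMPLE = "CPF 123.456.789-09, email joao.silva@example.com."

if __name__ == "__main__":
    print(mask_record(SAMPLE))
```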

It bothers me to receive unwanted e-mails, since the sender is not respecting the Code of Ethics, but it bothers me a lot more to have my identity stolen, credit cards issued in my name and an unknown debt appearing at the end of the month.

Technology cannot and should not trample on individual privacy; quite the contrary. In Brazil today, more technology, more encryption and masked presentation of data in a preserved format would certainly help to defend our privacy.

The attack on privacy does not come only from websites that aid navigation, nor from those offering shoes, but it comes mainly from the lack of technology and security in government databases at all three levels.
Data protection begins with the security of data held by governments.

Although the Federal Government has advanced in information management and security, with the launch of a national information governance policy and strategy in 2016, there is much to be done in this area, both in the federal government and in state and municipal governments.

There is no national standard for all levels of government, something like PCI (Payment Card Industry Data Security Standard), the international standard for credit cards, which would define the minimum standards for the storage and exposure of consumers' private data held by governments. Without this, privacy will not be guaranteed.

Francisco Camargo
President of ABES
Brazilian Association of Software Companies

Francisco Camargo is a Production Engineer from Escola Politecnica da USP, with courses at the School of Communication and Arts at USP and Harvard Extension School. He is an entrepreneur, a specialist in Information Security and President of ABES (Brazilian Association of Software Companies).

About ABES
ABES, the Brazilian Association of Software Companies, is the most representative entity in the sector, with around 1,600 associated companies distributed across 23 Brazilian states and the Federal District, responsible for generating more than 120 thousand direct jobs and annual revenue of US$ 20 billion.
The companies associated with ABES represent 86% of the turnover of the software development and commercialization segment in Brazil and 33% of the total turnover of the IT sector, equivalent in 2015 to US$ 60 billion in sales of software, IT services and hardware.
Since its foundation, on September 9, 1986, the entity has exercised the mission of sectorial representation in the legislative and tax areas, in proposing and guiding policies aimed at strengthening the value chain of the Brazilian Software and Services Industry (IBSS), in defending intellectual property and combating piracy of national or international software, and in supporting initiatives to promote research, development, innovation and the development of national software. Access the ABES Portal at www.abes.org.br or talk to our Relationship Center: (11) 2161-2833.

 
