The concern, then, was that with the capacity of information technology, the French government would cross all citizens' databases and end the privacy of the French and the law should establish limits for that.
Since then, governments have managed to cross-check all the data about our personal lives, they know how much we spent on credit cards during the year, what our financial transactions were, how many fines we took and, therefore, where we were, the hotels we were in. we stay, you know what we access on the internet etc.
Let us suppose that governments act in good faith and, therefore, those who should not do not fear. The problem is that the government is capable of doing all of this and so are criminal organizations. This has to be taken into account in any national information security and data privacy policy.
Since May 2016, Bill 5276/2016 has been discussed, which deals with the Protection of Personal Data, which is a sensitive issue, because on the one hand, one wants to have the maximum of personal privacy, with the maximum comfort and without hindering the development of the country, in an era when the world economy turns into a data-driven economy.
From an analysis of the project, article 2 draws attention :, item III:
The discipline of personal data protection is based on respect for privacy and:
I- Computer self-determination;
II- Freedom of expression, communication and opinion;
III- The inviolability of intimacy, privacy, honor and image;
IV- Economic and technological development; and
V- Free enterprise, free competition and consumer protection.
As well as Article 5, which describes, in its item I, the following:
I- Personal data: data related to the identified or identifiable natural person, including identifying numbers, location data or electronic identifiers when they are related to a person;
In fact, privacy means that no one is going to break into your home or work to threaten you, steal it, or that no one is going to use your name, steal your identity.
The following three stories, which take place every day, concretely illustrate Item III of paragraph 1 of PL 5276/16.
The retiree:
The phone rings, the retiree answers and those who introduce themselves say that they are part of the Central de Bancos (?):
CB - Good morning, I would like to speak with Ms. Leticia.
Le - It's her.
CB - Good morning mistress Leticia, this is Alfredo, from the Audit of Central Bank, and I would like to confirm that you really want an MCard Black Card for retirees, with no annuity fee for the rest of your life and with a credit limit of 20 thousand reais?
Le - Well, does it really cost?
CB - Absolutely and the interest rate is the lowest in the market: 1.99% per month against 14% of other cards.
CB - I need to confirm some data that I already have with you, because I need positive identification that you are really Dona Leticia. I speak and the lady only confirms:
CB - Yours CPF is 202.728.497-08? The Lady resides to Rua Santa Antônia, 45? Your mother is it Judith? Your Bank account Federal is at agency 3045, account 27889-5?
CB - Very good, your identification is confirmed.
CB - To finish and you receive your MCard Black without an annual fee for the rest of your life, we need Xerox copy of your Identity Card, CPF and proof of residence, may be the electricity bill.
CB - As it is an MCard Black card, we will send a messenger to your home to collect the documents. The card and the password will be mailed to you in separate envelopes.
She calls her son, just before handing over the documents to the bearer, and he manages to convince her that it was all just a scam, another identity theft.
Apparently the only place where criminals could access all this data is in the INSS registry. Has the registration data been hacked?
The fine:
José receives a traffic ticket for not respecting the rotation in São Paulo, R$ 130.16, check the photo, check the plate, check the date, check. As it is suspicious, check RENAVAN, check.
Do not remember to ride the car on Thursday, but come on, pay within 30 days with a discount of 20%, better pay at the bank right away to get rid of the problem and save R$ 26.00.
In the licensing, months later, he verifies that that fine never existed.
Criminals take random photos, set up the fine, with a bar code that leads to the bank account of some "orange". They got all of José's data somewhere, from the sign they got to RENAVAM, from RENAVAM to his address and sent the false ticket.
Has the registration of Detran or Contran been hacked?
The magazine:
Maria receives advertisement for the magazine in her e-mail, but on behalf of her late father. Strange, he never had an email in his life. Maria reflects on the problem and remembers that the only place where she informed her e-mail as her father's was in the Income Tax.
How did the magazine get access to your father's records at the IRS?
As the debate on privacy and data protection now permeates society, Congress, Executive and Judiciary, it is time to go back to the origins of the problem and clearly discuss what is personal data, metadata and what is actually meant by privacy and the real role of the Government.
Nobody wants their personal data to be used by criminals to steal their identity, invade their home when they go on vacation, kidnap their children at school, and even divulge their intimacy.
Article 5 of PL 5276/16, item one recalls that it is personal data: including identifying numbers.
The most important personal data that everyone has in Brazil, their unique identification number, is their CPF number, and oddly enough, this data is public.
Do a Google search by placing your name in the search field followed by your CPF and you will certainly find your CPF.
Another very important personal data is your residence, use the same search site and you will easily find your address.
The most important personal data, CPF and residence, are in Public Databases, which are not encrypted or have no controlled access. Any employee with the appropriate credentials can access it and no one controls the need for that access.
Any legal action you take part in has your CPF available to anyone who wants to see it.
There is even the legend that it is possible to buy the registration of Taxpayers and the INSS at Rua Santa Efigênia in São Paulo, with the registration data and even anyone's income.
Evidently, Justice has to be transparent, but with today's technology it is possible to encrypt data and, when presenting, use technology Format Preserved Encription, and the data appears in the preserved format, as credit cards do:
José Antonio Silva, CPF 201.XX9.XX7-49, resident and domiciled at ALXMXXA XOX NXXBIQXXS n. 0X7X, email JXXXXO.XXXA@UOL.COM.BR.
This data would be enough to identify Mr. Silva, but not enough to steal his identity.
It bothers me to receive unwanted e-mails, as the issuer is not respecting the Code of Ethics, but it bothers me a lot more to have my identity stolen, credit cards issued in my name and an unknown debt appearing at the end of the month.
Technology cannot and should not override Individual Privacy, but on the contrary, in Brazil today, certainly more technology, more encryption, masked presentation of data with the preserved format, would indeed help to defend our privacy.
The attack on privacy does not come only from websites that aid navigation, nor from those offering shoes, but it comes mainly from the lack of technology and security in government databases at all three levels.
Data protection begins with the protection of data held by governments.
Although the Federal Government has advanced in information management and security, with the launch of a national information governance policy and strategy in 2016, there is much to be done in this area, both in the federal government and in state and municipal governments.
There is one missing national standard for all levels of government, something like PCI, which is the international standard for credit cards (Payment Card Industry Data Security Standard), which defines the minimum standards for the storage and exposure of private data held by Governments, without this, privacy is not guaranteed.
Francisco Camargo he is a production engineer at the Escola Politécnica da USP, with courses at the School of Communication and Arts at USP and at Harvard Extention School, he is an entrepreneur and a specialist in Information Security.