One of the more interesting questions in the second survey is whether authorities have a policy in place for dealing with collection of user data or take down of information. Unfortunately most authorities that answer the second survey do not have one of these policies in place. Recently though, the Swedish Tax Agency got around to answering the survey, answered that they have a policy, and we can now show what this policy contains! In the end, the policy does turn out to regulate things that don’t quite match our research, but there are some common elements, so it’s worth looking into.
The Tax Agency make two distinctions when it comes to research. First of all, is the information open, or closed. Open information means information that is publicly available with having to use a log in. In some cases, where a service only requires an email for verification, systems are still considered open even if you have to take active measures to get to the information. Closed systems are all systems that require creating accounts, befriending, connecting or similar ways to actually see the information. The closed parts of the internet is also the part of the internet “that could be considered as private”.
In the same line of reasoning, they also differentiate between “normal” internet and social media, and we’ll come back to the reason for this.
The second distinction is whether or not the information gathering is tied to an errand that the agency is dealing with, or if it is gathering information without a goal. The quickly disregard the second alternative as it is “ineffective” but a viable option for narrowing options before going in to an active investigation.
These two distinctions end up in a grouping where different actions on different levels of openness add up to allowed or disallowed actions, creating a comprehensive list of options for investigators at the agency.
In the end, the policy of the Swedish Tax Agency is very strict in what is allowed, when an investigator needs to ask for permission and get an ok from supervisors, and when data collection is prohibited. All in all, they are pretty much only allowed to look into openly available information (where it is NOT necessary to even contact the company in question) and only rarely is it possible to go into social media even with permission. If they do need information, there are also guidlelines for what kind of identity they are allowed to take on – they always have to show either full name, or the name of the Tax Agency, or both.