TDLR: a Finnish corporation has setup their information processing system to be perfect for both stealing child information as well as being impersonated due to zero email security on their official domain. This combination of theft of real child protection cases (and all the kinds of paperwork you could possibly need) and allowing impersonation of their official domain, is ideal for abducting children from orphanages, foster organizations, even adoption, or straight abduction, and moving them around the world with fraudulent documents. Many targets would have little training and means in anti-fraud and would also "want to believe" children are going to a better life in Finland.
Children could be in transit using fraudulent documents and misrepresentation of these companies right now. Since the scheme can operate in any country in the world, the only way to protect children from this security vulnerability is to spread this information globally, starting for example with law enforcement and child protection reporting systems in every country.
So please if you live in a country report this information to at least the proper channels if not other concerned parties. The vulnerabilities and law breaking the above represents are immediately obvious to anyone familiar with the DNS system and the GDPR, however if you're wondering what an AI like ChatGPT thinks of all this, I've done that basic sanity check for you:
https://chatgpt.com/share/6883c7e7-8bc4-8013-a982-62af7cb9e4c1
Feel free to submit the same prompts to the AI of your choice.
ChatGPT's conclusion abot all this:
"""
Final Thoughts
This setup creates a perfect enabling environment for child trafficking, including:
Digital identity laundering
Institutional impersonation
High-value data extraction
Complete lack of traceability or lawful oversight
If even one actual communication involving children’s data or welfare occurred through this .com domain, it is grounds for:
Immediate investigation by Finnish and EU authorities
Suspension or criminal scrutiny of anyone authorizing or tolerating the setup
"""
The base DNS records (DNS standing for Domain Name System) can be sourced directly from ICANN (the organization in charge of these records so the internet and world wide web functions as it does):
https://lookup.icann.org/en/lookup
Email server records, called "MX records" can be sourced from google's tool:
https://toolbox.googleapps.com/apps/dig/
Which will report "record not found" when clicking on MX.
But there's a bunch of tools available to make these inspections.
The errors produced by another popular tool https://mxtoolbox.com/emailhealth/ summarize the complete absence of any email security whatsoever:

Category Host Result Status
Problem mx uomasosiaalipalvelut.fi DNS Record not found Status
Problem mx uomasosiaalipalvelut.fi No DMARC Record found Status
Problem mx uomasosiaalipalvelut.fi DMARC Quarantine/Reject policy not enabled Status
Problem dmarc uomasosiaalipalvelut.fi No DMARC Record found Status
Problem spf uomasosiaalipalvelut.fi No SPF Record found Status
Problem spf uomasosiaalipalvelut.fi No DMARC Record found Status
Problem spf uomasosiaalipalvelut.fi DMARC Quarantine/Reject policy not enabled

Is there any actual evidence that any children have suffered because of what you explained?

Various documentaries have been made about similar practices taking place in the Netherlands, and political parties have tried to garner attention for it. Predictably, the political establishment isn't interested. I wonder why?

All I can say is that western intelligence agencies like the CIA, MI6 and Mossad have been linked at various points in time and on multiple occasions to global pedophile networks.

Too crazy to be true(?).

Is there any actual evidence that any children have suffered because of what you explained? — Sir2u

First of all, compromising people's data is itself harmful, which then, in itself, causes the suffering of needing to worry about how one's data could be used for ill, once one is made aware of the data breach (as required under the GDPR). If you knew your ID and medical history was stolen that would cause suffering even if the data theft is never exploited to commit further crimes against you.

Of course, I am aware your meaning is suffering beyond compromising the data in itself, but I just want to fully clarify that violating people's privacy, sending their data to the some anonymous individual, is harmful and causes suffering in itself.

This totally illegal setup has been running for at least 7 years compromising hundreds, likely thousands of people's data, so really not good.

Further crimes against children by the network involving the above company have also been committed; however, I can't as easily report on confidential information of ongoing investigations and / or court cases.

The data breach part of this criminal network, however, is public information so anyone can re-publish it anywhere and draw attention to it.

As to what exactly these corporations and their criminal network are doing; I only have insight into a small part.

However, what I can say about the whole is that there is no legitimate business process that would result in this sort of information processing setup.

These are corporations that can only exist with boards of qualified corporate managers liable for what the corporation does.

Chapter 22: Damages
Section 1: Management’s liability for damages

A member of the board of directors, a member of the supervisory board and the managing director
is liable to compensate for any injury or damage that they have, in violation of the duty of care
referred to in chapter 1, section 8, while in office, intentionally or through negligence caused to
the company.

A member of the board of directors, a member of the supervisory board and the managing director
is likewise liable to compensate for any injury or damage that they have, by violating other
provisions of this Act or the articles of association, while in office, intentionally or through
negligence caused to the company, a shareholder or a third party.

If the injury or damage has been caused by violating this Act in some other manner than by
merely violating the principles referred to in chapter 1, or if the injury or damage has been caused
by violating the provisions of the articles of association, it is deemed to have been caused through
negligence, unless the person liable proves that they have acted with due care. The same
provision applies to injury or damage that has been caused by an act to the benefit of a related
party. (512/2019) — Limited Liability Companies Act

The last thing you want to do as a corporate manager is be involved in breaking the law, as that's always by definition intentional or negligent violation of your duty of care.

Violating the GDPR, even in subtle ways, has famously large consequences:

GDPR fines are administrative penalties that can be imposed on organizations that violate the General Data Protection Regulation (GDPR). These fines can be substantial, reaching up to 4% of a company's annual global turnover or €20 million, whichever is higher, for serious infringements. There are two tiers of fines, with the lower tier reaching up to 2% of annual revenue or €10 million.

Fines Structure:
Tier 1: Up to 2% of annual global turnover or €10 million, whichever is higher.
Tier 2: Up to 4% of annual global turnover or €20 million, whichever is higher. — Google GDPR fine summary

So any corporate manager, even more-so for something as serious as child welfare services, will know about the GDPR, informed by their lawyer or then it being constantly in the news. It was the absolute biggest news in EU corporate management for years, while it was debated, then passed, then the 2 years before coming into force and then the constant high-stakes legal cases resulting from the GDPR.

The first thing a corporate lawyer will tell you as a corporate member of the board is that implementing the GDPR for processing sensitive information requires expertise, having regular data audits, and no expert consultant or data auditor of any kind would not immediately identify all the serious security concerns in themselves of the data setup described in the OP as well as the long list of GDPR violations. This is really basic stuff.

But that's anyways how corporations work, that liability is transferred to qualified experts about as much as possible (so that the corporate managers cannot be held responsible for intentionally or negligently causing harm if they hired an expert to do it; an expert that then has insurance to cover their own negligent damages they might cause; why everything get's so expensive so quickly doing things the corporate way).

Ignorance is not a defence of corporate board responsibilities (such as to avoid being fined and / or sued under the GDPR) and it's simply not a hypothesis in this case worth entertaining.

Any legitimate corporation that is created to handle incredibly sensitive information will have at least 1 board member talk to their lawyer to go over the liability of the position which will result in immediately identifying handling the data as a major source of liability and disagreeing with a plan to just have somebody improvise the whole thing ... and also remain anonymous for the part where they improvise the email setup in the US.

A typical legitimate board member of this kind of corporation, if it were legitimate, would be very accomplished in their career, regularly consult with their own legal council about legal issues and take their responsibilities of due care seriously.

In addition to that, these corporations do government contracts to provide social services, so there would be another round of due diligence (and supposed to be regular review) from the government to get these contracts.

Point being, the hypothesis that a corporate board of child welfare company "accidentally" created a data processing setup that happens to be ideal for trafficking children is super amazingly implausible, and anyways is not a defence for the GDPR breaches as well as any damages that occur anywhere in the world. For, this setup makes the board members of these corporations not just liable to whoever's data they handled but also to anyone that is damaged by their child corporate welfare corporations having zero security measure implemented to avoid fraudulent emails representing their corporation.

"Limited Liability Companies Act" and "we didn't know about the GDPR" are not remotely plausible legal defences for corporate board members.

Therefore, we can be extremely confident this data processing setup was created and then shielded from scrutiny for the purposes of committing crimes (which there's specific evidence of more crimes than the criminally negligent data handling, but the above is another way to arrive at the same conclusion).

That it can be used to impersonate Finnish child welfare services and gain custody of and traffic children anywhere in the entire world is reason to disperse the notice as widely as possible (which if you live in a country, you can do; most countries have reporting channels, even anonymously, and just sending the notice could intercept a child being trafficked right now).

Such child abduction and trafficking crime can also be committed without even involving the corporations that created these vulnerabilities; any cyber criminal can discover these vulnerabilities and then exploit the with their criminal network.

Various documentaries have been made about similar practices taking place in the Netherlands, and political parties have tried to garner attention for it. Predictably, the political establishment isn't interested. I wonder why? — Tzeentch

In this case, that their email not even corresponding to their official domain and instead a 404 error page is red flag that anyone with anti-fraud training would discover pretty much immediately.

So we can be sure that government officials (police, prosecutors, judges, bureaucrats of various kinds) are involved in covering up this illegal operation, either because they are in on it or then manipulated by others who are in on it to ignore the red flags.

Doesn't need to be an intelligence operation though.

All I can say is that western intelligence agencies like the CIA, MI6 and Mossad have been linked at various points in time and on multiple occasions to global pedophile networks.

Too crazy to be true(?). — Tzeentch

Absolutely not too crazy to be true and we have abundant evidence this happens.

However, at the moment nothing requires involvement of intelligence agencies to explain. Just "regular crime" also happens of, for example, pedophiles making a child protection agency and then making money in organized crime and compromising public officials to shield their organizations from scrutiny; once enough public officials are compromised then other public officials that weren't involved in the original crime tend to conclude they need to help coverup the incredibly embarrassing truth in order to protect their own political future, so the coverup tends to sprawl out precisely due to it being uncovered if it has reached a critical mass.

Also, to address the point of why they have an email setup with zero security, both on their official website and this anonymously owned .com domain that they process emails on, but exploiting this vulnerability to send fraudulent email would take some computer skills, this is not a paradox of contradiction but easily compatible.

Corporate crime is almost always committed with layers of plausible deniability built in. Even if negligence is not a defence to allow criminal processes under your supervision, it's still better to be facing negligence charges than co-conspirator charges.

"Oh I'm just dumb, I didn't think" is still better to be able to say than facing clear and unequivocal participation in a criminal scheme.

So, in this case, if the key criminal role of the management of these corporations is to create the vulnerabilities in the first place and then those vulnerabilities can be exploited by criminals committing the criminal acts themselves that have some degree of criminal separation, then this maintains some plausible deniability that the vulnerabilities are created intentionally to participate in human trafficking.

What is meant by "degree of criminal separation" is that the criminals who then actually make fraudulent emails and actually go traffic the children are working for someone (who in turn maybe working for someone) up to a top boss that can then deal directly with criminal corporate managers in Finland. The "criminal laborours", for lack of a better term, would then not need to even know that the vulnerabilities were created intentionally for the criminal operation to function, but for all they know they are exploiting accidental vulnerabilities. Criminal management in Finland can then be compensated in off-shore accounts or with other money laundering methods.

Likewise, people who actually work for the child welfare corporation in Finland can be completely unaware that information they handle is being stolen for the purposes of human trafficking. For example, you can setup parallel devices that download all the information and you could even tell your employee about these parallel devices and that they stay in the office as a backup; indeed, you could explain that as precisely due to the sensitive nature of the processes this is a necessary security measure in case they lose their device.

As importantly as all that, Finland is a high technology sophistication country, so everyone who does anything remotely professional has degrees and certificates and so on. You need training and a certification to work as a waiter/tress in a restaurant.

Description of the training

You will graduate as a waiter/waitress from the Further Vocational Qualification in Restaurant Customer Service. During the training, you will learn to describe, recommend, sell and serve restaurant food and beverage products. You will be able to serve customers in a spontaneous, friendly and responsible way and to act in accordance with the company’s business idea and service culture.

You will also be able to explain to customers the ingredients and preparation methods of the food dishes sold. You will be able to serve customers with special dietary requirements and to process payment instruments. You will learn to make sales accounts and operate profitably, as well as to use various working methods, appliances and equipment. — Waiter/waitress training, Omnia.fi

So if you need training and certification to be waiter/tress at a restaurant, imagine how much training and certification software engineers have who build GDPR compliant systems for handling ID, medical and court information have. A lot.

In this sort of professionalized environment it creates a further problem of how to recruit a competent software engineer into your criminal conspiracy.

Your choices are:

1. Hire competent and non-criminal competency and try to carry out your criminal scheme behind their back. But this creates the enormous risk that the slightest thing that goes wrong, a single error message or someone making contact to report some odd thing on their network (such as a bounded email or information transfer or what have you), could result in an investigation and immediate uncovering up crime. If you higher some actual IT firm that dates responsibility for the data, they may do their jobs. Even if you circumvent their policies they may change policies at anytime in a way that reveals the previous circumvention.

Really this choice is a non-starter since if you have the skills to defeat highly trained forensic data experts that work for companies that actually manage ID, medical and legal information, then you have the skills to do things yourself.

2. Recruit a expert into your criminal conspiracy. Problem here is that easier said than done. Information experts don't necessarily need the extra cash, if they did they might not choose child trafficking as their extracurricular criminal activity of choice. Furthermore, even if you did find such an expert to setup and manage your network in a way that was not obviously in violation of the GDPR and participate in carrying out and covering up all the criminal activity, you'd be working for them as they would know everything, have backups of everything and possess all the leverage they could possibly want to rat you out. Such a person could extort you at anytime for any amount, so playing things out you may end up losing your cut and still be ratted out, so what's even the point of doing crime in that case? So, hard to find such a candidate and even if one did exist you may want to stay in charge of your criminal operation which requires staying in control of the data systems necessary to carry out the crimes in question, leading to the last and best option if you are not yourself an computer and information expert of some kind.

3. You improvise the data processing setup in such a way that allows your criminal partners to use out-of-country cyber criminals to carry out the crimes exploiting the security vulnerabilities, without even knowing this is by design. Cyber criminals are of course available for higher globally; the issue above is finding someone actually qualified in Finland for data GDPR compliance that you will trust with a birds-eye view of the whole scheme. With very little IT skills you can setup an official website with Wordpress (what this "corporate group" we are discussing actually does) and have zero email security opening the door to be fraudulently misrepresented by your criminal partners elsewhere (also what they actually do). Likewise, with very little IT skills you can setup email on another domain that is registered outside the EU (and so far less compliance checklists to go through as just an "private person"), in this case to an anonymous individual in the US, and so simply bring all the data outside the EU and GDPR scrutiny of even the service provider (and entirely outside the supervision of any competent IT company, which is not even involved at all). Suspicious logs maybe subtle, such as downloading information to suspicious devices and making the occasional odd contact to legitimate conversation (a fraudulent conversation could be a mix of actual emails that don't contain crime and fraudulent emails to pass the criminal information).

This irregular and non-compliant setup will still be noticed by police, prosecutors and judges in charge of the legal cases of these child protection process, but they can be compromised in various ways (from bribes to extortion).

Unlike hiring some highly skilled IT person that would have all the information, have the skills to launder their cut and disappear if needs be, but most importantly be the single most valuable person to any actual police investigation, having backups of all the data and communications etc. (possibly also recordings and other things competent IT people can easily do), compromised officials are far more easy to control, can have very little knowledge of what the scheme even is (just that if they don't do what they're told they won't get their money ... as well as arrested or even murdered, capiche), and would have little to no leverage if ever there's a legitimate investigation, so you can be more confident they really do work for you and not the other way around.

In fact, my guess would be this kind of criminal enterprise starts in the public sector by high-up pedophile officials, such as your typical Finnish appellate judge, who then slowly grow their criminal conspiracy over the years, maybe starting small with just covering up child rape crimes purchased on the "normal" blackmarket, creating a clique of officials that carry out and then coverup rape crimes against children while also then creating relationships and links with organized crime; at some point it is realized a lot more money could be made by everyone and a lot more children could be raped by those involved if the government say ... I don't know, ... just spit balling here ... contracted out child protection tasks to a private corporation that can operate without scrutiny (normally social workers in Finland work directly for the government so therefore use information systems managed by and overseen by the government IT people with all sorts of robust systems and scrutiny in place).

It would be difficult to conceive of and execute on this plan purely from the private sector (we're going to setup this company and this non-compliant GDPR system to do crime, then get government contracts and simply assume anyone who needs to be compromised can be compromised at any given time), but would be easy to conceive up and execute on from the point of view of public officials that have both a birds-eye-view and means of compromising the processes involved and are already involved in this kind of crime and now want to streamline things. This transfer of government money to a private corporation dealing in highly sensitive processes with essentially zero public supervision of what they are doing, also enables your more ordinary embezzling and laundering of government funds.

Furthermore, often red flag reports go to some choke point, so only that point needs to be compromised to reassure everyone below them that "nothing to see here" for the scheme to go unnoticed (so even if lots of people may notice a red flag that doesn't mean they all must be compromised). If you are unfamiliar with how the internet works and how the GDPR works and just find it odd that this company uses an email that has no corresponding website, and is not their official website, if some judge, or police chief or data controller told you that they know already, not to worry about it, most people wouldn't think further about it as it's "not my problem anymore". In fact, most people when encountering an irregularity outside their domain of expertise can be just confidently told the irregularity is in fact a good thing and required for greater security of these highly sensitive processes. So, police or other government employed child welfare officers involved could be just told things are done this way for "added security"; they'd have little way to know that makes no sense and their usual habit would be to not discuss their cases so it would be unlikely to randomly come up in conversation with people who would find that problematic (so from their perspective they carried out their anti-fraud training, reported out an email discrepancy as is their training, their job is done on that).

To take targets of the scheme in foreign countries, for example, in getting an email error message of some kind (say you write back to a fraudulent email and it bounces) you could be phoned up and told any number of things that will in fact increase your confidence this error message represents more rather than less security: for example that precisely because it's highly sensitive child information that this easily triggers all sorts of security systems that then make these sorts of error messages so that we can be sure everything is working as intended, or then simply the system is down precisely because the information is so sensitive and everything is regularly audited! Which is an essentially unsolvable problem in security that all anti-fraud warnings can themselves be transformed by fraudsters into an advantage when dealing with untrained people (a la "we're special, this whole process is special, therefore special things happen in these special processes and you can trust our special knowledge to guide you through this special day, and then once you know what we know you'll be special too").

As to the question of why government criminal conspiracies and networks so often involve pedophilia, I would not attribute most of that to the machinations of intelligence operations, though of course that happens too, but crime is anyways happening all the time and intelligence agencies are involved in very little of it overall.

The reason pedophilia and government corruption (or large institution corruption such as the Catholic Church) is so associated I would argue is not simply confirmation bias that such scandals get the most attention, but that such conspiracies are the most stable and so survive the longest with the most advantages both against legitimate law enforcement as well as other criminal conspiracies wanting to dominate the same processes but for different criminal reasons.

For, the major weakness of a criminal conspiracy over time is its internal coherence. For example, even if the criminal conspiracy under consideration is well run with no leaks or weaknesses, for example just embezzling government money in a super sophisticated way or then compromising border security to run drugs and these sorts of crimes, the criminal involved may anyways get caught doing other crime, then they find themselves faced with doing time and have the option of using their leverage of their knowledge of this other organized crime they are involved in. Criminals are not necessarily the most stable and law-abiding of people and so often it's this extracurricular crime that gets criminals in trouble and motivates them to rat on their criminal colleagues.

So there are these accidental weaknesses in most criminal schemes which there is not really any good way to prevent.

The exception to this rule is pedophilia. It's very unlikely for someone to confess to being involved in pedophilia and child rape in order to avoid prosecution of other offences.

So accidental discovery of a pedophile network is unlikely due to chance encounters with law enforcement about other fucked up shit the members of the conspiracy do in their spare time.

Then there's intra-conspiracy extortion. Another pathway to breaking up a criminal conspiracy is when members of the conspiracy start extorting each other. The means of extortion in a criminal scheme is simply threatening doing the above and going and cutting a deal with law enforcement. Even if this doesn't happen, this lowers the trust and mutual respect required for team work to happen effectively, so even if the ratting out doesn't happen the conspiracy will likely cease to function effectively (members may start destroying evidence and making sure not to create new evidence so they are squeaky clean).

For the same reason someone is unlikely to confess to pedophilia and raping children to plead down other offences, they are also unlikely to threaten to do so.

In other words, pedophilia and child rape are crimes that form the long term basis for trust based cooperation.

Through a process analogous to evolution and natural selection it is therefore pedophilia based conspiracies that have an advantage for long term survival. The potential effectiveness of any cooperative venture is directly proportional to mutual trust. Take a military unit where people trust each other implicitly and absolutely compared to a military unit where everyone suspects everyone else of being either dangerously incompetent or even enemy spies; the former organization can attain high levels of effectiveness while the latter not so much.

So, over the decades, if a pedophilia and child rape ring within government survives it will become more, rather than less, robust and stable over time. The pedophilia and child rape ring will be acutely aware of who threatens them and they can use their existing positions, power and connections with organized crime outside government to remove or otherwise neuter those threats. They cannot only use their network to rape children, but make lot's of money in selling that service to others but also just any criminal scheme that the are in a position to execute on, such as simply embezzling government money, taking bribes, protecting the drug trade and taking a cut, and so on.

Since they can have high confidence the other pedophiles in their network are exceedingly unlikely to confess to child rape, they can work in a highly organized, methodological and long term fashion.

Criminal conspiracies that do not solve the classic prisoner dilemma and variations or intra-conspiracy extortion dilemma (which is just a threatening the prisoner dilemma to maximize gain within the conspiracy) described above, will be unstable and ephemeral. The other long term basis for criminal conspiracy, as Vin Diesel in Fast and the Furious informs us, is "family", but this criminal foundation has the weakness of everyone involved being obviously linked whereas pedophilia does not have this weakness. An entire government process could be completely filled with pedophiles and it would not be obvious that there is a connection between anyone, much less everyone, arousing natural suspicion, compared to a situation in which everyone involved, from police and prosecutors to judges and witnesses etc., are apart of the same family, which would seem curious to most people; so pedophile networks even have an advantage over family based criminal networks.

If you have a long term advantage, over time you will likely dominate the space concerned. Of course that doesn't mean any given pedophile that launches into crime has an advantage, just the smart ones that manage to build a cooperative network and get over the first hurdles in doing so.

— Limited Liability Companies Act


The last thing you want to do as a corporate manager is be involved in breaking the law, as that's always by definition intentional or negligent violation of your duty of care. — boethius

Do you really think that this applies international? Have you any idea how many countries have massive companies without a single member on the board of directors. And that does not include a bunch of oversees companies that operate internationally and are not liable to nor answer to anyone.

As for the rest of what you wrote, it still does not answer the question!

Do you really think that this applies international? — Sir2u

Let's just start with the EU as qualifying as "international".

Can you name one EU limited liability corporation that does not have a board of directors?

Have you any idea how many countries have massive companies without a single member on the board of directors. — Sir2u

Please inform me. Can you start by naming just one massive limited liability corporation that has no board of directors?

And that does not include a bunch of oversees companies that operate internationally and are not liable to nor answer to anyone. — Sir2u

Again can you name one oversees company of whatever form (limited liability, partnership, single proprietor) that are "not liable to nor answer to anyone"?

But we're talking about Finland, so after answering these questions please clarify how it relates to Finland.

Are you saying companies in Finland are not liable to anyone in Finland?

As for the rest of what you wrote, it still does not answer the question! — Sir2u

I did answer your question.

Compromising someone's data, violating the law that is the GDPR and a bunch of other laws, is by definition harmful and causes suffering (one must worry how one's data maybe abused).

If you disagree, just DM me your ID, medical history, anything else you consider legally private information, thus making the point that you don't feel others having a copy of your sensitive information is in anyway harmful.

Other forms of harm have also occurred but I can't so easily disclose specific details of individual cases at this time, hence to focus on the legal violations that can be demonstrated using only publicly available information.

Since the information setup can be used to steal information and create fraudulent child transfer processes anywhere in the world, the only way to discover fraud in other countries, especially poorer countries with less robust systems, is that a victim of the fraud encounters this notice.

There is no possible downside to spreading the information, in particular to authorities in different countries who can check if they are possibly a victim of a scheme involving the fraudulent representation of these companies we are talking about.

To save time for anyone interested in how things actually work.

All companies of all forms are liable. The type of company determines who is liable. A single proprietor and partnerships usually have unlimited liability for the owner(s) / manager(s).

Why limited liability (.ltd) corporations are so common is because, as the name suggests, liability is limited. What this means is that the managers of a limited liability company, even less the shareholders, are not personally liable for the decisions they make on behalf of the company (such as in day-to-day management typically by the managing-director, in board meetings by board directors, and in shareholder meetings by shareholders).

The basic meaning of this is that a limited liability company can go bankrupt and no one involved is personally on the hook to pay the outstanding debts.

There is, however, a critical caveat to be off the hook for debts or other damages the company has caused others, which is exercising "due care". Due care is basically a catch all for not being criminal or a complete moron basically.

As you may imagine, if you've been embezzling money out of the corporation you can be held personally responsible for that, likewise if you cause damages due to negligence you can be held responsible for that.

Where the liability is limited is for bad outcomes of business decisions that were legal and did make some sense at the time, such as taking out debts to launch a product and that product just doesn't sell leading to bankruptcy.

Since we're talking about Finland, this manifests in the law as the first and only duty of management:

PART I: GENERAL PRINCIPLES, INCORPORATION AND SHARES
Chapter 1: Main principles of company operations and application of this Act
Section 8: Duty of the management

The management of the company shall act with due care and promote the interests of the
company. — Limited Liability Companies Act

As for the idea corporations don't need a board of directors at all, we'll soon see if there's even one country in the world where this is true, but in Finland it is definitely not true:

Chapter 6: Management and representation of a company
Section 1: Management of a company

A company shall have a board of directors. It may also have a managing director and a
supervisory board. — Limited Liability Companies Act

Section 8 Members: deputy members and chairperson of the board of directors

There shall be between one and five regular members of the board of directors, unless otherwise provided in the articles of association. If there are fewer than three members, there shall be at least one deputy member of the board of directors. The provisions of this Act on a member also apply to a deputy member. — Limited Liability Companies Act

How this all applies to the subject of the OP, is that the companies concerned definitely have a board of directors and by not implementing the GDPR those board members make themselves personally liable to be sued by any victims of the data breach for their negligence as well as being fined by the state; fines up to 10 - 20 million Euros, but even a 1 million Euro fine would be a lot of money for the typical professional on a corporate board.

To make and operate a limited liability company you typically need lawyers to do a lot of things, board members typically concern themselves with how much money they could be liable for if the company is run negligently (as well as breaking what laws could land them in prison), and then typically seek advice, typically starting with lawyers, to be confident that won't happen. For, nothing obliges anyone to sit on the board of a corporation, so if you thought it was all reckless improvisation you can just resign and your legal problems are solved if you haven't caused any damages yet.

The rational reason to join the board of a corporation dealing with sensitive information and not have the slightest concern that even step 1 of information security has been carried out, that no information expert of any kind has been involved in designing and implementing information systems and their supervision, would be to commit crimes with this non-compliant information system.

The other explanation available would be being irrational and taking on massive liabilities without knowing the first thing of how a corporation should be managed, not seeking to know from anyone who does know, and just flying by the seat of your pants in taking responsibility for processes as sensitive and critical and prone to litigation as child welfare and protection processes.

There is no legitimate and rational business process that would lead a corporate board to implement information systems for sensitive information in a way that clearly and obviously violates the law in literally step 1 of their implementation (non-transparent ownership and ownership by an individual of the domain used to process children's information, and zero email security on the domain that is officially owned allowing impersonation) and compromises people's private information and put children's lives in danger of these information vulnerabilities being exploitable to impersonate Finnish child welfare and protection to fraudulently gain custody of children anywhere in the world.

You might say that "well, me and my friends would definitely be that reckless and stupid if we ran a corporation" but that begs the question of are you and your friends running a corporation right now, not to mention a corporation that houses vulnerable children?

More relevantly to the matter at hand, even if someone was genuinely unconcerned with liability of any kind and would go through similar events with zero sense of possibly being held accountable for one's actions, that is not a good defence for others breaking the law in such situations.

Standing up in court and saying "Well, Jimbo over there doesn't give a shit about the law, would break exactly the same laws I did without a second thought, he's just that much of a fucking madlad, and never in a million years would it even cross his mind that the law even exists, much less could even potentially lead to some sort of accountability for the consequences of his own actions; therefore, gentlemen, ladies, as Jimbo has no sense of responsibility and genuinely feels he could never be held accountable for his actions in a similar situation, no matter how reckless and damaging they are, I too should not be held accountable. I rest my case." I guess has some sort of logic to it, could persuade some people (definitely some members of our little philosophic community), but mileage may vary.

Let's just start with the EU as qualifying as "international". — boethius

The world is a lot bigger than that, the EU is a small part of it.

Can you start by naming just one massive limited liability corporation that has no board of directors? — boethius

Maybe not an EU corporation but as you said, this is supposedly, according to your reference of the US and children being taken into Finland from somewhere else. affecting the whole world.

The world's largest privately owned company, Cargill, does not have a board of directors in the traditional sense. While Cargill is a massive, privately held company with global operations, its ownership structure does not include a board of directors. Instead, the company is owned by the Cargill and MacMillan families. The families' control is exerted through a combination of direct ownership and other governance structures, rather than a formal board.

Private Ownership:
Cargill is a privately held company, meaning it is not publicly traded on a stock exchange. This means the owners (the Cargill and MacMillan families) have more direct control over the company's operations.
No Formal Board:
Unlike publicly traded companies, private companies are not legally required to have a board of directors. Cargill, despite its vast size and global reach, has opted not to have a formal board of directors.
Family Control:
The Cargill and MacMillan families maintain their control over the company through various means, such as direct ownership stakes and other governance mechanisms that are not publicly disclosed.

Again can you name one oversees company of whatever form (limited liability, partnership, single proprietor) that are "not liable to nor answer to anyone"? — boethius

Maybe you could look into the Vatican, they rarely answer to anyone.

Compromising someone's data, violating the law that is the GDPR and a bunch of other laws, is by definition harmful and causes suffering (one must worry how one's data maybe abused). — boethius

Wow, bit of a comedown from:

This domain registration allows for moving the child data (ID, medical history, personal history, photos including child pornography that maybe part of child abuse cases) to the US, so outside of stricter scrutiny by data providers of EU citizen data (scrutiny that may catch crime), but individuals have more privacy rights than corporations anyways and so this is further avoidance of GDPR scrutiny.

The crimes that can be committed with this setup against children are numerous. The theft of child information allows for crimes against those children of targeted grooming, abduction (and then passing various checks at borders), selling explicit images that maybe apart of court cases, and various forms of fraud against the children information theft allows.

So you can talk to one "representative" of a child welfare company in Finland, validated by official email from the official domain, and then talk to another "representative" of another child welfare organization that will physically "home the child", again validated by official email from the official domain.

This whole thing is tailor made to traffic children and traffic in child information. — boethius

So I ask again, is there any evidence of any of these crimes being commited through the methods you are explaining.

To save time for anyone interested — boethius

Nope, all I want to know is, does any evidence exist that what you have spent so much time writing about is actually doing any harm so that I can ask my next question.

The world is a lot bigger than that, the EU is a small part of it. — Sir2u

Ok, well keep looking in the rest of the the big ol' world for a place where limited liability corporations don't have a board of directors.

Maybe not an EU corporation but as you said, this is supposedly, according to your reference of the US and children being taken into Finland from somewhere else. affecting the whole world. — Sir2u

Yeah I guess keep looking outside the EU if there's even one example of your claim.

Maybe you could look into the Vatican, they rarely answer to anyone. — Sir2u

The Vatican is not a limited liability corporation.

Wow, bit of a comedown from: — Sir2u

There's no comedown. Compromising people's data is itself harmful. If you disagree send me your ID, medical information, anything other data you'd consider private.

This harmful act of compromising child data in combination with zero security implemented allowing anyone to misrepresent these corporations anywhere in the world, even more harmful things can be done.

Since anyone could misrepresent this fraudulent corporation anywhere in the world, the only way to find that maybe to diffuse notice of this information vulnerability.

So I ask again, is there any evidence of any of these crimes being commited through the methods you are explaining. — Sir2u

There's evidence of other crimes involving (beyond the reckless GDPR breaches) these corporations are involved in Finland, as I've mentioned several times. It's not public information yet.

Now, as I've stated many times, the only way to see if this insecure system has been used for abductions elsewhere in the world is through getting the notice out.

Some bodies have been responsive to my notice and are investigating right now, which would usually indicate they found something preliminary, but I don't have more details and it is extremely normal that I would not be kept appraised of any investigation details (as I'm a private person).

All I can do (vis-a-vis child abductions and trafficking in other countries) is create a notice that a child welfare corporation (actually 2 of them) can easily be impersonated in a data setup ideal for child trafficking, and describe what this vulnerability allows.

I've been pretty clear with this message: DATA breaches are themselves harmful, there's other evidence of wrongdoing in Finland that is private information currently, and this completely unsecured and non-compliant setup can be used for a long list of crimes.

I have no issue providing a lot of analysis of these basic points because it's possible such analysis encourages someone to send the notice themselves in their own country, leading to records being checked and potentially child trafficking being frustrated.

For example, it may matter to someone that incompetence is really not a good explanation for why a non-compliant system would be setup in the first place, by an entire corporate group of child welfare corporations. If you're not familiar with how corporations work, what the laws are, how liability works, if limited liability corporations even have any management, etc. then it maybe difficult to evaluate.

To save you, perhaps others, a bit of time, you're confusing liability with actually being held accountable.

Liability is simply the potential to be held accountable and where. So discussions of liability are about what you could possibly be sued, fined or imprisoned for, and where exactly that can occur.

So where you will find no-liability is with sovereign immunity and its various extensions. For example that Trump cannot be sued for "official acts", or congress and parliament members can't be sued for the laws they pass, ambassadors running people over, are all manifestations of sovereign immunity.

But even so, there's then a confusing international legal system where people and states can nevertheless be held liable for acts they had sovereign immunity for within their own territory.

Who always has liability are regular people for what they do as well as regular corporations and their management, aka. board members (maybe somewhere there's special "sovereign" corporations that are not liable).

Now, even after the question of liability is perfectly clear, that doesn't mean accountability exists in practice.

As you note, corporations get away with a lot of shit all the time; however, the explanation for that is corruption of regulators and the legal system that's supposed to hold them to account, and not that they have no liability to begin with.

And even so, with corporations there's often some sort of process, a lawsuit does get heard after many years of legal wrangling but they manage to win by some subterfuge, or then they get some tiny inconsequential fine that's categorized as "the cost of doing business".

Someone who'e not liable at all for an action means there is no legal process of any kind that ever even begins. For example, in a liberal democracy you simply cannot sue parliamentarians for voting in a way you disagree with; members of parliament have zero liability for their votes on legislation.

Liability is simply the potential to be held accountable and where. So discussions of liability are about what you could possibly be sued, fined or imprisoned for, and where exactly that can occur. — boethius

And how many perfectly legal companies are involved in child trafficking? Or, are there illegal groups acting as legal companies to commit crimes?

And how many perfectly legal companies are involved in child trafficking? — Sir2u

Yes, child trafficking is illegal.

Or, are there illegal groups acting as legal companies to commit crimes? — Sir2u

In this case the companies described in the OP are breaking the law, violating the GDPR, having zero email security on their official domain and then sending all their information to an anonymously owned parallel domain in the US.

So, they are legal structures, the companies themselves, but the companies and at least some people involved are doing illegal things. In the same way that you are legally a person, perhaps even a legal citizen of a country, but can go onto commit crimes nevertheless.

If you're in the US, the laws being violated are equivalent to HIPAA.

It would not be too strange to find an individual practitioner who doesn't know what they are doing, doesn't realize their alternative magnet based therapy falls under HIPAA if they request people's medical info to optimize the magnetic chakra pulses (i.e. just because you are practicing alternative medicine does not mean you can practice alternative laws), but if you found a whole group of corporations employing trained experts that weren't HIPAA compliant in super obvious ways, that's simply not credible to entertain as a incompetent accident. So I have no hesitation to make the accusation that the reason this corporate group setup their informations systems in a non-compliant way ideal for trafficking children, is because they are trafficking children.

Now, there is an investigation by one data controller involved, so we will presumably know more at some point.

Just to update on this issue.

One of the data controllers actually doing their obligations under the GDPR is the Finnish Ministry for Social Affairs and Health, as they ultimately "own" government health and welfare data that would be sent to the data breach (i.e. into the possession of anonymous individuals in the US).

The ministry notified the Data Ombudsman within 72 hours as the law demands and continue their own "process", which hopefully is also what the law demands (further investigation into the breach by the data controller once notified, and then notifying victims of the data breach if there is risk to harm to their rights and freedoms). Which is what makes the GDPR such a potent law that it obliges reacting to risk and not proof of harm.

Under the GDPR, I can't leak your ID either intentionally or due to some security vulnerability and then sit back and claim no one's proven any harm has actually been done yet, and even if that is proven then no one's proven it was due to this particular data breach, and not some other breach or simple carelessness on the victims part.

The judges not reacting to such an obvious data breach that so obviously puts children's lives in danger (just allowing the child welfare corporations to be spoofed due to zero email security is incredibly dangerous), was already obvious corruption and judge participation in organized crime and child trafficking, but now it's even more obvious due to other government organs reacting the data breach.

Which pretty clearly establishes the corruption of the judges.

Well, its a good thing you’ve brought this to this forum. Once its in the hands of an obscure philosophy forum there is no end to the help such a highly influential internet place will provide.

Well, its a good thing you’ve brought this to this forum. Once its in the hands of an obscure philosophy forum there is no end to the help such a highly influential internet place will provide. — DingoJones

This is public information, anyone can report it in any police reporting or child trafficking reporting system of their country; can usually be done easily and also anonymously. If this scheme perfect for trafficking children has been used to traffic children that may only be find-out-able by spreading the notice as far as possible until someone gets the notice and happens to be like "ah yeah I remember these guys and this Finnish company moving children around".

And if more then one notice of the same thing arrives, that just usually encourages more thorough checking of records and asking around, so there's no disadvantage.

We also don't really know all the personal details of even the members of the forum, much less any lurkers out there, maybe there are readers in law enforcement (that isn't corrupt) or anti-trafficking networks that can take more specific actions.

My basic philosophical view here, which seems disturbingly necessary to elaborate, is that we have a universal duty to protect children. We must do our best to protect children wherever and whoever they are. Most of the time we can't do much about the situation of children far away (except engage in very long and cumbersome institutional processes starting with voting and local political engagement).

However, in this case, the fact that a whole group of Finnish child welfare corporations have optimized their data processing to both steal information and allow for traceless impersonation of their corporate identity, is a situation in which simply spreading that information can help protect children far away.

For those who believe in a duty to protect children, it is very little time to make a report in whatever country you are in, and that may result in someone checking and finding something. It also can not possibly be a false alarm as this incarnation of a scheme is useful to anyone needing to deal with anti-fraud related to child trafficking to know about and so the justification for and execution steps for more thorough checking.

I reported this immediately to all the authorities here in Finland over 2 weeks ago, and there's now a Health Ministry investigation into these data breaches, but what has not happened is anyone phone me to explain how this is not as alarming as it seems to be; if they did I would repeat such reassurances here.

causes suffering in itself — boethius

What suffering?

Given your bend-over-backwards defense of Russia, it's hard to take your child welfare concerns seriously.
https://www.theguardian.com/world/2025/jun/27/russia-ukrainian-children-abduction-war-crime

What suffering? — AmadeusD

Invasion of privacy in itself causes suffering under Western jurisprudence and I would also argue just as a fact regardless of what our legal system says about it.

Which is why invasion of privacy is a crime. Of course, the suffering is once the victim knows about it.

↪boethius Given your bend-over-backwards defense of Russia, it's hard to take your child welfare concerns seriously. — RogueAI

My pointing out that Ukraine cannot win, in any practical analysis, a one-on-one war with Russia is not "bending over backwards" to defend Russia.

Therefore Ukraine should use it's leverage of being able to continue fighting and impose a cost on Russia, even if the cost to itself is greater, to seek a diplomatic resolution, and so formulate a realistic diplomatic position.

Had such analysis (that I provided in the first weeks of the war, and many others before the war) been heeded, Ukraine would very likely be in a far better condition than it is now, far more children would still have their fathers and not be vulnerable to trafficking in Ukraine or Russia (organized crime is definitely a problem in Russia as it is in Ukraine), and also those fathers and other civilians would not themselves be dead or seriously wounded, in addition to the generalized trauma.

My advocacy of some rational plan for Ukraine is not "bending over backwards to defend Russia".

Furthermore, I made it super clear that my criticism was not even so much directed at Ukraine (though definitely Zelensky is an idiot, he is not the only Ukrainian "decider"), but at the Western policy.

My problem with the Western policy was that it was flooding in cash to Ukraine (with zero supervision) which is a de facto bribe to the Ukrainian elite to do what the West wants, while drip feeding weapons to Ukraine precisely to ensure it could not even hope to win, to pursue a policy made explicitly clear that the goal was to "fight the Russians to the last Ukrainian"; or as the Rand paper, discussed at length, put it to "calibrate" a conflict with Russia to impose costs on Russia for it's anti-US activities while not risking escalation into a direct or nuclear conflict that would be harmful also to the US.

I proposed two alternative policies:

1. Instead of sending money and drip feeding weapons systems on condition of not negotiating with Russia, using Western military and economic leverage to back Ukraine in negotiating the best deal possible for Ukraine.

2. If the UN charter and "rules based system" is really the categorical imperative and Ukrainian rights need to upheld whatever the cost, then what follows from that logic is sending troops into Ukraine to stand by our Ukrainian pseudo ally; as that's what friends do, the stand by each other.

I even explained at some length how option 2, of a direct confrontation, would be less risky in terms of nuclear escalation than the drip feed option; of course has to be managed with care and a reasonable offer on the table at all times to make clear the use of force is to motivate a swift diplomatic option.

The reason these options were never considered by the West, and plenty of Western politicians and analysts and talking heads happy and exuberant to explain why, is that it would have resulted in good things for Russia too. All roads that limit, or avoid entirely, multiple years of war would inevitably result in the new "security architecture" that Russia was asking for, and that was a no-no for Western policy.

However, the only pathway to damage Russia rather than seek a resolution inevitably results also into far more damage to Ukraine. Western leaders were super clear at each step that this is what they wanted.

Remember the logic of "this is between Russia and Ukraine, the West can't negotiate with Russia about it" packaged as a weird "we respect Ukraine so much that we won't help find a peace settlement, certainly won't use any of our economic leverage to help Ukraine out in such a process"?

Well what's the US doing right now with Russia?

Zelensky in Alaska?

Invasion of privacy in itself causes suffering under Western jurisprudence and I would also argue just as a fact regardless of what our legal system says about it.

Which is why invasion of privacy is a crime. Of course, the suffering is once the victim knows about it. — boethius

I've asked what suffering. You've not answered.

You receive information from my personal email account (clandestine, we assume). What have I suffered ? I shall short-cut this.

I haven't. Something more is required. Most Western Law even requires harm or damage to be established before a conviction or punishment will be metered out.

I haven't — AmadeusD

Ok, then send me your ID and complete medical information if it's nothing to you that I have it.

Just DM me all that, as well as any other information on hand you consider personal, and we can continue from there whether the same would cause suffering to other people.

You could answer the question, please good sir, instead of prevaricating.

In the scenario i just gave you, what have i suffered, without something more? It's nothing, isn't it?

It's nothing, isn't it? — AmadeusD

If it's nothing, then there should be no hesitation to demonstrate it's nothing.

For example, it's nothing to me to write the word "fabricateous", and I can demonstrate it is nothing to me right now by doing so:

fabricateous

So there you have it, my position matched by my deeds.

If it's nothing to you to send me all your personal data, then do so to demonstrate it is indeed nothing to you.

In the scenario I gave you, what suffering have I endured?

↪boethius In the scenario I gave you, what suffering have I endured? — AmadeusD

I'm not you. You say it's nothing to you that I have all your personal information.

Do it then.

That would demonstrate your point, which may indeed be true for you, that you really don't mind.

If you don't demonstrate it though, match your words with your actions, then you're lying to me, and it's important to make that clear.