Ray Walsh

August 31, 2017

After bad news in both Russia and China concerning Virtual Private Networks (VPNs), it perhaps doesn’t come as any surprise that yet another nation is seeking to control the use of the privacy-enabling technology. Worryingly, however, on this occasion it is the European nation of Sweden that, according to a government whistleblower, is seeking to increase surveillance and crack down on the use of VPNs.

Many had thought it was unlikely that Western nations would follow in Russia’s footsteps by cracking down on VPNs. Now a leak by the Swedish ISP Bahnhof allegedly reveals that the Swedish government has taken inspiration from more authoritarian states.

A Growing Trend

Not long ago, the West was considered a bastion of human rights. People were innocent until proven guilty and privacy was a fundamental human right. In the digital age, however, those hard-won rights are being quickly eroded away, with mandatory data retention laws and anti-encryption sensibilities putting citizens at the mercy of overreaching governments (and businesses at risk from cybercrime).

In Sweden, the government introduced mandatory data retention laws back in 2010. Since then, the European Court of Justice (ECJ) has found blanket data retention to be unlawful (in its December 2016 Tele2 Sverige ruling), because it encroached on “the fundamental right to respect for private life and the fundamental right to the protection of personal data.”

That didn’t stop Sweden, however. It continued its data retention program despite its incompatibility with human rights. Now, growing political pressure within the nation – due to a perceived rise in criminality that is blamed on immigrants – is pushing the country into an ever more totalitarian state.

Why Mandatory Data Retention?

What citizens do online permits government authorities to easily profile them and put them into little boxes. In addition, who they communicate with – and what about – allows governments to understand their social circles and gauge whether they might become persons of interest.

Forcing Internet Service Providers (ISPs) to keep those web browsing histories and metadata on file allows governments to put people under surveillance even before they are suspected of a crime.

The ECJ rightly found this to be unlawful. In fact, the ECJ was clear in its judgment that this type of surveillance should not only stop but that it should never have been carried out in the first place. Despite the clearly specified obligations laid out by the EU, Sweden continued to enforce mandatory data retention, with ISPs required to hold the data for six months. The same is true of other countries, including the UK, which also passed a mandatory data retention law.

A Growing Problem

Now, leaked proposals that have made their way into the hands of the ISP Bahnhof reveal that the Swedish government has plans to double down on that invasive policy. According to the leak, which came from an anonymous whistleblower within the Swedish government, the government wants to extend the six month holding period to ten months.

VPNs in the Crosshairs

According to the contents of the leak, the Swedish government would require Swedish VPNs to log VPN use. Martin Müller from the Swedish VPN firm PrivateVPN was quick to point out that, for now, these are just rumors. In addition, Müller told me that it would take years to enforce such a policy.

Talking about a worst case scenario, Müller told me that if the government did ever act on these threats, it’s possible that PrivateVPN would be forced to leave Sweden. This would be a shame for Sweden’s tech economy. Another possibility is that customers would be forced to use a NAT firewall (network address translation, under which many customers share a single public IP address, so a logged address no longer identifies one household). As for any suggestion that Sweden might also ban NAT, Müller informed me that,

“It’s impossible to ban NAT, as all bigger ISPs like Telia have NAT.”

PrivateVPN also told me that there had been several cases in which the police had asked it for logs. However, due to the fact that the firm has a zero logs policy, it had nothing to hand over to the authorities.

ISP IP Address Logging

Another possibility is that the logging of VPN use could be enforced at the ISP level. ISPs can use Deep Packet Inspection (DPI) to ascertain whether a VPN is being used from a particular IP address: the handshake and packet framing of protocols such as OpenVPN, WireGuard and IPsec are recognizable without decrypting anything. The ISP can then flag that household to the government as a VPN user.

The content of the VPN user’s traffic would still be protected, because the ISP and the government would not be able to tell what the IP address had done online (the tunnel itself is encrypted). What DPI does reveal is the fact, timing and volume of VPN use, which is enough to flag the address as one of interest. In reality, however, DPI is costly at national scale, so using it en masse to analyze everyone’s traffic is highly improbable.

Another prospect is to use lists of IP addresses known to belong to VPNs in order to watch Swedish internet users. If a Swedish IP address connects to an IP address that is known to belong to a VPN, the ISP can inform the Swedish government about VPN use. This method is much less costly and is essentially how Netflix and other online services tell that VPNs are being used. It is also blunt: it misses a VPN run on a server that is not on the list, and it flags any contact with a listed address, including simply visiting a VPN provider’s website.
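To make the two detection methods concrete, here is an added example of the detection logic an ISP could run over flow records. It is not code from the article, from Bahnhof or from PrivateVPN; the VPN address ranges, default ports, sample flows and first-packet bytes are all constructed for illustration (the address ranges are documentation ranges, not any real provider’s). It shows both the list-based check and a DPI-style first-packet fingerprint, and neither needs to decrypt the tunnel.

```python
"""Added example (not from the article or any named provider): how an ISP could
flag VPN use from flow records, using the two techniques described above.

  1. Destination matching against a list of known VPN endpoint ranges.
  2. DPI-style fingerprinting of the first packet of a UDP flow.

Neither technique decrypts anything: both reveal that a VPN is in use, not
what is done inside the tunnel. All addresses, ranges and flows below are
constructed sample data (documentation ranges), not a real provider list.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical "known VPN" prefixes, standing in for a commercial IP reputation list.
KNOWN_VPN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.64/27")]

# Well-known default ports; a heuristic only, since a server can listen anywhere.
DEFAULT_VPN_PORTS = {
    ("udp", 1194): "openvpn-default-port",
    ("udp", 51820): "wireguard-default-port",
    ("udp", 500): "ike-default-port",
    ("udp", 4500): "ipsec-nat-t-default-port",
}


@dataclass(frozen=True)
class Flow:
    src: str              # customer (household) address
    dst: str              # remote address
    proto: str            # "udp" or "tcp"
    dport: int
    first_payload: bytes  # first transport payload of the flow, as a DPI box sees it


def match_known_vpn(dst: str):
    """Technique 1: is the destination inside a listed VPN range?"""
    addr = ipaddress.ip_address(dst)
    for net in KNOWN_VPN_PREFIXES:
        if addr in net:
            return f"known-vpn-range:{net}"
    return None


def fingerprint_payload(proto: str, payload: bytes):
    """Technique 2: recognise a VPN handshake from its unencrypted framing.

    WireGuard handshake initiation: message type 1 plus three reserved zero
    bytes, always 148 bytes long. OpenVPN: first byte is opcode << 3 | key_id,
    and a client starts with P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7).
    The OpenVPN check is deliberately loose: any UDP payload of 14+ bytes whose
    first byte is 0x38..0x3f matches, so a real engine would track more of the
    exchange before flagging.
    """
    if proto != "udp" or not payload:
        return None
    if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake-initiation"
    if len(payload) >= 14 and (payload[0] >> 3) == 7:
        return "openvpn-hard-reset-client"
    return None


def classify(flows):
    """Return {customer address: [reasons]} for every flow that looks like VPN use."""
    findings = {}
    for f in flows:
        reasons = [r for r in (
            match_known_vpn(f.dst),
            DEFAULT_VPN_PORTS.get((f.proto, f.dport)),
            fingerprint_payload(f.proto, f.first_payload),
        ) if r]
        if reasons:
            findings.setdefault(f.src, []).extend(reasons)
    return findings


# Constructed first packets (shapes only, not captured traffic).
OPENVPN_RESET = bytes([0x38]) + bytes(8) + bytes([0]) + bytes(4)  # opcode 7/key_id 0, session id, empty ack array, packet id
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)                         # 148-byte handshake initiation shape
TLS_HELLO = b"\x16\x03\x01\x00\x05" + bytes(5)                     # TLS record header: ordinary HTTPS
DNS_QUERY = b"\x12\x34\x01\x00" + bytes(8)                         # ordinary DNS query header

SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", "udp", 1194, OPENVPN_RESET),  # commercial VPN, default port
    Flow("192.0.2.11", "198.51.100.200", "udp", 51820, WG_INIT),    # VPN host that is not on the list
    Flow("192.0.2.12", "192.0.2.200", "udp", 443, WG_INIT),         # self-hosted WireGuard on an odd port
    Flow("192.0.2.13", "203.0.113.9", "tcp", 443, TLS_HELLO),       # plain HTTPS to a listed range
    Flow("192.0.2.14", "8.8.8.8", "udp", 53, DNS_QUERY),            # not VPN-related
]

if __name__ == "__main__":
    for src, reasons in sorted(classify(SAMPLE_FLOWS).items()):
        print(src, reasons)
```

Two of the sample flows show the caveats a practitioner cares about: the self-hosted WireGuard server on port 443 is caught only by the fingerprint (the list and the port table both miss it), while the plain HTTPS connection to a listed range is flagged despite carrying no VPN traffic at all. Obfuscated transports that wrap the tunnel in something that looks like ordinary TLS exist precisely to defeat the fingerprint side of this.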

For now, it is unclear exactly what the leaked proposal means by logging the “first activation of anonymization services”. Jon Karlung, the CEO of Bahnhof, has made the following comment (translated from Swedish):

“It is still necessary to analyze what the proposal means in practice. But, of course, the state has raised the eyes of VPN services. The state can clearly not accept that citizens sometimes want to be in peace”

With this in mind, we will have to wait to see if anything concrete materializes from these claims. One thing is for sure: the largely left-wing Swedish government is bound to be conflicted about this on the inside, a fact that is allegedly backed up by Bahnhof’s anonymous source:

“There is a conflict on the inside too. There is upset about the proposals.”

In fact, it is because of these conflicts, and because the ECJ’s ruling weighs against proposals of this kind, that Müller from PrivateVPN told me,

“That’s why PrivateVPN, as a VPN provider based in Sweden, are not so worried about this.”

Finally, Private Internet Access, which last year pulled its servers from Russia due to new regulations that made it impossible to promise a zero-logs service there, told me:

“As IP address and other metadata logging by ISPs is proposed and implemented in more and more countries, so too will VPN use. If a country’s laws make it so that even VPNs, not just ISPs, need to keep logs, then running a no log VPN gateway in that country isn’t viable. Private Internet Access monitors regulatory changes around the world and will pull servers out of any country that seeks to invade our users’ privacy, as we did in Russia last year.”

Opinions are the writer’s own.
