Bahnhof, one of Sweden’s largest internet service providers, just revealed that Sweden is proposing new data retention laws on a massive scale.
The law requires that data storage be extended in a multitude of ways and that internet service providers must rebuild systems to be compliant with data monitoring and surveillance.
Unofficial estimates conclude that ISPs would need to build more than 300 terabytes of storage to keep up with the new laws. The new laws will be presented on October 9th, but Bahnhof is leaking some of the proposals already.
Do Swedish Police Have too much Power Already?
Even now, police in Sweden have a large amount of power. They can obtain information about anyone suspected of a crime, such as their IP address, no matter what type of crime it is. While in the past the European Court of Justice has tried to control this power, investigators in Sweden do not seem concerned.
Bahnhof reports that data storage is to be extended from the current 6-month period to 10 months. “Sweden is raising the massive data storage instead of slowing down,” reports Jon Karlung, CEO of Bahnhof.
Additionally, the entire network of Sweden would need to be rebuilt for these new surveillance changes to be introduced. Right now, Sweden’s network infrastructure is built to be fast and effective. It’s not built for surveillance per se, but under the new laws, investigators and the government want network ISPs to forcibly rebuild their systems to enhance surveillance capabilities and powers.
Each user on the internet has an IP address, and that IP address works as a fingerprint tied to the user’s real-life location, as well as to the log files held by the Swedish internet service provider that show what websites they visit. This information can be requested by the police, but with the growing number of users, and with the advent of NAT (network address translation), which lets more and more users onto the internet by remapping and sharing IPs, anonymity has increased as well.
Now that the police want to increase the capability of NAT technology surveillance, an estimated 1 terabyte a day per internet service provider would be required, which corresponds to an extra 300 terabytes a year. But even with new changes to increase surveillance of the large number of IPs, it is still uncertain whether police can obtain the information necessary to identify IPs, since Swedish ISPs are not required to store NAT logs.
“The whole internet industry is in rebellion here. Now, Sweden is like China, where the state requires the network to be tailor-made for monitoring, not for the internet to work as well as possible. The cost is getting bigger, but the worst thing is that our system engineers have to deal with protocols and implementations that slow down the internet. We want to make every effort to make the network faster,” says Karlung.
The proposed changes would not only cost hundreds of millions and tens of millions in operating expenses per ISP each year, but would also significantly affect the internet speeds of each user.
Is Sweden Disobeying the European Court of Justice?
The European Court of Justice has already ruled that general data storage is not legal, since surveillance of internet data is a violation of the human right to privacy. If it is to be allowed, multiple criteria must be met, but Karlung believes that the Swedish government is not listening to the ECOJ.
Already, it’s defying the ECOJ by monitoring all users, and Karlung believes that “there is a limit to how much information the police can collect without the storage and gathering being a greater threat to society than the crime that they claim to fight.”
New Proposals Attack VPN
In addition to requiring more data storage and network changes, the new proposals also target anonymity services like VPNs, which make data storage impossible. The proposals would start logging the IPs of users who try to use Swedish anonymization services.
This means that the Swedish government would attempt to force Swedish-owned VPN providers to log user IPs, which is bad news for any privacy service operating within Sweden. This law does not apply to TorGuard VPN and will not affect us in any way.