According to documents obtained by Swedish internet service provider Bahnhof, the Swedish government appears to be interested in increasing the country’s data retention requirements, and may even be interested in starting surveillance of virtual private networks (VPNs) and other anonymization services. Data retention requirements in Sweden first took effect in 2010. Privacy advocates such as Rick Falkvinge, the founder of the Pirate Party, say that the current Swedish data retention laws already violate fundamental European Union privacy rights. In 2010, German courts struck down a German data retention directive as an unconstitutional violation of privacy. The 2010 ruling in Germany was followed by a ruling from the European Court of Justice in 2014 which struck down the European Union’s data retention directive.
After the 2014 court ruling, Swedish internet service providers were told that the data retention requirements would no longer be enforced. Bahnhof had stopped retaining customer metadata, and several other Swedish internet service providers then followed Bahnhof in stopping their data retention programs as well. However, the suspension of data retention requirements in Sweden did not last long, as government officials deemed that the Swedish data retention laws were compatible with the European Union’s Charter of Fundamental Rights. Swedish internet service provider Tele2 filed a lawsuit, which it lost when the Swedish courts ruled that the data retention acts were still lawful and could be enforced. Bahnhof resisted the court’s ruling but was then threatened with a multimillion-dollar fine if it continued to refuse to retain customer metadata.
Under current Swedish law, internet service providers must record and store customer metadata for 6 months. Sweden’s new data retention proposal would increase the length of data retention from 6 months to 10 months. While implementing the European Union’s data retention directive from 2006, the Swedish government considered setting the retention period at between 6 months and 2 years. The Swedish government decided to require data to be stored for only 6 months. A broader Data Retention Act which was passed by the Swedish parliament in 2003 was struck down by the European Court of Justice in late December of last year. That 2003 data retention law was struck down for violating the Charter of Fundamental Rights of the European Union.
What remains a mystery is what exactly was meant by requirements to log the activation of anonymization services. A post made on Bahnhof’s website originally referred to this requirement as applying to VPNs; however, the company updated the post and said that it believes this may be a requirement aimed at prepaid cellular phones. A spokesman for a Swedish VPN called PrivateVPN said that the VPN surveillance requirements were so far only rumors, but did suggest the company would likely leave the country if the Swedish government ever did enact VPN surveillance. Another option would be to force the VPN’s customers to use Network Address Translation (NAT) firewalls. It appears unlikely that the government would ban NAT. However, VPN surveillance could be enforced by internet service providers instead of by the VPN provider, through the use of deep packet inspection.
“Sweden now acts as China when the state requires the network to be tailor-made for monitoring, instead of the internet functioning as well as possible,” Jon Karlung, Bahnhof’s CEO, said in a post on the company’s website. Karlung says that it will cost hundreds of millions of Swedish kronor to be able to meet the new data retention requirements. He estimates that the average service provider will need to get 300 terabytes of additional storage to implement the proposed requirement. “The whole industry is in rebellion,” Karlung says. He believes the government wants service providers to rebuild the network to make surveillance easier, rather than to make it perform well. The information Bahnhof received came from a government investigation that is being conducted on the data retention laws. The government’s new report and recommendations will be delivered on October 9.