Mullvad, in its assessment of the Swedish Surveillance Act says:
For users (of computers and other electronic devices), the new Covert Surveillance of Data Act grants law enforcement agencies the authority, upon a special permit (in each specific case) from a competent Swedish court, to secretly install software or hardware on suspect users' devices or devices which the suspect in special cases have or will most likely contact. This implies that law enforcement agencies may access a suspect user's information before it is encrypted by VPN-services …
To me, it reads as if the FRA (the Swedish NSA, if you will) can own their equipment (servers) if they deem the suspect is most likely to contact it.
In a separate page, they have the usual disclaimer that their opinions aren't exhaustive nor legal advice.
Note that the summary is not exhaustive and its sole purpose is to provide you, as a user, with a certain overall, general understanding of the new law and an understanding of why Mullvad VPN is not subject to the new law. The summary is not intended to constitute, and must not be used as, professional legal advice in any respect. All use of the content is at the user's own risk.
The Act, it seems, grants the FRA a wide berth, including installing software/hardware secretly. This seems to violate PG's VPN criteria for Trust.
Believe PG should reach out to Mullvad (& possibly some 3p, if possible) and ask for explicit clarification (rather than the generic … "it doesn't apply to us but it might if…").
It also seems like, if Mullvad was coerced into cooperating / complying, they cannot go public about it.
PG could also perhaps consider re-evaluating either the minimum VPN criteria for Trust or recommending Swedish providers.
You are missing the point. Mullvad cannot be forced to do secret logging. Like nothing in Swedish law states that they can coerce Mullvad into doing secret logging.
What you are saying is police can try and hack Mullvad, which is quite different.
I also disagree on a lot of specifics you mention, but above is my main point.
Here are two other articles from Mullvad that relate to this, and I will quote two specific parts here:
Swedish law also means the police can't pressure us. They aren't allowed to twist our arms to make us secretly begin logging traffic. Swedish law also means that no other country can step in and ask for information without going through the Swedish legal apparatus and Swedish laws. Here you can read more about the Swedish laws that apply to Mullvad – and why Sweden is a good country to run a VPN service from. Essentially the legal system here makes it possible to keep your data private.
We are prepared to shut down the service
Should a government somehow succeed in legally forcing us to spy on our users, we will cease operation of our service in the affected jurisdiction and only resume it if the legal situation* has been remedied. Just as where no data can be revealed if it does not first exist, the service can't be used as a surveillance tool if it's not in operation.
*We retain lawyers to help us monitor the legal landscape in Sweden and keep us abreast of any developments. We also stay up to date on how to move critical parts of our business to other jurisdictions around the world, should we need to.
Where the identity of the suspect is not known, but his contacts are known, or a third party (such as a website which the suspect visits) is known, one can permit secret data reading of these contacts, or the third party, but only in order to identify the suspect.
…
Under section 12 of the Act, an authorization can provide for secret entry to premises to plant spyware physically on an information system (e.g. a stationary computer).
…
The figures, published since 2020, when the Act was introduced, show that the overwhelming purpose for which secret data reading is granted in Sweden is to break a device's encryption.
My point is, if Mullvad was, can they even be transparent about it? From what I can tell, they can't be. Ergo, you can't trust their own blogs / write-ups on the topic.
Section 2 of the Act distinguishes between the following categories of data which can be collected:
communication interception data: data on the content of messages that are transmitted or have been transmitted to or from a telephone number or any other address in an electronic communication network
communication monitoring information: information about messages that are transmitted or have been transmitted in an electronic communication network to or from a telephone number or any other address,
location information: information about the geographical area in which certain electronic communication equipment is or has been
camera surveillance data: data obtained through optical personal surveillance
audio surveillance data: data relating to speech in a private room, conversations between others or negotiations at meetings or other gatherings to which the public does not have access
other stored and real-time data on the device not falling into the above categories.
…
For notification afterwards on the use of secret investigative measures … in particular where notification would damage ongoing investigations or damage other interests requiring secrecy. There is a list of serious offences (mainly security offences) where notification need not occur.
There is a standing remedy mechanism. Section 3 of the Supervision Act provides that, at the request of an individual, SIN is obliged to check whether he or she has been the subject of secret surveillance … SIN is to inform the complainant that a control has been carried out. However, the standard reply is "no violation of the law has occurred".
I expect they'd do it, but I am not gullible enough to bet my house on it. That said, I don't see how doing so meets PG's current minimum criteria on secret logging.
Yes, it is an absolutely absurd law that never should have passed. It only applies until March 2025, though I have no doubt it will be made permanent. That being said, you are not making a good faith effort to understand what the law says or its implications. It does not allow Mullvad to be coerced into logging traffic. It isn't even realistic that they could hack Mullvad because that would violate the proportionality principle which is explicitly a part of the law and Swedish legal tradition. Foreign intelligence agencies already have wide reaching mandates to hack essentially whoever they like outside their own nations with impunity, so I would be more worried about that in your case.
You bring this up for the second time, as if you're intimately familiar with the lawfare in Sweden. Nevertheless, you seem unaware that AFA this Act is concerned, "proportionality" / "necessity" is a state-kept secret.
(from refs above) The FUD applies the principles of necessity (least intrusive means) and proportionality (balancing the degree of interference with the value of the material which can be obtained) in granting a warrant, and may impose conditions on the warrant. A warrant is issued for a maximum of six months. No case law has been made public, so it is difficult to know how FUD interprets these principles in practice.
I'm sorry you think that. Trying my best to quote 3p sources rather than pass off opinions based on vibes, nor am I parroting some business' CYA assessment of it.
Do read the first ref in the first post. Or the excerpts in my other reply. It is all verbatim and has none of my "not good faith" commentary on it.
The goal posts are moving? Let's keep this topic on Sweden.
Obviously we can't know whether this is being honoured because everything they don't want the public to know is just made a state secret on "national security" grounds. That being said I still don't think it changes that they can't be coerced to keep logs. Moreover, I think the foreign intelligence comparison is justified given that they are not being given any power that would be uniquely effective for the jurisdiction where the provider is located (i.e. coercive powers).
You've read the first ref (3p)? They think otherwise (and lay out exceptions when this can happen). Though, PG's criteria for VPNs concerns itself with secret logging and not storing the said logs.
If the providers were coerced into doing so, the rest of us "obviously can't know" either.
Irrelevant to PG's minimum criteria for Trusting VPNs, which only concerns itself with the jurisdiction a VPN provider is subject to.
We still know what the law says, and it doesn't allow for secret logging. Sweden has strong rule of law, and I think it's strange to dismiss that. Like it or not, it has a real bearing on the effect of these kinds of ambiguously worded laws.
Yes. Per refs, it doesn't say what you seem to be thinking.
Secrecy is the weakest link. If everything around this law is covert (including the safeguards), then I'd rather rely on 3p opinion, which makes it clear what is ("installing hardware/software" in third-party services like "websites" or equipment such as "computers") and isn't possible ("notifying" those that were pwned).
As I read it (from 3p reports), PG's minimum criteria for VPNs is a high bar for Swedish providers to meet. I'm interested in what others here have to say, too.
But they can't be forced to do anything per Swedish law, so yes, there would be no legal basis for police to ask for this. They are not subject to the law.
Also, why can't I trust their blog? They are a reliable company with no screw-ups until now, so I trust what they say.
Interesting how the arguments are going from "no such law" to "not subject to this law".
Per my limited reading comprehension, Mullvad's (use-at-your-risk / don't-quote-us-on-it) claim is they are not subject to the section which forces service providers to co-operate. Not that they're exempt from the entire Act.
The last I checked, VPN providers do need to run a "website", which, per a source I linked in the first post, absolutely puts them in the crosshairs.
Can you trust them to be transparent on this specific Act, as it seems to explicitly legally forbid them from informing anyone about covert surveillance (or it won't be covert, would it)?
Respectfully, their reliability isnât the topic here.
Even in the Venice commission doc, I only see that "secret data" reading of a website is allowed under very, very limited exception. And they don't mention the website owner is forced to cooperate in any way.
The requirement that there be someone who is reasonably suspected for the offence is central to Swedish special investigative measures, and is an important safeguard. However, it is modified by an exception. Where the identity of the suspect is not known, but his contacts are known, or a third party (such as a website which the suspect visits) is known, one can permit secret data reading of these contacts, or the third party, but only in order to identify the suspect. Only (stored) historical metadata, not real-time data or communications and not by means of activation of audio or video surveillance functions can be used for this (section 4b).
In fact, the act seems to be designed for allowing targeted attacks on individuals, not mass surveillance.
Okay now this is just plainly false. There is NOTHING that says or even suggests that Swedish companies would somehow be blocked from being negative about the act.
You assume they aren't trustworthy because you say we can't trust what they say about this law.
No, you deflect. This topic isn't about Mullvad. I guess that's why you're riled up? It is mostly about what the 2020:62 Act means for PG. My take is, because of this law, Swedish providers do not meet PG's minimum criteria for VPNs.
Either PG changes its criteria, or figures out what this law actually means, preferably from 3p sources.
My replies to you are based on direct quotes from refs (see my second reply to you). Those are not "my commentary", if you will.
Both of us agree. I expect you will stop posting from Mullvad's blog and passing it off as some irrefutable truth, like you have been doing.
I must say though, instead of reading the law myself, I'd rather defer to 3p opinion of it. Two of which I've linked in my original post.
Exception or not, does it not make Mullvad subject to this Act? I guess now you're admitting it does. On this, we agree.
Oh all okay, then?
Can you rephrase it? Not sure what this statement is about? I don't see from where the whole "companies can't be negative" is even a discussion point.
Yes, pretty much this, as they can't talk about it even if they complied. What am I misunderstanding about the words "secret" and "covert"?
Implying that PG should remove Mullvad, arguably the most privacy-respecting VPN provider that is constantly innovating in the VPN space, is completely insane when Mullvad has specifically stated in multiple instances in here, here, and here, that this specific law does not affect them. The fact that you do not trust Mullvad's word is your personal issue and shouldn't affect the recommendations of PG.
It is also interesting how you initially wish that we ask Mullvad to clarify the situation, and when more sources are given to you that directly tell that the law doesn't apply in their case, you start questioning Mullvad's trustworthiness, and demand an opinion from a 3rd party. Yet, your linked 3rd party sources do not say anything about VPN providers specifically, which appears to be the key when trying to understand if the law affects Mullvad or not.
However, since Mullvad has stated that the law does not affect them, I have no reason to doubt that considering their spotless track record and strong reputation in the privacy community. I also believe that they are more knowledgeable about this specific law than you are, which is why I think it is a bit odd that you're pushing this narrative without any kind of real proof that would demonstrate anything to the contrary.
Mullvad states no such thing. They only go as far as "no obligation to co-operate". But if they did co-operate, the law prohibits them from being transparent about it.
Since Mullvad VPN is not to be regarded as an electronic communications service with a reporting obligation … Mullvad VPN cannot be subject to a duty to cooperate in connection with the enforcement of a decision authorising covert surveillance
Why are you folks so riled up? I see you've also deleted a previous exchange. So strange.
Btw, I didn't author PG's criteria for VPNs.
You might want to re-read the first post, if you haven't. I'm tired of repeating myself over and over, every other reply.
Don't patronize me.
Source for what? Something completely tangential to the topic?
Yeah, I'm merely asking PG to consider 3p opinion. What's your beef with 3p? Or with that "demand"?
Of course they do not explicitly call out "VPN providers", but if you read the transcript, it is clear the law is wide ranging.
Why are you fixated on Mullvad? My post is about the Swedish law and how it concerns PG's criteria.
From whatever I've read, they state no such thing. Where did you get this from?
Tbh, quit. Stop engaging. I have no desire to thrust this narrative upon you.
Covert Surveillance of Data Act (2020:62) (the act is short-term legislation and entered into force on 1 April 2020)
Since Mullvad VPN is not to be regarded as an electronic communications service with a reporting obligation according to LEK, Chapter 2, Section 1, Mullvad VPN cannot be subject to a duty to cooperate in connection with the enforcement of a decision authorising covert surveillance of data in accordance with the new Covert Surveillance of Data Act.
As for why the law isn't relevant for VPNs, Mullvad explains more thoroughly why towards the end here: Swedish Covert Surveillance of Data Act (specifically in sections Duty of cooperation imposed on certain parties and Conclusions).
(Incredibly, I am repeating this for the 5th time) Mullvad do assert they needn't co-operate, not that the Act in its entirety doesn't apply (which it should, as they're based in Sweden, no?)
Now, if any Swedish provider did co-operate, who'd know, as the entire ceremony around it is super covert by law anyway?
This brings me to the Q posed in the first post:
Should PG amend its minimum criteria for VPNs (to accommodate Swedish providers, for example).
Solicit clarification from Swedish providers it today recommends (aka Mullvad). And/or solicit/consult 3p opinion/sources.