Swedish authorities seek backdoor to encrypted messaging apps

The Swedish government is pushing forward legislation to mandate backdoors in end-to-end encrypted messengers. In response, Signal claims that it will exit Sweden if this law is passed.

Sweden’s law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps.

Signal Foundation President Meredith Whittaker said the company would leave the Swedish market before complying with such a law, Swedish news outlet SVT Nyheter reported Monday.

The bill could be taken up by the Riksdag, Sweden’s parliament, next year if law enforcement succeeds in getting it before the relevant committee, SVT Nyheter reported.

I’m curious to see if anyone in Sweden (or are familiar with folks there) can comment. Recent news have not been going well for privacy rights lately

Government trying to backdoor encryption? Must be a day that ends in y.

The Swedish Armed Forces routinely use Signal and are opposing the bill, saying that a backdoor could introduce vulnerabilities that could be exploited by bad actors.

Interesting, so it’s the cops vs the military.

Decentralized IMs focused on privacy, security and E2EE is the way to go!

I wonder if we should once again start having/developing good quality XMPP clients and service providers - preferably based in Switzerland for obvious reasons.

–

Video and Article Suggestion to @jordan and @em (hope you don’t mind a direct tag)

An ELI5 guide on how to set up your own Signal proxy that everyone who wants to do this can start sharing with their family and friends. If enough people do it, the price for this could come down from select VPS providers (specifically for Signal proxy set ups) and will or could eventually lead to “decentralization” with Signal.

Every other video online about this is still too complex for even tech savvy people at times. So, a step by step spoon feeding directions on how to do this will become a no nonsense guide that’s easy to read and follow will be a fantastic addition to PG resources and a gold standard for a how to set up such proxies.

C’est la vie!

Law enforcement officers breaking a universal technological standard (encryption) that they barely understand.

The law (2020:62), that’s now being made permanent after 2+ amendments, isn’t only limited to e2ee “messengers”. Per my reading of another 3p assessment, all apps that deal with encryption (like Browsers / VPN), digital services (like web-based email / websites), and communication servers (ex: network middleware) are all subject to covert surveillance (in some cases, by the means of hardware backdoors).

Such patronisation needs to die, especially in light of Snowden revelations which showed how very capable state actors in NSA, GCHQ etc are. Besides, LEA (law enforcement agencies) regularly fund/liaison with foremost academics & researchers (Tor & WireGuard both being recipients of such funds). They understand things (even if by proxy) perfectly well.

Oh boy do I have a lot to say about this.

I am pissed. We are (supposedly) a freedom-loving nation with a score of 99/100 by Freedom House. Tragically, this is a gross misrepresentation of the state of freedom in Sweden today. Rising gang violence, which was not being seriously tackled until the current governing coalition came into power in 2022, is the core issue here. The excuses of gang violence and more recently national security have increasingly been used as a blank check excuse to pass incredibly privacy-invasive laws with non-existent debate from the opposition or the public. The justice minister (Gunnar Strömmer) was once a believer in human rights and even started the Centre for Justice but is now seemingly firmly in the pocket of special interest groups.

Luckily, this specific proposal is getting much more media attention than usual, and the centre party has stated its strong opposition to such a law, as has the military, as you noted. Interestingly, it was just two weeks ago that the military began to officially allow Signal to be used for certain classified information, though I suspect it was likely used unofficially already, especially for communicating with third parties.

It’s a bad idea because when you open back doors for the police, there are also back doors that everyone else could use, so if you don’t have a door, no one else can get in through it. But if you build a door, it could be used by others too if they have the technical know-how. And China has that, Russia has that, Iran has that. If we look at the US, where they have similar legislation, China, for example, has managed to get in and access the phone and messaging information of Kamala Harris, Donald Trump, JD Vance, people like that. We don’t want them to have access to that. There’s a reason why the Armed Forces says you should use end-to-end encrypted apps, as they’re called, or services, to make sure that what you say gets to the person you’re saying it to and nobody else. What we want to do now is to go to the Defence Committee and say to the other parties: ‘Do you agree that we must, just as the Swedish Armed Forces say, guarantee access to secure communications for Sweden’s citizens, authorities, companies, etc. Then they will have to decide if they actually think we should have it, or if they want to listen more to Gunnar Strömmer than they do to the Swedish Armed Forces.’ says Niels Paarup-Petersen (C)

The Pirate Party (not very relevant anymore unfortunately) has also said they would like to see the right to encryption in the basic law (grundlagen, basically the constitution).

I am cautiously optimistic that the media coverage and perhaps more importantly the Armed Forces strong objections will be enough to curtail this specific law. I seriously doubt however that we will see any meaningful change in the general trend of entrenching on personal freedoms and liberties in Sweden.

The agencies of course understand, but I don’t think the same can necessarily be said for average law enforcement officers and more importantly the politicians that push this kind of stuff based on pressure of lobbyists and other groups.

That might have been true 15-20 years ago but nowadays, you need to separate national and military intelligence agencies with domestic law enforcement. Many do support encryption for counter-intel related purposes.

(Disclaimer: I do not believe that they are 100% pro-encryption. I’m just stating that the debate has become more nuanced lately because of recent cyberattacks.)

Classic. Create national security issues (and distance conservative voters) with immigration, then use that to curb freedom (distance liberal and progressive voters). AfD and its counterparts will have elections on a platter soon.

Nah, they’ve just been naive and incompetent for decades with regards to the immigration of peoples with too different values, and now they’re trying to hamfistedly solve the consequent problems. Politicians are, after all, rarely the best specimens of humanity.

As Hanlon’s razor phrases it: Never attribute to malice that which is adequately explained by stupidity.

I get your point, but to your reason… Does EU have open borders? If so, are values of Bulgaria same as Ireland?

Yep. See: Refuse to be Terrorized - Schneier on Security

Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we’re terrified, and we share that fear, we help. All of these actions intensify and repeat the terrorists’ actions, and increase the effects of their terror.

Even if I accept that point that domestic and international agencies have varying competencies and capabilities … those Chickens will eventually come home to roost. Imperial boomerang - Wikipedia

This would definitely be a great topic to cover in a tutorial. I am taking note of this and will bring it up to the team. Thank you for your suggestion

@mods: Do feel free to just remove the above if it’s too off-topic.

Anyway, with my musings on why the lovely Swedish government thinks they need to emulate 1984 out of the way:

I’m tired, boss. We have more important things to deal with (slava Ukraini) so I personally don’t really have the energy to deal with this nonsense. Really hoping the situation with our lovely neighbor means they’ll listen to the armed forces telling them they’re being stupid (again) and they’ll drop this.

If they don’t and Signal actually leaves Sweden (whatever that means—no app stores?) I’m not confident the friends and families I’ve slowly managed to get on Signal, will be willing to keep using it, or switch to something else that’s actually secure. So I might have to go back to sending texts as my primary means of communication

And as @ignoramous mentioned, the delightful Covert Surveillance of Data Act (2020:62) is being implemented permanently in about a month, and I’m (slowly) trying to make sense of how and why exactly it doesn’t apply to VPNs. Legalese is a pain in the butt (but interesting) to read.

And, completely unrelated to anything at all concerning politicians, for some mysterious reason I keep thinking of this part from Mostly Harmless by Douglas Adams:

“But nobody’s ever been to look or search or rescue. There’s been absolutely nothing.” “Well, there wouldn’t be. It’s a whole complicated insurance thing. They just bury the whole thing. Pretend it never happened. The insurance business is completely screwy now. You know they’ve reintroduced the death penalty for insurance company directors?” “Really?” said Arthur. “No, I didn’t. For what offense?” Trillian frowned. “What do you mean, offense?” “I see.”

We had this conversation shutdown before on this forum.

To circle back though, one of the PG mods did reach out to Mullvad and they replied a lot more vaguely to the tune of “there’s no privacy intrusive law that the Swedish police can target them with” (I can share their full reply if the concerned mod consents).

Yeah I know, on the surface it sounds simple and clear, but it gets muddy for me when I try to find the specific law paragraphs that says so. Which I do think I as a citizen ought to be able to do. Question is if I’m just not understanding what I’m reading or if it doesn’t clearly say. So if the mod consents, I’d appreciate to read it!

As for the off-topic discussion, I’ll send you a PM I always welcome being shown I’m wrong or dumb — because then I’ll be less so.

Signal has already said they will not comply and exit Sweden if the law is passed.

Yes, this was part of the original reporting on the subject.

Reminder about this feature!

If Signal does leave, it would just be removed from Google Play and Apple’s App Store. Tor or a VPN can easily allow someone to download the APK anyways.

I am not sure if Sweden would force ISPs to block Signal like Russia and Venezuela. Regardless, folks with Signal installed can just use the built-in censorship circumvention service.

TLDR; Apple users are screwed over in these scenarios

[removed because it was wrong]

Also @KevPham, I’m really enjoying the work you’re doing with posting all these news and articles

No, this doesn’t solve the problem because Apple maintains an iron grip on app distribution. AFAIK an app is only allowed to be on one app store, and Signal is on Apple’s app store.

edit: I’m fairly certain this is true but apparently downloading apps from developers websites is also supposed to be possible so I’m not sure how that plays into it (I don’t own an iPhone). Feel free to correct me if I’m wrong. Installing apps through alternative app distribution in the European Union - Apple Support