The EU prepares ground for wider data retention – and VPN providers are among the targets

The day is coming where Sweden does something and Mullvad is directly affected. I wonder what the (or one of the) best entity in the space is going to do and how they’re going to fight.

1 Like

This looks like the beginning of the EU’s “ProtectEU” policy for “lawful and effective access to data for law enforcement,” which it intends to implement by 2030. Linked to the original article, this article outlines its parts.

  • Data retention. The EU Commission is expected to carry out an impact assessment with the aim of extending the EU’s data retention obligations and reinforcing cooperation between service providers and authorities.
  • Lawful interception. Lawmakers seek to explore measures aimed at improving cross-border cooperation for lawful interception of data by 2027.
  • Digital forensics. The goal here is to develop technical solutions that allow authorities to analyze and preserve digital evidence stored on electronic devices.
  • Decryption. Next year, the EU Commission is set to present a Technology Roadmap on encryption to identify and evaluate decrypting solutions. These technologies are expected to equip Europol officers from 2030.
  • Standardisation. The Commission is said to be committed to working alongside Europol, industry stakeholders, experts, and law enforcement practitioners to standardize the new approach to internal security.
  • AI solutions for law enforcement. Lawmakers also seek to promote the development and deployment of AI tools by 2028. These solutions will enable authorities to lawfully and effectively process large volumes of seized data.

This is so flipping exhausting. Why is everyone all of a sudden obsessed with surveillance of law abiding and peaceful people? Is there anywhere in the world that still follows some semblance of rule of law/human rights on this?

It honestly feels like the fight for human rights in this area is already lost. There is little pushback, experts are being ignored, and everyone is running willy nilly on this (Asia, Australia, NA, Europe, etc etc). Social media bans, ID laws, proposed laws to ID for even videogames. Desire to surveil VPNs. On phone scanning. Attempts to break decryption.

Is privacy even gonna be possible in a couple years? Or will everything be gone?

Gonna be honest. I’m super discouraged. It feels like our whole digital world, as we know it, will be gone soon. No privacy. ID for everything. Owning nothing, and renting everything. Even for the tech savvy…

9 Likes

Imagine if all the non-logging VPN companies had to relocate out of the EU!
I guess the mobile stores could ban downloads in that region too?

This makes political gridlock and dysfunction in the U.S. look comparatively attractive. Can’t pass bad laws if you aren’t passing any I guess.

+1 for Swiss based service providers.

Switzerland was also close to going insane with violating privacy worse than the US. Let’s not think even the “perfect” country is going to always remain perfect for your privacy tools. The fight is always ongoing so one must always stay vigilant. That’s the price for freedom we should all be willing to pay.

1 Like

Everyone is welcome to Turkey!

The government may waive tax collection for several years if investments totalling millions of dollars are made. That sounds appealing, doesn’t it? Of course, this assumes that the government will not conduct arbitrary raids and imprison authorised individuals. But they wouldn’t do something like that, would they? :hugs:

1 Like

Which country outside the EU is ideal for VPNs then? Not many options. There are several small countries who can amend their own laws to make it attractive for privacy tech companies to operate there (who won’t depend on the US or 5 eyes so they can’t be bullied into amending their perfect rules for them). I wonder if these small countries will do anything about it.

I don’t know why countries such as Iceland, or some South American nations are not home to more providers (ie Argentina, Chile, etc).

1 Like

Getting talent to move to those places is one reason, maybe the biggest one.

Does all talent need to move? I would imagine the majority if not all of the work for the majority of the workforce can be done remotely. Of course, the country’s economic conditions are going to be a factor for sure (including safety & rule of law).

Countries may require businesses to establish legal and liable entities if they employ their residents.

In most places that’s just registering as a business in the country. This is not overly complicated nor expensive as far as I know.

The effectiveness of VPNs for privacy and hiding one’s IP address relies on the security promise of no logging, so mandatory data retention will obviously affect VPNs. But end-to-end encryption, anonymizing networks, file sharing services, cloud storage apps and other internet services are targets too. Imagine the traffic analysis that would be possible if all messaging traffic or all Tor traffic is logged.

NordVPN argued that the proposal “effectively outlaws privacy within the EU.”

Services that claim to protect against global adversaries like Nym look promising but I wonder how effective it will really be in practice in the event data retention becomes mandatory, and given it requires payment, it won’t be something everyone can access.

This mandatory data retention is just the beginning of “ProtectEU.” Employing AI to sift through the logged data and conduct surveillance, enhanced digital forensics, access to encrypted data etc are also on their dystopian roadmap.

From what I see happening simultaneously in the EU, UK, US and elsewhere over the past year or two, jurisdiction shopping may work for another few years but it’s an expensive exercise, and honestly I think there will be no safe haven for privacy-enhancing technologies in the not-too-distant future.

The privacy community may need to formulate solutions, urgently while still possible, that keep technology development, deployment and practices alive in a hostile world environment. For instance that could be novel offline solutions, security culture, anonymous development, plausibly-deniable hidden data storage.

4 Likes

India made VPN rules so absurd that it’s practically the same. If it “works” in/for India, why not elsewhere? That’s the logic and proof we have where all bad ideas will be tried everywhere, even where your favorite privacy product is based. Those are the scary days that I don’t want to see but know are inevitably coming.

Sovereign nation states have always had / desired / wanted wires on tap. These “bad ideas” have almost always been at the forefront of the ruling/political thought. Case in point: The ITU. Curiously, they didn’t catch up with the Internet (as in the beginning, ie the dial-up era, the Internet was mostly traversing in plain text over wires they could surveil anyway).

Excerpts from comparitech/surveillance-states / mirror (2022)

EU countries tend to share a large amount of their citizens’ data with fellow member states

Italy: Lengthy data retention periods (six years for internet and telephone traffic data)

Hungary: Government agencies are able to take data from telecommunication companies without a warrant

Slovenia: … the highest record of human rights violations per capita in Europe …

Germany: Controversial data retention directives.

Spain: Its communication data retention policies (12 months after the communication but this can be extended to 2 years) …

1 Like

It’s the ProtectEU thing. Nothing that new, to be honest. Many VPN providers and groups which care about privacy in the EU have already written against it profusely. Looks like plan B for ChatControl (like was expected as well). Nothing is going to really stop this witch hunt, I guess.

For what it’s worth, here is a petition from a group called Vallem (never heard of them before, but maybe somebody here has?): https://vallem.com/en/petition-against-protecteu/#informatieeu