Skip to main content

(L)awful interception


One of democracy's foundations is the fact that all human beings have certain inalienable rights and freedoms. Suspended by trust and shared values. Today, trust and shared values are being replaced by “control and surveillance”.

First off, there are three major differences – and consequently huge implications:

  1. Between the concepts of nations spying on other nations,
  2. nations spying on their own citizens,
  3. and of nations forcing their own corporations – by law – to become involved in collecting information about their own citizens.


The existence of multilateral agreements such as the 5, 9, and 14 eyes means that all traffic that crosses international borders is intercepted and shared between a number of nations.

Many countries insist that they do not spy on their own citizens. However, Edward Snowden’s leaks proved that this was false. Domestically, governments require telecommunications operators to provide legal interception gateways and nodes for the interception of communications. The interfaces of these gateways have been standardized by telecommunication standardization organizations.

This means that “meta data” (i.e. who is talking to who, and who is using what service) is mass collected for essentially all activities on the Internet. Rumor has it that even encrypted data is saved so that it in the future, when the encryption is breached this data can be read and fully analyzed.

The United States of America

Services based in the United States are exposed to the country's surveillance programs and use of National Security Letters (NSLs) with its accompanying gag orders, which forbid the recipient from talking about any request. This combination allows the government to secretly force any US companies to grant complete access to customer data – without anybody ever necessarily finding out.

The Lavabit mail service is a good example of this. In fact, this remains true even in cases in which US corporations are active in the EU, and claim to store data only in EU; US companies are even legally obligated to lie. Any data “stumbled upon” in this manner can be used as the sole basis on which to file charges. No court order has to exist and no “reasonable suspicion of aggravated criminality” comes into play.

The People's Republic of China

China’s 2017 National Intelligence Law requires organizations and citizens to “support, assist and cooperate with the state’s intelligence work.”

The European Union

Under the GDPR, cross-border data transfers outside the EU may take place if the country to which data is exported is deemed to ensure an adequate level of data protection (currently: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgment which invalidated the EU-US Privacy Shield (a framework for regulating exchanges of personal data for commercial purposes between the EU and the United States).

The Schrems II case concerns an Austrian privacy advocate, Maximillian Schrems, who filed a complaint with the Irish Data Protection Commissioner in 2015 challenging Facebook Ireland's reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the USA. Schrems argued that due to the surveillance activities undertaken by US intelligence agencies, adequate protection was not provided to personal data transferred from the EU to the USA under either the SCCs or the EU-US Privacy Shield.

Additionally, the CJEU held that there is no effective remedy available for EU individuals to ensure protection of their personal data after they have been transferred to the US.

According to Article 48 of the GDPR, any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or one of its member states (without prejudice to other grounds for transfer pursuant to chapter V of the GDPR).


Sweden is a member of the EU. This means that Sweden needs to transpose EU directives into national legislation. This process sometimes “goes wrong” as when CJEU announced that Sweden’s existing law, the Electronic Communications Act, was too general and lacked safeguards for implementation.

Read more about how Swedish law is affecting Mullvad VPN AB.

The Digital Dilemma

The real change is that we are “going digital.” Not just events, but also money, signatures, evidence, proofs, etc. have now moved out of the realm of the physical. Once digital, they can, in addition to being easily collected as described here, also be easily changed and manipulated. You can be charged for anything online, and endless “proofs” of various kinds are collected automatically. But there is no way to prove that any of them are actually real! Example: Deepfake Queen Elisabeth II to deliver Channel 4 Christmas message.

Memorable summary

It is all about trust and shared values. One of the biggest points of international consensus in history and part of the foundations for democracy is the fact that all human beings have certain inalienable rights and freedoms. These are codified and enshrined in the United Nations’ Universal Declaration of Human Rights (UDHR), an international document which was adopted by the United Nations’ General Assembly on December 10, 1948 (58 members at the time).

Notably, the UDHR’s Article 12 covers privacy. It declares that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Today, trust and shared values are being replaced by “control and surveillance”; a path that has been proven to only lead to civil war.

It all comes down to You

We highly recommend you to not use any services that are not encrypted end-to-end. Mask your IP (meta data) with a trusted VPN service or TOR. If you would like to communicate in a truly safe manner, do not trust any 3rd party – encrypt yourself. Do not use any US-based service for anything secret, especially if you are a company or government handling PII information.

Closely monitor the laws in the EU – the last bastion of data privacy(?) – before they are silently defanged.

And conclusively, we hope that system transparency will be a reality – soon.


For the universal right to privacy,

Mullvad VPN