The following is a general summary of parts of the new Swedish Covert Surveillance of Data Act, based on the legislative history of the new law.
Note that the summary is not exhaustive and its sole purpose is to provide you, as a user, with a certain overall, general understanding of the new law and an understanding of why Mullvad VPN is not subject to the new law. The summary is not intended to constitute, and must not be used as, professional legal advice in any respect. All use of the content is at the user's own risk.
At present, it is possible for the police and other law enforcement agencies to use several different covert supervision measures. As a result of the robust increase in the use of encryption via the internet, the law enforcement agencies have encountered difficulties in using these various covert supervision measures.
Over 90 per cent of the intercepted internet traffic is encrypted, meaning that law enforcement agencies can presently only surveil less than ten per cent of the data communication which may actually be intercepted or monitored. In order to address this problem, the Swedish Parliament has adopted the Government's proposal for a law regarding covert surveillance of data.
The Covert Surveillance of Data Act (2020:62) will enter into force on 1 April 2020. The Act is short-term legislation which will remain in force for five years and terminate on 31 March 2025. The law will then be evaluated.
Covert surveillance of data may only be used by law enforcement agencies in certain preliminary investigations, for intelligence purposes, and in conjunction with special controls in respect of aliens. In addition, covert surveillance of data may only be used following authorisation where there is reasonable suspicion of aggravated criminality or to investigate which persons can reasonably suspected of such an offence.
Scope of application of the law
Under the law, law enforcement agencies, after having been granted authorisation, will be entitled, via covert surveillance or recording using technical means (both software and hardware), to review data intended for automated processing in an information system. "Information system" means electronic communications equipment (such as computers, mobile telephones, tablets, etc.) or a user account for, or a correspondingly designated part of, a communication service, storage service, or similar service.
The surveillance may take place through direct access to the information system or in an adjacent information system, such as via a computer which gives access to data in another computer. The measure pertains to a focused effort in respect of a specific information system, which entails that the measure will only include data which is present in that specific information system.
The data need not be located in an information system which can be surveilled at the time the application for authorisation is evaluated; instead, data retrieved through communications interception can also refer to future conversations which are not subject to automated processing until later (e.g. when a telephone conversation is conducted or a message is sent).
After the enforcement agency has been granted authorisation for covert surveillance of data, it may also activate, for example, the recording function on a mobile telephone. Only certain types of data may be surveilled or recorded (see section 2). Authorisation for covert surveillance of data may only be granted to intercept or record the following types of data:
- communication interception data;
- communication monitoring data;
- location data;
- camera surveillance data;
- bugging data;
- data which is stored in an information system which may be surveilled which is not referred to in subsections 1-5; or
- data which shows how an information system which may be surveilled is used but which is not referred to in subsections 1-6.
Authorisation to conduct covert surveillance of data does not mean that all types of data may be surveilled or recorded. Separate express authorisation is required for each and every type of data.
Authorisation for covert surveillance of data may only be granted where the reasons for the measure outweigh the intrusion or inconvenience which the measure otherwise entails for the person against whom the measure is directed or for any other opposing interest (see section 3). This means that a proportionality assessment must be conducted in each and every individual case in order to determine whether covert surveillance of data will be permitted.
The proportionality assessment must take into consideration possible risks that the measure poses to information security, business secrets, or other sensitive information.
Possible risks may include that the law enforcement agency reviews data which has no significance whatsoever in respect of the matter to which the measure relates, that data is expected to be of a particularly sensitive nature, or that the agency reviews data from persons who are not covered by the matter. In such cases, the relevant authorisation can be limited to certain data only.
Covert surveillance of data during a preliminary investigation
In order to be granted authorisation for covert surveillance of data in a preliminary investigation, there must be a connection between the information system which may be surveilled and the suspected person. Accordingly, this may mean that the suspected person uses the information system which may be surveilled or that there is otherwise specific cause to assume that such person has used, or will use, it.
If several individuals jointly use an account for a service, covert surveillance of data may take place if the suspected person is one of the individuals who uses the account.
In addition, authorisation for covert surveillance of data may be granted for intercepting or recording such data in an information system which may be surveilled other than that used by the suspected person where there is particular cause to assume that the suspected person, during the time covered by the authorisation, has contacted or will contact the other information system.
Covert surveillance of data outside the scope of a preliminary investigation
Authorisation for covert surveillance of data may be granted outside of the scope of a preliminary investigation if there is a tangible risk that an individual will carry out such criminal activity as referred to in section 1 of the Act (2007:979) on the Use of Measures to Prevent Certain Particularly Serious Crimes(for example espionage and terrorist offenses).
Authorisation may also be granted if there is a tangible risk that such criminal activity as referred to in section 1 of the Crime Prevention Act will take place within an organisation or a group. In addition, there must be an expectation that a person who belongs to or works for the organisation or group will knowingly promote this activity.
In addition, covert surveillance of data may also be used outside of the scope of a preliminary investigation when there are circumstances which can form the basis for covert supervisory measures pursuant to the Special Controls in Respect of Aliens Act (1991:572) (known as “LSU cases”) when, for example, when there is a deportation decision pursuant to the Special Controls in Respect of Aliens Act or decision denying entry or a deportation decision pursuant to the Aliens Act (2005:716) or corresponding older provisions.
Authorisation for covert surveillance of data may also be granted if the measure is of particular importance to impede, prevent, or discover criminal activity entailing a crime under section 2 of the Data Collection of Electronic Communication in the Intelligence Activities of Law Enforcement Authorities Act (2012:278) (such as espionage or hijacking).
In these cases, there is no requirement that it be possible to tie the information system to a specific person and that surveillance or recording of communications surveillance may only relate to data and messages from the past which have already been transferred (messages in real-time are thus not covered).
Prohibition against covert surveillance of data confidentiality obligation
Authorisation for covert surveillance of data may not refer to an information system that can be surveilled which is constantly used:
i) in activities which are subject to confidentiality pursuant to Chapter 3, section 3 of the Freedom of the Press Act or Chapter 2, section 3 of the Fundamental Law on Freedom of Expression;
ii) in activities which are conducted by members of the Swedish Bar Association, doctors, dentists, midwives, nurses, psychologists, psychotherapists, or family counselors pursuant to the Social Services Act (2001:453); or
iii) by clergy in a religious community or by persons with a corresponding position in such a community, in activities for confession or private spiritual direction.
In order for covert surveillance of data not to be allowed, the information system must be used constantly, or specifically intended to be used, in one of the activities stated above. This means that the system is a permanent element of the activities and that it is used for any of these purposes or it is specifically intended to be used in the activities.
Accordingly, it is not the physical place of work that determines whether the information system can become subject to covert surveillance of data but, instead, whether the information system is constantly used, or is specifically intended to be used, in the stated activities.
Permissible technical methods
After authorisation for covert surveillance of data is granted, the technical means necessary for the surveillance and recording may be used. If necessary, system protection may be breached and bypassed, and technical vulnerabilities may be exploited (see section 22).
According to the legislative history, this may involve, for example, a law enforcement agency logging into a service using log-in details which it has learned or using more technologically advanced measures. A law enforcement agency may, for example, carry out covert surveillance of data by installing software or by installing a physical object on the information system which may be surveilled.
Duty of cooperation imposed on certain parties
A party which conducts activities which are subject to a reporting obligation pursuant to Chapter 2, section 1 of the Electronic Communications Act (2003:389) ("LEK") is obligated, upon request of the enforcement agency, to cooperate in connection with the enforcement of covert surveillance of data.
This means that parties which provide public communications networks or publicly accessible electronic communications services are subject to the duty of cooperation. Such services may, for example, be mobile telephone and internet operators.
Accordingly, the operator may need to assist and identify which services a specific user has and which connections are used, to provide advice regarding which technical means may be used, to provide the opportunity to install technical means in the operator's network in order to carry out enforcement, or to assist with other similar support.
1. What significance does the law have for users of the Mullvad service?
For users of VPN services, the new law on covert surveillance of data entails that law enforcement agencies have the possibility to install a technical means in, for example, a suspected person's equipment (such as a computer or mobile telephone) which could provide information regarding the content of communication before it is encrypted through VPN or read through access to the user's computer monitor via remote control (in real time).
The law enforcement agency thus accesses the information before it is actually encrypted (if this does not take place via, for example, remote control of any device).
In those cases where an organisation which is subject to confidentiality (see section 11) uses Mullvad as a permanent element in its operations, and if the service is used for any purpose of the operations’ activities or the service is specifically intended to be used in the operations, there is no possibility for law enforcement agencies to be granted authorisation for covert surveillance of data of data before it is encrypted by the service (or via, for example, remote control).
Note that law enforcement agencies may exploit technical vulnerabilities in both software and hardware.
2. What significance does the law have for the Mullvad service?
Mullvad cannot be made subject to a duty to cooperate in connection with the enforcement of a decision authorising covert surveillance of data since VPN services are not an activity subject to a reporting obligation pursuant to Chapter 2, section 1 of the LEK.
Why aren’t VPN services regarded as an activity subject to a reporting obligation pursuant to Chapter 2, section 1 of the LEK?
The legislative history of the LEK states that VPNs can take place over a public communications network but that does not subject the party providing a VPN to a special obligation to report the activities under the LEK. It is the party providing the public communications network that is subject to the reporting obligation for this (if it is provided against payment).
This is also clear from the study on data storage and EU law (Swedish Government Official Reports 2017:75) - which was undertaken after the data storage directive was declared invalid - and the Tele2 judicial decision that the storage obligation under the LEK does not include storage of data regarding anonymisation services (i.e. VPN services) which are not activated until after internet access.
Mullvad is thus not covered by either the data storage provisions in the LEK for operations subject to a reporting obligation, or the duty to cooperate pursuant to the Covert Surveillance of Data Act.