There are two types of mass surveillance. Commercial, which you can read about here. And mass surveillance carried out by states and rulers. Both are reprehensible, and our attitude is well-established: mass surveillance infringes individuals’ human rights, invades the personal privacy free societies are built on, and is also ineffective against the problems it’s claimed to solve. This is the ultimate core of our business. Our company was founded in 2009 because the surveillance laws were going in the wrong direction, and our message to those in power all over the world is the same now as it was then: there’s a difference between surveillance and mass surveillance. Don’t get involved with the latter: don’t carry out mass surveillance on your population or that of other countries. Use targeted surveillance if there’s a suspicion of a crime, in a proportional way and via independent court decisions.
We think human rights are worth preserving and defending. And it’s important to remember that they’re there to protect people against the state. They are a landmark to cling to, to prevent the worst parts of human history repeating themselves. They are there because people and those in power take bad decisions. Because governments change. Because no state should have total and uncontrollable power. Ultimately, the state should be there for the people and not the other way round.
Even if a large part of today’s mass surveillance is global, it originates in different countries and changes depending on what country you live in. You can read about the consequences of mass surveillance here. But in this article, we’re going to take a look at some of the clearest examples of how widespread it has become in large parts of the world.
USA: with the capacity and experience of monitoring the entire population of the world.
There’s a problem with reporting the mass surveillance carried out by countries like the USA (at least if you want to stick to proven facts): they aren’t very happy about you talking about it. Of course there are exceptions. Like when self-satisfied managers like the CIA’s chief technology officer Ira ‘Gus’ Hunt give presentations and boast to journalists about how “we try to collect everything and hang onto it forever”. Or when a senior Defense Department official explains that not even the Pentagon’s employees can expect to have their privacy respected: “We want our people to understand: they should make no assumptions about anonymity. You are not anonymous on this planet at this point in our existence. Everyone is trackable, traceable, discoverable to some degree”.
And sometimes a building says more than a thousand words, like when the NSA constructs enormous server halls out in the Utah desert to store data.
But to get mass surveillance down in black-and-white, to produce hard facts and figures, it requires brave whistleblowers like Edward Snowden. It’s only through this type of hero that we get an insight into what’s actually going on. Even now we still don’t have better answers than what Snowden gave us in 2013. We’d hoped for change in the wake of his revelations, but unfortunately they’re still relevant today, so that’s where we’ll start.
Snowden's revelations showed that American authorities were monitoring hundreds of millions of people all over the world – every day.
American mass surveillance is possible thanks to Section 702 of the Foreign Intelligence Surveillance Act (FISA), a law that the USA renews every five years. Section 702 is the key to why American authorities need no court decisions to monitor people. The law came into being on the pretext that terrorists were being tracked after the 9/11 attacks, and would ‘only’ refer to eavesdropping on non-American citizens, but as the law is written and as the internet is constructed, in practice it means surveillance of both foreign and American citizens. When Snowden’s revelations emerged, it also turned out that it wasn’t just being used against people suspected of a crime, but that the American administration was carrying out mass surveillance of millions of people. Other documents that Snowden leaked demonstrated how the National Security Agency (NSA) had the capacity to monitor essentially every person on the planet, and that they weren’t saving their powder: the documents showed, amongst other things, that they collected 200 million text messages from different parts of the world – every day.
Using the program XKeyscore, the NSA’s analysts had access to a database covering “nearly everything a typical user does on the internet”. This included direct data like emails in people’s inboxes, chat conversations and private messages on Facebook. But also things categorized as metadata: search histories and exactly what sites millions of people were visiting. Using XKeyscore the analysts could also do searches on people’s internet behavior – entirely without judgments from either a court or even a superior inside the NSA. Either via a hard search: for example through an IP address or email address, which could give them access to virtually everything a specific person did online. Or via a soft search: a search for a keyword or phrase, which could give them lists of people with a particular internet behavior. Snowden showed the world how easy it was for the NSA to search in XKeyscore and how much they could get out from the program. But where did all the data come from?
Section 702 contains two parts that give American authorities such as the FBI, CIA and NSA access to enormous quantities of data, and they go by the names of PRISM (downstream) and Upstream.
PRISM means that they have the right to demand data from American companies without a court decision. When the authorities have free rein to request information from the world’s biggest tech companies, it’s not surprising that it ends in mass surveillance. But Snowden revealed that the situation was even worse. The leaked documents revealed that the authorities didn’t even need to request the material, but that they more or less had direct access to the tech companies’ systems and servers. As Snowden wrote in his book Permanent Record: “PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, Skype, AOL, and Apple, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds.”
Of course all the tech companies on the list denied that the FBI, CIA and NSA had direct access to systems and servers. Which maybe wasn’t all that strange, because the law can actually mean that it’s illegal for the companies to admit their involvement.
While PRISM gave the NSA the right to demand data from American companies such as Microsoft, Facebook and Google, Upstream gave them the right to directly connect to the backbone used by American telephone and internet service providers. This involved major American telecoms companies such as AT&T but also the world’s biggest router manufacturers, who built monitoring for the NSA into their products. Snowden again:
“Upstream collection, meanwhile, was arguably even more invasive. It enabled the routine capturing of data directly from private-sector internet infrastructure – the switches and routers that shunt internet traffic worldwide, via the satellites in orbit and the high-capacity fiber-optic cables that run under the ocean.”
It would take a lot to prevent global internet traffic from traveling via American servers, cables and services. That’s how the digital infrastructure and power relationships are constructed. In principle, PRISM and Upstream therefore gave the American authorities the possibility of monitoring every person on the globe. Snowden showed that they could search people’s history, but also monitor them in real time. Handling that quantity of data required sorting, which was done via the TURMOIL and TURBINE programs. In Permanent Record, Snowden wrote:
“You can think of TURMOIL as a guard positioned at an invisible firewall through which internet traffic must pass. Seeing your request, it checks its metadata for selectors, or criteria, that mark it as deserving of more scrutiny. Those selectors can be whatever the NSA chooses, whatever the NSA finds suspicious: a particular email address, credit card, or phone number; the geographic origin or destination of your Internet activity; or just certain keywords such as ‘anonymous internet proxy’ or ‘protest’. If TURMOIL flags your traffic as suspicious, it tips it over to TURBINE, which diverts your request to the NSA’s servers. There, algorithms decide which of the agency’s exploits – malware programs – to use against you. Once the exploits are on your computer, the NSA can access not just your metadata, but your data as well. Your entire digital life now belongs to them.”
Snowden’s whistleblowing revealed that the American authorities were eavesdropping on people’s conversations, reading their messages and even looking right into their homes via cameras in computers and mobile phones. And yet it’s common for states carrying out mass surveillance to deny it and try to hide behind the phrase ‘we only collect metadata’. As if that wasn’t enough. American cryptographer and security expert Bruce Schneier describes it as follows in his book Data and Goliath:
“In a text message system, the messages themselves are data, but the accounts that sent and received the message, and the date and time of the message, are all metadata. An e-mail system is similar: the text of the e-mail is data, but the sender, receiver, routing data, and message size are all metadata. Metadata may sound uninteresting, but it’s anything but. Collecting metadata on people means putting them under surveillance. Eavesdropping gets you the conversations. Surveillance gets you everything else. Metadata reveals our intimate friends, business associations. It reveals what and who we’re interested in and what’s important for us, no matter how private.”
Metadata includes all the websites you visit and your entire search history, and when you realize that, the ‘we only collect metadata’ defense suddenly becomes very thin. Stewart Baker, former general counsel for the NSA, expressed this clearly: “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.” You can read more about metadata here.
When Edward Snowden decided to turn whistleblower, he was firmly convinced that he needed to get hold of the right journalists for the job. The question was who was most suitable. He thought about this for a long time. Sketched out different criteria and scenarios. Tried to reason who would be best. But then he realized it was better to let the NSA system choose for him. Because of course he could enter a group of carefully selected search terms to produce a list of journalists critical of the USA’s mass surveillance society. The system came up with names including Laura Poitras and Glenn Greenwald, two of the journalists who finally met Snowden in that Hong Kong hotel room.
The fact that the NSA was monitoring journalists wasn’t particularly surprising. The American surveillance apparatus wasn’t merely eavesdropping on terrorists and criminals. They were also carrying out industrial espionage and monitoring human rights organizations like Amnesty and Human Rights Watch. They weren’t simply listening to hundreds of millions of Americans, but for example also captured 70 million French phone calls per month. And of course the system was used to monitor politicians and world leaders.
We haven’t been able to get as good an insight into how the American authorities work since Snowden’s revelations. We don’t know exactly how they carry out mass surveillance today. But Section 702 has been extended. And every year since 2013, more and more information has emerged about how the NSA, CIA and FBI are sticking to their tactics of not merely monitoring suspects, but carrying out mass surveillance of the entire population.
End-to-end-encryption was a pipe dream in 2013. An enormous fraction of global internet traffic traveled electronically naked. Now, it is a rare sight. But the capabilities governments had in 2013 seem like child's play compared to today.
In 2017, we all got a new insight into the American mass surveillance apparatus. The leak was far from as comprehensive as Edward Snowden’s, but it was clear that these activities were still continuing when Wikileaks revealed that the CIA had hacked into people’s phones, computers and TVs to carry out mass surveillance. And this time, not even the commercial partners denied it: “If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition”, as Samsung expressed it.
The quote could have come directly from George Orwell’s 1984 dystopia, with its telescreens that both sent out propaganda and listened to the population.
In 2023, Snowden gave his picture of how the world had changed, ten years after he had become a whistleblower. He spoke about how his revelations had made the tech companies introduce end-to-end encryption and that in many ways it’s no longer as easy for authorities to simply eavesdrop on all internet communication. At the same time, the technical skill and development have advanced enormously, even on the other side. As Snowden expressed it:
“If we think about what we saw in 2013 and the capabilities of governments today, 2013 seems like child’s play. The idea that after the revelations in 2013 there would be rainbows and unicorns the next day is not realistic. It is an ongoing process. And we will have to be working at it for the rest of our lives and our children’s lives and beyond.”
The tenth anniversary of Snowden’s revelations received widespread attention, and the majority of sources were in agreement that global mass surveillance has certainly not ceased, merely found different approaches.
Europe: Countries in close collaboration with the USA. Sometimes even worse than Big Brother.
But Edward Snowden’s whistleblowing didn’t expose only the actions of the American authorities. In the same way as the US Upstream system, the UK connects directly to the fiber optic network between the USA and Europe, and gives what it calls the Tempora program access to internet traffic between the two continents. With Tempora, the British intelligence organization GCHQ could, it claimed, “Master the internet”, and Snowden’s leak showed that it was a very apt description. In 2013, 300 GCHQ and 250 NSA employees worked full time to analyze the data that arrived via 40,000 different key triggers. In total, 850,000 NSA employees had access to the British system, which processed 600 million ‘telephone events’ and other traffic every day via 200 fiber cables. Snowden called Tempora “the largest program of suspicionless surveillance in human history”. But what did GCHQ have to say? When they trained new analysts in the tool, the presentation had the title “You are in an enviable position – have fun and make the most of it”. It suddenly doesn’t sound so unlikely that NSA employees would pass around naked pictures of the people they were monitoring.
And the USA and UK aren’t the only countries collaborating and sharing surveillance between them. Since the Second World War, the countries in the Five Eyes electronic eavesdropping alliance have shared data amongst themselves. From the outset, the members of the English-speaking Five Eyes pact were Australia, Canada, New Zealand, the UK and the USA. But Edward Snowden’s leaks revealed that the alliance had been expanded and that it now went by the name Fourteen Eyes, with the new members being Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden.
VPN actors who claim they are better because their business isn't in a Fourteen Eyes country are ignorant and dishonest. The internet is a global phenomenon, and your traffic crosses the borders of several Fourteen Eyes countries as soon as you start to surf, regardless of where your VPN company is based.
It’s important to emphasize: Mullvad VPN is a Swedish company, and our business is based in a Fourteen Eyes country. That has absolutely no impact on our users. The Fourteen Eyes agreement is based on collaboration between intelligence services and on the fact that they sometimes share the internet traffic that crosses their country borders in the physical cables that, for example, run under the Atlantic. As we’ve already observed, the internet is a global phenomenon and the majority of traffic is sooner or later routed via the USA, so it’s really not important where a VPN actor is based. Regardless of where their business is in the world, and regardless of where their servers are, their users will not be able to remain within those borders, because they will naturally visit websites and use services that are located elsewhere. In addition, these 14 countries were revealed more than 10 years ago. No VPN actor knows how high the figure is today and which countries are involved.
But fortunately, the whole idea of a VPN is to encrypt traffic, to make it impossible to read, for example if an authority has connected to a fiber cable. So when VPN actors claim they are better because their business is based ‘outside Fourteen Eyes countries’, it’s not only proof of a serious lack of knowledge, it’s also dishonest and misleading. When it comes to where your VPN actor is based, only the country’s laws are relevant. The laws that control how a VPN service must log and reveal data are crucial. Sweden is a good country from this perspective. You can read more about the laws relevant to Mullvad here.
It’s hardly news that the intelligence services in different countries collaborate, and nor is it a problem. The problem is that they do so via mass surveillance, despite the fact that it’s constantly being judged as horrifying and illegal. In 2018, the European Court of Human Rights stated that the Tempora program was illegal and incompatible with the conditions required for a democratic society and in 2020, an American court decided that the NSA surveillance of hundreds of millions of people was unlawful and unconstitutional. You might be forgiven for thinking that such repeated scandals would tip the world in another direction. But instead, it seems like mass surveillance is simply getting more and more extensive.
An intense tug-of-war is under way in the EU. At one end: the EU’s highest court, which over and over again rules that mass surveillance is illegal, plus the part of the EU trying to put legal pressure on tech companies via directives such as the GDPR and the Digital Services Act. Up to now, the GDPR Directive has been largely ineffective, and has mostly succeeded in handing out symbolic (in the context) fines to the world’s richest companies while simultaneously making the internet experience a cookie nightmare for every user. But this type of regulation has actually started to put pressure on big tech companies like Meta and Google. Hopefully this will ultimately lead to something good, but there’s a risk that the tech companies will simply adapt, regroup and come up with new solutions to collect data. Read more about their techniques here. But we still applaud attempts from the EU and hope that this is the power in Brussels that gets the longest straw. Because there’s another side in this battle, that’s pulling in completely the opposite direction.
At the other end of the rope, for example, we find EU countries like France, which wants to introduce AI video surveillance, and Hungary, which is installing black boxes allowing the state direct access to ISPs’ networks, and therefore to users’ internet behavior, without a court decision.
In the same sphere, we also find parts of the commission wanting to introduce a total prohibition on private communication with its proposed chat control law, which would mean mass surveillance on a level that would even make the NSA jealous. Needless to say, we’re closely following the battle between those who want to transform the EU into an authoritarian alliance and those who actually care about privacy and are attempting to provide a good example for the rest of the world.
In the UK too, there are powers that want to undermine the encrypted traffic that’s become more popular since the Snowden revelations, through the draft Online Safety Bill.
In both Europe and other parts of the world, we’ve also seen how Pegasus spyware is used by countries to target dissenters, political activists and journalists.
Governments and authorities in democratic countries have shown that they have no problem carrying out mass surveillance of entire populations and looking straight into law-abiding people’s homes via phone cameras and microphones, TVs and computers. And their authoritarianism shines through their ambitions, like when EU Commissioner Ylva Johansson thinks the EU’s experts and independent regulatory authorities make it difficult for Europol to do its work. It bears repeating: human rights are there to protect people against the state. And it’s also important to remember that rights are something you also have to fight for.
Authoritarian countries: don’t conceal their ambitions for their mass surveillance.
The fact that totalitarian countries also use mass surveillance scarcely needs saying. In the world, there are more than 4.5 billion internet users. 76% of them live in countries that imprison people for things they’ve written online about political, social or religious issues. Almost as many live in countries that block and censor online content. In other words, in authoritarian countries a VPN isn’t used only to reduce mass surveillance, but also as a tool to even be able to get out into a free, uncensored internet, so that people can gain free access to information.
Here are a couple of examples: in Iran, the state has become known for switching between completely shutting down the internet and allowing its surveillance program, SIAM, to control, filter and monitor how people use their phones (via the mobile network).
In India, foreign apps are blocked and strict internet laws have forced VPN services to leave the country.
In Russia, the Russian Federation’s federal security service (FSB) has long used the SORM system to eavesdrop on phone calls, and to read emails and messages. By combining this with censorship, blacklisted technology and other surveillance, Russia’s really cracking down hard on its citizens. In Moscow, the state has introduced a system that combines several hundred thousand surveillance cameras, facial recognition and monitoring of mobile data. The system has been used to track and imprison demonstrators, political opponents and journalists. They call both the program and Moscow’s digital infrastructure ‘Safe City’.
Ironically, however, this massive mass surveillance system has begun to bite the hand that feeds it. On the digital black-market cyber bazaar known as Probiv, corrupt and/or poorly paid and dissatisfied officials have begun leaking data from the enormous databases resulting from mass surveillance. The problem for those in power in Russia is that they’re in the database too. For a very small sum, it became suddenly possible to buy information about Putin’s innermost circle, which the opposition, other countries and investigative journalists didn’t hesitate to exploit.
The Great Firewall of China controls and censors the internet for 750 million inhabitants. They are under total surveillance and the police system claims to be able to predict when someone is going to commit a crime, and where.
The list of countries using mass surveillance, censorship and persecution on their citizens is a long one. Here’s a good review of the situation in different countries and how the trends look (spoiler: the world has declined by this measure 12 years in a row). Many countries compete to be worst in the world, but regardless of how you count it’s very difficult not to think that China beats them all.
The Chinese state controls the country’s 750 million internet users in an “utterly mind-boggling way”, as Edward Snowden has put it. The state controls the sites users can access, blocks VPN services and requires inhabitants to register using their real name to be able to post content. Social media and messaging apps in the country are under state surveillance, foreign apps are prohibited and even TikTok, which was founded in China, has a special version that blocks international content. Internet service providers in the country are forced to collaborate with the state, and all of China’s mobile phones are under constant monitoring via location data. The Chinese people’s internet experience is completely controlled and censored under what’s known as The Great Firewall of China and even by 2013 there were 2 million ‘internet public opinion analysts’ working manually to censor citizens’ messages online.
But of course the country doesn’t work merely with manual monitoring. In what has been called ‘public opinion analysis software’, the state collects data and uses AI to react to ‘sensitive material’. The list of activists, journalists and perfectly ordinary people imprisoned for criticizing China online seems endless. You only have to insult ‘heroes and martyrs’ to risk spending three years behind bars.
In the Police Cloud, the state has also constructed a system based on big data which is said to be able to ‘visualize’ hidden trends and relationships between people. Using this system, the state draws up relationship maps and registers what it calls ‘extreme opinions’. Another part of the program is claimed to be able to predict crime and where it’s most likely to take place.
China also collects ‘voice prints’ from people, has installed more than half of the world’s 1 million surveillance cameras and has also introduced technology that not only contains face recognition but can even identify how you’re feeling. Overall, the image emerges of a surveillance society that’s not merely reminiscent of the dystopian societies we’ve read about in science fiction but in many ways goes well beyond them.
For authoritarian countries, mass surveillance is a tool of control, and significant resistance will be needed to improve the situation for the inhabitants of those countries. In totalitarian states, the technologies are used to persecute dissenters, censor information and stifle protest movements. There’s no doubt about this – and this type of country isn’t exactly ashamed of it, either.
Democratic countries don’t boast about it as much and the consequences for those affected are not as severe. But we’ve already seen how mass surveillance is used to win free elections and how dissenters and journalists are monitored. There are several democratic countries on a slippery slope and the question is where they will end up when history is being written. Do they want to continue being democratic or not? Because that’s what mass surveillance is about. Mass surveillance equals control and is the opposite of freedom. And there’s a boundary somewhere. Somewhere, you finally lose your position as a free society. That’s why we fight for a free internet.