Swedish ISP Will Automatically Encrypt All Traffic To Protect Privacy Under New Data Retention Laws
from the how-it-all-works dept
When Sweden first put in place its IPRED law, which required ISPs to hand over identifying info on people accused of file sharing, one of the first ISPs to respond was Banhof, who immediately put in place a new policy to delete all log files. Now that Sweden is pushing forward with a data retention law that would require ISPs to keep log files, Banhof has taken things up a notch by encrypting all traffic on their network via a VPN. That means that even if it keeps logfiles, the information will be effectively useless. Honestly, I'm surprised that more ISPs haven't done something similar and pitched themselves as focused on protecting privacy. It's difficult to see how Swedish politicians can really respond to this. They can't exactly order ISPs not to encrypt traffic. Just think of the mess that would cause. So, as the US starts looking (again) at data retention laws, they might want to consider what's happening in Sweden.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data retention, encryption, sweden, vpn
Companies: banhof
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Honestly, if they are going to this extent to "protect" their clients, aren't they reaching the point of being active participants in the very activities the law seeks to stop?
[ link to this | view in chronology ]
Re:
Nope, simply protecting users against unreasonable government requests. You know, the kind of things good corporate citizens SHOULD be doing.
Next question?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
A cop would not be able to walk in to your house and search it, under the pretense of "if you have nothing to hide you shouldn't be worried."
[ link to this | view in chronology ]
Re: Re: Re:
GASP! You GOT me! Oh well, the veil is off, might as well make the best of it.
So come one, come all, down to Dark Helmet's torrent search site. You too can get all the torrenty goodness you need, all you have to do is click on www.darkhelmettorrentssitethatimadebecauseihadtoonceithoughtprivacyforprivatecitizensmightbeagoodide a.com
Yes, that's the site, my friends. It's a grand place where you can get all the torrents your heart desires. But wait! We have a special focus for our search site. We focus on torrent searches in the following categories:
1. Golf porn
2. Movies about Chicago quaterbacks NOT named Jay Cutler
3. Nina Paley's movies (shhhh! She's gonna be sooooooo pissed zomg lols)
4. Videos that start off like those ones that have cute little squirrels doing human things w/their hands, but ends with such animals getting run over by semi trailers
5. All footage of Bulls games during the Jordan era, with all white people edited out for the further enjoyment of basketball fans
6. The collective works of Timothy Geigner (we know a guy....)
So come on down, you're the next contestent on stupid claims easily mocked by Anonymous Cowards....
[ link to this | view in chronology ]
Re: Re: Re: Re:
Mind if a cyber squat on that domain name?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Gay Golf Porn With Puppies
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Oh, never mind!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Golf Porn
Golf Porn
Golf Porn
Golf Porn
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Domain name may not exceed 63 alphanumeric characters
Well bugger, there goes my idea for an entertaining weekend of building the next Youtube. :(
[ link to this | view in chronology ]
Re: Re: Re: Re:
*click*
SERVER NOT FOUND
:( Looks like ICE got Darkhelmet already. Damn, they're eerily efficient. Sadly it seems I'll have to get my squished squirrels fix somewhere else.
[ link to this | view in chronology ]
Re: Re: Re: Re:
the GPIAA(golf porn *IAA)
must have had it ddos`ed
[ link to this | view in chronology ]
Re: Re: Re:
Okay, I really wish Mike would put a "Lame" button up. or "Weakest Rebutal" because that was the worst of the week.
Its two totally seperate statements you are trying to combine. Neither has anything to do with the other. We need to send you off to shilling and trolling school.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
buttons
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
There is a point where it crosses the line from customer service to helping people evade the law. They crossed that line a ways back.
[ link to this | view in chronology ]
Re: Re: Re:
There is also a point where government crosses the line between governance and oppression. They are doing that now as we speak.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Ok, if you want to make that argument, then it looks like there is something missing between paragraph 1 and paragraph 2... evidence of said intent.
Perhaps it was accidently deleted in you rush to post such an informative post.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
That is totally against our system of justice as well as the statute of limitations on crimes.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
"We (the Government) are going to ban privacy protection implemented by Internet Subscription Providers. This is being done because these ISP's and you, their users, are engaging in activities that we have deemed unlawful and harmful to the country, the economy, our corporate sponsors, the planet, the children, and puppies. Because of this we have decided that no one will have Internet privacy. That way you can be monitored at our discretion and prosecuted when we deem appropriate."
Yea. that'll go over well.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
Curious. How do you outlaw using a VPN?
[ link to this | view in chronology ]
Re: Re:
But they are PRIVATE, as soon as you stop outside that 'private network', you enter the PUBLIC network, ie THE INTERNET.
And all the rules and laws that apply to the PUBLIC network, or the internet will apply to you.
Sure, it will not apply to you if you are using the VPN and ONLY the VPN, but if you are using the VPN to access the public internet.. Then by definition it is NO LONGER A VPN.
And if you leave your safe VPN and enter the internet, and you access an IP address that is considered illegal, then the law states that the ISP has to provide the IP address, name and ID of the person or user that accessed that public internet IP address..
Im sure mike you know how a VPN works, don't you ???
[ link to this | view in chronology ]
Re: Re: Re:
I'm not sure that you do, Darryl. And when has ANY IP address EVER been considered illegal let alone the simple act of connecting to it? Please, do answer in gruesome detail and provide as many sources as you can find. Wikipedia is allowed, but try cracking a law book or two while your at it. As for the VPN issue, the encryption lies in the idea of putting an encrypted black box process in the middle of all passing traffic connections from one side of the ISP to the other. All the logs would show is that the ISP's VPN connections are very popular. No capacity to connect traffic from one side of the ISP to the other would be possible.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Thanks for the warning, I'll check back here in a month for the tough-talking-a-dead-person approach I'm half certain he will follow.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Cost is the main reason ISP's cite when they oppose data retention laws. ISP's might look at this as a protest method. The government might back off if they realized that the logs were going to be useless to them except in extreme cases when they get the NSA involved.
Let's face it, the MPAA is probably the one pushing the retention to make it easier to sift through the ISP logs and catch file sharers en mass. Even a puny 128 bit ISP encryption system would throw a giant monkey wrench into those plans.
[ link to this | view in chronology ]
Re: Re:
If anything, the slight bump in expenses in order to implement encryption would be felt *more* by a small provider like Banhof. For a large scale ISP, this would be like batting an eyelash.
[ link to this | view in chronology ]
Re: Re: Re:
For "data retention" (the term is defined VERY loosely), you basically just archives your logs, which costs nothing if only a few more HDDs.
[ link to this | view in chronology ]
Re: Re: Re: Re:
If I want to encrypt anything at all, anything, nearly instantaneously, I can do so with a ~150 line C program implemented one of Marsaglia's KISS RNGs with a run-time in the milliseconds per megabyte.
I could also use some nasty asymmetric, easily broken, encryption, and laugh quietly to myself while a 1kb file takes 2 hours to decrypt, even with the key. Here you go, sirs, 200 GB of records. Here's the encryption keys and method. See you in, oh, 48,000 years for the follow-up requests?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
As for your encryption gibberish, you should really read up on how easily it is to break almost any encryption with the proper tools and resources. Your KB file would take someone with resources less than a millisecond to decrypt. Your 200GB, a few hours tops.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
When they already have a crook in mind, fair enough.
But the expense of doing that repeatedly just for fishing expeditions is going to make more pressure for such searches to have a legit reason.
[ link to this | view in chronology ]
Re:
They have serverfarms in several cities, the one in Stockholm is housed in a cold war era nuclear bunker(http://www.bahnhof.net/).
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Antiprivacy slippery slope
[ link to this | view in chronology ]
Re: Antiprivacy slippery slope
That is just glorious. By that logic, anyone not keeping track of who they sell ammo to (hello Dick's sporting goods!), arguable is considered to be an accessory to future gun crime. Can also quite reasonably apply that to hunting knives, bows, arrows, tomahawks and boomerangs. So the only "consistency" in TAM's argument is that his bs makes no sense in the real world.
[ link to this | view in chronology ]
Re: Antiprivacy slippery slope
Huh?
[ link to this | view in chronology ]
Re: Antiprivacy slippery slope
Future crime!
*has hiccups from laughing*
Good one.
[ link to this | view in chronology ]
Re: Re: Antiprivacy slippery slope
[ link to this | view in chronology ]
Re: Antiprivacy slippery slope
Just like it is unreasonable to spy in every citizen of a cities to get one person, it is also unreasonable to collect data on everyone to go after someone before anything happens. We all know people get murdered do we give law enforcement the right to search every home because of it? Of course not is a violation of privacy and given the authorities propensity to abuse of their power is like granting an alcoholic access to booze without supervision.
Do they want to get those one off's or just the repeating offenders?
One off's are not problematic are they? the problem is repetition and that excludes the need for pass records because those individuals will get caught doing it again, authorities have the power record that activity legally, why do they need to spy on the rest of the population to get just a few persons? Even more interesting is why the police is involved in a civil mater at all.
[ link to this | view in chronology ]
Re: Re: Antiprivacy slippery slope
We do in America.
[ link to this | view in chronology ]
Re: Antiprivacy slippery slope
> future crime
I can't speak for Sweden but in the U.S., we don't have liability for "future crimes". This isn't the Minority Report. Yet.
[ link to this | view in chronology ]
Slippery slope
I don't want data retention even if the result is that a few criminals avoid justice.
Internet freedom is more important than the enforcement of laws against victimless crimes.
[ link to this | view in chronology ]
Re: Slippery slope
Regular people see pirating and see, not a criminal, but a copyright violator.... who is best punished using the CIVIL LEGAL SYSTEM, not the criminal one.
[ link to this | view in chronology ]
Gun analogy
No, this analogy fails for the reason that there is as far I know no preexisting requirement that ammo dealers keep logs, but there are regulations mandating that legal gun use and possession must be associated with firearms with valid serial numbers.
If an enterprise deliberately sells firearms with obscured serial numbers, or assists the buyers in making their registered firearms untraceable, I think that such a business is in serious trouble.
I can't remember the exact federal statute, but knowingly reselling or giving away a firearm with an obscured serial number is a crime even if you aren't otherwise disallowed from owning a firearms. So even law abiding citizens with no felony conviction, or the other BS excuses for depriving people of their Second Amendment rights are breaking the law if they want to obscure the firearm serial number.
So regulation of firearms is already premised on the Orwellian assumption that you don't have the right to hide your firearm posession from the government. A dealer traficking in firearms with obscured serial numbers would likely not be an accessory to a future crime, since the mere traficking in such is already independently illegal. By analogy, an ISP knowingly routing its trafick in such a way as to make legally required regulation impossible is either operating in a grey area, or must expect future adverse government regulation.
[ link to this | view in chronology ]
Re: Gun analogy
See Egypt and Tunisia for references.
[ link to this | view in chronology ]
Re: Gun analogy
Verizon, or was Comcast?, just proved in the U.S. that they can do so.
So all this BS fighting crime necessity can stop at the borders of the reasonable and not the ridiculous.
[ link to this | view in chronology ]
Re: Gun analogy
[ link to this | view in chronology ]
Re: _Bad_ Gun analogy
"So regulation of firearms is already premised on the Orwellian assumption that you don't have the right to hide your firearm posession[sic] from the government."
For example in Maine the government is _prohibited_, yes I wrote _prohibited_by_law_ from keeping track of the fact that a private citizen may or may not possess a firearm. It is legal for private citizens and gun shows to sell guns to each other. You are not supposed to posses a firearm if you are a mental patient or a convicted felon, but practically there is no way for them to find out unless you running around with a firearm and give them a reason to check on your history.
Carrying a firearm openly is legal practically everywhere (there are a few places like government buildings where you can't). The closest thing to a record is when you apply for a concealed gun permit, then they would have a record that you have a permit to carry concealed, but even then the government doesn't know if or how many firearms you own.
Not too long ago they passed a law requiring people subject to a restraining order to surrender their firearms to the police. It didn't pass, until it was changed so that you could surrender any firearms to a friend or neighbor. Even in this the government isn't allowed to know if or how many firearms you might posses.
As you can see, it might be illegal to have a firearm with a missing or concealed serial number, but unless it is used in a crime there's no practical way for the government to know that. Also, since most people don't trade in serial numberless firearms, the fact the no one is required to register thei
[ link to this | view in chronology ]
I suppose they can use an asymmetric encryption algorithm to encrypt it with and delete the other key, but secure asymmetric encryption is processor costly.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The data is stored on your drive to be decrypted by someone, so someone with the key that was used to encrypt it can decrypt it.
Maybe a Swedish ISP can store data, encrypt it, and periodically delete the key after storing the data and come up with a new key to again store the data, encrypt it, and after a week or so delete it and come up with a new key. That might work, until new laws are passed that prohibit such practice.
[ link to this | view in chronology ]
They are not encrypting the logs... they are encrypting the TRAFFIC. What Banhof is effectively proposing is that if any logs are submitted, they would just show "your computer IP traffic to/from VPN IP" as opposed to "your computer IP traffic to/from "ethically questionable IP" "
The logs would be useless.
[ link to this | view in chronology ]
Plausible deniability
Yes, but since the holder of the encrypted data doesn't know how to decrypt it, he can't comply even with a legally binding subpoena.
Truecrypt includes an interesting plausible deniability feature making it possible to hide a smaller volume within a larger volume.
If the government tells you to decrypt, you can decrypt the larger volume and deny the smaller hidden volume exists. The only way arouned encryption is banning it or making the mere use of it illegal.
Maybe a Swedish ISP can store data, encrypt it, and periodically delete the key after storing the data and come up with a new key to again store the data, encrypt it, and after a week or so delete it and come up with a new key. That might work, until new laws are passed that prohibit such practice.
Sure, and then the users switch to opensource encryption software. Criminals could set up their own private VPNs over 'the internet, and ISP logs would prove only that customer a and b had a connection to each other over port xxx. If enough people adopt strong end-to-end encryption, logging all traffick becomes rather useless. The EC directive only requires the retention of a narrow category of identifying information email, http, port number and Ip address but not the contents of the communication. The data retention directive is already controversial, and the commission might well suggest a shortening of the retention time.
Sweden only passed the data retention law because it had to.
[ link to this | view in chronology ]
Re: Plausible deniability
[ link to this | view in chronology ]
Re: Gun analogy
Obscuring the serial number is itself a crime without any nexus to the seller knowing that the firearm is going to be used in the commission of a crime.
So a gun retailer caring about privacy of its customers commits a crime if he helps them make their firearms untraceable to the government.
The untraceable firearms kill people is unfortunately very close to the untraceable internet use facilitates crime argument.
Of course Tam is also against the Second Amendment and effective self-defense.
[ link to this | view in chronology ]
Re: Re: Gun analogy
And the law requires that ISP to log you're IP connections.
That is what the data retention law is about, THEY HAVE TO RETAIN THAT DATA, in plain text, human readable form,
So if you have an account with that ISP, that ISP will have to provide the IP you used at the time, your Name and your Address.
No VPN is going to stop that from occuring.
[ link to this | view in chronology ]
Re: Re: Re: Gun analogy
So if you have an account with that ISP, that ISP will have to provide the IP you used at the time, your Name and your Address.
No VPN is going to stop that from occuring."
You seem like you don't fully grasp how a VPN works, think of it as surfing via a proxy server, all the logs from the ISP will show you connected to the VPN - not the target webpage/service/ftp/newsserver/tracker/whatever.
So in plaintext, the ISP will hand over the logs, but the logs will be useless since they will only show you connected to the VPN.
And before you even start, a VPN is a service, not an ISP, so the law does not apply to a VPN.
[ link to this | view in chronology ]
The pirate box
Next? VPN is illegal. People have been saying this for months, if not years. But the industry shills are computer illiterates. By the time they notice, understand, buy the policitians (they're very good at it) and change the laws, a new technology will be in place and they will have to start all over again.
Technology is and has always been one step ahead. Not even a police state will solve this problem. Ever.
Has anyone seen the pirate box? No internet needed. Sharing is here to stay.
[ link to this | view in chronology ]
From the "yea, that'all work Dept.
If this mob handed them a bunch of encrypted files, they would not accept them as THE CORRECT files, and they would be fined accordingly.
If you think that will fix them, you are as silly as they are !!!..
[ link to this | view in chronology ]
Re: From the "yea, that'all work Dept.
They can fully comply with the law and hand over the useless logs.
So yes, That will work.
[ link to this | view in chronology ]
Ignorant fool
Complete nonsense, an IP address itself is not proof of illegal activities in particular not if the IP address is a proxy or VPN server used by several users some of whom aren't engaged in illegal conduct. The ISP's responsibility only extends to identifying *who* connects to the IP address, but doesn't extend to the data exchanged between the customer and the VPN server. The data retention directive only obligates the member state to mandate retention of a narrow category of dentifying connection data and doesn't mandate decryption or packet inspection.
[ link to this | view in chronology ]
Two caveats to this article,
[ link to this | view in chronology ]
Re: Two caveats to this article,
[ link to this | view in chronology ]
Re: Two caveats to this article,
You can hear him saying(in the audio part) they will do it at some point and it will be the default with people having to opt out at a price of 50SEK.
Is that not what he said there?
[ link to this | view in chronology ]
Federal law
[ link to this | view in chronology ]
Re: Federal law
So if it's made locally.... you can do whatever you like to the serial number as long as it never crosses a border. Or you never check the serial number and hence receive/ship it "un-knowingly".
Not poking fun at you sir... just what looks to be a glaring hole in the law (and yes I am sure the other 42 cluses probably close it)
[ link to this | view in chronology ]
Re: Federal law
Only in matters of federal jurisdiction. In all other matters, state law is supreme.
[ link to this | view in chronology ]
Commentary
Naturally, we need to account for population intellect which I would think Sweden has more of than say those who voted in favour of a 'The President has a 'Stop teh Internet-button''. See how well that worked for the Egyptians. :D
[ link to this | view in chronology ]
I know, there's a thousand loopholes in each argument, but this is how the Corporate State works - it will continue to fight and rape and subjugate until it either owns the World or we incinerate it and never allow it to rise again.
[ link to this | view in chronology ]