Swedish Covert Surveillance of Data Act
Swedish Covert Surveillance of Data Act (2020:62) is a new law which came into effect in Sweden on April first 2020. The new law means that police and other enforcement agencies are allowed to hack into various technical devices to take part of the data that exists on the device or passes through the device.
Long story short; OVPN is not affected by the law and as such we are not required to — nor will we ever — help anyone spy on our users.
About the law
Data surveillance can be used as part of a preliminary investigation, for intelligence purposes, and "certain immigration control." It can only be used for especially heinous crimes with a minimum prison sentence of at least 2 years.
The law is intended to give police another tool to use against organized crime as those criminals often use encrypted apps to communicate and often avoid public places where there is any kind of camera or sound surveillance.
Permission need to be granted by a judge for each type of surveillance used, with special permissions given for crimes outlined in chapter 27, section 2, subsection 2, 2-7 of the procedural code, which includes sabotage, arson, general destruction, hijacking, insurrection, armed threat to legal order, civil liberty violation, high treason, war instigation, espionage, illegal intelligence operations, corporate espionage, and terrorist crimes.
Which areas are covered by the law?
The law intends to cover surveillance of the following areas:
- Data interception
- Data surveillance
- Geolocation information
- Camera surveillance
- Sound surveillance
- Data which is stored on a medium but not covered by 1-5
- Data that show how a storage media has been used but is not covered by 1-6
How does the law affect OVPNs users?
The law allows a law enforcement agency to apply technical surveillance — either in the form of malware or physical tampering — to intercept data before it is encrypted. This means that if you are the target of such a surveillance method, a VPN connection will not help as long as the technical surveillance is applied directly on the device itself.
The method used for surveillance will vary from suspect to suspect, device to device and even which permission has been granted by a judge. If required, the law enforcement agency is even allowed to use various exploits as well as remove or circumvent various system protections, provided the law enforcement agency can restore the system protection to at least the same state as before the surveillance started.
The law enforcement agency may, if permission has been granted, use various vulnerabilities in phones or televisions to activate the microphone in said devices and listen in on conversations. Exploits in cameras can also be used in order to record whatever is going on where the camera is located. Permissions for camera surveillance can not be granted for someone's permanent residence for crimes falling under the first category, namely crimes with prison sentence of at least 2 years.
However, if a person is suspected of a crime defined in chapter 27, section 2, subsection 2, 2-7 of the procedural code, camera surveillance can be granted not only for someone's permanent residence — but also friends, family and other acquaintances of the suspect, as long as there is reason to believe said person will be in that residence during the period the permission is granted for.
How is OVPN affected?
The law states:
Section 24 Anyone who conducts activities that is subject to notification pursuant to Chapter 2. Section 1 of the Electronic Communications Act (2003: 389) is, at the request of the executing authority, obliged to participate in the execution of Covert Surveillance of Data.
VPN services are not subject to notification pursuant to Chapter 2. Section 1 of the Electronic Communications Act (2003: 389), which means that OVPN can not be forced to help.
OVPN will keep publishing monthly transparency reports which contain information about requests from authorities, police and other companies.
How does the law affect OVPNs internet service providers?
Our Swedish internet service providers are subject to notification and can thus be forced to help law enforcement agencies. However, our server infrastructure is designed in a very special way which prevent these kinds of attacks.
Unlike most VPN providers, all of our servers are wholly owned by us. All of our VPN servers use our own modified hardware and modified software, and we use several methods to obstruct any attempts to manipulate our servers both on a software and hardware level. We also guarantee that any such attempts will lead to us switching to a new data center.
All hardware used to run our service is owned by us and are locked in isolated rack cabinets. All VPN servers run without hard drives — instead, the entire operating system only resides in the RAM memory. It's also not possible to manipulate the servers via console, keyboard or USB, which makes it impossible to perform cold-boot attacks to read or manipulate data or modify anything in the server itself.
When our servers boot, they fetch the correct disk image by iPXE from our encrypted boot servers. As soon as the disk image has been downloaded, a verification of the kernel and initrd signature is performed to ensure that nothing has been tampered with.
The operating system is loaded into the RAM memory, and the server can finally boot if the verification passes. If the verification fails, the server will reboot and retry this process until the verification signature is valid and it's safe to boot.
What can I do?
If you are worried that one of our servers might be tampered with or want to take extra measures to safeguard your privacy we do offer the Multihop add-on which is included for free with bi-annual and annual subscriptions. This feature tunnels your traffic through two servers in different jurisdictions and thus improves your integrity by making you much harder to track.
Although pranks are common on April 1st (commonly referred to as April fool's day), we would love for this to be a joke in bad taste. Alas, it is not.