Swedes have started to sign up for a free service from ISP Bahnhof to hide their Internet communications metadata from the police, and the company's CEO is urging other European ISPs to follow suit.
The Swedish ISP will start offering a free VPN (virtual-private-network) service to its customers on Monday. That same day it will also resume retaining customer location and traffic metadata for law enforcement purposes to comply with Swedish law, something it stopped doing in May. By complying again with the data retention rules, the ISP will avoid a fine of 5 million Swedish Kronor, or about US$678,000.
The free VPN service will let customers be anonymous online and avoid being subject to mass surveillance, Bahnhof CEO Jon Karlung said on Tuesday. "It is an alternative. It allows customers to choose whether they want data retention or not," he said. The ISP is launching the VPN service on the same day it starts to retain customer data again "so we can countermeasure the effect of the data retention."
Bahnhof, which has about 150,000 residential subscribers and between 10,000 and 15,000 business clients, stopped retaining and deleted all metadata after a May ruling by the Court of Justice of the European Union (CJEU).
The court invalidated the EU's Data Retention Directive because it seriously interfered with fundamental privacy rights. Swedish data retention law is based on that directive and the Swedish Post and Telecom Authority (PTS) allowed ISPs to stop collecting and delete the data without consequence after the ruling.
However, in August the PTS made a 180 degree turn and ordered ISPs to start retaining data again, a move that prompted Bahnhof to call on the European Commission to intervene, so far with no result.
The VPN service, called LEX Integrity, will be operated by the 5th of July Foundation, a Swedish organization that aims to protect online rights and co-signed the letter Bahnhof sent to the Commission.
The service will not encrypt the traffic and is only meant to hide someone's identity, Karlung said. "It acts as a laundry machine. It removes all data about who has done what on the Internet," he said. The servers of the foundation are located close to Bahnhof's, so network speeds should not be affected, according to Karlung.
Oscar Swartz, chairman of the foundation said Bahnhof has no access to the foundation's machines. "They have no way of knowing what their customers are doing after handing them over to our servers," he said.
When Bahnhof customers surf using the VPN, they share IP addresses, meaning many users can have the same address at the same time. "As a provider of this service we do not have to retain data. Even if we would have to, there would be no useful information to be had from us," Swartz said.
However, the PTS isn't so sure that the service is exempt from the data retention law. From a legal perspective, the VPN service could be deemed to be run by Bahnhof, said Steffan Lindmark, legal advisor at the PTS. At the moment, the PTS cannot rule out this possibility because the authority hasn't yet looked into the matter.
However, there are no plans to do that, Lindmark said. There have been similar VPN services offered in Sweden by others and the PTS has never heard complaints about them from the police. And as long as Bahnhof starts retaining data again on Monday, all should be fine. "We will wait for an indication they are not following the law before we do anything with Bahnhof again," Lindmark said.
Karlung thinks more European ISPs should follow Bahnhof's example, and that European consumers should put pressure on their ISPs to offer this type of service.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to [email protected]