Swedish ISP to let users shield Internet activity from police

A free VPN service from Bahnhof will keep web surfing and other online usage anonymous

Swedes have started to sign up for a free service from ISP Bahnhof to hide their Internet communications metadata from the police, and the company's CEO is urging other European ISPs to follow suit.

The Swedish ISP will start offering a free VPN (virtual-private-network) service to its customers on Monday. That same day it will also resume retaining customer location and traffic metadata for law enforcement purposes to comply with Swedish law, something it stopped doing in May. By complying again with the data retention rules, the ISP will avoid a fine of 5 million Swedish Kronor, or about US$678,000.

The free VPN service will let customers be anonymous online and avoid being subject to mass surveillance, Bahnhof CEO Jon Karlung said on Tuesday. "It is an alternative. It allows customers to choose whether they want data retention or not," he said. The ISP is launching the VPN service on the same day it starts to retain customer data again "so we can countermeasure the effect of the data retention."

Bahnhof, which has about 150,000 residential subscribers and between 10,000 and 15,000 business clients, stopped retaining and deleted all metadata after a May ruling by the Court of Justice of the European Union (CJEU).

The court invalidated the EU's Data Retention Directive because it seriously interfered with fundamental privacy rights. Swedish data retention law is based on that directive and the Swedish Post and Telecom Authority (PTS) allowed ISPs to stop collecting and delete the data without consequence after the ruling.

However, in August the PTS made a 180 degree turn and ordered ISPs to start retaining data again, a move that prompted Bahnhof to call on the European Commission to intervene, so far with no result.

The VPN service, called LEX Integrity, will be operated by the 5th of July Foundation, a Swedish organization that aims to protect online rights and co-signed the letter Bahnhof sent to the Commission.

The service will not encrypt the traffic and is only meant to hide someone's identity, Karlung said. "It acts as a laundry machine. It removes all data about who has done what on the Internet," he said. The servers of the foundation are located close to Bahnhof's, so network speeds should not be affected, according to Karlung.

Oscar Swartz, chairman of the foundation said Bahnhof has no access to the foundation's machines. "They have no way of knowing what their customers are doing after handing them over to our servers," he said.

When Bahnhof customers surf using the VPN, they share IP addresses, meaning many users can have the same address at the same time. "As a provider of this service we do not have to retain data. Even if we would have to, there would be no useful information to be had from us," Swartz said.

However, the PTS isn't so sure that the service is exempt from the data retention law. From a legal perspective, the VPN service could be deemed to be run by Bahnhof, said Steffan Lindmark, legal advisor at the PTS. At the moment, the PTS cannot rule out this possibility because the authority hasn't yet looked into the matter.

However, there are no plans to do that, Lindmark said. There have been similar VPN services offered in Sweden by others and the PTS has never heard complaints about them from the police. And as long as Bahnhof starts retaining data again on Monday, all should be fine. "We will wait for an indication they are not following the law before we do anything with Bahnhof again," Lindmark said.

Karlung thinks more European ISPs should follow Bahnhof's example, and that European consumers should put pressure on their ISPs to offer this type of service.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Bahnhofsecuritylegaldata protectionprivacy

More about EUEuropean CommissionIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts