WikiLeaks ISP To Circumvent Data Retention Laws

Wikileaks ISP Bahnhof will anonymise all traffic by default to render Swedish data retention laws “toothless”

Swedish ISP Bahnhof will pass all customers’ traffic through an anonymising service by default in response to a law that would require telecommunication providers to retain customer data, the company’s CEO said on Swedish radio.

Sweden is in the process of passing a law that implements the European Union’s Data Retention Directive, which requires fixed and mobile telephone companies and Internet service providers to retain customer data to facilitate the “investigation, detection, and prosecution of serious crimes”.

Encrypted VPN Renders Users Invisible

Bahnhof, Wikileaks ISP and host, said it will make the law “toothless” by implementing a technical solution that will encrypt all customer traffic.

“We plan to let our traffic go through a VPN service,” Bahnhof’s Jon Karlung said in an interview with Sveriges Radio (transcript translated through Google Translate) on January 26. With the encryption in place, it will be impossible for Bahnhof to see or log what customers are doing.

The European Union’s Data Retention Directive, currently under review in several member states, requires telecommunication providers to retain traffic, location and subscriber information for all customers for a minimum of six months. Germany is one of the 20 member states that put the directive in place after it was established in 2006. But a recent court decision has declared the law unconstitutional. The European Commission filed a complaint against Sweden and a number of other countries for not yet complying with the directive.

Sweden appealed but lost its case before the European Court of Justice last year. As a result, the government has proposed legislation that will require Swedish telephone and Internet providers to retain data for six months. The law picked the shortest possible retention period allowed by the EU in order to “create adequate protection for personal integrity”, Justice Minister Beatrice Ask said at the time.

Bahnhof chose a technical solution that will allow its customers to continue surfing anonymously, Karlung said. With the encryption in place, Bahnhof will have no idea what their customers do online, what sites they are looking at or who they are talking to, Karlung said. The company will store all customer data up to the point where the traffic is anonymised, and that information will be available to the police, but it will be “irrelevant,” Karlung said. “What happens after that is not our responsibility and is outside Bahnhof,” he said.

As for accusations that Bahnhof will become a safe haven for drug dealers, stalkers, and other criminal elements, Karlung said Bahnhof supports law enforcement cracking down on Internet crime. Those efforts must be based on individual cases “where there is suspicion” and not just looking at a “general storage of all the people’s communication,” he said.

Ask admitted to SR that the proposed law has loopholes because technology changes rapidly. “It is impossible to cover every possible alternative route,” Ask said. “I always think it’s bad when you slip away important legal rules,” she said in reference to Bahnhof.

This is not the first time Bahnhof circumvented Swedish law. Sweden introduced the Intellectual Property Rights Enforcement Directive in 2009, which gave rights holders the authority to request personal details of alleged copyright infringers. Bahnhof promptly ceased logging customer activity altogether, claiming there was no data available to hand over.

There are on average 148,000 requests per year for the customer data in countries that have implemented the directive, according to the European Commission.

United States business interests appear to have pressured Swedish officials to draft the law, according to a US State Department cable from March 2009 that was released by WikiLeaks, reported Rick Falkvinge on his Info Policy blog. Motion Picture Association of America is an organisation that relies on ISP data to crack down on piracy. The Federal Bureau of Investigation has relied on such logs as part of its probe of “Operation Payback” attacks perpetuated by the “Anonymous” group of activist hackers protesting efforts to shut down WikiLeaks.

Anyone really concerned about staying anonymous can use Internet cafes, anonymisation services, public telephones, or unregistered mobile telephone cards.

According to SR, several other Swedish ISPs are also researching technical solutions to circumvent the upcoming law. Bahnhof is the only one who has publicised its intentions at this time.

However, Karlung says he is all for giving customers a choice. Customers can opt-in to have Bahnhof save their traffic data for an additional SEK 50 (£4.87) a month, he said.