Swedish Government-Approved Spyware?

by Pekka on June 18th, 2008 in Comment.

There is an ongoing debate about whether FRA, the Swedish National Defense Radio Establishment, should be allowed to extend their surveillance activities to include the surveillance of wire-based Internet traffic and phone conversations that pass the Swedish borders.

The proposed law was first discussed in 2007, and a decision was tabled during this past year. The proposal has resurfaced with the same vague wording as in the original proposal presented a year ago, and there are few clear rules for when such extended surveillance activities should or should not be allowed. There is also a big question mark regarding the authorization of the wire-based surveillance activities as well as the storage and the destruction of sensitive surveillance data.

The decision to accept the proposal or not, as well as a deliberate invasion of privacy, is in the hands of the Swedish Riksdag (national government), requiring a vote in order to pass the law. Today the Swedish Riksdag voted for a re-wording/re-design of the proposal in order to better address the privacy-related concerns that were in the original proposal. It has also been proposed that a new government authority should be established in order to deal with the surveillance authority issues. This responsibility was previously handled by the Swedish Defense Intelligence (SDI) Committee. Obviously, it is not a good idea to have the Swedish Defense Intelligence control themselves. The Swedish Lawyer Association has criticized the idea of this newly-proposed government authority and states that the mandate for the Swedish Defense Intelligence (SDI) remains unchanged, even if a new government authority is formed.

So, a proposal addendum is required by the Swedish Riksdag. It needs to clarify the search criteria to be used by FRA in order to conduct the automated surveillance of the Internet traffic passing the Swedish borders. The addendum also has to clarify the commissioner of the surveillance data, and for what purpose the data is collected. The main criticism against the new proposal is that it has been done in a careless manner, and that more time needs to be invested in such matters of critical importance. The surveillance law and the new proposal will be discussed further today/tonight in the Swedish Riksdag, and they seem to be pushing to come to a decision as quickly as possible.

This is where we must ask, "What's the hurry?" The Swedish people have strongly protested against the new law that would inevitably lead to a high level of privacy intrusion. It could be argued that the central idea of the new proposal is to show who's in charge of controlling the public. It could also be argued that the addendum makes the original law proposal "rounder" in the corners, making it easier to swallow for the masses. The SDI is the only agency that has total oversight of FRA's activities. There is the risk that an external government authority would only receive information deemed as "sufficient" by the SDI, or by the members of the "inner circle" of the secret activity.

The original proposal states that FRA needs to have authorization in order to monitor telecommunications traffic. There is, however, an exception where no authorization is needed. If the surveillance is to satisfy the needs of the Swedish government, then it could be performed without any external authorization. Most of the surveillance could be done in a manner that satisfies the needs of the Swedish government, and it is up to FRA to decide when these criteria are met. The main objective for the extended surveillance is to protect Sweden against terrorism, etc., but the current needs of the Swedish Government can and would compromise several areas.

The argument that FRA will only monitor traffic crossing Swedish borders seems strange to us, as there are no clear borders in the global network. E-mail traffic, etc., is often re-routed/re-directed many times before it reaches the recipient (and often outside of specific country boundaries). The ability to re-route traffic is one of the main security features of the Internet. If a node (computer) in any path is dysfunctional, the traffic is re-routed. This means that traffic between Swedes and their neighbors across the street may be monitored by FRA. It could also be argued that Sweden's IT reputation is in danger if the FRA law is accepted, and many companies may think twice about placing their servers in Sweden. The Swedish ISPs have been rather quiet in their criticism, but have said that the obvious intrusion of privacy may be a competitive disadvantage. Other countries may regard it negatively that the SDI can monitor their confidential telephone and Internet communications. Swedish companies within the IT and telecommunication sectors are also concerned about having to carry some of the costs of the extended surveillance.

Many of those who were asked about the effect of knowing that their government monitors their telecommunication and Internet traffic replied that it really would not affect them as they "have nothing to hide". Every individual, however, has the right to privacy that is protected by one or more constitutions.

At Lavasoft, our daily battle is against the various forms of spyware and malware that pose a risk to privacy protection and system integrity. Centralized surveillance actions, like the FRA law, may not be easily remediated using effective software counter-measures, including security software programs. We can only hope that the Swedish Government considers every aspect and angle before subjecting the Swedish population to an approved invasion of privacy, and especially of the magnitude represented by the FRA law.