> Here I'd say look at the jurisdictions of the orgs.

Per the Covert Surveillance Act passed in 2020, it looks like Sweden (where Mullvad is based) can ask communication providers / website services to secretly add or assist with backdoors?

  ... Where the identity of the suspect is not known, but his contacts are known, or a third party (such as a website which the suspects visits) is known, one can permit secret data reading of these contacts, or the third party, but only in order to identify the suspect. Only (stored) historical metadata, not real-time data or communications and not by means of activation of audio or video surveillance functions can be used for this (section 4b).
https://www.venice.coe.int/files/Spyware/SWE-E.htm / https://archive.vn/LgE7a



I'm pretty sure you're talking about this law, in which case it doesn't apply to us.

https://mullvad.net/en/help/swedish-covert-surveillance-data...

In short, "Mullvad is thus not covered by either the data storage provisions in the LEK for operations subject to a reporting obligation, or the duty to cooperate pursuant to the Covert Surveillance of Data Act."


> it doesn't apply to us

This is also what your website says,

  But it could be interpreted contrarily - that VPN services through, for example, encryption via signals that the VPN service itself has power over through agreements with subcontractors, etc. could possibly be seen as an electronic communications service ...
And I'm not just talking about Mullvad VPN (the "electronic communication service" provider), but Mullvad AB, which also hosts websites and builds apps (like the browser and VPN clients), too.

So, is the "law doesn't apply" a fact? If so, may want to reword this bit on your website to make that much clear:

  [Mullvad's] opinion is that the reasonable interpretation is that a VPN service is not to be considered as an electronic communications service based on previous legislative history.
If not, due to the "covert" nature of the Act, if Mullvad was coerced to co-operate with the govt, it seems Mullvad couldn't even publicly talk or hint about it (like warrant canaries, for example)?


I'm writing this on my phone and for whatever reason can't find the passages that you're quoting. Are they in the same article that I linked?

In any case, to my knowledge the law in question doesn't apply to us. If the Swedish government tried to argue otherwise we'd get our lawyers involved.

Having said all of this, I am concerned about National Security Letters and similar concepts. Technologies like reproducible builds, transparency logs, and remote attestation can help there.


Thanks.

> Are they in the same article that I linked

https://mullvad.net/en/help/new-law-for-electronic-communica... / https://archive.vn/86hGz

> to my knowledge the law in question doesn't apply to us

Fair. This isn't the official Mullvad position, then (which is that the law may apply)?

The "Communication provider" part aside, another source (quoted above) makes it explicit that backdooring "websites" (Mullvad has a website) is fair game, btw.

> If the Swedish government tried to argue otherwise we'd get our lawyers involved

I don't doubt you would. Given the "covert" nature of the Act, Mullvad's arguments & Sweden's counter-arguments and the outcome from it (backdoors, compromises, coercion etc) will be kept a state secret. That is, there doesn't seem to be a way for the public to independently ascertain the claim that Mullvad did fight and indeed "the law didn't apply"? [0]

> reproducible builds, transparency logs, and remote attestation

Much needed (:

Per Mullvad's posts, the Act seems to grant wide-ranging powers to Swedish authorities, including installing hardware & other sorts of physical compromises (which no amount of software mitigations would thwart, I don't think).

[0] Focusing on the premise: "Forced by government: Here I'd say look at the jurisdictions of the orgs."


> Fair. This isn't the official Mullvad position, then (which is that the law may apply)?

I'm pretty sure our official position is that it doesn't apply, rather than it may apply. Note that the article on our website that I quoted is more recent than the one you quoted. I can't find a more recent legal opinion than that.

Regarding backdooring websites, that's interesting. I'll have to ask someone about that. Thanks.

> the outcome from it (backdoors, compromises, coercion etc) will be kept a state secret

I am not a legal expert, but I'm pretty sure you're wrong. The first-order outcome would be a court case that says the law applies to VPNs, or not. The second-order outcome would be secret coercion in a specific criminal case, or nothing. The first-order outcome would be public. Interesting question though. I'll have to ask about this too.

> Much needed (:

Yes. :)

It might interest you to know that I've spent the past six years working on things like that. My role at Mullvad has been only strategic for several years, as I spend almost all of my time on applied research. See glasklarteknik.se and tillitis.se.

> (which no amount of software mitigations would thwart, I don't think)

Physical security is hard. However, I see no reason to limit ourselves to only software-based mitigations.


> Regarding backdooring websites, that's interesting. I'll have to ask someone about that. Thanks

No, thank you! I look forward to an update on Mullvad's help/blog on this.

> The first-order outcome would be a court case that says the law applies to VPNs, or not.

My contention was, Mullvad AB (the other parts of its services like the app, the browser, the website, & the parts of its infrastructure like its control plane that aren't running the VPN) is already subject to 2020:62 (the Act) in ways which may remain secret, if enforced. I'm not an expert in Swedish law, but also, I'm not sure who else to ask.

For example, here's some revealing text (on just who 2020:62 applies to), from a 3p source I linked to in my first reply:

  The possibility for the police and security police to use spyware was introduced by the Act (2020:62) on Secret Reading of Data. For domestic purposes, secret data reading means that "information, which is intended for automated processing, is secretly and with technical means, read from or recorded in a readable information system".

  "Readable information system" in turn means "an electronic communication device or a user account for, or a correspondingly delimited part of, a communication service, storage service or similar service".

  Thus, it covers both physical equipment, such as a mobile phone or a computer, as well as a user account to, or a correspondingly delimited part of, a communication service, storage service or similar service.
Note that "electronic communication service" is just ONE of the 3 entities subject to 2020:62, per that source. The legal language is pretty wild and pretty wide, imo. Which brings me to...

> The first-order outcome would be a court case that says the law applies to VPNs, or not ... would be public.

May not matter as Mullvad AB might decisively meet other criteria laid out in 2020:62 (the Act). That is, regardless of whether Mullvad "VPN" is subject to 2020:62, Mullvad as a business building all kinds of other software might be.

> only software-based mitigations

True. Thanks for being so patient. I tried to send follow-up queries to you folks via PrivacyGuides, but for some reason they didn't & in fact, they stonewalled, & even deleted/removed posts on the topic. Now that I'm hearing from you directly, I feel that much more assured.

I guess, it pays to go direct rather than fight it out on some forum with gatekeepers.

> tillitis.se

Dang... didn't realise 'twas you folks. Amazing.

> glasklarteknik.se

Eventually expect Mullvad servers to experiment with either microkernels (à la Fuchsia) or unikernels, to replace the monolith that is Linux. Kind of like (the uber sophisticated) OpenVPN vs. (leaner, meaner) WireGuard.

Thanks once again.


It is worth noting that your second quote is from a blog posted in May 2020, and the link that kfreds posted is from their follow-up blog post, dated July 2020.

