Swedish ISP protects customers from surveillance with free VPN

Last month I reported on the case of Bahnhof, a Swedish ISP that is resisting the country’s revival of its data retention law. Bahnhof CEO Jon Karlung said at the time that he had a “Plan B” in mind that would mitigate the effects of storing customer data for the benefit of spies and law enforcement, and here it is: free VPN.

On Sunday, Bahnhof said it would comply with a court’s November 24 deadline for storing customers’ communications data — in particular, details of which websites they’re visiting — but would at the same time start giving all those customers a way to anonymize their traffic, in the form of free access to a virtual private network called LEX Integrity.

As a result, the data Bahnhof will collect (and store in its ex-nuclear-bunker data center) will become meaningless for the purpose of surveillance — assuming customers take up the offer.

The VPN will be run by a digital rights group called the 5th of July Foundation, which noted in a Sunday blog post that, because it is not an ISP, Sweden’s data retention law doesn’t force it to store customer data:

“When a Bahnhof customer wants to surf via our servers they connect via PPTP. We at the foundation have no idea about who these customers are. We do not have any information about them, no name or address. We just check whether this (for us) unknown surfer should be permitted to connect via our servers…

“The Foundation uses its own hardware and own technicians. Bahnhof has no access to our machines, they have no way of knowing what their customers are doing after handing them over to our servers.”

Sweden’s data retention law was based on an EU-wide law that has since been struck down on privacy grounds. The country first reacted to that striking-down, in April this year, by removing its requirement that ISPs help authorities snoop on their customers, but then its government managed to get the requirement back in force.

Bahnhof, which has complained to the European Commission that the law is illegal, was the last of the ISPs to resist the requirement’s return.