I'm writing this on my phone and for whatever reason can't find the passages that you're quoting. Are they in the same article that I linked?
In any case, to my knowledge the law in question doesn't apply to us. If the Swedish government tried to argue otherwise we'd get our lawyers involved.
Having said all of this, I am concerned about National Security Letters and similar concepts. Technologies like reproducible builds, transparency logs, and remote attestation can help there.
> to my knowledge the law in question doesn't apply to us
Fair. This isn't the official Mullvad position, then (which is that the law may apply)?
The "Communication provider" part aside, another source (quoted above) makes it explicit that backdooring "websites" (Mullvad has a website) is fair game, btw.
> If the Swedish government tried to argue otherwise we'd get our lawyers involved
I don't doubt you would. Given the "covert" nature of the Act, Mullvad's arguments & Sweden's counter-arguments and the outcome from it (backdoors, compromises, coercion, etc.) will be kept a state secret. That is, there doesn't seem to be a way for the public to independently ascertain the claim that Mullvad did fight and that indeed "the law didn't apply"? [0]
> reproducible builds, transparency logs, and remote attestation
Much needed (:
Per Mullvad's posts, the Act seems to grant wide-ranging powers to Swedish authorities, including installing hardware & other sorts of physical compromises (which no amount of software mitigations would thwart, I don't think).
[0] Focusing on the premise: "Forced by government: Here I'd say look at the jurisdictions of the orgs."
> Fair. This isn't the official Mullvad position, then (which is that the law may apply)?
I'm pretty sure our official position is that it doesn't apply, rather than it may apply. Note that the article on our website that I quoted is more recent than the one you quoted. I can't find a more recent legal opinion than that.
Regarding backdooring websites, that's interesting. I'll have to ask someone about that. Thanks.
> the outcome from it (backdoors, compromises, coercion etc) will be kept a state secret
I am not a legal expert, but I'm pretty sure you're wrong. The first-order outcome would be a court case that says the law applies to VPNs, or not. The second-order outcome would be secret coercion in a specific criminal case, or nothing. The first-order outcome would be public. Interesting question though. I'll have to ask about this too.
> Much needed (:
Yes. :)
It might interest you to know that I've spent the past six years working on things like that. My role at Mullvad has for several years been only strategic, as I spend almost all of my time on applied research. See glasklarteknik.se and tillitis.se.
> (which no amount of software mitigations would thwart, I don't think)
Physical security is hard. However, I see no reason to limit ourselves to only software-based mitigations.
> Regarding backdooring websites, that's interesting. I'll have to ask someone about that. Thanks
No, thank you! I look forward to an update on Mullvad's help/blog on this.
> The first-order outcome would be a court case that says the law applies to VPNs, or not.
My contention was that Mullvad AB (the other parts of its services, like the app, the browser, the website, & the parts of its infrastructure, like its control plane, that aren't running the VPN) is already subject to 2020:62 (the Act) in ways which may remain secret, if enforced. I'm not an expert in Swedish law, but also, I'm not sure who else to ask.
For example, here's some revealing text (on just who 2020:62 applies to), from a 3p source I linked to in my first reply:
The possibility for the police and security police to use spyware was introduced by the Act (2020:62) on Secret Reading of Data. For domestic purposes, secret data reading means that "information, which is intended for automated processing, is secretly and with technical means, read from or recorded in a readable information system".
"Readable information system" in turn means "an electronic communication device or a user account for, or a correspondingly delimited part of, a communication service, storage service or similar service".
Thus, it covers both physical equipment, such as a mobile phone or a computer, as well as a user account to, or a correspondingly delimited part of, a communication service, storage service or similar service.
Note that "electronic communication service" is just ONE of the 3 entities subject to 2020:62, per that source. The legal language is pretty wild and pretty wide, imo. Which brings me to...
> The first-order outcome would be a court case that says the law applies to VPNs, or not ... would be public.
May not matter as Mullvad AB might decisively meet other criteria laid out in 2020:62 (the Act). That is, regardless of whether Mullvad "VPN" is subject to 2020:62, Mullvad as a business building all kinds of other software might be.
> only software-based mitigations
True. Thanks for being so patient. I tried to send follow-up queries to you folks via PrivacyGuides, but for some reason they didn't pass them on &, in fact, they stonewalled & even deleted/removed posts on the topic. Now that I'm hearing from you directly, I feel that much more assured.
I guess, it pays to go direct rather than fight it out on some forum with gatekeepers.
> tillitis.se
Dang... didn't realise 'twas you folks. Amazing.
> glasklarteknik.se
Eventually I expect Mullvad servers to experiment with either microkernels (à la Fuchsia) or unikernels, to replace the monolith that is Linux. Kind of like (the uber-sophisticated) OpenVPN vs. (leaner, meaner) WireGuard.