WikiLeaks' ISP to Anonymize All Traffic to Circumvent Data Retention Law

In advance of the Swedish government implementing a law that would require all telecommunication providers to store customer data, WikiLeaks' ISP Bahnhof said it will anonymize all customer traffic by default.

Swedish ISP Bahnhof will pass all customers through an anonymizing service by default in response to a law that would require telecommunication providers to retain customer data, the company's CEO said on Swedish radio.

Sweden is in the process of passing a law that implements the European Union's Data Retention Directive, which requires fixed and mobile telephone companies and Internet service providers to retain customer data to facilitate the "investigation, detection, and prosecution of serious crimes." Bahnhof, WikiLeaks' ISP and host, said it will make the law "toothless" by implementing a technical solution that will encrypt all customer traffic.

"We plan to let our traffic go through a VPN service," Bahnhof's Jon Karlung said in an interview with Sveriges Radio (transcript translated through Google Translate) on Jan. 26. With the encryption in place, it will be impossible for Bahnhof to see or log what customers are doing.

The European Union's Data Retention Directive, currently under review in several member states, requires telecommunication providers to retain traffic, location and subscriber information for all customers for a minimum of six months. Germany is one of the 20 member states that put the directive in place after it was established in 2006. But a recent court decision has declared the law unconstitutional. The European Commission filed a complaint against Sweden and a number of other countries for not yet complying with the directive.

Sweden appealed, but lost its case before the European Court of Justice last year. As a result, the government has proposed legislation that will require Swedish telephone and Internet providers to retain data for six months. The law picked the shortest possible retention period allowed by the EU in order to "create adequate protection for personal integrity," Justice Minister Beatrice Ask said at the time.

Bahnhof chose a technical solution that will allow its customers to continue surfing anonymously, Karlung said. With the encryption in place, Bahnhof will have no idea what its customers do online, what sites they are looking at or whom they are talking to, Karlung said. The company will store all customer data up to the point where the traffic is anonymized, and that information will be available to the police, but it will be "irrelevant," Karlung said. "What happens after that is not our responsibility and is outside Bahnhof," he said.

As for accusations that Bahnhof will become a safe haven for drug dealers, stalkers and other criminal elements, Karlung said Bahnhof supports law enforcement cracking down on Internet crime. Those efforts must be based on individual cases "where there is suspicion" and not just looking at a "general storage of all the people's communication," he said.

Ask admitted to Sveriges Radio that the proposed law has loopholes because technology changes rapidly. "It is impossible to cover every possible alternative route," Ask said. "I always think it's bad when you slip away important legal rules," she said in reference to Bahnhof.

This isn't the first time Bahnhof circumvented Swedish law. Sweden introduced the Intellectual Property Rights Enforcement Directive in 2009, which gave rights holders the authority to request personal details of alleged copyright infringers. Bahnhof promptly ceased logging customer activity altogether, claiming there was no data available to hand over.

There are on average 148,000 requests per year for the customer data in countries that have implemented the directive, according to the European Commission.

United States business interests appear to have pressured Swedish officials to draft the law, according to a U.S. State Department cable from March 2009 that was released by WikiLeaks, reported Rick Falkvinge on his InfoPolicy blog. The Motion Picture Association of America is an organization that relies on ISP data to crack down on piracy. The Federal Bureau of Investigation has relied on such logs as part of its probe of "Operation Payback" attacks perpetuated by the "Anonymous" group of activist hackers protesting efforts to shut down WikiLeaks.

Anyone really concerned about staying anonymous can use Internet cafes, anonymization services, public telephones or unregistered mobile telephone cards.

According to Sveriges Radio, several other Swedish ISPs are also researching technical solutions to circumvent the upcoming law. Bahnhof is the only one that has publicized its intentions at this time.

However, Karlung says he is all for giving customers a choice. Customers can opt-in to have Bahnhof save their traffic data for an additional $8 (SEK 50) a month, he said.