SoylentNews

Cops Raid Swedish VPN Provider Only to Find Out There's No 'There' There

upstart writes:

Cops Raid Swedish VPN Provider Only To Find Out There's No 'There' There:

[...] So, it always gives me pleasure to learn that cops armed with court orders approached a privacy oriented tech company only to find out the stuff they wanted didn't actually exist at the place they searched. Due diligence is a thing, investigators. Your boilerplate is obviously false if you've claimed (based on "training and expertise") that the place you want to search contains the information you wish to obtain.

That's the case here. A Swedish VPN provider was raided by local law enforcement, but was unable to produce any of the information officers were searching for... something officers might have realized prior to the search if they'd bothered to read the terms of service. Here's Michael Kan with the details for PC World:

The company today reported that Swedish police had issued a search warrant two days earlier to investigate Mullvad VPN's office in Gothenburg, Sweden. "They intended to seize computers with customer data," Mullvad said.

However, Swedish police left empty-handed. It looks like Mullvad's own lawyers stepped in and pointed out that the company maintains a strict no-logging policy on customer data. This means the VPN service will abstain from collecting a subscriber's IP address, web traffic, and connection timestamps, in an effort to protect user privacy. (It's also why Mullvad VPN is among our most highly ranked VPN services.)

If the cops had run a search of Mullvad's website before running a physical search of its offices, it might have discovered the stuff they swore would be found there actually wouldn't be found on Mullvad's premises. It's not like it's that difficult to find:

There is a law to collect user data in India and other countries. Does this affect Mullvad?

Mullvad does not collect user data. Mullvad is based in Sweden and none of the Swedish regulations (https://mullvad.net/help/swedish-legislation/) can force VPN providers to secretly collect traffic-related data. We also have no servers, infrastructure or staff in India.

In other words, bring all the law you want, but in the end:

Raid if you want. But you can't have what providers like Mullvad are unwilling to collect. In the end, you've done nothing more than make some noise and embarrass yourself. It's all there in the Mullvad FAQ, including the fact that Mullvad performs no logging of user activity. If your investigation leads you to providers like Mullvad, it's a dead end. Look elsewhere.

This policy isn't in place because Mullvad wants to protect criminals. It's in place because people all over the world deserve protection from government overreach. That criminals may benefit from policies like these doesn't make these policies bad, it just makes it more difficult for abusive governments to engage in third-party-enabled surveillance.

And the long history here shows Mullvad isn't a home for criminals. It's just an extremely well-run VPN provider:

"Mullvad has been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant," the company added.

Cops Raid Swedish VPN Provider Only to Find Out There's No 'There' There - followup

Mullvad has published an update: The Swedish authorities answered their protocol request but without providing any information. The Swedish authorities based their refusal on claims of national security due to carrying out the raid at the behest of Germany. Mullvad quotes the specific laws which even show that they were raided in error.

Electronic Communications Act (2022:482) (LEK) Does not apply to Mullvad VPN AB

According to LEK's definitions, LEK does not apply to Mullvad since we, as a VPN service provider are not regarded as an electronic communications network nor an electronic communications service.

Act (2012:278) on Collection of Data in Electronic Communication in the Crime Combating Authorities' Intelligence Service (IHL)

This law can only be used to request user data from businesses having the LEK reporting obligation. This means authorities cannot use LEK nor IHL to request information from Mullvad.

The Swedish Code of Judicial Procedure (1942:740) (RB)

According to this, a search of premises may be instigated not just on the individual who is suspected on reasonable grounds but on anyone, provided that there is a factual circumstance and that it can be tangibly demonstrated that there is a reasonable expectation of finding items subject to seizure, or other evidence of the offense in question. Objects may also be seized if they are believed to have importance for the investigation.

According to one of the relevant laws, the government can only grant the police permission to search the premises if it can be tangibly demonstrated that there is a reasonable expectation of finding items subject to seizure. Given that Mullvad neither collects that information nor is required to collect that information, there was no basis for the raid except, I conjecture, for possible harassment.

Furthermore the Swedish authorities seem to have lost Mullvad's earlier inquiry.

Original Submission #1  Original Submission #2