Several people abroad have started mailing me and others asking if rumors of new legislation to be passed in Sweden on the 17th of June is for real. There are also reports in international forums starting to pop up. This is fairly old news, and I think that most of us are surprised that this has not generated more press both inside and outside Sweden earlier. This legislation will allow for the Swedish National Defense Radio Agency (FRA) to wiretap Internet traffic leaving the country.

Many people seem to have interpreted the text in the proposed law on performing the intercept at co-operation points to mean the Swedish Internet Exchange Points (IXPs), which I guess is part of the reason why I get these questions. Now, when it comes to the implementation of the law, I am a foreigner living in Sweden so I will probably be the last to know :-). That said, I do have a few view points on this topic.

1) If you are to intercept Internet traffic on a larger scale, IXPs are actually quite poor locations to do so. First of all (At least for Sweden) there is a rule of thumb that we only see around 50% of the national traffic (the rest is private peering) and only 50% of all traffic stays in the country (the rest is Internet transit traffic). The figures are surely not exact, and peer2peer traffic means that probably some more is national traffic, but let’s assume this is a valid estimation. IXPs further the drawback that they are normally one or more Ethernet switches. So you will need to drop all traffic or mirror certain ports. The problem with the latter is that the collected traffic no longer fits on one port on the switch and you need to start doing fancy aggregation of your mirrored traffic (if it is at all doable).

2) If you want to do traffic interception effectively, or if I where to do it. I would concentrate on the top 5 transit providers. I would intercept traffic between their routers and their WDM system leaving the country. You would most likely intercept 80% of the traffic leaving the country (Which is what FRA says they are interested in). If you want to also intercept traffic inside the country it becomes much trickier as a lot of traffic stays inside the wholesale DSL product of the former monopoly.

3) I am sure that the public reasons why FRA want this capability, to intercept terrorist and criminal traffic is true, but the problem with that intelligence is that you only know what you are looking for after an event has happened, and as you are screening traffic based keywords and discarding the rest (I will assume that is the only scalable way—and also what FRA have said in public what they are and will be doing), it’s then a bit late to look for that data. However, Sweden also happens to be a large transit country for cable based traffic out of Russia, the baltic states, Finland and several of the former USSR countries. I would guess that much more interesting to FRA, and for intelligence in general, is trying to find encrypted (and non-encrypted) traffic from other states, that passes through Sweden. This encrypted material would be useful to the code-breakers at FRA (which is also one of their operating areas—but one that is less talked about). It would also probably be hard currency at the worlds Intelligence agencies flea-markets. What is more interesting is that if that would be FRAs true motives, that would be a much easier sell to the public, but it would not be acceptable in Sweden’s relations with other countries.

4) What the legislation proposes is hardly unique in the intelligence business—and is actually what they have been doing without any oversight for radio communications for a long time. To ask for permission to continue, is either very clever or extremely naive.

Personally I am a bit split in this question. I partly believe that we are heading to a society where privacy is fundamentally being given up by our politicians. On the other hand, I also believe we are just starting to become aware of what has always been going on. FRA actually used to have permission to intercept traffic during and after WWII. So in reality the proposed legislation won’t change much. However, it’s also the case that the current legislation does not really provide for proper oversight, control and what I would like to see—clear and hard punishment for violation of the oversight, leakage and use of the data collected. So I think the law as written should not pass, but I have less issues with the fundamentals behind it.