Swedish police, service providers on collision course over direct access to user data
The Swedish Security Service wants direct access to systems used by service providers to collect information on user communications, but the providers are convinced that would be a threat to data privacy.
The E.U. data-retention directive has been a hot topic in Sweden and was finally implemented last year. The data now saved allows authorities investigating crimes to find out things such as who, when, and where two people communicated using, for example, email or text messages.
The process is now handled manually, but the national security service wants to standardize and automate it. Doing this would decrease the risk for potential errors that could occur when the process is done manually, the Security Service said in a statement Tuesday. The new system also makes it easier for the Commission on Security and Integrity Protection and the Data Inspection Board to prevent misuse, it said.
But it seems that will be difficult to achieve. Saving the data is mandatory for service providers, but automating the process to hand over data is voluntary and large service providers aren’t on board with the proposal.
“We have a role to play when it comes to crime prevention, and we are willing to accept that. But we don’t think that a completely automated process is appropriate. Our primary task is to protect the privacy of our customers and we feel we can’t do that with an automated process,” said Iréne Krohn, senior media relations manager at TeliaSonera.
The message from Sweden’s other large fixed and mobile operators—Tele2, Telenor, Tre and ComHem —is the same: automating the hand over of information of data isn’t acceptable.
“We think it’s a really bad idea to let the police access our systems on their own, so we said no to that,” said Erik Hörnfeldt, public relations manager at Tre.
However, standardizing the way requests and replies are formatted would be a step in the right direction, according to Hörnfeldt.
Smaller Swedish networks
In addition to the service providers, the Swedish telecommunications market consists of a large number of smaller metro networks. The issue isn’t as straightforward for them, because they don’t have the same resources as their bigger competitors, according to Mikael Ek, managing director at the Swedish Urban Network Association.
The association may have underestimated how sensitive this matter is, and will now discuss it with members and decide how to proceed, Ek said. Earlier this year, the association signed a deal with a company called Maintrac on behalf of its members to handle their obligations related to data collection and sharing.
In the end, automating the retrieval process might not even be possible. A spokesman at the Swedish Post and Telecom Authority, which monitors the electronic communications and postal sectors, questions if automating it would be legal.
“The law specifies that operators have a responsibility to check a number of things, including the recipient and the decision behind the request, and that could make it difficult to automate,” said Staffan Lindmark, a lawyer at PTS.
On a European level, the implementation of the data retention directive is out of control, according to Joe McNamee, executive director at European digital rights group EDRi.
“The problem we have is that the European Commission is quite happy to take action against member states if they haven’t implemented the directive, but any amount of over-implementation and lack of safe guards present no problem at all for the commission,” he said.