Faced with a hefty fine, the last Swedish ISP holding out against a legal requirement to store customer data for law enforcement purposes has given in. However, the ISP is also offering customers a free VPN service to keep that data private.
The free VPN is the ISP Bahnhof's response to a threat from the Swedish Post and Telecom Authority (PTS) last month to(€500,000) if it refused to retain subscriber metadata for the mandatory six-month period.
"The European Court of Justice (ECJ) has held that it is a human right not to have their data stored. We believe the time is ripe for VPN services to become popular," Bahnhof CEO Jon Karlung said in a statement.
Sweden, like the rest of Europe, has implemented its version of the 2006 European data retention directive, which requires ISPs to store certain subscriber data for a period of between six and 24 months.
The ECJ declared Europe's data retention directive invalid this April, prompting ISPs to halt data retention. Bahnhof was the first ISP to stop collection, followed by Telia, Tele2, Three, and ComHem.
However, some politicians weren't keen to give up the law. A review of Sweden's data retention law, commissioned by the former moderate government, found it didn't conflict with the country's obligations under the European Convention on the Protection of Human Rights and Fundamental Freedoms.
Following that, PTS was given the go-ahead to enforce the law again and over the summer, every ISP except Bahnhof voluntarily resumed data retention.
Bahnhof has dubbed its new free VPN service for customers LEX Integrity. The product will start working on 24 November, the date Bahnhof will resume data retention.
The VPN will be hosted and run by the July 5 Foundation — a Swedish internet rights group which has Karlung on its board and is lobbying against Sweden's data retention law.
"We at the foundation have no idea about who these [VPN] customers are. We do not have any information about them, no name or address. We just check whether this (for us) unknown surfer should be permitted to connect via our servers," the foundation said yesterday.
"When they surf via LEX Integrity they share IP addresses out towards the internet. Many users can have the same address at the same time. As a provider of this service we do not have to retain data. Even if we would have to, there would be no useful information to be had from us."
Drawing a line between itself and Bahnhof, the foundation said its own technicians maintain its servers.
"Bahnhof has no access to our machines. They have no way of knowing what their customers are doing after handing them over to our servers," the foundation said.
As Bahnhof notes, customers can still use its existing OpenVPN based service that costs SEK 40 (€4.32) per month.