Sweden

Last week, the Swedish government made vital changes to the law they approved this summer.

According to Digi.no (sorry, only Norwegian), the Swedish government has changed the law, and there is no longer legal to do surveillance without consent.

In July, I covered the story when the Swedish approved the new law, allowing their police and surveillance teams to tap into ANY and ALL internet traffic that came through their country - no matter if there where any suspicions or not at hand. This meant that everyone suddenly became victims, and no-one would be able stay off their radar - innocent or not.

This time, the Swedish government where forced to redo the law. They had to add a quality control mechanism, something that has been a very well accepted rule in the western world for centuries - that any surveillance must be following (not followed by) a suspicion. Thus following the principle - innocent until proved guilty.

In the past (mainly since 9/11/2001), we have seen dramatic changes in how this principle is followed. Privacy is lessened by the day. Surveillance increases - with or without our consent. Our legal rights are set aside by the governments increased lack of control. And our politicians constantly fail to understand how technology changes the world - no, not slowly, but at speeds that keeps spinning the world around so fast that no-one are really able to grasp even the smallest of implications.

Today, laws tends to come around way too late to tackle the initial challenge. And instead of allowing the technology be an enabler, they tend to force into action regulations that are no longer relevant, to challenges no longer available.

I applaud the Swedish government for extremely quick action when they discovered their error. This kind of reaction is exactly what is required to stay up to date for any government. Don't just sit around, poking your stick in the ground, waiting for someone to decide for you.

Governments challenge is to turn their reactive regulations into proactive delegations. By using laws as enablers, as opposed to regulators as they are today, governments will be able to change the way we do business, and the way we use technology. And the way we interact.

It is summer in my part of the world. Sun is shining for a few hours, then rain is cooling everything back down. And when the refreshment is over, sun warms and invites us all to go to the beach and enjoy.

It surely is hard to work under these conditions!

Late last week (I was away the computer all week - only occationaly checking mail on my cellphone...puh, I am hot...), my ears picked up a heated discussion on the radio. IKT-Norge (the organization for ICT in Norway) was extremely conserned (sorry, Norwegian text) about the fact that the Swedish government decided to allow surveillance of all the internet traffic in the Swedish backbones.

IKT-Norway claimed that this would become an extreme security threat to Norway (almost all the backbones in Norway are connected through Sweden - thus most of the Internet traffic to and from Norway is routed through Sweden). And this guy Hallstein Bjerke at IKT-Norge said things like the Swedish surveillance team might pick up sensitive and secure data from the Norwegian DoD, as well as from Norwegian multinationals and oil companies.

I say: Duh - time to wake up. If you think your members are NOT evaluating risk, and taking the propper precautions when communicting over the Internet, I think you have in the wrong place.

One of the examples was that  Sweden (one of two potential suppliers of new Jet-Fighters to the Norwegian Airforce) are now able to surveille and read all communications the Norwegian DoD have with the competitor Jet Fighter supplier - just by reading the emails.

HELLO!!! Do you REALLY think that the Norwegian DoD would email such information JUST LIKE THAT? Do you REALLY think that the DoD have NO CLUE WHAT SO EVER about the e-mail communication protocol? And that they have made NO precautions? The DoD in the US MADE the Internet back in the days. Norway was one of the very first countries OUTSIDE of the US to join the Internet in 1972.

What planet are you on, really?

 

Another example was the Oil company Statoil Hydro in Norway, and how the Swedish now may tap into all the e-mail communication they send and use.

I happen to know a fair bit of how such organizations think about security. Some think they are a bit too paranoid. Companies like this one is successful due to their ability to measure and counter risks. Further, they are technology driven, and have a very clear understanding of both their core business and values, and ICT - both from a maintenance and developement point of view, AND from a security/Risk point of view.

These companies would not use Internet to send and recieve ANY (valuable) information unless they previously weighted the risks involved, and put in place counter measurements (alternative communication tools like SatPhone, encryption, snail mail and personal delivery).

These companies ARE NOT STUPID.

 

The third example is about surveillance of the Norwegian Governments communication with the EC. I am the first to admit that I do not know much about professional politicians. But I do find it hard to believe that there are no training; or common security awareness in the government. Yes, we do see that they post their traveling itineraries on public websites from time to time, but I am pretty sure that not even politicians would be using e-mail and other non-secure communication channels when they are discussing matter of national security. I may be wrong, of course - they are politicians after all.

 

The only good thing about the action taken from IKT-Norge is the fact that now more people know that:

1. Sweden has a legal manner to tap into ALL communication on the Internet (that passes through their network), thus they no longer need to hide their surveillance (the way most other countries does it),

2. regular people may (or may not) have gotten a better idea of how EASY it is to use the Internet to gather information.

 

Still, somehow I've got the gutfeeling that the regular users do not see the relevancy of this. After all, most act like "I have nothing to hide!", and thus allow the legal AND the illegal surveillance teams to gather extremely attractive profiles.

For companies - yes, people in Norway are naïve (in a good way, always thinking the best of people), but most companies and business people do realize that the world is smaller, and that precautions are needed.

We may be naïve - but we are not stupid.