On 18 February 2020, the Swedish parliament passed a law that enables Swedish law enforcement to hack into devices such as mobile phones and computers that the police thinks a suspect might use. As with the recent new data retention law only one party (and one member of another party) voted against the resolution (286-26 with 37 absent). The previous data retention law was struck down, and given the directions of the recent Court of Justice of the European Union (CJEU) Advocate General (AG) Opinions on data retention, the current data retention law is likely to be struck down as well.
What capabilities does this give law enforcement agencies?
For crimes that “under the circumstances” can reasonably give at least a two-year prison sentence, law enforcement agencies (LEAs) can request a court warrant to hack into the suspect’s device. This warrant can be given to gather information (for example from encrypted messaging apps) or even in some cases to stop information from being sent from that device.
The law has a number of serious issues that has been pointed out to lawmakers over several years when the law was going through the public inquiry phase. For example, the law does not say that a minimum sentence of two years in prison is required, but that if the prosecutor just believes that the suspected crime might carry two, or more, years in prison, that already give LEAs the legal basis to ask for a court warrant.
Even more worryingly, even citizens who are not suspect of having committed any crimes, but are associated with a suspect might be the targets of hacking by the police. The law gives the LEAs a mandate to hack devices that they reasonably think a suspect might primarily use. So if a suspect might uses their mother’s phone, for example, that device is open to hacking. If you are someone that the police think their suspect will call or message, your phone might also be in danger of being hacked, just because you happen to know someone that the police suspects of a crime. They can also be allowed to use hacking to find a suspect – this means you simply shouldn’t be at the wrong place at the wrong time, or else the police might hack your devices.
The law also includes a clause that states that if the prosecutor feels like the courts will be too slow to issue a warrant, he or she can issue it. If the court then finds that the warrant was wrongly issued, the prosecutor will then have to go to court for review, and any evidence gathered can not be used against the suspect. Of course, the person whose device was hacked (who might not even be a person suspected of a crime) has already had their privacy breached, and the law doesn’t provide any recourse for such abuses.
The new law goes into effect on the 1 April 2020 and will be valid for five years, after which the Swedish parliament will decide to make it permanent or not.
AG’s Opinion: Mass retention of data incompatible with EU law (29.01.2020)
Proposal for the police hacking law 2019/20:64 (only in Swedish)
Dataskydd.net’s statement on the report proposing the new law (only in Swedish)
(Contribution by Eric Skoglund, EDRi observer Dataskydd.net)