How to make politicians really understand the dangers of mass digital surveillance and the importance of information security?
Gustav Nipe, the 26-year-old president of the Swedish Pirate Party’s youth wing, tried to do it by setting up an open Wi-Fi network at the Society and Defence National Conference held in Sälen, Sweden, late last week and earlier this week, and collecting and analyzing the metadata of conference attendees who connected to it.
This conference is an annual summit organized by the Swedish Society and Defence NGO, during which defense and national security issues in Sweden are debated by the speakers and other participants, usually Riksdag (Swedish parliament) members, representatives of political parties, trade unions, the government, and journalists.
Nipe set up an open wireless Internet access point named “Open Guest” on the premises of the hotel where the conference was held, and over 100 delegates used this particular unsecured Wi-Fi network to go online.
The collected metadata showed that, among other sites, they visited those of daily Swedish newspaper Aftonbladet, Swedish private ads website Blocket, eBay, and tourism sites. “This was during the day when I suppose they were being paid to be at the conference working,” Nipe noted for The Local.
But the collected metadata also showed a far more serious thing: on several occasions, users connected to e-mail servers belonging to the likes of the Swedish Civil Contingencies Agency (MSB) and other government organizations.
“The [MSB] is tasked to develop the community’s ability to prevent and handle emergencies and crises. That their staff is apparently not adequately trained in information security is problematic,” Nipe pointed out in a press release (via Google Translate), adding that their use of an open unencrypted network to read official emails is astonishing.
“The scary part is that with unsecure networks like these you can end up getting access even to secure servers because people so often use the same passwords for different sites. So we could have got into the government’s server or used other information to track people in their everyday lives,” he noted.
The fact that they managed to identify authority figures, journalists and politicians through their use of a wireless network and their less thoughtful use of online services demonstrates the tremendous power available to anyone controlling the internet, they pointed out.
“It also shows the risk involved for public figures and private individuals to work and live their lives on a network whose safety is compromised,” they said, and called for the authorities and the security establishment to work towards the creation of a safer Internet on which the privacy of all non-suspects is protected.
This action has been criticized by many, and the question of whether a stunt like this is legal under Sweden’s Personal Data Act has been raised. Nipe promised to encrypt all the collected information and to destroy it after it’s thoroughly analyzed.
He also pointed out that it was the delegates who used their network without permission, and added that using an unprotected network for logging into their official email accounts must be against official operational rules at the agencies for which they work.