Law Library Stacks

Back to Government Access to Encrypted Communications

Summary

Swedish law allows for the issuance of search warrants when a crime with a prison sentence is being investigated. Swedish law does not require encryption companies to decrypt cellphones. Legislation enabling forced decryption has previously been proposed but never adopted. All searches and seizures require a prior proportionality test, weighing the reasons for the measure against the privacy and integrity of the subject of the search. A recent Supreme Court case indicates that searches on devices may be limited because of this test. Legislative proposals are pending that would allow the Swedish police to infect suspects’ computers with Trojan horse malware.

I. Background

Swedish police and prosecutors have previously requested authority to use new tools, such as the deployment of Trojan horse malware, to enable decryption of suspects’ cellphones, according to news reports.[1]

A 2015 audit by the Swedish National Audit Office revealed that forensic experts at the Swedish (national) Police occasionally hack into cellphones. [2] Police access to cellphones has reportedly only rarely been hampered by encryption or similar preventive efforts.[3] The Swedish Security Police (SÄPO) reports that forensic analyses are part of all its investigations.[4] There are legal restrictions, however, not least in regard to international cloud services, which under Swedish law cannot be searched by Swedish police if the servers are outside of Sweden, as it would be considered a search in a foreign country.[5]

Following the Paris terrorist attacks in November 2015 the Swedish government declared that it would initiate, research, and propose new legislation to enable access to encrypted information.[6] The proposal is forthcoming—no initial committee report has yet been published.[7]

Back to Top

II. Current Law

A. Decryption Pursuant to Warrants

Swedish law provides limited possibilities for decryption pursuant to a warrant. The Swedish Constitution provides protection against unlawful searches of persons and property.[8] Search warrants can only be made under law.[9] The issuance of search warrants is regulated in Rättegångsbalken (the Civil and Criminal Procedure Act).[10] A search warrant can be issued if the crime investigated is sanctioned with a prison sentence.[11] However, in each case the person issuing the search warrant must conduct a proportionality test (proportionalitetsprövning), weighing the invasion of the suspect’s privacy versus the benefits of issuing the warrant. [12] A police officer may conduct a search without first securing a search warrant if there is an immediate danger in not conducting the search.[13] Subject to a proportionality evaluation, a search warrant may also be issued for a place not directly connected with the crime or suspect if there are extraordinary reasons to suspect that useful information will be found. [14]

The Swedish Supreme Court has found that searches of computers and cellphones are an especially sensitive area of the law, as computers and cellphones “may . . . include evaluation of a significant number of files and large amounts of data that is not sought [by the Police].”[15] This means that the proportionality test is especially important in these cases. [16] Depending on the outcome of a proportionality test, seizure of a cellphone may thus be possible under Swedish law, but decryption might be illegal.

B. Seizure of Encrypted Information

Property that can reasonably be presumed to have importance in an investigation can be seized,[17] except for excluded property such as secret information pertaining to information that a person could not divulge in court.[18] Parliamentary committees have interpreted this exclusion to also include electronic property.[19] The Supreme Court in 2015 affirmed that conclusion.[20] If a document (or electronic media) is protected by a prohibition against seizure ( beslagsförbud), this is absolute and cannot be overridden by the proportionality test.[21] The reason behind this absolute prohibition is that the police and prosecutor must not be able to circumvent the rules limiting what can be asked of a witness—for example, limitations based on the attorney-client privilege or doctor-patient confidentiality under Swedish secrecy law. [22]

The Supreme Court has previously refused requests for the production of certain data because the data was held by persons who were subject to legally mandated, professional secrecy.[23] Where secret information is present on a device such as a cellphone, that fact alone does not bar a search for information on the device, but does weigh negatively against the search in a proportionality test. [24]

C. Information Owner’s Obligation to Decrypt

Sweden is a signatory to the Council of Europe Directive on Cybercrime.[25] In a 2013 government report the Cyber Convention Commission, while evaluating the need for new legislation to enable implementation of the Cybercrime Directive, found that there currently is a possibility under Swedish law to “order a person with knowledge of a computer systems’ function or of measures that are used to protect the [desired] information, to provide information that is necessary to enable the execution of the warrant.”[26] The Cyber Convention Commission thus concluded that there was no need to change Swedish legislation to adopt the Council of Europe Directive on Cybercrime. [27] It is unclear whether the Commission’s interpretation would apply to the creators of encryption software or only to the person who stored the information.

The Swedish Data Protection Authority criticized the Commission’s interpretation that a person subject to a warrant can be required to provide keys to his or her computer.[28] The statement could be interpreted by the courts as a requirement to self-incriminate—for example, when an individual is required to present his or her password—and as such could be a violation of human rights as interpreted by the European Court of Human Rights (ECHR).[29]

Another police measure that could potentially be invoked to force access to encryption keys is “testimony before the courts during police investigations” ( vittnesförhör inför rätta under en förundersökning).[30] Persons who are thought to have information of importance to an investigation may, under the threat of a fine (vite), be asked to report to the investigator (generally the police) to divulge their information before the court.[31] This could be interpreted to include requests that third parties aware of a password divulge that information.[32]

D. Obligation of Encryption Companies to Decrypt Data

Swedish law does not require encryption companies to decrypt data. However, members of Parliament have previously made such proposals. For instance, Motion 2013/14:JU277 proposed that encryption companies be required to decrypt files in child-pornography cases, but that proposal was rejected by the Justice Committee, which cited other efforts by the government to address child pornography.[33]

E. No Decryption Requirement for Internet Service Providers

Internet Server Providers (ISPs) are required to collect and store metadata on all of its customers for six months. [34] However, ISPs cannot be required to decrypt any information sent over their networks. The extent of the data collected as well as the willingness to produce such data varies among Swedish ISPs.[35]

F. Secret Surveillance

Secret surveillance is regulated in chapter 27 of the Civil and Criminal Procedure Act.[36] The police are allowed to secretly surveil electronic communications for crimes that carry a sentence of at least two years’ imprisonment. [37] However, the police may only use secret surveillance if it is of exceptional importance to the investigation and the target is suspected, on reasonable grounds, of having committed the crime.[38] The police are not allowed to surveil electronic communications over communications networks that are of lesser importance from a public communications perspective.[39]

Back to Top

III. Court’s Call for Legislative Action

In a 2015 decision denying access to digital images in a robbery case, the Swedish Supreme Court issued a rare statement [40] explaining that it was restricted by the fact that Swedish “legislation regarding the use of coercive measures in the so-called virtual space is outdated.”[41] The Court continued, “[i]t is urgent that the legislative branch [Swedish Parliament] correct this [as the Court cannot do this, not least] as good legal custom presumes a significant level of technical or other non-legal expertise.”[42]

The case hinged on the fact that the images were protected by a constitutional right of freedom to communicate information (meddelarfrihet) and that seizing the images could have exposed the photographer, which was not outweighed by the police’s need for the picture. Swedish journalists are not allowed to reveal confidential sources, as specified in the Swedish Constitution,[43] and a proportionality test is always required by law.[44]

Back to Top

IV. Conclusion

In practice it is unlikely that a Swedish court would force an ISP, encryption company, or other entity to decrypt data pursuant to current law, as the measure would not be considered proportional. The matter will likely be addressed by the legislature.

Back to Top

Prepared by Elin Hofverberg
Foreign Law Research Consultant
May 2016


[1] Säpo kräver trojaner , VeckansAffärer (Apr. 25, 2014),http://www.va.se/nyheter/2014/04/25/sapo-kraver-trojaner, archived at https://perma.cc/2MM7-JBW4; Prosecutors Want Access to Decryption Tools, Radio Sweden (Aug. 22, 2012), http://sverigesradio.se/sida/artikel.aspx?programid=2054&artikel=5246277 , archived at https://perma.cc/N33Z-ZTD2.

[2] Riksrevisionen It-relaterad brottlisghet – polis och åklagare kan bli effektivare 18, RIR 2015:21, http://www.riksrevisionen.se/PageFiles/23153/RiR_2015_21_IT-relaterade-brott_Anpassad.pdf , archived at https://perma.cc/P5AV-MVR4.

[3] Id . at 47.

[4] IT är med i alla våra brottsutredningar , Säkerhetspolisen, http://www.sakerhetspolisen.se/ovrigt/menyer/ medarbetarportratt/it-ar-med-i-alla-vara-brottsutredningar-.html (last visited Apr. 12, 2016), archived at https://perma.cc/VB83-ZGJL.

[6] Fler insatser för att motverka terrorism , Regeringen (Nov. 19, 2015), http://www.regeringen.se/artiklar/2015/11/ fler-insatser-for-att-motverka-terrorism , archived at https://perma.cc/6HN4-JR6E.

[7] For an overview of the process for adopting legislation, see Commissions of Inquiry, SverigesRiksdag, https://www.riksdagen.se/en/How-the-Riksdag-works/What-does-the-Riksdag-do/Legislation/Commissions-of-inquiry (click headings under “Commissions of inquiry” in the list of topics on the left) (last visited Apr. 11, 2016), archived at https://perma.cc/664Z-29FF.

[9] Id. 2 ch. 6 & 20 §§.

[10] Rättegångsbalken [RB] [Code of Civil and Criminal Procedure] (SFS 1942:740),https://www.notisum.se/ rnp/sls/lag/19420740.htm, archived at https://perma.cc/ULE7-Y8JQ.

[11] Id . 28 ch. 1 §.

[12] Id . 28 ch. 3a §.

[13] Id . 28 ch. 5 §.

[14] Id . 28 ch. 1 § 2 st.

[15] Högsta Domstolen [HD] [Supreme Court], 2015-08-18, Ö 3074-15, at 6, http://www.hogstadomstolen.se/ Domstolar/hogstadomstolen/Avgoranden/2015/2015-08-18%20O%203074-15%20Beslut.pdf , archived at https://perma.cc/A5AA-8JBT (all translations by author).

[16] Id . 17, 28–29 ¶¶.

[17] 27 ch. 1 § RB.

[18] Id . 27 ch. 2 §.

[19] See, e.g. , Statens Offentliga Utredningar [SOU] 2011:45 Förundersökning – objektivitet, beslag, dokumentation m.m. [government report],http://data.riksdagen.se/fil/40CFC0F1-4704-4C11-9CA1-D03634483049, archived at https://perma.cc/NHV9-68VT.

[20] HD Ö 3074-15, 14 ¶.

[21] Id . 20 ¶.

[22] Id . 23 ¶.

[23] Id . 24 ¶; see Nytt Juridiskt Arkiv [NJA] 1981 s. 791 & NJA 1992 s. 307.

[24] HD Ö 3074-15, 29 ¶.

[25] Convention on Cybercrime, Nov. 23, 2001, 185 E.T.S., http://www.europarl.europa.eu/meetdocs/2014_2019/ documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf , archived at https://perma.cc/AZE4-YJ5M;Chart of Signatures and Ratifications of Treaty 185, Convention on Cybercrime, Status as of 18/04/2016, Full List, Council of Europe, Treaty Office, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures? p_auth=GfgVFijr,l , archived at https://perma.cc/R335-RSB7.

[26] SOU 2013:39 Europarådets konvention om it-relaterad brottslighet [government report series], at 146, http://www.regeringen.se/contentassets/b7ef66bff0b94040b781df446546c745/europaradets-konvention-om-it-relaterad-brottslighet-sou-201339 , archived at https://perma.cc/HN8M-K877.

[27] Id . at 150.

[28] See Datainspektionen, Remisssvar av betänkandet Europarådets konvention om it-relatedard brottslighet [Consultation Response to the Government Report on the European Council’s Convention on Cybercrime] (SOU 2013:39) 2–3(Sept. 19, 2013), http://www.datainspektionen.se/Documents/ remissvar/2013-09-25-konvention-it-brottslighet.pdf , archived at https://perma.cc/4V8A-UJKG.

[29] SOU 2013:39, supra note 26, at 283; see also Johan Holmgren, Kryptering, dekryptering och de mänskliga rättigheterna 20–22 (unpublished thesis, Law Faculty, Lund University), available at https://lup.lub.lu.se/student-papers/search/publication/3046392 (last visited Apr. 19, 2016), archived at https://perma.cc/ZK9S-MHNN.

[30] SOU 2013:39, supra note 26, at 146.

[31] 23 ch. 13 § RB; see also id. 23 ch. 6, 6a, 6b §§.

[32] SOU 2013:39, supra note 26, at 334.

[33] Justitieutskottet betänkande 2013/14:JuU14 Polisfrågor [Justice Committee Report 2013/14:JuU14, Police Issues], https://www.riksdagen.se/sv/Dokument-Lagar/Utskottens-dokument/Betankanden/Polisfragor_H101JuU14/?html= true , archived at https://perma.cc/39D3-WEBY.

[34] 6a, 16d §§ Lag om elektronisk kommunikation [LEK] [Act on Electronic Communication] (SFS 2003:389),http://www.notisum.se/rnp/sls/lag/20030389.HTM, archived at https://perma.cc/3YFS-C9YN.

[35] For example, the ISP Banhof has taken a more restrictive stance on when to provide data to the government. Advokaten: Det måste finnas gränser för vad polisen ska kunna få tillgång till, Bahnhof (Apr. 8, 2016), https://www.bahnhof.se/press/press-releases/2016/04/08/advokaten-det-maste-finnas-granser-for-vad-polisen-ska-kunna-fa-tillgang-till , archived at https://perma.cc/PY9X-EWQQ.

[36] 27 ch. RB.

[37] Id. 27 ch. 18 § 2 st.

[38] Id. 27 ch. 20 § 1 st.

[39] Id. 27 ch. 20 § 3 st.

[40] Press Release, HD, Högsta domstolen avslår åklagarens begäran om husrannsakan hos Aftonbladet (Aug. 18, 2015), http://www.hogstadomstolen.se/Mer-om-Hogsta-domstolen/Nyheter-fran-Hogsta-domstolen/Hogsta-domstolen-avslar-aklagarens-begaran-om-husrannsakan-hos-Aftonbladet , archived at https://perma.cc/W4KA-CL4S.

[41] HD Ö 3074-15, 43 ¶.

[42] Id .

[43] See 1 ch. 1 § 3 st Tryckfrihetsförordningen [TF] [Freedom of the Press Act] (Constitution).

[44] 27 ch. 1 § 3 st RB.

Back to Top

Last Updated: 10/01/2016