Security Theater Lessons From Utøya

As the shock passes into reflection of the Utøya massacre — could anything have been different? — and the grief for and honoring of the missed and wounded, people will start asking questions as to how this could possibly happen.

Having gone through the methodology used, just like Hax did, we can examine one step after another of Breivik’s plan.

I frequently say that power in society is about information advantage. If you know more about your opponent than your opponent knows about you, then you will have the advantage. In this case, Breivik knew how to not look like the nutjob he was.

It’s not even particularly hard. As long as you do whatever horrible deed you plan to do alone, you will evade all wiretapping and data retention. The largest civilian spy program in history is useless against people like Breivik.

It’s a matter of knowing what sets off red flags in the system, and taking active steps to not have them pop up.

Breivik had guns. Three of them: a Glock handgun, a scoped hunter rifle and a shotgun.

Well, yes. So maybe you should have gun controls and strict background checks.

Except Norway has that already. Strictest on the planet, even; same as Sweden. You need to be a flawless, regular and standing member of a licensed shooting club for a full year to get a 9mm handgun license, with a spotless criminal record (Breivik had just a ten-year-old traffic ticket). A hunting license is separate, with extensive and different tests, and apparently Breivik had that too. This doesn’t redflag in itself.

Nobody would imagine that the handgun was planned to be used for point-blank executions with the scoped hunter rifle being planned for teenagers who tried to swim to safety. No program would catch it. Doing so would require mind reading.

Breivik could make tons of explosives. Metric tons.

Well, yes. The nutjob literally bought an entire farm to stay under the radar on this one. Nobody is surprised that farms buy tons of fertilizer; ammonium nitrate, specifically. Nor is anybody surprised that farms need diesel fuel. This was all that was needed, and with a minimum of 8th grade chemistry.

If you are going to prevent either one of these, where do you want your food to come from in the future? Or should we ban the knowledge of chemistry, or perhaps license it? Remove the books on basic chemistry from libraries and censor web pages that mention that knowledge?

Again, it is a matter of information advantage. If you know how to blend in, you will survive in an environment hostile to your intentions.

Which brings us to the last part:

Breivik intended to kill — no, execute — people.


As despicable as that is, how would you like to catch it, the key word being “intend”? He didn’t speak to anybody about it. Even his parents were caught completely off guard. He planned it alone; for nine full years, according to some sources. We have neither mindreading nor precrime technology.

And yet.

We now have wanton en-masse ubiquitious wiretapping in Europe (specifically Sweden), explicitly for national security purposes, which would pick up a lot of what is said and spoken in Norway as well. We have individual location tracking of all citizens. Still, for all this surveillance which is the most extensive in human history, it was utterly and totally useless.

If we cannot prevent an event like Utøya, the worst killing spree ever in world history and the worst terrorist act in entire Europe in two decades, by any means conceivable — why are we playing this security theater and giving up hard-won civil liberties one after another?

The only thing that would have caught Breivik would have been frequent police raids turning his farm inside out, leaving no room to hide his experiments in chemistry. Turning all industries and homes inside out with sharp regularity might have prevented this. Even still, a person as determined as Breivik would likely have been able to blend in even under such circumstances.

Benjamin Franklin famously said, that “a people who gives up its freedom to gain a little security will lose both and deserve neither”. But now that it has been shown in the most gruesome, in-your-face way that we don’t even gain a little security by giving up these freedoms, then why are we doing so?

Norwegian Prime Minister Stoltenberg is absolutely right when he says we must fight antidemocratic lunacy with more democracy and more humanity. His quote from one of the young on Utøya, “if one man can show so much hate, imagine how much love we all can show together“, is one of the most statemanworthy I have seen in my entire life. Both when it came from the young surviving lady right off the island, and from Stoltenberg on repeating it in his official capacity.

It brings me to tears, and to something more important: hope.

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He lives on Alexanderplatz in Berlin, Germany, roasts his own coffee, and as of right now (2019-2020) is taking a little break.


  1. Magnus

    It is that theater you write about that foster monsters like this, by using fear as the driving force. Yes, we have just seen the logical extension of the war on terror. Basicly a wierd puppet of the Bush-regime that needs to frame islam in nazi-terms to justify his own hatred born out of the “either with or against” doctrine in the war on terror.

  2. Civilian

    Terrorism is a way of reaching goals using fear against civilians.
    The way I see it, the Security Theater does exactly this…

  3. Peter Andersson

    I might sound like a conspiracy theorist now, but if so it’s only because yesterday you emphasized that when dealing with IT one must always think about ALL the possible weaknesses and potential security holes in a system. So here’s one; sure, we have en-masse wiretapping in Sweden and Norway, explicitly for national security purposes – but do we know for sure that prior to the shooting he wasn’t already detected by that?

    We Scandinavians aren’t the ones doing all the analysis, the lion part of the data retention analysis is outsourced to the USA – a country now in a situation where it’s de facto in its interest that other countries continue to sign up behind their war against terrorism as they themselves are going broke. And what better means to ensure that a country previously free from major terror continue to stay in the fold than allowing a nutcase to slip through, blow up a bomb in the capital and shoot a few people?

    And by a few people I mean that the horrifying number of dead, almost one hundred, could at that prior point NOT have been foreseen even by someone so self-interest demented as to allow that racist utter nutcase to proceed, even ten would still have been a high number.

    So if we are to take ALL the possible weaknesses and potential security holes into account, then the first order of business would be to stop handing over any internet surveillance data to other countries for analysis and give our own security agencies the means to do that part of the job themselves.

    Damn! Did I just logic myself into a pro-FRA standpoint? How do I get out of that while remaining my online integrity beliefs?

    1. Rickard Olsson

      By accepting targeted surveillance only after real police work turn up suspicions. Blanket wiretapping is inefficient. Having cops on the beat, knowing the locals is unbeatable.

  4. Mumfi.

    Maybe I shouldn’t even say this…
    If the state had monitored all his interactions, he would have triggered flags. He read all the wrong blogs, he talked to the wrong people, and I’m sure he googled the wrong stuff. Well, so do I, for different reasons. I’m sure I would pass the psychological test after the security police come get me.

    I actually rather get blown up, but it is doable. And AI gets better all the time…

    1. Rickard Olsson

      That would also create a staggering number of false positives, rendering the system useless anyway.

      1. Mumfi.

        No problem. We just set the citizens to check out the false positives themselves. If no one knows who actually works for the secret police no one will dare not do a god job of it. After all it may be a test from the secret police to se if you do a good job.
        It is only useless I’d you have some kind of ambition to let people have civil rights.

      2. David Wees


        Furthermore, it would reduce us to a state where everything we do is observed. That has been tried, and doesn’t work. See the former Soviet Union for an example of how ineffective mass surveillance of the population is (or modern day China).

      3. Peter Andersson

        @ Mårten

        I see now that I shouldn’t have used the word “snap”. I guess it implies too much that someone goes from 0 to 100, from normal to nutcase, in just seconds. That’s not what I meant. And i believe that is very rare. Fortunatelly.

        What I meant was the kind of snap that DOES have a build-up period, like this Norweigian racist seems to have had, like the development of a sickness in my examples above, or the development of life-hating paranoia (as oppose to the kind of live-saving IT-security mind default paranoida that Rick made a good argument for yesterday).

        So it boils down to this: Some of these build-up nutcases could be catched by simple internet habit surveillance. Shold we refrain from that possibility altogether in the name of absolute integrity or should we put the job to do the analysis in the best possible hands?

        (And just to try to avoid any further missunderstandings: As you might rightly conclude from my long post above on this thread I do not consider handing over integrity sensitive data en masse to another country, especially one in functional turmoil, as “best possible hands”).

      4. Mårten

        “Some of these build-up nutcases could be catched by simple internet habit surveillance.”
        I doubt that and I suspect there already are such systems, it’s just that they are easy to avoid if you take some basic precautions that most people can figure out

        But lets say there was a system that could detect anyone trying to make a bomb. After a while it would be public knowledge so a terrorist would simply chose another tactic. In this case the bomb appears to have been a diversion, the real terror was caused later by one psychopath with a gun. Weapons are heavily regulated so he must have been in police registers already and the police don’t need mass surveillance to know about right wing fascist forums and blogs… Another infamous example is 9/11. What stops a terrorist from becoming a pilot and fly into a building? All it takes is a nutcase with enough determination.

        Mass surveillance of normal people wouldn’t have helped, in the long run it only exposes people to more risks.

    2. Johannes

      I have not read his 1500 page manifesto, not even parts of it, but it’s rumoured that he actually adresses this, advicing to use open WIFI when investigating bomb recipes etc. He was rather paranoid in that way; maybe rightly so?

      1. Mårten

        I have looked at it and it appears he took basic measures to avoid detection. As pointed out, he even bought a farm in order to not raise any alarms when buying fertilizer. The kind of internet mass surveillance we are implementing is easy to circumvent if you are determined enough (as critics have been pointing out). Then again, the FRA-law was never about stopping terrorists.

        Preventing hate and terror isn’t done by surveillance and fearmongering, it’s done by creating an open, tolerant and loving society.

      2. Peter Andersson

        @ Mårten

        Creating an open, tolerant and loving society is a beautiful phrase, but it’s also a cliche of the worst kind, or at least one of the new age utopian sci-fi type of kind.

        Truth is that some people turn “evil” because of the odd kind of brain tumour, or enviromental posioning that alters the function of their psyche, or the traumatic event of losing a loved one due to non-societal events out of anyone’s actual control, or a combination of that and/or other unforeseenable factors.

        Even in the most open, tolerant and loving society imaginable there are always gonna be people that just “snap” – how do we protect ourselves against them/that?

      3. Mårten

        Peter, he didn’t ‘just “snap”’, he’s been at it for over 9 years while listening to right-wing extremist hate propaganda and islamofobic fearmongering.

      4. Mårten

        And, Peter, how do you envision surveillance would protect us from people who “just snap”. What if someone picks up a kitchen knife and goes on a killing spree. No surveillance in the world can prevent that.

        There is no way to stop someone who’s determined to hurt other people.

        The _only_ way to prevent it is by working towards a society where people doesn’t want to. A society where people doesn’t fear each other,

      5. Mumfi.

        Using WiFi will not help you in a totalitarian panoptical state.
        First, no one will dare to share their WiFi. If you break in, and it triggers inspection, they know where and who you are by your mobile communication devices, security cameras, traffic cameras, purchase and credit trails. And with what is in place today. A state like this will probably simply come get you as soon as you turn of your personal transponder or some such device.

  5. AeliusBlythe

    “But now that it has been shown in the most gruesome, in-your-face way that we don’t even gain a little security by giving up these freedoms, then why are we doing so?”

    Because, tragically, people put more emphasis on feeling secure than being secure. Unfortunately, I fear (not only) Norway will take this as an opportunity to say “see, see–we need MORE security!” and people will be afraid and think the answer is yes–not unlike what happened in the US after 9/11.

    Politicians tend to be more concerned with doing something for the sake of doing something, even if it not effective and would never have been effective. Unfortunately, this makes people feel safer, even if they are not.

  6. […] I saw the following commentary on a Swedish blog called Falkvinge & Co. on Infopolicy.  The author is Rick Falkvinge.  I thought his ideas were worth republishing since the implications of his argument extend beyond Utøya.  His post has been lightly edited; the original, along with links, can be found here. […]

  7. Tore Kullgren

    Correction: This attack was the worst act of terror in Europe since 2004 (The Madrid train bombs killed 191 people).

    1. Rick Falkvinge

      Global Terrorism Database (the link in the statement) lists the fatality count from the 2004 Madrid bombings at 73.

  8. Peter Anderssons

    Darn, my new comment/question for Mårten ended up on the wrong part of the overall comments thread, because I clicked at the wrong place when trying to calculate how to get it in under his when that one had no reply button:

    Why is there a limit to the number of sublevels on comments in the first place?

  9. Tombo

    It seems the terrorism db lists the bombs in Madrid as several different attacks. If one instead counts them as one single attack, the number of deaths in Madrid exceeds the number in Norway.

    1. Mumfi.


  10. Björn Persson


    Endast regelbundna kallocainundersökningar av hela befolkningen kan garantera vår säkerhet, inte sant?

    Jag hoppas verkligen att ingen någonsin lyckas framställa kallocin.

  11. […] difficult to use such a fresh tragedy to prove a point, a post by Rick Falkvinge looks at why security theater in Norway was ineffective in preventing this tragedy, and how no further ratcheting up of security theater is likely to do […]

  12. Helvetet på jorden « TantraBlog

    […] Behring Breiviks kommentarer hos, Statsminister Jens Stoltenbergs tal i Oslo Domkirke, Piratpartiets Rick Falkvinge resonerar intelligent kring det omöjliga i att ha ett samhälleligt säkerhetssystem som förhindrar våldsdåd av denna […]

  13. Morten

    If the citizens were allowed to carry firearms, this might have gone better. I understand people are afraid of this, and want to outlaw everything they are afraid of, but it is simply impossible to get rid of all guns by law. If it was possible, it would be another matter. You can only ensure that criminals are the ones who have them. Sadly people have a tendency to imagine the worst, and not thinking clearly when they are afraid.

    If it were allowed, then there would very likely have been a few civilian guards at this event, and they could have taken this lunatic out much earlier. Guns are just as likely or more likely to prevent violent crime as to enable them.

    I hope people will honestly consider allowing guns. I might be horribly wrong, but I believe that most peoples reluctance to allow them is based on an irrational fear of horrible things that might happen, while imagining a perfect world without guns is better. Neither is realistic.

  14. Breivik, les limites de la surveillance » OWNI, News, Augmented

    […] son blog, Rick Falkvinge, le fondateur du Parti pirate suédois, dresse les “leçons sécuritaires” d’Utoya. D’emblée, il rappelle l’inanité d’une surveillance généralisée : Tant que vous gardez […]

  15. […] les limites de la surveillance (Olivier Tesquet voor en Security Theater Lessons From Utøya (Rick Falkvinge van de Zweedse Pirate Party): We now have wanton en-masse ubiquitious wiretapping […]

  16. They Have Their Exits and Entrances « Colorado Libertarian

    […] of which is to bring you this heartbreaking and terrible reminder of just what security theater actually means: If we cannot prevent an event like Utøya, the worst […]

Comments are closed.