Switzerland has long been known for keeping the secrets of foreign governments and individuals, including financial transactions and more recently, digital transactions. For the past few years, startups have built encrypted software services (such as ProtonMail and ProtonVPN) on Swiss servers, away from the prying eyes of U.S. intelligence services. Customers from around the world have relied on the sovereignty of Swiss borders - and Swiss courts - for digital privacy. But all of that could soon come crashing down.
In early March 2018, a series of new laws will allow "for the provision of information requests, real-time interceptions, retroactive interceptions (historical data), emergency searches and tracing" and require dozens of domestic ISPs to operate permanent surveillance systems.
"The ISP and the providers of communication services with more extensive information and monitoring obligations must retain the details of the telecommunications services for the purpose of identification for the duration of the customer relationship and for 6 months after the termination of the contract be able to deliver it."
These wide-sweeping laws affect internet access, email, and "other telecommunications services", including messaging services, social networking communications, cloud platforms, and proxy services. Businesses are expected to hand over customer data (name, date of birth, address, ID card number, IP address, etc) to authorities upon request.
Although the European Union is set to launch the General Data Protection Regulation (GDPR) to bolster digital privacy rights, Switzerland is not a member of the EU, which leaves Swiss citizens and their data exempt from protection.
A related upcoming Supreme Court battle between Microsoft and the U.S. Department of Justice threatens to give U.S. intelligence services the ability to seize foreign data without court approval. The final ruling could further damage public perception of Swiss privacy.
ProtonMail has reached out and pointed to a blog post from 2015, which suggests their email service will be "exempt",
"The new laws could compel us to hand over data that we have, but ... any obligations for service providers to remove encryption wouldn’t apply because the encryption is applied by the end-user on their device, and not by ProtonMail."
However, ProtonMail has not denied that they would be compelled to hand over unencrypted email sent or received via their email service, or if their VPN service will be forced to maintain and disclose user metadata and activity logs.
Published February 14, 2018 by Ethan F Grant