In September of this year, the Swiss Parliament passed a new Swiss surveillance law, known as the Nachrichtendienstgesetz (NDG) in German and la Loi sur le renseignement (LRens) en française.
2017 Update – In the months since the law was first introduced, we have had repeated contact with the Swiss government and held a meeting at our office together with legal counsel and members of the PTSS. In our meetings, we discussed the practical challenges of implementing such a law, and helped to advise policy makers on the most sensible implementation.
We appreciate that the Swiss government has recognized the leading role that Proton Technologies AG plays in developing the cybersecurity tools of the future, along with the role that we play in the economic re-orientation of Geneva, and Switzerland as a whole towards the high tech sector, and sought a meeting with us to discuss how to ensure both security and privacy in the digital age.
As a participant in these discussions, we can confirm unequivocally that upon implementation, the provisions regarding data retention introduced by the BÜPF will exempt companies like ProtonMail and ProtonVPN which are not major telecommunications operators. This is in addition to the points in the article below, which still hold.
This did not come as a total surprise because the Swiss surveillance law has been debated for quite some time, and mirrors similar efforts which are ongoing in other countries such as Germany, France, the UK, and the US. Unfortunately, due to the tragic events in Paris, efforts to curtail privacy have attracted political support even though it is clear that banning encryption won’t prevent terrorism.
As the world’s largest secure email service, we are following the discussions in Switzerland closely and we have gone over law with legal experts to understand the implications for ProtonMail. The Swiss surveillance law is similar to the one which was recently approved in Germany. However, there are some differences. The Swiss version requires sign off by a judge and needs to go through two levels of judiciary for approval. The Swiss also don’t have a history of cooperating with the US, unlike German intelligence.
After careful analysis, we can conclude that the new Swiss surveillance law will not significantly impact the environment for secure email services in Switzerland, and in particular will not affect ProtonMail. There are a couple reasons for this.
First, the new law only allows Swiss intelligence to conduct more surveillance. Given Switzerland’s neutrality, Swiss intelligence is mostly concerned with domestic threats and does not have an interest in the data of the 95% of ProtonMail users who are not from Switzerland. While the new law might open the door for Swiss intelligence, it certainly doesn’t open it for the NSA or other foreign intelligence agencies.
Second, there is a distinction between handing over the data we already have (which is end-to-end encrypted), and being forced to actively hack users. The new laws could compel us to hand over data that we have, but they definitely CANNOT force companies to hack their users. Because ProtonMail’s encryption is done client side, any obligations for service providers to remove encryption wouldn’t apply because the encryption is applied by the end-user on their device, and not by ProtonMail. It is also not clear the clauses regarding encryption would even apply to us in the first place, because we don’t fall under the standard definition of communication service provider used in the law, which largely relates to ISPs. This applies also for ProtonVPN, as there is nothing in the law that can compel us to break ProtonVPN’s encryption, or force us to obtain data from users that we don’t naturally possess (such as IP logs), nor are we legally obligated to start possessing them.
Third, while it seems bad that these new laws can force ProtonMail to hand over encrypted user data, this doesn’t actually change anything. Any company (ProtonMail included), can already be asked to hand over user data provided there is a VALID Swiss court order. The new law doesn’t change this. What it does is provides Swiss intelligence another avenue to get data. Instead of having to bring a case through the courts first, they can now directly request through the judiciary. This of course applies only to Swiss intelligence, foreign intelligence agencies will still need to go through the courts.
Fourth, since ProtonMail emails are encrypted using PGP (which provides end-to-end encryption), any emails that we do hand over would be encrypted, and only the owner of the emails will have the ability to decrypt them. This means the new Swiss surveillance laws actually strengthen instead of weaken ProtonMail’s use case. If Swiss intelligence has easier access to confidential personal data under the new laws, it becomes even more important to encrypt this data, which is exactly what ProtonMail does.
For the non-Swiss ProtonMail users, it is safe to say that these laws have little to no impact. As for Swiss users, unfortunately the privacy environment in our country has gotten worse which increases the need for secure email services like ProtonMail. Even though the new Swiss surveillance law does not fundamentally harm ProtonMail’s usage case (it in fact arguably improves it), we are consistent in our stance of opposing government invasion of personal privacy. For this reason, we are supporting the referendum effort to overturn these laws, and we encourage all Swiss ProtonMail users to also study the laws and sign the referendum. More information about the referendum can be found in our blog post here.
Finally, it is worth noting that even with increased surveillance powers, Swiss surveillance agencies are not the primary threat actors that our security team are worried about. We see better funded and resourced actors such as the US NSA, CIA, and Russian or Chinese state security, and black hat criminal groups operating without the constraints of laws, as posing significantly larger threats. Compared to these actors, Swiss surveillance agencies operating within the confines of Swiss law are simply not the main risks to ProtonMail and ProtonVPN users.
If you are interested in better protecting your email privacy, it is possible to get a ProtonMail account here: https://protonmail.com/invite
The Proton Team