ProtonBlog(new window)
Swiss surveillance law

Impact of Swiss surveillance laws on secure email

Share this page

In September of this year, the Swiss Parliament passed a new Swiss surveillance law, known as the Nachrichtendienstgesetz (NDG) in German and la Loi sur le renseignement (LRens) en française.

2017 Update – In the months since the law was first introduced, we have had repeated contact with the Swiss government and held a meeting at our office together with legal counsel and members of the PTSS(new window). In our meetings, we discussed the practical challenges of implementing such a law, and helped to advise policy makers on the most sensible implementation.

We appreciate that the Swiss government has recognized the leading role that Proton AG plays in developing the cybersecurity tools of the future, along with the role that we play in the economic re-orientation of Geneva, and Switzerland as a whole towards the high tech sector, and sought a meeting with us to discuss how to ensure both security and privacy in the digital age.

As a participant in these discussions, we can confirm unequivocally that upon implementation, the provisions regarding data retention introduced by the BÜPF will exempt companies like Proton Mail and Proton VPN which are not major telecommunications operators. This is in addition to the points in the article below, which still hold.

This did not come as a total surprise because the Swiss surveillance law has been debated for quite some time, and mirrors similar efforts which are ongoing in other countries such as Germany(new window), France(new window), the UK(new window), and the US(new window). Unfortunately, due to the tragic events in Paris, efforts to curtail privacy have attracted political support even though it is clear that banning encryption won’t prevent terrorism(new window).

As the world’s largest secure email service(new window), we are following the discussions in Switzerland closely and we have gone over law with legal experts to understand the implications for Proton Mail. The Swiss surveillance law is similar to the one which was recently approved in Germany(new window). However, there are some differences. The Swiss version requires sign off by a judge and needs to go through two levels of judiciary for approval. The Swiss also don’t have a history of cooperating with the US, unlike German intelligence.

After careful analysis, we can conclude that the new Swiss surveillance law will not significantly impact the environment for secure email services in Switzerland, and in particular will not affect Proton Mail. There are a couple reasons for this.

First, the new law only allows Swiss intelligence to conduct more surveillance. Given Switzerland’s neutrality, Swiss intelligence is mostly concerned with domestic threats and does not have an interest in the data of the 95% of Proton Mail users who are not from Switzerland. While the new law might open the door for Swiss intelligence, it certainly doesn’t open it for the NSA or other foreign intelligence agencies.

Second, there is a distinction between handing over the data we already have (which is end-to-end encrypted), and being forced to actively hack users. The new laws could compel us to hand over data that we have, but they definitely CANNOT force companies to hack their users. Because Proton Mail’s encryption is done client side, any obligations for service providers to remove encryption wouldn’t apply because the encryption is applied by the end-user on their device, and not by Proton Mail. It is also not clear the clauses regarding encryption would even apply to us in the first place, because we don’t fall under the standard definition of communication service provider used in the law, which largely relates to ISPs. This applies also for Proton VPN, as there is nothing in the law that can compel us to break Proton VPN’s encryption, or force us to obtain data from users that we don’t naturally possess (such as IP logs), nor are we legally obligated to start possessing them.

Third, while it seems bad that these new laws can force Proton Mail to hand over encrypted user data, this doesn’t actually change anything. Any company (Proton Mail included), can already be asked to hand over user data provided there is a VALID Swiss court order. The new law doesn’t change this. What it does is provides Swiss intelligence another avenue to get data. Instead of having to bring a case through the courts first, they can now directly request through the judiciary. This of course applies only to Swiss intelligence, foreign intelligence agencies will still need to go through the courts.

Fourth, since Proton Mail emails are encrypted using PGP (which provides end-to-end encryption), any emails that we do hand over would be encrypted, and only the owner of the emails will have the ability to decrypt them. This means the new Swiss surveillance laws actually strengthen instead of weaken Proton Mail’s use case. If Swiss intelligence has easier access to confidential personal data under the new laws, it becomes even more important to encrypt this data, which is exactly what Proton Mail does.

For the non-Swiss Proton Mail users, it is safe to say that these laws have little to no impact. As for Swiss users, unfortunately the privacy environment in our country has gotten worse which increases the need for secure email services like Proton Mail. Even though the new Swiss surveillance law does not fundamentally harm Proton Mail’s usage case (it in fact arguably improves it), we are consistent in our stance of opposing government invasion of personal privacy. For this reason, we are supporting the referendum effort to overturn these laws, and we encourage all Swiss Proton Mail users to also study the laws and sign the referendum. More information about the referendum can be found in our blog post here(new window).

Finally, it is worth noting that even with increased surveillance powers, Swiss surveillance agencies are not the primary threat actors that our security team are worried about. We see better funded and resourced actors such as the US NSA, CIA, and Russian or Chinese state security, and black hat criminal groups operating without the constraints of laws, as posing significantly larger threats. Compared to these actors, Swiss surveillance agencies operating within the confines of Swiss law are simply not the main risks to Proton Mail and Proton VPN users.

If you are interested in better protecting your email privacy, it is possible to get a Proton Mail account here: https://proton.me/mail/pricing(new window)

Secure your emails, protect your privacy
Get Proton Mail free

Share this page

Andy Yen(new window)

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail