Updated June 6, 2019
We are often asked why ProtonMail is based in Switzerland and whether there are real advantages to being a Swiss company. We believe there are several good reasons to call Switzerland home, and this article explains why.
ProtonMail’s roots are from the European Organization for Nuclear Research (CERN) in Geneva, where many of our early team members worked together on particle physics experiments. Thus, ProtonMail was born in Switzerland back in 2014. When we investigated the legal considerations about where to establish our growing service, it became clear that Switzerland was in fact a hospitable location for a tech company focused on privacy.
Unless you host your servers on a boat in international waters, you will need to be under some legal jurisdiction. Choosing one is particularly important because, as the Lavabit example shows, local laws can have an existential impact on the service. Given that we serve users with highly sensitive privacy and security requirements from around the world, Switzerland, being outside of US and EU jurisdiction, has the advantage of being a neutral location.
Switzerland also has a long history of privacy and security, dating back over a century, and its laws are much more protective of individual privacy rights. In the US and EU, gag orders can be issued to prevent an individual from knowing they are being investigated or under surveillance. While these type of orders also exist in Switzerland, the prosecutors have an obligation to notify the target of surveillance, and the target has an opportunity to appeal in court. There are no such things as National Security Letters, and all surveillance requests must go through the courts. Furthermore, while Switzerland is party to international assistance treaties, such requests for information must hold up under Swiss law, which has much stricter privacy provisions.
Nearly every country in the world has laws governing lawful interception of electronic communications for law enforcement purposes. In Switzerland, these regulations are set out in the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTT), which was last revised on March 18, 2018. While parts of the SPTT are still in dispute and subject to various legal challenges within Switzerland (including a challenge from ProtonMail), the present interpretation does not subject ProtonMail to any mandatory data retention directives; nor does it enforce upon us a full obligation to identify ProtonMail users. Moreover, as a Swiss company, ProtonMail also cannot be compelled to engage in bulk surveillance on behalf of US or Swiss intelligence agencies.
While ProtonMail benefits from strong legal protections within Switzerland, we have also built in technological safeguards against surveillance, such as utilizing end-to-end encryption. We do not possess the keys required to decrypt users’ emails. Even emails between non-ProtonMail accounts cannot be decrypted on our servers thanks to our use of zero-access encryption. As a result, even if ProtonMail was forced to turn over all our computer systems, email contents will continue to be encrypted. These technical safeguards are the strongest privacy protections because unlike national laws, the laws of mathematics cannot be changed or altered.
We believe comprehensive security can only be achieved through a combination of technology and legal protections, and Switzerland provides the optimal combination of both. Because of Switzerland’s advanced IT infrastructure and its unique legal environment, ProtonMail can deliver a service that is both reliable and secure.
For more information about Internet surveillance in Switzerland and requests for information made to ProtonMail, please view our Transparency Report.