Recently I read a blog post by Martin Steiger, a well known Swiss legal expert on all sorts of questions relating to life online: privacy, copyright, and so on. He was commenting on a case of Swiss law enforment cooperating with US law enforcement and the cooperation of ProtonMail.
The shortest summary is that Swiss data and privacy protection is đ© đ„.
Swiss privacy protection could be a lot better and any claims to strong Swiss privacy protection have to be considered carefully.
The rest of this page is link dumps and quotes to expand on this.
Aufgrund von Daten von ProtonMail, die rechtshilfeweise in die USA gingen, zeigte sich, dass der Beschuldigte gleich mehrere Nutzerkonten bei ProtonMail verwendet hatte. Nach eigenen Angaben hatte der Beschuldige zu ProtonMail gewechselt, weil er glaubte, durch das schweizerische Datenschutzrecht und Ende-zu-Ende-VerschlĂŒsselung geschĂŒtzt zu sein. Dennoch konnte der Absender im Zusammenspiel von Daten von ProtonMail sowie weiteren Online-Diensten wie beispielsweise Mail.com identifiziert werden. â ProtonMail: Nutzerdaten fĂŒr die USA dank Rechtshilfe und guter Zusammenarbeit mit Behörden, Martin Steiger
My translation:
Data provided by ProtonMail to the USA based on a request for legal aid show that the accused used several ProtonMail accounts. According to the accused, they had switched to ProtonMail thinking that Swiss data protection law and end-to-end encryption would keep them safe. Nevertheless, the sender could be identified by correlating data by ProtonMail and other online service providers like Mail.com.
The following are a few links from swissinfo.ch (SWI). Whoâs that, you ask? Itâs the organisation that took over from the Swiss short wave radio station.
SWI swissinfo.ch is an online news and information service, founded in 1999. It is the successor to Swiss Radio International (SRI), which began shortwave broadcasts in 1935 as the Swiss Short Wave Service. In the Second World War, it was often the only link to the homeland for about 200,000 Swiss expatriates. Through the war and much of the 20th century, the shortwave broadcasts also underlined Swiss neutrality and the countryâs democratic positions. As part of its public service mandate, SWI swissinfo.ch provides independent reporting on Swiss politics, business, science, culture and society ⊠â About SWI
They have texts in ten languages including English, which makes them well suited for quoting, should you be an English reading visitor. đ
Letâs start with two laws: BĂPF and NDG. Whenever a new law is introduced, the Swiss can collect signatures for a referendum. If enough signatures are collected, the referendum is held. There, those with the right to vote (about 63% of the population) can reject the new law. (Critically, the Swiss cannot propose a new law, they can only reject a law proposed by the national council.)
At the previous elections in 2015, 5.28 million people were entitled to vote out of a total population of 8.33 million (63%). Who were the remaining 37%? â Who can vote in Switzerland? Who canât?
Who can vote in Switzerland? Who canât?
Hereâs what German email service provider Tutanota had to say at the time, talking about the BĂPF, the law expanding police powers, resulting in more surveillance for all of us.
Switzerland plans to revise their data retention law BĂPF so that all communication data (post, email, phone, text messages, ip addresses) can be stored for 12 months. The opponents of this law even say that it would allow the monitoring of mobile phones and the installation of trojans on computers, tablets and mobile phones. â Let's Stop the Swiss Surveillance Law BĂPF, by Matthias, for Tutanota
Let's Stop the Swiss Surveillance Law BĂPF, by Matthias, for Tutanota
Sadly, not enough signatures were collected to hold a referendum. The referendum itself would surely have failed. đ
Someone Googling certain key words or terms also could come to the attention of the Federal Intelligence Service (FIS), which will have more latitude for monitoring private online communications, tapping phone lines and looking at postal mail. It will also be allowed to use drones to record public events. â Challenge to surveillance law fails
Challenge to surveillance law fails
The NDG is the new anti-terrorism law expanding the secret serviceâs powers, resulting in even more surveillance for all of us.
The Swiss government has proposed new legislation aimed at preventing extremist violence and forcing people deemed a threat, including children aged 12 upwards, to be registered with the authorities. House arrest could also be applied to suspects as a last resort in some cases. The idea is to target people who have not yet committed a crime but who are considered to be a risk. â UN experts criticise Switzerland over anti-terrorism law
UN experts criticise Switzerland over anti-terrorism law
I donât think more draconian surveillance laws solve our problems.
9/11, but also the bomb attacks in London, the attacks in Madrid, the horror in Paris, the horror in Brussels, filled people with a profound fear. As a result of this fear many people have lost faith that the rule of law is able to protect them. That may be the biggest challenge we are facing today. We are dealing with a public opinion that has become convinced, after all the horrors we have been through, that our fear justifies any means. We have to reconvince this public opinion that the cry for more draconian laws, the militarisation of society, is not going to make us any freer or safer. â âSwitzerland is sending a dangerous signal to the worldâ, Fionnuala NĂ AolĂĄin, the United Nations special rapporteur for counter-terrorism and human rights, in an interview with Daniel Ryser of Republik Magazine
So what, you ask yourself. Itâs still better than elsewhere! But elsewhere where? Some countries have pretty low bars, obviously. But more than that, I think this is a moral question: if weâre all doing something bad, is the one doing the least bad free of all obligations to do better? Of course not. Therefore, I donât really care whether weâre doing better than elsewhere.
Of course itâs still an interesting question. Letâs take the European Union (EU). Theyâre big, theyâre close, and Switzerland is not technically part of it. There are thousands of agreements we signed, of course, and plenty of law that we simply need to adopt so that we can continue to trade with the EU. And our anti-terrorism act is at odds with attempts by the EU to reign in data collection, face identification, and so on.
More controversial is the fact that electronic surveillance measures are decided by fedpol without the agreement of a court and that the data collected can be used for a purpose beyond that provided for by law, highlights FrĂ©dĂ©ric Bernard, a professor of public law at the University of Geneva. ⊠Although it has a data protection law, some of which is compliant with the European Unionâs GDPR privacy legislation, Switzerland does not have anything comparable to the proposed European technology legislation. â Will Switzerland distance itself from the EU on mass surveillance?
Will Switzerland distance itself from the EU on mass surveillance?
One defence often invoked is that law enforcement either does not have the will, the means, or the time to act in harmful ways. That always strikes me as legislation via hopes and prayers. This is not how it is supposed to work. Here is a short summary of the state of affairs in 2020. The Trojan horse malware euphemistically called âGovWareâ to infiltrate the computers and phones of suspects is also on the rise.
Swiss law enforcement agencies were granted 9,085 warrants to conduct covert electronic surveillance on suspected criminals last year â up from 8,666 operations in 2019. ⊠The use of so-called GovWare state-controlled monitoring software, which was authorised in Switzerland in 2018, continued last year (107 cases) at about the same pace as in 2019 (103). â Swiss state surveillance on the rise
Swiss state surveillance on the rise
The first take home message to anybody not familiar with the situation in Switzerland is therefore: when you think about Switzerland, donât just think about the cows, the mountains, the lakes, and chocolate. There is more to Switzerland than just that, and itâs not always great.
Anyway, so why am I picking on ProtonMail? The key is this: on their website, they say:
ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws. â Secure Email: Based in Switzerland, ProtonMail
Secure Email: Based in Switzerland, ProtonMail
The question is: how strict, and compared to what? As I hopefully managed to get across with my earlier comments and quotes, my impression is that the law we have is not strict enough. This is what Iâm struggling with: I am disappointed in the Swiss legal situation and yet ProtonMail uses it as a selling point.
To be clear: Iâm not saying you shouldnât use ProtonMail or that you should use some other service. Iâm saying that if you use them because you think Swiss privacy law and data protection is great, then make sure you know what youâre comparing it to. Perhaps itâs better than what you get at home and thatâs cool. But also remember that Swiss law enforcement and Swiss secret services are bound in a network of agreements. The Swiss secret service helps other secret services in exchange for reciprocity. Itâs all politics.
Thereâs also the question of what you think you are getting and what you are actually getting. Hereâs what ProtonMail is saying:
We use end-to-end encryption and zero access encryption to secure emails. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties. â Secure Email: Based in Switzerland, ProtonMail
Secure Email: Based in Switzerland, ProtonMail
Now remember the situation described in Martin Steigerâs blog post, at the very top: somebody is threatening the life of somebody important, via email. It doesnât matter whatâs in the email since the victim is reading the threat and taking it to the police. So the question is not whether the police can read the email. Thatâs the easy part. The question is if they can find the sender. The email service provider cooperating with the Swiss police whoâs doing a search on behalf of the US police does not contradict the promise made.
You really need to know the limits of what you are getting.
Iâm just talking about ProtonMail because theyâre based in Switzerland and Iâm based in Switzerland. Letâs look at an email service provider in Germany. Letâs look at Tutanota. I quoted them above when they were supporting the struggle against the police surveillance law.
With end-to-end encryption and 2FA, your emails have never been more secure. The built-in encryption guarantees that your mailbox belongs to you: Nobody can decrypt or read your data. â Secure email for everybody, Tutanota
Secure email for everybody, Tutanota
And yet, that doesnât protect them from the law. When they argued in court that they didnât have the data law enforcement was looking for, they were ordered to develop it.
⊠a court in Germany last month ordered Tutanota to help investigators monitor the contents of a userâs encrypted mailbox. The site has until the end of the year to add functionality to perform this surveillance. â Court orders encrypted email biz Tutanota to build a backdoor in user's mailbox, founder says 'this is absurd', by Gareth Corfield, for The Register
My main point is, I think: advertising is advertising, and state power is state power. No amount of strong fighting words will end state power. The problem is that we have allowed all of this to happen with our anti-terrorism laws, our safety-first laws, our empowerment of police and secret services, and some of us think we can solve the problem by paying $5/month to some company abroad but that isnât how it works. Shit is fucked up at the political level and E2E is not absolving us.
â#Privacy â#Mail â#Switzerland
(Please contact me if you want to remove your comment.)
â
As @TrechNex correctly noted, âin an ideal world, this whole problem could be avoided if it was easier for people to host their own email servers, and therefore their own data.â
I tried that, but it wasnât easy. I ended up abandoning it.
@seb also mentioned âto stay anonymous you have the option of using a VPN or Tor to access Protonmail and pay with cryptocurrency.â
I guess thatâs true. It depends on how much you trust VPNs, Tor, and cryptocurrencies. It seems to me that cryptocurrencies are already a blight on the world with all the electricity they consume, and VPNs are hard to trust, and Tor has been under attack⊠Itâs all a question of driving up cost, perhaps. My preference would be to defend our rights in parliament, however. We need better laws, not better tools to run circles around law enforcement.
â Alex 2021-08-04 12:36 UTC
---
People are still afraid of terrorists? Which people? In a post-POTUS45 world surely everyone is more afraid of the rise of authoritarian leaders than some guys in caves with rusty Kalashnikovs...
â rnkn 2021-08-05 03:09 UTC
---
A political leader is going to be blamed for a terrorist attack. âThey did not do enough!â A political leader facilitating an authoritarian leader is not going to get blamed, they just lost the election or let themselves be tricked or bullied. Poor von Hindenburg.
â Alex 2021-08-05 05:19 UTC
---
Hereâs a similar case:
So @ProtonMail received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police â @tenacioustek on Twitter
There is a reply by @protonmail on Reddit:
In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case). â answer by u/ProtonMail
Know what you are paying for.
Caveat emptor, quia ignorare non debuit quod jus alienum emit (âLet a purchaser beware, for he ought not to be ignorant of the nature of the property which he is buying from another party.â) â What Does 'Caveat Emptor' Mean?
What Does 'Caveat Emptor' Mean?
â Alex 2021-09-06 09:48 UTC
---
This just in.
These are all standard unencrypted information from email headers, inherent to the SMTP email specification, though it appears that ProtonMailâs previous promises about user information logging were a bit over-generous. Back in January this year, the companyâs homepage stated: âNo personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.â â ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested, by Gareth Corfield, for The Register
So, read promises made like a lawyer. If somebody says the donât keep logs âby defaultâ â now you know that it means that the do keep logs some of the time. It just depends on the details.
â Alex 2021-09-07 15:02 UTC
---
Happy to hear this:
[The Swiss Post and Telecommunications Surveillance Service] PTSS had decided in September 2020 that Proton could no longer benefit from limited surveillance obligations but had to store data necessary for surveillance and be available to answer questions. The court overturned this and sent it back on appeal. â Proton wins appeal in Swiss court over surveillance laws
Proton wins appeal in Swiss court over surveillance laws
â Alex 2021-10-27 05:38 UTC