ProtonBlog(new window)
Swiss surveillance law

Impact of Swiss surveillance laws on secure email

Share this page

In September of this year, the Swiss Parliament passed a new Swiss surveillance law, known as the Nachrichtendienstgesetz (NDG) in German and la Loi sur le renseignement (LRens) en française.

2017 Update – In the months since the law was first introduced, we have had repeated contact with the Swiss government and held a meeting at our office together with legal counsel and members of the PTSS(new window). In our meetings, we discussed the practical challenges of implementing such a law, and helped to advise policy makers on the most sensible implementation.

We appreciate that the Swiss government has recognized the leading role that Proton AG plays in developing the cybersecurity tools of the future, along with the role that we play in the economic re-orientation of Geneva, and Switzerland as a whole towards the high tech sector, and sought a meeting with us to discuss how to ensure both security and privacy in the digital age.

As a participant in these discussions, we can confirm unequivocally that upon implementation, the provisions regarding data retention introduced by the BÜPF will exempt companies like Proton Mail and Proton VPN which are not major telecommunications operators. This is in addition to the points in the article below, which still hold.

This did not come as a total surprise because the Swiss surveillance law has been debated for quite some time, and mirrors similar efforts which are ongoing in other countries such as Germany(new window), France(new window), the UK(new window), and the US(new window). Unfortunately, due to the tragic events in Paris, efforts to curtail privacy have attracted political support even though it is clear that banning encryption won’t prevent terrorism(new window).

As the world’s largest secure email service(new window), we are following the discussions in Switzerland closely and we have gone over law with legal experts to understand the implications for Proton Mail. The Swiss surveillance law is similar to the one which was recently approved in Germany(new window). However, there are some differences. The Swiss version requires sign off by a judge and needs to go through two levels of judiciary for approval. The Swiss also don’t have a history of cooperating with the US, unlike German intelligence.

After careful analysis, we can conclude that the new Swiss surveillance law will not significantly impact the environment for secure email services in Switzerland, and in particular will not affect Proton Mail. There are a couple reasons for this.

First, the new law only allows Swiss intelligence to conduct more surveillance. Given Switzerland’s neutrality, Swiss intelligence is mostly concerned with domestic threats and does not have an interest in the data of the 95% of Proton Mail users who are not from Switzerland. While the new law might open the door for Swiss intelligence, it certainly doesn’t open it for the NSA or other foreign intelligence agencies.

Second, there is a distinction between handing over the data we already have (which is end-to-end encrypted), and being forced to actively hack users. The new laws could compel us to hand over data that we have, but they definitely CANNOT force companies to hack their users. Because Proton Mail’s encryption is done client side, any obligations for service providers to remove encryption wouldn’t apply because the encryption is applied by the end-user on their device, and not by Proton Mail. It is also not clear the clauses regarding encryption would even apply to us in the first place, because we don’t fall under the standard definition of communication service provider used in the law, which largely relates to ISPs. This applies also for Proton VPN, as there is nothing in the law that can compel us to break Proton VPN’s encryption, or force us to obtain data from users that we don’t naturally possess (such as IP logs), nor are we legally obligated to start possessing them.

Third, while it seems bad that these new laws can force Proton Mail to hand over encrypted user data, this doesn’t actually change anything. Any company (Proton Mail included), can already be asked to hand over user data provided there is a VALID Swiss court order. The new law doesn’t change this. What it does is provides Swiss intelligence another avenue to get data. Instead of having to bring a case through the courts first, they can now directly request through the judiciary. This of course applies only to Swiss intelligence, foreign intelligence agencies will still need to go through the courts.

Fourth, since Proton Mail emails are encrypted using PGP (which provides end-to-end encryption), any emails that we do hand over would be encrypted, and only the owner of the emails will have the ability to decrypt them. This means the new Swiss surveillance laws actually strengthen instead of weaken Proton Mail’s use case. If Swiss intelligence has easier access to confidential personal data under the new laws, it becomes even more important to encrypt this data, which is exactly what Proton Mail does.

For the non-Swiss Proton Mail users, it is safe to say that these laws have little to no impact. As for Swiss users, unfortunately the privacy environment in our country has gotten worse which increases the need for secure email services like Proton Mail. Even though the new Swiss surveillance law does not fundamentally harm Proton Mail’s usage case (it in fact arguably improves it), we are consistent in our stance of opposing government invasion of personal privacy. For this reason, we are supporting the referendum effort to overturn these laws, and we encourage all Swiss Proton Mail users to also study the laws and sign the referendum. More information about the referendum can be found in our blog post here(new window).

Finally, it is worth noting that even with increased surveillance powers, Swiss surveillance agencies are not the primary threat actors that our security team are worried about. We see better funded and resourced actors such as the US NSA, CIA, and Russian or Chinese state security, and black hat criminal groups operating without the constraints of laws, as posing significantly larger threats. Compared to these actors, Swiss surveillance agencies operating within the confines of Swiss law are simply not the main risks to Proton Mail and Proton VPN users.

If you are interested in better protecting your email privacy, it is possible to get a Proton Mail account here: window)

Secure your emails, protect your privacy
Get Proton Mail free

Share this page

Andy Yen(new window)

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.

Related articles

Even though the Snowden leaks came out 10 years ago, the United States never ended its unconstitutional surveillance program. It now has a chance to close the legal loopholes that allow warrantless spying on US citizens. But Congress needs to act bef
Over the past year, hackers have been using new and clever techniques to steal people’s online data. At Proton, we’ve been monitoring these evolving strategies and updating our defenses to stay ahead of the arms race.  Often, the attacks involve new
password fatigue
Most people in the digital age have dozens, if not hundreds, of passwords, and keeping track of them is tiring, to say the least. If you’re suffering from password fatigue, you’ll be happy to know there’s an easy fix. The short answer is that you sh
are password managers safe?
Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in
Most of us probably wouldn’t consent to sharing photos of our family and friends with random strangers on the internet. But that’s exactly what we do when we automatically sync our pictures to the non-private servers of Big Tech companies, which can
Google Drive is the world’s most popular cloud storage service by far, with over 3 billion people using Google Workspace (which includes Google Drive, Google Calendar, Gmail, and more). But this ubiquity has recently caused concern following several