ProtonBlog(new window)
Swiss laws and encryption protect Proton users from abortion-related data requests

Swiss laws and encryption protect Proton users from abortion-related data requests

Partagez cette page

The United States is notoriously weak on privacy laws. With its secret surveillance courts and all-powerful spy agencies, the US has many tools to collect data on people within its jurisdiction and beyond.

Recently, that power has been used to prosecute women. Even before the US Supreme Court overturned the federal right to abortion in 2022, many states had passed laws restricting abortion rights. 

To prosecute those cases, investigators have used chat logs, location data, and web searches stored on the servers of American companies like Google and Meta, as TechCrunch recently reported(new window). Sometimes these data requests affect people that haven’t broken any laws.

Instead of protecting their users’ data, companies like Google usually surrender it to the police. There are two reasons for this:

  1. They’re based in the US
    Companies are subject to the laws of the country in which they operate. In the case of Google, Meta, and many other tech companies, that means they must comply with any valid court order to provide user data to law enforcement agents.
  2. They don’t use end-to-end encryption
    While end-to-end encryption is now offered in some Big Tech apps, most user data remains accessible to the companies providing the service. That includes things like emails in Gmail, chats in Facebook Messenger with the default setting, and Google searches. If the data were end-to-end encrypted, the companies wouldn’t be able to disclose it to third parties.

When it comes to Proton, because we’re a Swiss company, we don’t comply with US laws. And because of the kind of encryption we use, we don’t have access to the vast majority of user data.

This article explains why people that use Proton are uniquely protected from US data requests.

How data requests work in the US
How data requests work in Switzerland
Data is encrypted by default
What if US police requested data in an abortion case?
Final thoughts

How data requests work in the US

Law enforcement agencies regularly request information from companies when they believe it might help them with an investigation. Google and Facebook each receive hundreds of thousands of requests per year from around the world.

These can include situations ranging from terrorist attacks and missing persons cases to more minor crimes. And the data requests could involve any piece of data a company stores, including:

  • Account information, such as IP logs, account sign-ins, and credit card information
  • Location information, including whether you visited a specific address that was the scene of a crime (known as a geofence warrant)
  • Communications, including emails, chats, calls, and voice messages
  • Search history, including dragnet requests for any user who has searched a particular keyword (known as a keyword warrant)
  • Media, such as images, videos, and documents in your cloud drive

In the US, there are different legal requirements for different types of requests. For example, it’s easier to obtain account information than email contents. In some cases, even when a full-blown search warrant is required, the government can make dragnet requests, scooping up data from random people who are not suspected of a crime.

The US also has a secret court created under the Foreign Intelligence Surveillance Act (FISA), which allows the government to set up electronic surveillance. Google says it grants hundreds of thousands(new window) of FISA Court requests per year.

Google and Facebook say they carefully review every request. If they believe a request is improper or overly broad, they may fight it. But according to their transparency(new window) reports(new window), the two companies comply with most requests.

The consequences of not complying can be fatal to businesses: The email provider Lavabit decided to shut down(new window) rather than turn over private keys that would have given the government access to Edward Snowden’s emails. As we have written before, the lack of oversight, secretive warrants, and lack of strong privacy laws simply rules out the US as a credible home for any company that claims to protect user privacy.

How data requests work in Switzerland

Switzerland is a fundamentally different environment. Two of the things Switzerland is most famous for are also highly conducive to data protection: privacy and neutrality.

When a law enforcement agency in the US requests user data from a Swiss company, it is illegal for that company to provide the data. At Proton, we reject all data requests from foreign agencies.

Proton and other Swiss companies will only hand over user data when ordered to do so by a Swiss authority. And even then, Proton’s general policy is to challenge data requests whenever possible and only comply after all legal remedies have been exhausted. 

Swiss laws are much more protective of individual liberties than US laws. For instance, the US and the EU have the ability to monitor users without the subject’s knowledge. In Switzerland, prosecutors must eventually notify the person being targeted of monitoring so they have a chance to appeal the surveillance. And there are no secret national security courts.

In Switzerland, electronic monitoring is covered under the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic. When the law was updated in 2020, Proton challenged the changes and won a court decision(new window) that email services are not required to retain user data for monitoring.

Even though privacy and neutrality are embedded in the national ethos, being in a privacy-friendly legal jurisdiction is not sufficient. Proton uses multiple layers of technological safeguards to further protect user privacy.

Data is encrypted by default

It’s easy to see why law enforcement agencies file millions of data requests to companies like Google and Meta — their entire business models are based on surveillance.

By contrast, Proton’s business model is to provide user-friendly and privacy-focused services to our community. To uphold our commitment to privacy, we have purposely built our products to collect as little user data as possible.

This starts with the end-to-end encryption and zero-access encryption that is included by default in Proton Mail, Proton Calendar, and Proton Drive. Whenever you send an email or create a calendar event, Proton encrypts the data before it leaves your device using your private key. Only your password can unlock your private key, and only you know your password. 

As a result, Proton doesn’t have access to the contents of your emails, calendar items, or drive files. Even if a Swiss court ordered us to hand over data, we would only be able to provide a few categories of information, which you can learn about in our Privacy Policy.

What if US police requested data in an abortion case?

To illustrate the difference between US tech companies and Swiss tech companies, here’s an example of what might happen if police in the US requested data on a user suspected of having an abortion in violation of state law.

  1. Let’s say the police filed a data request to Proton requesting the contents of emails between the suspect and a person from whom they received abortion pills. In that case, Proton would reject the request because it would be illegal for us to disclose user data without a valid Swiss order from Swiss authorities.
  2. If the US police subsequently sought to obtain an order in Switzerland through international legal assistance, the Swiss authorities would almost certainly reject the petition because abortion is legal in Switzerland. Even if somehow the Swiss authorities agreed to order the data disclosure, Proton would challenge the order.
  3. Finally, if all legal measures were exhausted and Proton was forced to hand over user data, the user’s email messages or attachments would be encrypted and inaccessible to the US police.

By comparison, when US authorities have requested similar data from Google and Meta, the companies turned over the unencrypted chats and other info as required by law.

Final thoughts

Whether it’s abortion prosecutions or targeting whistleblowers, the US has demonstrated it can be extremely hostile to privacy. The Snowden disclosures of mass surveillance programs and the subsequent destruction of Lavabit are landmark examples.

While many data requests are meant to investigate serious crimes, the reality is that there’s no such thing as case-by-case data protection. The same weak privacy laws and weak encryption used to prosecute women in abortion cases or terrorists can be used by authoritarian governments to prosecute journalists and political dissidents. 

Therefore, we must fight for strong privacy for all. In that fight, legal jurisdiction matters. As a Swiss company, Proton is proud to offer some of the strongest privacy protections in the world to our community.

Protégez votre vie privée avec Proton
Créer un compte gratuit

Partagez cette page

Richie Koch(new window)

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Articles similaires

Can you password-protect a folder in Google Drive?
en
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
en
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
en
  • Vie privée, les fondamentaux
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
en
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
Une cyberattaque contre France Travail (anciennement Pôle Emploi) a potentiellement exposé les données personnelles de pas moins de 43 millions de citoyens. Cette dernière cyberattaque est la deuxième attaque majeure à se produire en France en un mo
If I share a folder in Google Drive, can anybody see my other folders
en
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
en
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail