Switzerland has managed to anger privacy advocates, citizens, and some of the country’s most well-known companies, and threatened to destroy its reputation as a pro-privacy jurisdiction.
Switzerland’s Federal Council is considering “a partial revision of two implementing orders for the monitoring of postal and telecommunication correspondence (OSCPT and OME-SCPT).” Swiss VPN provider NymVPN explains what the revisions would require:
The new version of the Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT) aims to extend surveillance obligations to those offering services such as e-mail, messaging, social networking, and VPNs.
- From 5,000 users onward, the ordinance requires operators to identify users by means of a form of identification. The operator must keep this information for 6 months after the end of the relationship (Article 19). For example, an association running a Mastodon server would have to identify users if it exceeded 5,000.
- The ordinance seeks to impose the decryption of communications when the operator possesses one of the encryption keys (Article 50a).
What About End-to-End Encryption?
Interestingly, the Federal Council specifically says end-to-end encryption (E2EE) is exempt.
Further details are also given on the deletion of encryptions, on the understanding that these are not explicitly end-to-end encryptions such as those made, for example, by messaging services.
Despite the assurance, Nym co-founder and COO Alexis Roussel told TechRadar that users should not be fooled by the apparent E2EE exception.
“It’s not about end-to-end encryption,” Roussel explained. “They don’t want to force you to reveal what’s inside the communication itself, but they want to know where it goes. They realize the value is not in what is being said but who you are talking to.
“The whole point of security and privacy is not being able to link the usage to the person,” Roussel added. “That’s the most critical thing.”
“Less anonymity online is not going to make things better,” he said. “For example, enforcing identification of all these small services will eventually push to leaks, more data theft, and more attacks on people.”
VPNs Will Be Out In the Cold
VPNs, in particular, will be impacted by the proposed revisions. The most reputable VPNs operate on a no-logs policy, meaning they do not track what users do online or the sites they visit. Some VPNs even give users the ability to sign up completely anonymously.
If the Federal Council’s revision goes through, VPNs would be required to identify their users and keep those records for six months after the user stops being a customer.
What’s more, the clause requiring service providers to decrypt “communications when the operator possesses one of the encryption keys” directly applies to VPNs. Unlike secure messaging platforms like Signal or WhatsApp, VPNs do not rely on E2EE: the VPN operator holds the key that decrypts the tunnel traffic. Under the revised law, those providers would be legally obligated to decrypt the data when requested.
Needless to say, this requirement is being slammed by the country’s VPN providers, including Proton.
“This revision is trying to put in place something that has been considered illegal in the EU and the US,” Proton founder and CEO Andy Yen told Radio Télévision Suisse in an interview. “The only country in Europe that has a roughly equivalent law is Russia.
“I think we would have no choice but to leave Switzerland,” Yen added. “The law would become almost the same as that in force in Russia today. This is an untenable situation. We would be less confidential as a company in Switzerland than Google based in the United States. So it’s impossible for our business model.”
NymVPN went further, taking aim at how the revision is being considered.
“This ordinance profoundly alters the spirit of the law,” said Roussel. “But the Federal Council has chosen the path of not subjecting the ordinance to a referendum in order to push through its demands. At a time when the Swiss are celebrating the success of leading privacy-preserving companies such as Proton and Threema, when the army itself has chosen to use Threema, and when other promising players, such as Nym, are emerging in the field of privacy-friendly technologies and the protection of people’s digital integrity, this ordinance by the Federal Council is destroying an entire sector.”
Why the Measure Will Destroy Switzerland’s Reputation
Switzerland currently enjoys a reputation as the most privacy-respecting jurisdiction in the world. Although part of Europe, Switzerland is not part of the EU. As a result, the country is not obligated to follow the EU when it tries to pass its own measures to backdoor E2EE.
Similarly, Switzerland is not bound by US law. In fact, many Swiss cloud providers proudly display notices that they are not bound by the US Patriot Act, touting Swiss jurisdiction as one of the primary reasons customers should consider their data safe.
Switzerland’s approach has greatly benefited the country’s tech industry. Companies are free to make their services compatible with US and EU laws, such as HIPAA or the GDPR, while not being forced to implement any measures that would undermine privacy.
What’s more, Swiss law mandates that anyone whose data is subject to a government disclosure order has the right to make a legal case as to why their data should remain private. This is in stark contrast to US laws, where such orders are often carried out in secret, with the relevant company under a gag order that prohibits them from notifying impacted customers.
Roussel was not exaggerating when he said, “this ordinance profoundly alters the spirit of the law.” If the Federal Council has its way, Switzerland will lose one of the main drivers for investment in its tech industry, both from inside and outside the country.
In the meantime, users of Swiss services that count on ultimate privacy should monitor the situation closely. Of course, we will continue to report on future developments.