Swiss Government Looks To Undercut Privacy Tech, Stoking Fears of Mass Surveillance

The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption. From a report: The proposal, which is not subject to parliamentary approval, has alarmed privacy and digital-freedoms advocates worldwide because of how it will destroy anonymity online, including for people located outside of Switzerland. A large number of virtual private network (VPN) companies and other privacy-preserving firms are headquartered in the country because it has historically had liberal digital privacy laws alongside its famously discreet banking ecosystem.

Proton, which offers secure and end-to-end encrypted email along with an ultra-private VPN and cloud storage, announced on July 23 that it is moving most of its physical infrastructure out of Switzerland due to the proposed law. The company is investing more than $117 million in the European Union, the announcement said, and plans to help develop a "sovereign EuroStack for the future of our home continent." Switzerland is not a member of the EU. Proton said the decision was prompted by the Swiss government's attempt to "introduce mass surveillance."

Title correction:

[Sebby]

Swiss Government Looks To Undercut Privacy Tech, Stoking Fears of Mass Surveillance

"Swiss Government Looks To Become Privacy Rapist, Stoking Fears of Mass Surveillance"

There FTFY.

Further Title Correction

[nightflameauto]

Swiss Government Looks To Undercut Privacy Tech, Stoking Fears of Mass Surveillance

"Swiss Government Looks To Become Privacy Rapist, Stoking Fears of Mass Surveillance"

There FTFY.

"Swiss Government Looks to Become Privacy Rapist, Lending Credence to Fears of Mass Surveillance

Now we'll know who owns those bank accounts

[jfdavis668]

Not the place to hide loot anymore

Re:

[Anonymous Coward]

It's been the Bahamas for 20+ years now.

Re:

[NotEmmanuelGoldstein]

Hasn't been for a long time: Not since they 'did a deal' with the USA. I suspect this privacy rape is the next step.

wunderbar

[znrt]

The proposal, which is not subject to parliamentary approval

these people used to hold several referendums a year to ask for every major change. in this one not even the talking puppets will have a say?

Re:

[bsolar]

these people used to hold several referendums a year to ask for every major change. in this one not even the talking puppets will have a say?

That's because there is nothing to vote yet. This is a proposal: basically it's a draft of new legislation being discussed. Stakeholders and the public are officially informed so that those interested can make inquiries or provide feedback and get involved in the process of the draft being refined.

At some point the draft might reach a state where it's considered ready for vote and will be presented to the Parliament. Assuming the Parliament approves it, citizens can still collect signatures to request a ref

Re:

[bsolar]

Correction: a parliamentary vote will be necessary only if the proposal requires new legislation, not if the proposal only modifies existing ordinances without changing the laws they are based upon. I'm not sure which is the case here.

Both the parliament and citizens can still act if they disagree with such new ordinances though or if they believe the laws don't support the modifications.

Re:

[znrt]

Correction: a parliamentary vote will be necessary only if the proposal requires new legislation, not if the proposal only modifies existing ordinances without changing the laws they are based upon. I'm not sure which is the case here.

interesting, something along those lines was my thinking. it is clear that this is still a working document and ratification doesn't make sense yet, so either there is a reasonable assumption that it will circumvent it or the wording in tfa would be very poor or misleading.

from a glance at the documents it indeed appears that these are intended as ordinance changes for the postal and telecommunication services, which considering the implications is quite brazen. sadly, i can't be bothered to read the whole

Re:

[gweihir]

The thing is, Switzerland has its share of surveillance-fascists and xenophobes like any other country. But in the end, they do not need to just convince or subvert the higher-up, but the whole voting population. And once said population gets informed as to what those things actually mean, these assholes may (again) get their wet dreams of spying on everybody rejected.

.bin

[bugs2squash]

So are they going to remove all binary attachments from email ? Really, how would they know if something has encrypted content buried somewhere. I'm not even sure that they know what kinds of message they are trying to intercept.

Re:

[Sloppy]

I haven't read the text of this Swiss law, but if it's anything like USA's, UK's, or EU's laws, then it regulates "providers" and/or "carriers," not software applications themselves.

If you are sending already-made ciphertext through a regulated service, the service won't be in trouble. But if the service offers to encrypt for you, then they will be in trouble.

It just occurred to me that the now-common conflation between web apps and local apps (to a lot of phone users, these two things look the same) matte

Re:

[gweihir]

It just occurred to me that the now-common conflation between web apps and local apps (to a lot of phone users, these two things look the same) matters.

Oh yes. It matters a lot. Any good IT security expert has been saying that for ages.

Re:

[gweihir]

It is only about reliably identifying who pays for an internet connection and storing abstract data. Hence some idiot browsing some extremist website repeatedly over the open internet can likely be identified. Anybody using a VPN not located in Switzerland, the TOR browser or a non-Swiss proxy is still protected, if they are somewhat careful. Hence this whole thing is really useless except for mass-surveillance of the common idiot. Whether the surveillance-fascist instigators know and understand that is a d

Misleading summary and article

[andi75]

Ok, I think the summary and articles are majorly misleading. Not sure where they came up with the "government issued ID", or the 5'000 users (apparently it's a 1'000'000) users, and there's nothing in the proposals about ID. You can check the official government website here: https://www.news.admin.ch/de/n... [admin.ch] (article in german, but I'm sure you can use a translation service if you're not fluent).

At first glance it looks like the removal of encryption concerns only encryption applied by the telecommunications provider itself, not by the user (e.g. encryption that is applied by the cell network to your phone connection). It does not apply to end-to-end encryption done by your apps (e.g. messengers, or your own encrypted voice calls, or HTTPS traffic between your and any servers you access on the internet).

As for the democratic process, this is part of a detailed regulation ("Verordnung") that's already cleared by a law that got voted on. Parliament usually doesn't concern itself with these. If the regulation is on conflict with a law, the courts will shoot it down. If parliament doesn't like the regulation, they can just change the law it's based on to render it moot. If regular folks don't like it, they can collect 50'000 signatures and shoot it down at the ballot box.

Re:

[tabrisnet]

This technically is speculation, not analysis in light of the regulations themselves...
pretending that it doesn't affect E2EE I expect is incorrect. Just define the app-maker as a telecomm provider, and require them to a) keep ID b) provide a backdoor or disable E2EE.
and with ID, rubber-hose cryptanalysis becomes trivial. ditto to the guy above mentioning .bin files.

Re:

[gweihir]

You cannot redefine an app-maker as a telco provider in a country where the law basically works. All they would get is a ton of egg on their faces.

Re: Misleading summary and article

[tabrisnet]

I'm unclear that "telco" and "telecommunications provider" are synonymous. that is, "telco" doesn't mean to me "telecommunications" but "telephone company". thus yes telco is pretty distinct, but arguing that WhatsApp or Signal isn't a "remote communications" product is a hair harder

Re:

[gweihir]

A telecommunications provider provides telecommunication services. A software provider that is not a telecommunications provider as well does not provide telecommunication services. There, that as not so hard, was it?

But let me dumb it down even further: The email software that comes with a browser is software unless the browser maker also bundles it with an email account. If they do not and you get an email account yourself, then the browser maker is not a telecommunications provider.

Re: Misleading summary and article

[tabrisnet]

ok, so your nitpick is "app-maker". I'm sure the lawmakers or bureaucrats didn't consider Thunderbird or Enigmail as relevant to begin with. They only considered Gmail's S/MIME [yes, S/MIME isn't Google specific, but Gmail is still a tightly-coupled service and software combination], ProtonMail, WhatsApp, Signal etc. probably iMessage too. From that perspective, the service and the software are vertically integrated, so well within the scope. So yeah, if mastodon started supporting E2EE, that would poten

Re:

[gweihir]

The only thing that matters is the integration of encryption with the actual telecommunication service, i.e. the email service. If that service in any way provides encryption (e.g. by giving software to the users that does it), then that way is subject to this law, within that provided way. But if I use, say, Thunderbird with, say, MS exchange online, and TB started to offer PGP integration by default, this law would not apply to TB. It would still apply if MS were to do PGP encryption in Outlook. Which wil

Re: Misleading summary and article

[tabrisnet]

I would say then that we're actually in agreement... My use of the term "app-maker" was in reference to Sginal/WhatsApp etc: apps bundled/tied to services. Not to things like Thunderbird, as there is no such service bundled. Users think primarily of apps. Further, saying it's merely about services is a hair misleading, by way of the fact that the E2EE doesn't happen in the backend, by definition. I'm not sure how, given your nit-pick, one should describe an outsourced-app that is bundled/tied with a specifi

Re:

[gweihir]

If the Swiss government tried to outlaw end-to-end encryption, they would probably get destroyed by the voting population. Incidentally, TLS-breakers are found in other places as well. For example, I recently did run into them in two different networks in Austria. They do not block VPN or SSH connections though, because that would cause massive problems, especially for business users. Hence all these can do is surveillance of the incompetent. But apparently, that is a goal here.

Undercut Privacy Tech

[fahrbot-bot]

Swiss Government Looks To Undercut Privacy Tech

Banking privacy on the other hand ...

Re:

[gweihir]

Banking privacy against law enforcement does not exist in Switzerland and has not existed for a long time. The only European country that still has it is Austria. And there is a 30% tax on gains and a limit to Austrian citizens and it is limited to one form that has a rather low maximum amount. So it is essentially irrelevant.

Silence

[Shakes Fist]

"A large number of virtual private network (VPN) companies and other privacy-preserving firms are headquartered in the country"
So why aren't they saying anything??

Re:

[gweihir]

They are. See Proton moving their servers to some other place. But this regulation is not in effect yet and may never go into effect, hence Proton is mostly grandstanding. My take is they wanted to move anyways, because virtual servers and data-center hosting is _expensive_ in Switzerland.

Proton leaving

[Sir Lurkalot]

Swiss time is running out...

Re:

[groobly]

US has already cleaned their clock.

free speech

[groobly]

Free speech is the same as private communication.