Switzerland plans surveillance worse than US
Revision of Swiss surveillance law VÜPF would directly target VPN & encrypted chat and email providers based in Switzerland.
The proposed update to Switzerland’s Ordinance on the Surveillance of Postal and Telecommunications Traffic (VÜPF: Verordnung über die Überwachung des Post- und Fernmeldeverkehrs) represents a significant expansion of state surveillance powers, worse than the surveillance powers of the USA. If enacted, it would have serious consequences for encrypted services such as Threema, an encrypted WhatsApp alternative, and Proton Mail, as well as for VPN providers based in Switzerland.
While Swiss privacy has been overhyped, legislative rules in Switzerland are currently decent and comparable to German data protection laws. This update to the VÜPF, which could come into force by 2026, would change data protection legislation in Switzerland dramatically.
Why the update is dangerous
If the law passes in its current form,
- Swiss email and VPN providers with just 5,000 users would be forced to log IP addresses and retain the data for six months - while data retention in Germany is illegal for email providers.
- An ID or driver’s license, maybe a phone number, would be required for the registration process of various services - rendering anonymous usage impossible.
- Data must be delivered upon request in plain text, meaning providers must be able to decrypt user data on their end (except for end-to-end encrypted messages exchanged between users).
What is more, the law is not being introduced by or via Parliament. Instead, the Swiss government, the Federal Council and the Federal Department of Justice and Police (FDJP), wants to massively expand internet surveillance by updating the VÜPF - without Parliament having a say. This comes as a shock in a country proud of its direct democracy, where the people regularly decide on all kinds of laws. However, in 2016 the Swiss actually voted for more surveillance, so direct democracy might not help here.
History of surveillance in Switzerland
In 2016, the Swiss Parliament updated its data retention law BÜPF to enforce data retention for all communication data (post, email, phone, text messages, IP addresses). In 2018, the revision of the VÜPF translated this into administrative obligations for ISPs, email providers, and others, with exceptions depending on the size of the provider and on whether they were classified as telecommunications service providers or communications services.
As a result, services such as Threema and Proton Mail were exempt from some of the obligations that providers such as Swisscom, Salt, and Sunrise had to comply with - even though the Swiss government would have liked to classify them as quasi network operators and telecommunications providers as well. The currently discussed update of the VÜPF seems to directly target smaller providers as well as providers of anonymous services and VPNs.
The Swiss surveillance state has always sought a lot of power, and in the past it had to be reined in by the Federal Supreme Court to put surveillance on a sound legal basis.
But now, Article 50a of the VÜPF reform mandates that providers must be able to remove “the encryption provided by them or on their behalf”, basically asking for backdoor access to encryption. However, end-to-end encrypted messages exchanged between users do not fall under this decryption obligation. Yet even Swiss email provider Proton Mail tells Der Bund that “Swiss surveillance would be much stricter than in the USA and the EU, and Switzerland would lose its competitiveness as a business location.”
Criticism of the law
This reform is widely criticized as an attack on privacy and secure digital communication. If implemented, it could seriously damage Switzerland’s reputation as a good location for secure and private online services. Using a Swiss app because of its good level of data protection would become obsolete, and this would affect even small companies as well as open source projects operated from Switzerland. All the while, the big players from Silicon Valley like WhatsApp or Gmail would not fall under this legislation.
The Digitale Gesellschaft tells Heise that
“In the future, it would hardly be possible to use a chat app, for example, without directly or indirectly providing an official ID. The revision represents a frontal attack on our fundamental rights, the rule of law and the possibility of secure and protected communication.”
Legal and data protection experts also object that the update of the VÜPF conflicts with the Data Protection Act (e.g. the Act’s data minimization principle) and may violate constitutional rights such as the right to privacy.
We at Tuta Mail are fighting legal attempts to undermine encryption on all fronts, such as the EU framework ProtectEU, Sweden’s attempt to backdoor encryption, and now Switzerland’s update of the VÜPF.
Together, we must make sure that our internet stays secure and private!