Switzerland plans anonymity ban and data retention by decree

A draft ordinance in Switzerland stipulates that users of all major platforms must provide a copy of their ID or driver's license or a telephone number.

The Swiss government, in the form of the Federal Council and the Federal Department of Justice and Police (FDJP), wants to massively expand internet surveillance. In the future, online services with at least 5,000 users will have to store metadata such as IP addresses and port numbers for six months and help the police and intelligence services to decrypt content. According to the plan, there will also be a new requirement for such operators to identify users. Users would have to present a copy of their ID or driving license or at least provide a telephone number. Identification is already required to register a SIM card in Switzerland – as in Germany.

The new surveillance regulations are not to be introduced by law, with parliament having a say, but by way of amendments to the Ordinance on the Surveillance of Postal and Telecommunications Traffic (VÜPF) and the associated implementing provisions. The VÜPF is comparable to the Swiss Telecommunications Surveillance Ordinance (TKÜV), which has also been the subject of fierce controversy for years.

The two Swiss ordinances generally regulate which providers of communication services are subject to which obligations to cooperate and when, particularly in terms of criminal prosecution. Those affected must, for example, eavesdrop on users, provide authorized authorities with information and collect and pass on data about their customers. Until now, the most extensive and comprehensive requirements applied to traditional telecommunications companies such as Swisscom, Salt and Sunrise as well as e-mail providers. With new thresholds, the executive now wants to significantly expand the circle of obligated parties and declare war on anonymity on the Internet.

Resistance is forming as part of a consultation on the two drafts from the end of January, which ended on Tuesday. Critics complain that anyone using a Swiss app, software or platform risks becoming transparent and identifiable. Even small and medium-sized companies would have to go to enormous lengths to secure the extensive databases required against cyberattackers. The Digitale Gesellschaft association points out: "In the future, it would hardly be possible to use a chat app, for example, without directly or indirectly providing an official ID."

Cloud services and the sharing and joint editing of documents would also be covered, the Swiss civil rights organization complains. In addition to private individuals, those subject to professional secrecy, such as doctors, lawyers or journalists, as well as other particularly vulnerable groups such as whistleblowers, people with unresolved residence status and activists would also be affected. Pilot projects, non-profit organizations or open-source services could hardly be operated in a meaningful way, as they would fall into the circle of obligated parties too quickly. In addition to contradictions with the actual surveillance law, there would also be violations of the Data Protection Act, which primarily contains the principle of data minimization.

"The revision represents a frontal attack on our fundamental rights, the rule of law and the possibility of secure and protected communication," summarizes Digitale Gesellschaft. Its implementation would cause lasting damage to trust in online services in the Alpine republic and Switzerland would maneuver itself politically and socially onto the sidelines. "Existing monopolies" of international companies such as WhatsApp, on the other hand, would be left out and thus further strengthened.

Jonathan Messmer from the IT law firm Ronzani/Schlauri is also concerned. "In extreme cases, law enforcement authorities could send an automated request to companies with full monitoring obligations every five seconds and thus extract all accesses that have just been registered 'in real time'," he told Republik magazine. In this way, "an entire history can be built up". Online privacy would be "systematically abolished".

With this plan, the Federal Council is primarily targeting the encrypted communication services Threema and Proton. The government had previously wanted to classify both companies as quasi network operators and telecommunications providers, meaning that they would also have been subject to real-time surveillance and data retention. However, both companies successfully defended themselves against this in court. They are now to be included in the scope of the ordinance after all: As they both have more than one million users and an annual turnover of CHF 100 million, they would have to cooperate fully with the authorities.

Threema CEO Robin Simon wants to keep all options open against the initiative. "We are prepared to launch a popular initiative to prevent the expansion of the surveillance state," he announced to the Tagesanzeiger newspaper. What makes this explosive: the Federal Council and the Swiss Armed Forces are among the messenger service's numerous customers, which also include international authorities. Proton boss Andy Yen stated that he would not be able to comply with the planned regulations under any circumstances. He is threatening to leave Switzerland if necessary.

Article 50a of the VÜPF reform stipulates that providers with reduced and full obligations must remove "the encryption provided by them or on their behalf". To achieve this, they are to "capture and decrypt the telecommunications traffic of the monitored person at suitable points" so that the desired data can be delivered in plain text. End-to-end encryption would not be affected by this, but only if it takes place "between end customers". The exception for end-to-end encryption would probably not apply at the provider level.

(mho)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.