How a Small Company in Switzerland Is Fighting a Surveillance Law — And Winning

ProtonMail and its allies have forced the Swiss government to put its new invasive surveillance law up for a public vote in a national referendum in June.


A small email provider and its customers have mobilized to force the Swiss government to put its new invasive surveillance law up for a public vote in a national referendum in June. (See correction below.)

“This law was approved in September, and after the Paris attacks, we assumed privacy was dead at that point,” said Andy Yen, co-founder of ProtonMail, when I spoke with him on the phone. He was referring to the Nachrichtendienstgesetz (NDG), a mouthful of a name for a bill that gave Swiss intelligence authorities more clout to spy on private communications, hack into citizens’ computers, and sweep up their cellphone information.

The climate of fear and terrorism, he said, felt too overwhelming to get people to care about constitutional rights when people first started organizing to fight the NDG law. Governments around the world, not to mention cable news networks, have taken advantage of tragedy to expand their reach under the guise of protecting people, even in classically neutral Switzerland — without much transparency or public debate on whether or not increased surveillance would help solve the problem.

But under Swiss law, if you gather 50,000 signatures within three months of the law passing, you can force a nationwide referendum where every citizen gets a say.

“In Switzerland, and overseas, no one really thought to ask the people,” Yen said. “The public opinion, especially from the young people, has shifted to pro-privacy.”

By gathering its users and teaming up with political groups including the Green and Pirate parties, as well as technological and privacy advocates including Chaos Computer Club Switzerland and Digitale Gesellschaft Switzerland, ProtonMail was able to contribute to the effort to collect over 70,000 signatures before the deadline. (See correction below.)

The new law is the first of two surveillance laws that have been circulating through the Swiss Parliament. The NDG law was fully passed in September, but can’t take full effect until after the referendum vote in June. The NDG would “create a mini NSA in Switzerland,” Yen wrote — allowing Swiss intelligence to spy without getting court approval. It would authorize increased use of “Trojans,” or remote hacking tactics to investigate suspects’ computers, including remotely turning on Webcams and taking photos, as well as hacking abroad to protect Swiss infrastructure. It would legalize IMSI catchers, or Stingrays, which sweep up data about cellphones in the area.

The second law, known as the “BÜPF,” might come up for a vote in the Parliament’s spring session, but may be revised or delayed. The BÜPF would expand the government’s ability to retain data for longer, including communications and metadata, as well as deputize private companies to help spy on their users, or face a fine. “What I have heard from insiders is that they will reduce its scope now that they know we have the numbers to also force a vote on that law,” Yen wrote in an email to The Intercept.

ProtonMail, created by scientists and engineers with know-how in particle physics, software, cryptology, and civil liberties, provides unbreakable end-to-end encryption by default to its users for free — making it easy for ordinary people to protect their communications and preserve their anonymity.

With end-to-end encryption, only the person who sends the message and the person who receives it can access the content; not even the company can see what was written. Encryption protects transactions on the internet, so that criminals can’t read messages, steal credit card information, or impersonate others.

The Swiss surveillance bill does not compel ProtonMail to decrypt its users’ communications, so if the Swiss intelligence service forces it to hand over data, all the intelligence service will get is gobbledygook. But ProtonMail still feels the measure threatens Swiss privacy — something the company hopes to defend, regardless of its bottom line.

Strong political currents in Europe, as in the United States, are pushing against encryption and privacy, which law enforcement says prevent it from accessing evidence with a warrant. Lawmakers, government officials, and law enforcement agencies alike have been pushing for a way to gain access to uncrackable end-to-end encryption. Scientists collectively agree this is a bad idea that would threaten the security of the internet without actually helping anyone catch bad guys.

As of November, 14 countries had passed new laws bequeathing more power to intelligence agencies to spy. France’s upcoming surveillance law, though it will not mandate backdoors in encryption, will allow law enforcement more surveillance powers, including to spy on phone calls and emails without a judge’s approval and install key logger devices on suspects’ computers to retrieve their passwords. The Chinese government passed a law in December requiring companies to turn over encryption keys, and the Cuban government has the power to approve all encryption technology before it hits the market. In Bahrain, where dissenting political speech is condemned, encryption is outlawed for “criminal intentions.”

The U.K.’s Investigatory Powers Bill, or “Snooper’s Charter,” as many call it, could compel companies to help the government circumvent encryption if it becomes law, according to privacy advocates familiar with the draft legislation.

Other countries’ laws might affect ProtonMail’s business overseas, as well as major American companies offering end-to-end encryption, like Apple.

According to Yen, issues of national security and privacy aren’t usually brought to a vote by the entire country. Nationwide referendums aren’t all that common — they happen maybe five or six times a year, usually when the government wants to build something expensive and people don’t want to pay for it. Forcing a referendum is a lengthy, pricey process, he says.

But now, the Swiss want to be an example for the rest of the world by “pushing to make data a cornerstone of the Swiss economy,” he said. “When you talk about data privacy, all our data goes online — we have to find a way to secure it. At the end of the day this privacy comes as a result of security.”

The same fight is brewing in the U.S., where people might have to be more creative and forceful to make their opinions heard. “ProtonMail went out to get signatures, worked with political parties, the Green party, the Pirate party. In the U.S., maybe with non-mainstream political groups, with the support of young people, and a few of the technology companies — there’s a real chance,” Yen said.

“A couple months ago we thought this referendum was totally impossible. Now here we are.”

Correction: An earlier version of this article overstated the role of ProtonMail and understated the role of the parties whose names were on the referendum committee that formally submitted signatures to the Swiss Parliament. The committee was spearheaded by the Young Socialists Party, and included the Social Party, Green Party, the rights groups and Digitale Gesellschaft, the Group for a Switzerland without an Army (GSoA), the Pirate Party, the media syndicate Syndicom, the Labor Party of Bern and Tessin (PDA), Basler Fankurve, Swiss football supporters, and four others. ProtonMail was supportive of the effort but was not formally included on the referendum committee.

Top photo: Swiss citizens bring boxes of signatures to the Swiss Parliament. 
