Email service provider ProtonMail, based in Switzerland, offers assistance for real-time surveillance: Voluntarily!
This insight goes back to public prosecutor Stephan Walder, who heads the Cybercrime Competence Center in the Canton of Zurich in Switzerland:
On 10 May 2019, Walder gave a presentation on the possibilities and limits of criminal prosecution at a continuing education event on the digitization of criminal law and criminal procedure. Walder incidentally mentioned as a positive example that ProtonMail voluntarily offers assistance for real-time surveillance. Public prosecutor Walder had expected that he would have to obtain a federal court decision.
On Twitter, ProtonMail repeatedly avoided to address the question why real-time surveillance was carried out voluntarily. Instead, ProtonMail stressed that the contents of the communication could not be monitored due to end-to-end encryption.
Advertising by ProtonMail: Trust due to Domicile in Switzerland?
ProtonMail aggressively promotes data protection and encryption. The aim is to inspire confidence through the facts that ProtonMail was founded by CERN employees in the Canton of Geneva and that ProtonMail has its domicile in Switzerland.
ProtonMail claims that „all user data is protected by strict Swiss privacy laws“. ProtonMail further claims that it is exempt from the Swiss Federal Act on the Surveillance of Post and Telecommunications (SPTA, German: Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs, BÜPF) and the Ordinance on the Surveillance of Post and Telecommunications (SPTO, German: Verordnung über die Überwachung des Post- und Fernmeldeverkehrs, VÜPF).
Both claims are wrong:
- The Swiss Federal Act on Data Protection (FADP, German: Bundesgesetz über den Datenschutz, DSG) is not applicable to pending criminal proceedings and thus to ongoing surveillance measures (art. 2 para. 2 lit. c FADP). In addition, the current data protection laws in Switzerland are not strict but largely a paper tiger and lag behind the General Data Protection Regulation (GDPR) of the European Union (EU) in almost every respect. The current revision of the GDPR is not making progress.
- The SPTA explicitly applies to providers of derived communication services (PDCS, German: Anbieterinnen abgeleiteter Kommunikationsdienste, AAKD), i.e., to „providers of services which are based on telecommunications services and enable one-way or multipath communication“ (art. 2 lit. c SPTA). The SPTA was revised on 1 March 2018, in particular with the aim of being able to monitor Internet services such as providers of email, instant messaging and VPN services. The SPTA does not provide for Internet services to be excluded.
SPTA: Surveillance Obligations for ProtonMail
ProtonMail as a Provider of Derived Communication Services
ProtonMail is a provider of derived communication services (PDCS). ProtonMail must therefore „tolerate surveillance carried out by the Service or by persons it designates of the data that the person under surveillance transmits or stores using derived communications services“. For this purpose, ProtonMail must without delay „grant access to [its] facilities“ and „provide the information required for the surveillance“ (art. 27 para. 1 SPTA). In addition, ProtonMail must „supply the secondary data of telecommunications available to them relating to the person under surveillance“ (art. 27 para. 2 SPTA).
ProtonMail has to tolerate surveillance measures and has to provide information as well as access for this purpose. Metadata or secondary data that is available must be provided. On the other hand, ProtonMail, as a provider of derived communication services, has in principle no obligation for real-time surveillance. Art. 26 para. 4 SPTA provides such obligation only for providers of telecommunications services such as Swisscom or UPC.
Providers of derived communications services which „provide services of major economic importance or to a large number of users“, however, may be subject in whole or in part to the surveillance obligations for providers of telecommunications services (art. 27 para. 3 SPTA). The Swiss Federal Post and Telecommunications Surveillance Service (PTSS) decrees such more extensive surveillance obligations, in particular if surveillance orders have been assigned to 10 different targets in the last 12 months.
There is currently no evidence that ProtonMail is a provider of derived communications services with more extensive surveillance obligations. ProtonMail would therefore not have to voluntarily provide assistance for real-time surveillance.
ProtonMail as a Provider of Telecommunications Services?
ProtonMail argues that it is not a provider of derived communication services, but a telecommunications service provider (TSP) with reduced surveillance obligations (art. 26 para. 6 SPTA). Telecommunications service providers can request reduced surveillance obligations from the PTSS if their annual turnover in Switzerland is less than CHF 100 million and if in the last 12 months less than 10 surveillance orders have been assigned to different targets.
According to the Swiss Federal Council dispatch on the revised SPTA, it is clear that email service providers are considered PDCSs. However, the PTSS uses a reinterpretation of the definition of „telecommunications service provider“ as shown by its information sheet „Distinction between Telecommunications Service Providers (TSP) and Providers of Derived Communications Services (PDCS)“.
In this information sheet, the PTSS claims that email is an over-the-top (OTT) service provided by telecommunications service providers. Simon Schlauri, a fellow Swiss lawyer specialised in telecommunications law and professor at the University of Zurich, finds clear words for this reinterpretation (with emphasis):
„This new interpretation clearly contradicts the […] intentions of the legislator in issuing the revised SPTA. To subordinate OTT services to the regime for normal telecommunications services would mean to throw over the clear order of competence of the SPTA already with the introduction of the revised law.
Such a reinterpretation of terms would also contradict the decades-old practice of the Swiss Federal Supreme Court to give considerable weight to the historical interpretation at least in the first period after the introduction of a new law. […] The reinterpretation by the PTSS of the concept of telecommunications services in the SPTA and the associated arbitrary extension of the obligations of OTT service providers is thus obviously unlawful.“
The Swiss Federal Council supports – unsurprisingly – this reinterpretation by the PTSS, as can be seen from its statement on National Councilor Beat Flach’s interpellation 19.3267. The statement reads as if it had been written by the PTSS itself. ProtonMail is not explicitly mentioned in the interpellation.
Even as a telecommunications service provider with reduced surveillance obligations, ProtonMail would not have to voluntarily offer assistance for real-time monitoring. At the same time, however, telecommunications service providers must identify their users (identification obligation, art. 22 para. 2 SPTA in conjunction with art. 19 para. 1 SPTO). In addition, there would always be a risk that ProtonMail could be upgraded to a telecommunications service provider with all monitoring obligations, including data retention.
Real-Time Surveillance: Transparency by ProtonMail
ProtonMail falsely claims to be exempt from the SPTA, wrongly advertises with „strict Swiss privacy laws“ and trivializes the surveillance state in Switzerland. However, ProtonMail is one of the few Internet companies in Switzerland with a transparency report.
In its transparency report, ProtonMail explicitly mentions the possibility of real-time surveillance („ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities“). ProtonMail even mentions a current case of real-time surveillance:
„In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.“
By writing of a „case of clear criminal conduct“ and of „illegal activities which contravene Swiss law“, ProtonMail violates the presumption of innocence against the monitored suspects.
Such suspects are of course not informed by ProtonMail about ongoing real-time surveillance measures. They will only subsequently receive notification from the responsible public prosecutor’s office (art. 279 para. 1 Swiss Federal Criminal Procedure Code, CrimPC), unless an exception applies (art. 279 para. 2 CrimPC).
Metadata: Nothing to see here, move along?
ProtonMail claims that the contents of emails are protected by end-to-end encryption. At the same time, ProtonMail confirms that at least metadata or marginal data are delivered („Metadata can always be handed over in a criminal investigation“).
Users may believe ProtonMail that the contents of emails cannot be monitored at the present time. ProtonMail, on the other hand, voluntarily offers real-time surveillance of metadata such as IP addresses. Such metadata also includes the sender and recipient as well as the subject of individual emails. Other metadata are the date and time of an email and its length. It is possible to monitor who sent an email to whom, when, with which subject and with which size.
Anyone who believes ProtonMail and consoles himself that the email contents are encrypted underestimates the significance of metadata. In the words of the American National Security Agency (NSA):
„Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content. […] We kill people based on metadata.“
„[…] As in Europe, US citizens should be reassured with the statement that the collection of metadata ‚does not constitute surveillance‘ since ’no contents of communication are captured‘ […]. For Greenwald, this statement is ‚dishonest‘ […]. Because: ‚It obscures the fact that especially the monitoring of metadata represents at least as strong – and often even stronger – an invasion of privacy as the interception of content‘ […]. This enables the government to provide citizens with an amazingly comprehensive picture of their way of life, their connections and contacts, their activities and some of the most intimate and private information.“
„What Is Metadata and Why You Should Care“Jetzt lesen!
Surveillance State Switzerland: How much Trust does ProtonMail deserve?
If you believe ProtonMail’s advertising, the email service is not affected by the surveillance state in Switzerland and benefits from „strict Swiss privacy laws.“
ProtonMail in particular gives the impression of being a suitable service for users looking for a trustworthy email service provider with data protection and encryption. Even the cliché of the data bunker in the Alps is not omitted by ProtonMail („ProtonMail is hosted in a former military command center deep inside the Swiss alps.“) and, of course, the neutrality of Switzerland is mentioned.
The reality looks different. ProtonMail has its domicile in Switzerland and therefore in a surveillance state that is being expanded step by step:
- The revised Swiss Federal Act on the Surveillance of Post and Telecommunications (SPTA) is directed in particular against Internet services such as ProtonMail.
- With the new Swiss Federal Intelligence Service Act (German: Nachrichtendienstgesetz, NDG), the use of ProtonMail is subject to mass surveillance by means of cable surveillance (German: Kabelaufklärung) and many other surveillance measures.
- Data protection laws in Switzerland are a paper tiger or in principle not applicable to surveillance measures by secret services, police authorities and public prosecutors.
- Surveillance measures in Switzerland are approved behind forever closed doors by Compulsory Measures Courts (German: Zwangsmassnahmengerichte, ZMG) and there is no effective supervision of the security authorities.
ProtonMail is – as far as is known – not yet subject to the more extensive surveillance obligations according to the SPTA. Nevertheless, ProtonMail voluntarily offers assistance for real-time surveillance pursuant to art. 26 para. 4 SPTA.
Email contents may not affected by real-time surveillance, but metadata is just as meaningful or even more meaningful. And who guarantees that ProtonMail will not sooner or later enable that email contents can be monitored too, for example when encrypting emails for „zero-access encryption“, where ProtonMail necessarily receives all emails in plain text?
Every user of ProtonMail (or ProtonVPN) must decide for himself whether the email service is trustworthy. The difference between advertising and reality at least speaks against too much trust for ProtonMail.
Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted. He claims that had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data. He had merely described ProtonMail as a potential provider of derived communication services (PDCS).
I was live-tweeting the event, including the interesting presentation by public prosecutor Walder. The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement. In its transparency report, ProtonMail – as mentioned above – itself refers to at least one case of real-time surveillance.