Swiss surveillance: the full monty

In recent years, security-obsessed politicians and officials have been busy putting into place surveillance mechanisms while ignoring or even denying and perverting the positive effects of digitisation. The following text shows how far Switzerland's Internet policy – despite elements of direct democracy – has gone astray. A guest article by Digitale Gesellschaft Schweiz (“Digital Society Switzerland”).

The German version of this article is available here.

Switzerland is world-renowned for its democracy, which is often deemed exemplary. This is especially true for elements of direct democracy such as those called Initiative and Referendum. Each Initiative (requiring 100,000 signatures plus a won public vote) can change the constitution. A Referendum (50,000 signatures plus a won public vote) can prevent a law passed by parliament. Roughly once a year, Switzerland makes international headlines with public votes such as “mass immigration initiative”, “Ecopop”, “rip-off initiative”, “1:12 initiative”, and in future possibly with the “popular initiative for the introduction of an unconditional basic income.”

Swiss surveillance: the full monty

There is one topic Switzerland does not make headlines with internationally or nationally, although this would be hugely important: surveillance. While international news is full of reports on the proliferating surveillance of and by Germany and the USA, in many minds there is still an undeservedly positive image of Switzerland as a haven of data protection and privacy. How else can you explain why PGP inventor Phil Zimmermann wants to move Silent Circle to Switzerland, citing privacy concerns and legislation on data retention? Protonmail, too, praises Swiss legislation as a locational advantage. According to our lawmakers, however, there are too many surveillance opportunities still unused. They want to make up for this by totally rewriting the relevant laws called BÜPF (“federal law on postal and network surveillance”) and NDG (“intelligence agency law”). A comfortable middle-right majority is rushing these drafts through parliament, and is likely to pass the laws in autumn 2015. What follows is the current state of affairs as well as the intended legislative changes to BÜPF and NDG, ordered by type of surveillance excess.

Waste not, want not: data retention

Switzerland introduced mandatory data retention in 1997. Silently and without much public attention, a six-month data retention period was decreed and later, again without public discussion, passed as a law. The revised BÜPF will extend the retention period from six to twelve months. There is no constitutional court in Switzerland that could repeal a law that it finds to violate the constitution. In spite of this, Digitale Gesellschaft Schweiz addressed a complaint against data retention at the federal administrative court. A – negative – decision is expected in 2015. Via the federal court, the avenue to the European Court of Human Rights (ECtHR) will then be open. It is expected that this court's ruling will not fall short of that of the European Court of Justice (ECJ). A ruling in favour of our complaint would have direct implications for Switzerland, and it would send a strong signal to all countries that have signed the European Convention on Human Rights.

State trojan: state-sponsored malware

The revised BÜPF and NDG laws would allow law enforcement and intelligence agencies to use trojans (euphemistically and misleadingly called “remote forensic software”). Despite the lack of a legal basis, authorities have used state trojans since 2004. Recently, the HackingTeam hack revealed that the Zurich cantonal police had paid almost €500,000 to this Italian company for software and support.

IMSI catcher: effortless dragnet investigation

The new BÜPF law would also legalise the use of IMSI catchers by law enforcement agencies. Considering that the registration of SIM cards has been mandatory since 2003, the identities of people participating in a demonstration or others nearby whose mobile phones happen to connect to an IMSI catcher would be revealed at the push of a button. Again, the lack of a legal basis has not prevented authorities from using these devices. The Zurich cantonal police acquired them in 2014. More information is not available.

Expanding the scope: mandatory snooping

In addition to data retention, access providers already have to be prepared to perform active surveillance on behalf of law enforcement agencies. The revised BÜPF would vastly expand this obligation to co-operate. Providers of Web forums, chat rooms, online storage, e-mail, hosting and cloud services, and even hotels, hospitals and shared flats would be required to spy on their users, patients or flatmates – or at least to let it happen. This is reminiscent of the civilian informants (called IM for “informeller Mitarbeiter”) of the East German Stasi, although those people were paid or pressed to do this, whereas in Switzerland people would be legally required to be informants. Refusal to become complicit in spying or talking about the spying could result in a fine ranging between CHF40,000 and CHF100,000.

Cable reconnaissance: looking for the needle in the haystack

The new NDG law would give the federal intelligence agency a new tool called Kabelaufklärung (“cable reconnaissance”), i.e. the right to wiretap communication lines. The entire Internet traffic flowing from Switzerland abroad could then be monitored for certain keywords. Since most Internet communications involve servers abroad, the entire population would be affected by this mass surveillance. Of course, any access from abroad to Swiss servers and services would be wiretapped, too.

Cyberwar: Switzerland vs the world

The revised NDG would grant the intelligence agency the power to hack into computer systems and networks abroad which attack critical infrastructure in Switzerland – or which hold or transmit information about external affairs (source).

What is going on in Switzerland (apart from snooping)?

Network neutrality

There is no law mandating network neutrality in Switzerland. A motion submitted by Green lawmaker Balthasar Glättli passed the first chamber (Nationalrat) but not the second chamber (Ständerat) of parliament. Any binding regulation is unlikely in the foreseeable future.

Web blocking

So far, Web blocking has not entered legislation. However, this does not prevent blocking from happening. While Germany has adopted a “removing instead of blocking” strategy, Swiss Internet access providers voluntarily cripple their DNS servers by installing a blacklist compiled by the coordination body for fighting Internet crime, KOBIK (Koordinationsstelle zur Bekämpfung der Internetkriminalität). Some judges order providers to do DNS blocking despite the missing legal basis.

What is technically possible and what has been done before will be done again. DNS and IP blocking are demanded by the working group on copyright, which is preparing a revision of copyright law that is expected to be submitted for consultation by the administration in 2015. This consultation process (called Vernehmlassung) is a Swiss peculiarity: the administration invites the population and lobby groups to comment on draft laws before they are discussed in parliament.

Additionally, and unexpectedly for the Internet community, network blocking, of all things, was chosen as a means to lock down the domestic Internet gambling market in planned legislation on the gambling law that entered the consultation process (Vernehmlassung) in 2014.

Outlook

Given the examples above, it comes as no surprise that the outlook for Internet policy is bleak. Too many politicians view the Internet as a marketplace or a playground for criminals but have no clue about the opportunities it creates for civil society or about the consequences their Internet policy decisions have for society.

Unfortunately, Internet activists are less powerful in Switzerland than in Germany. Despite the availability of direct democratic instruments, Referendums or even Initiatives have not been won. Our group, Digitale Gesellschaft Schweiz, is resolved to make its influence felt. Together with other Internet political organisations, we will pursue the Referendum against NDG and BÜPF. In order to collect 50,000 signatures, we will need a lot of support in late autumn 2015 because after each law is passed, we have only three months to collect signatures. If this succeeds, we still have to win the popular vote. This would delay these laws by one or two years – time we could use to prepare for the battle for votes.

Note: Apart from a certain topical overlap, Digitale Gesellschaft Schweiz is not related to Digitale Gesellschaft e.V. from Germany.
