
Planned Revision of Surveillance Ordinances Threatens Fundamental Rights and Compromises Encryption
ISOC Switzerland Chapter - Tuesday, May 6, 2025
Zurich, May 6, 2025 – The public consultation on the partial revision of the Ordinance on the Surveillance of Postal and Telecommunications Traffic (VÜPF/OSCPT) and the ordinance of the Swiss Federal Department of Justice and Police FDJP (VD-ÜPF/OME-SCPT) [1], which ends today, raises major questions and massive concerns. The planned changes jeopardize not only the fundamental right to privacy, but also the security of encryption. VPN and other encrypted communication services in particular are in the spotlight – with potentially devastating consequences for citizens and companies.
Attack on Privacy
The revision of the VÜPF/OSCPT provides for an expansion of the monitoring obligations for providers of telecommunications services (FDA/FST) and derived communication services (AAKD/FSCD), including extended obligations for user identification and data retention. These measures encroach deeply on the privacy of citizens. This also affects medical confidentiality and the protection of journalistic sources.
Risk of Misuse of Unnecessarily Stored Data
Any additional storage of data increases the risk of misuse. Metadata can provide detailed insights into communication partners, locations and habits. The mandatory retention of metadata for six months not only enables mass surveillance, but in principle also enables unlawful access by third parties, such as hackers, criminals or employees of the FDA/FST or AAKD/FSCD. For example, if such data falls into the hands of criminals, it could be used for blackmail, telephone fraud, phishing, identity theft or other forms of abuse.
Compromising Encryption
The proposed obligation to remove encryption compromises the security of encryption. Providers would be forced to install backdoors or use other methods that deliberately weaken encryption in order to deliver unencrypted content to the authorities. Creating such security loopholes allows not only the authorities, but potentially also hackers, criminals or other unauthorized persons to access confidential data.
The UK government recently passed similar regulations, which Apple decided not to implement. Instead, Apple announced the withdrawal of encrypted services for its customers in the UK.
Quote (translated from German): “Apple and many IT security experts argue that a backdoor drives any encryption ad absurdum. Once a way exists to decrypt encrypted data, it is only a matter of time before criminals or authoritarian regimes exploit it. End-to-end encryption means exactly that: no one other than the users themselves – not even Apple – can access the data. A backdoor is therefore always a massive security gap.” [2]
In Switzerland, services with privacy-friendly solutions traditionally have a strong position. Swiss providers such as Proton, NymVPN, PVY.swiss or Threema are particularly affected by the new regulation. Proton has already announced that it will leave Switzerland if it can no longer conduct proper business here. [3]
References
[Translated partially by DeepL.]