The Illusion Of "Swiss Privacy" Being The Best

tl;dr: Don't fall for the Swiss Privacy Hype. With similar data sharing agreements like the EU, Switzerland can not protect you if foreign authorities request your data.

Our world has become fully interconnected through vast tangles of cables, humming servers, and wireless communications. After the fallout of the Snowden revelations various rumors have popped up around the internet and wider societal discussion of locations in the world which operate beyond the watchful gaze of the NSA, Five Eyes, and Fourteen Eyes intelligence apparatus. But how true are these claims?

Is there a datahaven in the world that truly offers superior protection from nation states or other advanced persistent threat actors?

Russia seems to be the chosen locale for criminal ransomware groups seeking to evade US legal jurisdiction, micronations have teased the possibility of off-shore data storage and hosting solutions, but what about Switzerland and Swiss Privacy?

The small mountain nation has long been hailed as a bastion of freedom for privacy, namely in banking and finance as Switzerland has offered services to help wealthy individuals evade their local tax laws.

But can they make this same claim when it comes to protecting online data and is it truly possible for any location on the globe to escape the leviathan of digital surveillance?

The Swiss Security Model is Like Their Cheese. Full of Holes.

Many privacy oriented companies based in Switzerland try and promote themselves based upon the premise that somehow, this small country exists in a protective bubble beyond the reach of international intelligence or law enforcement agencies. Beyond the fact that this is easily debunked and that Swiss Privacy is not better than for example German Privacy, there are multiple examples of the Swiss government actively working with US law enforcement agencies, this strange assumption of special protections persists. This begs the question, in the face of easy-to-find evidence that proves the opposite, why do people assume that Switzerland is a data haven?

The answer is three-fold Switzerland isn't in the EU, Switzerland has maintained a long history of neutrality, and they have earned a reputation as a safe haven for storing wealth and tax evasion via the infamous "Swiss Bank account".

Let's examine these to determine whether or not they actually support the conclusion that your data is truly safer if the servers are located in Switzerland and thus protected with "Swiss Privacy".

1. Switzerland isn't in the EU

What role does a country being an EU member play in their cooperation with global intelligence agencies like those in the United States? First, existing beyond the US border does add an element of security in that American authorities cannot immediately arrive at your place of residence and kick the door down. However, multiple bilateral information exchange agreements exist between the EU and United States. Some individual countries have their own specific partnerships with Five Eyes intelligence agencies.

While it might be assumed that because Switzerland is not an EU member that they are not involved in this kind of data sharing, that is not the case. The "Club de Berne" is a voluntary intelligence sharing group between all 27 EU countries, Norway, and, you guessed it, Switzerland. Founded in 1971, the group actively shares data which they collect in order to monitor threats. Following the terrorist attacks on September 11th, 2001 this group also created an off-shoot program called the Counter Terrorism Group which aims to share intelligence in order to prevent future terrorist attacks around the globe. Intelligence analysis gathered by these groups are fed into the European Union Intelligence and Situation Centre which collaborates with the Five Eyes member United Kingdom.

Switzerland is also a member of Interpol and works in active cooperation with Europol, which also includes sharing criminal intelligence with other EU and Schengen nations. The country also works within the European Cybercrime Centre to combat online criminal activity. Another non-EU member of this group is the United States of America. Despite going against the online narrative, this shouldn't be surprising because this is precisely how an intelligence bureau works.

Despite their repeated claims that existing beyond the EU somehow offers greater data protection, this is far from true. The Swiss government is collecting and sharing data with EU member states as well as the UK and US, then data stored within their borders is no safer than data stored in France or Germany. The idea that the Swiss national border provides a special form of privacy is an illusion.

2. Switzerland Maintains Political Neutrality

Following the fallout of a major data theft incident at the Swiss NDB (Federal Intelligence Service) a report from Reuters showed that Switzerland has been directly working with both US and UK intelligence agencies. This comes at no surprise seeing that the Swiss government years ago self-reported receiving 9000 unique pieces of data and sharing 4500 pieces of data with more than 100 different foreign intelligence agencies. This contradicts the oft pushed empty claim that somehow Switzerland manages to operate in political isolation.

Neutrality does not mean that Swiss intelligence operate within their own country either. The Onyx program, awarded the "Big Brother Award", which intercepts telephone, internet, and fax data is stationed in the beautiful mountain towns of Leuk, Zimmerwald, and Heimanschwand. The Onyx system collects this traffic based upon certain keywords requested by intelligence agencies following independent third-party approval. The NDB claims that they are not collecting internal traffic, but any traffic that has a destination beyond the Swiss border is fair game, even if sent by a Swiss citizen. This practice is not unique and the Swiss NDB operates in a similar fashion as other national intelligence agencies.

Onyx Program Data Collection Station

This cross-border traffic collection means that if you are connecting to a Swiss-based service from outside of Switzerland your data is being actively collected and shared with other intelligence agencies around the world.

So much for the value of "Swiss Privacy".

3. Swiss Banks Actively Assist Foreign Citizens in Hiding Money

The first laws protecting Swiss financial institutions from sharing customer data were instituted in 1713 in Geneva. These laws allowed for wealthy persons and corporations throughout Europe to stash money outside of their home countries thus avoiding paying taxes. This became an accepted practice and combined with Switzerland's political neutrality, the nation became a go-to banking destination for money laundering and tax evasion.

This curtain of secrecy fell in 2018 when Switzerland became an active participant in the Common Reporting Standard (CRS) which requires member nations to share financial account information belonging to foreign customers. This means that every tax season banks and financial institutions are required to turn over information related to non-native customers who are liable to pay taxes in another country. Currently there are 38 total nations who take part in CRS including the United States, the entire European Union, Norway, the UK, Canada, Australia, New Zealand, Japan, South Korea, and Israel. A number of these nations should jump out at you seeing as they are members of the Five Eyes and Fourteen Eyes intelligence programs.

Leuk Surveillance Station

With all of this information being funneled to the countries which operate the globes largest and most comprehensive intelligence apparatus, simply having a bank located within Switzerland means nothing. In the digital age, the physical borders of sovereign nation states have little to no deterring power when it comes to protecting data.

Encryption vs Location

With all of these global intelligence sharing agreements, we find ourselves living in a world where there is no single place where it is safe to simply "hide" your data. So don't fall for the promise of Swiss privacy.

It doesn't matter where you are storing your data, should you become interesting enough it is likely that your information can land in the hands of law enforcement or intelligence agencies either through direct surveillance or legal push to share available data. Even secure facilities with air-gapped networks are vulnerable to these advanced persistent threats as evidenced by the (assumed) US and Israeli cyberattacks on the Iranian nuclear facility with Stuxnet.

Is Switzerland good for privacy?

Switzerland is generally considered good for privacy due to its robust data protection laws and a reputation for safeguarding people's bank accounts, on which the country's good reputation in terms of protecting privacy rights is largely based. Like Germany, the small country in the Alps of Switzerland has comprehensive regulations that govern the collection, processing, and storage of personal data, providing a strong legal foundation for privacy protection. But one should note that Switzerland has data retention laws while Germany does not have data retention. Though not perfect for privacy rights, Switzerland has a sound legal framework for privacy protection altogether.

The country's data protection laws are very similar to Germany's laws in its stringent requirements for data security laid down in the Swiss Federal Act on Data Protection (Schweizer Bundesgesetz über den Datenschutz, DSG). Switzerland's legal independence from the European Union, neutral political status, and a history of protecting privacy rights make it seem like an attractive choice for businesses seeking a secure and privacy-conscious operating environment. However, the legal framework is not much different from the European Union or Germany, namely the EU General Data Protection Regulation (GDPR) is one of the best legislation for data protection and it is valid in the EU and Germany, but not in Switzerland.

Switzerland vs US

Switzerland and the United States differ significantly in their privacy legislation, particularly regarding intelligence agency activities and surveillance laws. Switzerland - just like Germany - has comprehensive data protection laws that prioritize individual privacy rights and historically opposes mass surveillance, imposing stricter legal limits on its intelligence agencies the Swiss NDB and German BND. In contrast, the United States, through legislation like the Foreign Intelligence Surveillance Act (FISA) and the USA PATRIOT Act, grants broader surveillance powers to agencies such as the NSA and FBI. FISA is particularly concerning in terms of protecting people's privacy as it allows surveillance of non-U.S. citizens, potentially including communication with U.S. citizens, raising concerns about privacy and overreach.

For instance, the FBI has abused FISA 702 millions of times through warrantless “backdoor” searches of Americans’ calls, texts, & emails. With the recent re-authorization of FISA 702 until 2025, this illegal mass surveillance of Americans' communication will continue.

In summary, Switzerland - just like Germany - is generally considered a favorable location for privacy, both due to its legal framework and the historical commitment to protecting individual privacy rights.

Location doesn't mean your data is safe. Only strong encryption can provide that peace of mind.

Instead of seeking out special storage sanctuaries, the better choice is to encrypt all of your data with secure end-to-end encryption. If data does land in the hands of a given threat actor, the actual content remains secure as they will only be able to view a garbled mash of non-sense. Proper operational security and strong encryption should be norm when it comes to protecting your digital life. Beyond choosing services which protect your data with encryption, you should opt for those currently pursuing new encryption models which include perfect forward secrecy and post-quantum encryption. This will allow you to rest assured that your data doesn't fall victim to the "harvest now, decrypt later" strategy.

Bottom-line: Swiss privacy laws are good and are very similar to the GDPR laws in place in Germany. However, these laws do not protect you from national or international surveillance programs. Instead, end-to-end encryption is the best tool to protect your data.

Stay vigilant and stay safe. Happy encrypting!