Proposed Swiss encryption laws may have a severe impact on VPNs – what you need to know

A proposed change to Switzerland's surveillance laws threatens to undermine people's data privacy, according to VPN newcomer, NymVPN.

The country is looking to extend current surveillance obligations to providers offering the best VPN services, email, messaging, and social networking. The way encryption is handled would have to be changed, as would approaches to user privacy and anonymity.

Specifically, the change would require these companies to collect identification from people using their services, alongside demanding a backdoor on encrypted content. Three types of information and two types of monitoring would also be created.

The fundamental purpose of VPNs is to protect users' privacy by encrypting their data, and the most secure VPNs never log or collect identifiable information. Adhering to this proposed law change would mean Swiss-based VPN providers could not deliver on their commitment to users.

Swiss-based providers Proton VPN and NymVPN are now voicing their concerns alongside the encrypted messaging app Threema.

The proposed amendment is still in its consultation phase. Swiss residents have the opportunity to respond to the consultation until May 6, 2025.

NymVPN speaks out

The Chelsea Manning-backed NymVPN has been vocal in its opposition to the proposed law changes and published a detailed statement from Chief Operating Officer Alexis Roussel.

In the statement it said "a new ordinance issued by the Swiss Federal Council not only puts companies such as Proton, Threema, and Nym at direct risk, but also the security of individuals."

"The new version of the Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT) aims to extend surveillance obligations to those offering services such as e-mail, messaging, social networking, and VPNs," Roussel stated.

He went on to give examples of how a provider might be impacted. "As of 5,000 users, the ordinance requires operators to identify users by means of a form of identification. The operator must keep this information for 6 months after the end of the relationship (Article 19). For example, an association running a mastodon server would have to identify users if it exceeded 5,000."

"The ordinance seeks to impose the decryption of communications when the operator possesses one of the encryption keys (Article 50a)."

Roussel warned that "this ordinance directly endangers the people who use these services" and accused the Federal Council of attempting to circumvent the case law of the Swiss Federal Court.

"This ordinance profoundly alters the spirit of the law," Roussel warned and he suggested the Federal Council was working against privacy-focused companies.

"At a time when the Swiss are celebrating the success of young privacy-preserving companies such as Proton and Threema, when the Swiss army itself has chosen to use Threema, and when other promising players, such as Nym, are emerging in the field of privacy-friendly technologies and the protection of people's digital integrity, this ordinance by the Federal Council is destroying an entire sector."

NymVPN encouraged people to share the news as widely as possible. It said anyone living in Switzerland should respond to the consultation, as well as writing to their federal elected representative.

It also warned those living in the EU to be on guard against attempts to undermine end-to-end encryption.

Tom's Guide reached out to Proton VPN for comment, but has not received a response at the time of writing.

All eyes on encryption

The Swiss Federal Council's statement (translated from French to English) announcing the law and consultation stated "the OSCPT also specifies the legal obligation for providers to remove the encryption they have implemented."

However it went on to say that end-to-end encryption is "explicitly not affected." This would seemingly include VPNs. The full impact of the law therefore may not be known until the conclusion of the consultation phase.

Speaking to TechRadar, Roussel said: "It's not about end-to-end encryption. They don't want to force you to reveal what's inside the communication itself, but they want to know where it goes."

Historically, Switzerland has very strong privacy laws and this marks a disappointing change in attitudes towards data privacy – regardless of whether the law change is passed or not.