by 1cvmask 1978 days ago
I think the Swiss Made Safe Messaging is suspect to those who know about backdoors. In fact the Swiss sold "encrypted" crypto phones with backdoors baked in as a business model. You paid to get spied on:

https://en.wikipedia.org/wiki/Crypto_AG

7 comments

A peeve of mine: pretty much all "made outside the US" messaging is sketchy, because one of the most important differences between stuff run in the US and stuff run outside the US is that NSA doesn't need special permission to hack stuff run outside the US --- in fact, hacking stuff outside of the US is basically their whole charter.

I'm not saying you should purposefully select US technology in order to avoid surveillance, just that "hosted or made in Switzerland" messaging in privacy tools isn't very meaningful, and takes advantage of an emotional reaction in prospective customers, not a rational one.

I think you're missing a bigger issue: if the data is in America, nothing needs to be hacked. Your data can be obtained through legal means.

Plus, if you're not an American citizen, you have no rights so far as three-letter agencies are concerned, whether your data is stored in the US or elsewhere.

The choice is between data stored in the US, where data can be obtained through legal means or hacking, and data stored elsewhere, where it can only be obtained through hacking.

That's true. You do have to make a decision about which protection you feel is stronger: the American legal system, or the current commercial state of the art in computer security lined up against the world's largest consumer of offensive security technology.
That could be true but only applies to people subject to the American legal system, i.e. those with American citizenship or living on American soil.

For the other 96% of us, the American legal system offers no protection whatsoever, as far as I'm aware.

This deficiency is not true of all jurisdictions. As far as I can tell from reading articles 1-3 GDPR, the GDPR applies to all processing that takes place within the EU or on behalf of an EU entity, regardless of whether the subject of the data is a citizen or resident of the EU. Same goes for the Swiss data protection act [0].

So as a non-American, I have a choice between services located in a country where I have no legal rights and services located in countries where I do.

This is also all from a security point of view. From a privacy point of view, I know that American companies have essentially free rein over the data I give them. They can monetize it, sell it, train machine learning models with it or do whatever else they please, regardless of whether they have my explicit consent.

Other jurisdictions have privacy protections, so I know I have some basic level of privacy if I choose say a German email provider, while I know I have essentially none if I choose an American one.

Really, as a non-American, I see no reason why I should treat American services as being any better than say Russian or Chinese services. I'm happy to listen if you have any compelling arguments though.

[0]: https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en

I agree with most of what you're saying, and again, I don't want to be taken to have said "you should go out of your way to use US companies". Also, there are other important concerns! If you don't trust how a US company is going to handle your data --- cough Facebook --- you shouldn't use them, no matter what you think NSA is going to do.

But: the protections I'm talking about aren't rights accorded to non-US persons abroad. I agree, you have very few legal protections against the US as a non-US person in (say) Europe. But the US company itself does have protections. It is not lawful for NSA (or the DOJ or CIA or whatever) to hack into Google's servers; on the flip side, it is probably lawful for NSA to have pre-hacked every major information provider and telecom in Europe, if they really wanted to. My point is, if you're overseas, the largest SIGINT agency in the world doesn't even have to ask to get access.

(Obviously, they don't have to ask in the US if they simply ignore the law, but then, if you ignore the law, none of this matters, and everything is up for grabs).

That's fair, I just wanted to explain why "made outside the US" could be a valid selling point.

Regarding hacking Google and ignoring the law, isn't that essentially what PRISM was? Do we have any reason to believe US intelligence will obey the law now?

I do understand your argument but I think we place different levels of confidence in the US legal system. I have zero confidence, so assign it zero value.

I'm not really well-versed on US law, but wouldn't that hacked data not be admissible in court?
That might be true if you are a US person. If you're not, like 95% of mankind, using non-US hosted services lowers the threat. Nobody knows how much, since the answer lies in NSA capabilities.

But as a smart approach, for folks e.g. in Europe, the US is a big no-no if security is a concern.

I don't see how it does; if you're a non-US person using a non-US service, you have essentially no formal legal protections whatsoever from NSA surveillance. A non-US person using a US service at least inherits whatever procedural protections US companies have. I'm not saying it's a meaningful barrier, just that going overseas logically can't gain you protection (unless you're more worried about the Swiss or EU's sigint agencies than you are the NSA).
As a non-US person I'm not concerned about the NSA, it doesn't have a material impact on me, it's not like the NSA orders a black helicopter to snatch me from Germany. I'm worried about corporate use of my data because that stuff can actually realistically leak or be used for ads or whatever else and in this case I have probably better default protections with a Swiss company than with a US based one. (with some exceptions of course, Signal and so on seem trustworthy).
Sure, this makes sense to me.
Though it was a CIA op. That doesn't make everything "Swiss made" suspect (but it clearly impacted the "Swiss made" brand and Zug's reputation).

Switzerland has strict data protection laws, that's why some companies are established there and pushing that branding (also, low taxes).

If your intelligence service let the biggest bank of Switzerland (UBS) buy those products, there is no excuse, and later being proud of the whole thing (as a neutral country) is a shame and a shit stain on our integrity (which is/was more or less the only real quality of Swiss services).
CIA and BND (Bundesnachrichtendienst, the German intelligence service). They actually owned the CryptoAG company. It's become a big political scandal there, with accusations that the Swiss intelligence services knew and deliberately misled their parliament.
Of course some of them knew.
You seem to associate two completely separate things only because they are both incorporated in Switzerland.

Crypto AG (founded in 1952) was part of a secret US/West German government project.

Are you claiming that Andreas Wiebe, Hulbee AG, Swisscows AG are also working for the US government?

Well if they are leaning on the reputation the Swiss as being neutral or otherwise more trustworthy, then it's relevant.
They are neutral and trustworthy. Significantly so.

Nobody is absolutely neutral or always trustworthy. It's an argumentation error to move from "is not completely neutral and has had some issues" to saying "it's all bullshit".

Didn't mean to dismiss them outright. Rather that banking on 'Swiss' as a shortcut isn't wise. Obviously if one does the work to audit those involved or the product/service itself then they can trust it regardless of the marketing.
What does banking have to do with secure messaging? That's a pretty basic strawman argument. For example the US does Blackwater and did MK Ultra on its own citizens, so what?

Banking en Suisse adheres to Swiss laws, which are heavily influenced by EU and US laws these days. If some private company decides to break the law, they will be handled accordingly.

Banking as in "depending upon", not financial services.
I think his association is not far fetched, did you read the post and the Narrative?

Are they not using the "Swiss" brand as a pretext to convey safety and imply security?

OP is pointing out a clear and recent example that "Hey this is Swiss" therefore must be "safe, secure, reliable" is no longer the truth.

The Swiss Government was (at the latter part of the operation) aware and complicit.

https://www.swissinfo.ch/eng/business/no-official-outcry-in-...

Given this precedent, there's good reason to believe it would happen again. There is no reason to believe that the people behind Teleguard today would be in favor, but there is good reason not to become wedded to the service given the risk that it may change hands or be operated similarly to Crypto AG down the road.

There is no indication that the Swiss Government at the high level was aware. Intelligence agencies were aware.

It's important to understand that this was a violation of Swiss neutrality law, and it was not started by the Swiss government or a government agency.

> There is no indication that Swiss Government at the high level was aware. Intelligence agencies were aware.

I'm not seeing how

1. Swiss intelligence is somehow distinct from the Swiss government.

2. this mitigates the risk I described.

Crypto was founded by a Swede and moved to Switzerland because of taxes. The Swiss would hardly think of it as a Swiss company. It's quite easy to set up a company in Switzerland. Few questions are asked. Swiss intelligence knew from 1993 that it was owned by the CIA and BND and did not rely on their machines. It was suspected for a long time that they were not safe. In addition, there are indications that the military already knew in the 70's that it was owned by the CIA, through employees working there. The policy seemed to be observing rather than investigating, so they wouldn't have to stop it. But true, the Swiss should have blocked the whole operation.
I think people underestimate how much of a blow this is for Switzerland
That and the fact that they sold "banking secrecy" to the whole of Europe for the better part of a century only to betray all those promises in the 21st century.
Banking secrecy was removed due to peer pressure from the EU and US, which together form a majority of exports for Switzerland. They just made keeping the secrecy extremely costly in the form of import tariffs on Swiss goods.

Originally intended as a fine example of a government actually caring about the privacy of its own citizens, then heavily misused by local and international banks, it just stopped making sense at one point. It's still somewhat valid for its own citizens and AFAIK residents.

Banking altogether is circa 12% of the Swiss economy, so the fantasy of some folks who read, let's say, alternative news about Switzerland ruining itself by losing banking secrecy didn't pan out. The Swiss economy is much more reliant on tons of small/medium high quality manufacturing companies, or tourism, rather than banking.

There is also this: https://en.wikipedia.org/wiki/Onyx_(interception_system)

> The goal of the system is to monitor both civil and military communications, such as telephone, fax or Internet traffic, carried by satellite.

We all know Swiss products are full of holes.
Only the cheese.