56 comments

[ 0.28 ms ] story [ 115 ms ] thread
This is a very old and well-known case https://en.wikipedia.org/wiki/Crypto_AG
Yes, I was surprised when it resurfaced as news recently, having learned about it last millennium. I'm still not clear about what's new here (apart from the Swiss politics angle).
The political angle is pretty significant, it's basically stating the Swiss intelligence agencies were more loyal to the CIA and BND than their own government.
There is no jail time for such a “crime”.
No, but it's reasonable to expect the Swiss government won't happily continue employing you.
(comment deleted)
Yeah, sure, but why is it coming up 25 years later?
As I understand it, one of the things that was only discovered recently is that the Swiss intelligence services knew about this and kept their own government in the dark.
What's new is that (amongst other things) evidence has come to light proving that they were literally owned by the CIA for most of their operational lifetime
The story was broken in 2015, though only the bare outlines were disclosed then. A much fuller disclosure came a year ago. I would doubt that the general public is aware of it at all.

Dismissing this as "old" and "well known" seems highly inaccurate.

Oh, it's way older than that. Here's a story from 1996: https://www.spiegel.de/politik/wer-ist-der-befugte-vierte-a-...
Suspected, as early as 1986. Confirmed via memo in 2015, exposed in 2020.

Degrees of proof and documentation differ among these.

And this still fails to establish the "well-known" aspect.

>>> This is a very old and well-known case

> Suspected

AFAIK in those circles "suspected" creates a "case", and this one was quite big given the suspect (the US) and the period (before the fall of the USSR).

> as early as 1986

AFAIK in those circles 1986 is, from now, "very old".

"Oh the consequences of my own actions!" -- Jean-Philippe Gaudin, most likely.

I am proud that he has been removed from his position. The initial reaction of my beloved government to this case was not so strong and open as I had hoped, but this is at least a "clear" statement that his betrayal is not tolerated / swept under the carpet.

Now let's hope that this is the end of the drama that "Swiss encryption" has been exposed to and the brand "Swiss neutrality" does not suffer more.

How are the Swiss neutral? Chaotic neutral? They are some of the biggest, corrupt money launderers known the world over?
Oh somehow I expected it to be Threema GmbH but it's still just old, plain Crypto AG.
I'm not sure if this is a joke or a legitimate concern about Threema. Care to elaborate?
from Threema own homepage:

"100% Swiss Made"

"Threema is a true Swiss company hosting its own servers in Switzerland."

After Omnisec AG and Crypto AG, how is anyone falling for that cliché again...

In contrast to Omnisec and Crypto AG with their security by obscurity, the Threema apps are fully open source with reproducible builds: https://threema.ch/en/open-source/
1. Only the client apps are open source, not the server side.

2. https://en.wikipedia.org/wiki/Underhanded_C_Contest

So software coming out of Switzerland should be written off completely?
Good question. I don't know. Personally, a company that (1) works on secure encryption and (2) advertises "100% pure Swiss" is a negative signal.
Proton mail does that, not so sure about the negative signal but there is some merit of using a Swiss company as a honeypot.
No, it should be treated as software coming from any other country.

At this point it’s just silly to brand your security product as Swiss made in hopes of looking more legit. In a sense I see it negative, just like some companies brand their products with buzzwords such as AI and blockchain for no good reason other then to look cool. Makes me suspicious.

I think to the swiss market, branding it as 100% swiss is both reasonable, and a positive point. So, not silly.

And for the international market, probably "swiss" is mostly to be understood as "not american/russian/chinese"

> 1. Only the client apps are open source, not the server side.

This shouldn't matter since you can't check what they are running anyways.

> 2. https://en.wikipedia.org/wiki/Underhanded_C_Contest

This is true for any software. What is the point here?

My point is that selling encryption software as "secure" is a difficult position, since nobody can really guarantee the security, even with open source code.

Therefore the decision to choose a particular "secure" software relies 50% on sound cryptographic practices, and 50% on reputation. Yes, reputation.

Just like I wouldn't use a NSA "secure random" algorithm [1], or a product that advertises 32768 bit key encryption, I wouldn't use a product that advertises "100% pure Swiss security" on its home page. It's a negative reputation signal.

[1] https://en.wikipedia.org/wiki/Dual_EC_DRBG

Fair enough, but it looks like you are misquoting them. They never say anything about "100% pure Swiss security".

Their messaging seems to revolve much more around an anti Silicon Valley proposition where you could substitute Swiss for European.

Is Switzerland actually known to screw these kinds of things up more than other countries?

It is crazy that the only consequence for I'm is to by fired.

I would have hoped that he be sent to justice for treason charges or at least for "nefarious incompetence".

I would guess that for CIA operations, it's pretty non-trivial to prove something. On paper everything probably looked neat, and they likely have some basic set of rules that prevents stuff like discussing treason on twitter from happening. But I agree and NBD should be clever too.
The government does not persecute itself. That is how it is able to continuously break the law.
Government persecuting former officials is a tricky problem, because it‘s hard to strike a balance between

* government officials should be held accountable for legitimate issues of legality

* government officials should not be totally paralyzed by fear of being on the wrong side of the law

* government officials should not be targeted for prosecution by vindictive successors just based on disagreement

Government prosecuting citizens is a tricky problem because:

* citizens should be held accountable for legitimate issues of legality

* citizens should not be totally paralyzed by fear of being on the wrong side of the law

* citizens should not be targeted for prosecution by vindictive bureaucrats just based on disagreement

None of these issues, however, are particular to citizens who happen to also be government officials at the time of the alleged incident provoking the prosecution.

FWIW, the "parliamentary audit committee found that there was no legal grounding for the criminal complaint" against Crypto International (previously Crypto AG)]. https://web.archive.org/web/20201111022708/https://www.swiss...

The audit also found that the "collaboration was in principle in accordance with the law in force." https://web.archive.org/web/20201111085259/https://www.parla... And, notably, that the "fact that this collaboration could have been concealed from the Federal Council for so long also highlights shortcomings in the management and supervision exercised by the latter." "Therefore, the Federal Council bears part of the responsibility that the company Crypto AG has exported 'vulnerable' encryption devices for years."

Switzerland has a somewhat unique structure where the presidency rotates yearly among a seven member Federal Council. I can easily believe that some highly sensitive, long-term intelligence matters (particularly operational matters) were effectively and complicitly shared with the president (not to mention the entire council) only on a need-to-know basis.

The audit report also notes that the intelligence cooperation was, at least initially, to the benefit of Switzerland. IOW, that at inception it would have been not particularly contentious and thus (if my above hypothesis about complicit need-to-know status is correct), arguably something that the intelligence department would have thought within its license.

I would expect the President to always be aware of a close relationship with a foreign intelligence agency and the potential for a situation like Crypto AG, but wouldn't be surprised in this context if such specifics were left unstated. You can see a somewhat similar dynamic in the U.S., where for legitimate reasons the Attorney General is sometimes given license to keep many often explosive matters confidential. The reasons are different, but on the other hand the Swiss Federal Council has unique characteristics from an intelligence perspective. Certainly in both cases it would be typically be understood that the President still controls policy by their selection of and delegation to department officials. Which is what the audit report seems to be getting at--that the Federal Council may have been delegating too much, hypocritical in its astonishment.

In general, though, I agree that government agents are given too much benefit of a doubt. See, e.g., qualified immunity. We all live under the thumb of the law. Rightly so. Some amount of anxiety and fear are a natural consequence, and we don't normally consider that fact alone excessively burdensome--at least, not when we're talking about other people, especially people with whom we don't identify.

> The government does not persecute itself

Government isn’t supposed to persecute anybody.

(Prosecute is a different issue.)

Guess it's sort of post cold war operation gladio
Gladio and Echelon are almost forgotten, even Snowden's revelations lose effect.
I guess intelligence and military intelligence live in their own worlds and are above the laymen's world. Back in the 70s and 80s even most politicians didn't know about Gladio, regardless of their political stand (left or right). If you are not proved to be one of them, you won't even hear about it.
I was surprised to learn Switzerland even had a spy agency.
The real news here is the crumbling facade of neutrality and trust that the Swiss have for a while now been allowing to crumble and run right through their fingers. They are playing with fire in many ways, especially since much of their soft defences have also eroded.
> The real news here is the crumbling facade of neutrality and trust that the Swiss have for a while now been allowing to crumble and run right through their fingers.

What else except the Crypto AG case is there? And if it is just Crypto AG it seems folish to assume that a company is good just because it originated in a certain country. But Switzerland still seems like a fairly easy country to deal with.

Rather than rehash all this here, there are a lot of posts about ProtonMail and the foundational claims they make about being a company operated out of Switzerland. I'd suggest reading those critiques. The process of becoming a surveillance state is a slow one, you don't just wake up with government operated/connected cameras on every corner.

Apparently rehashing is what we want to do. Here's some links:

Switzerland's laws are the foundation of ProtonMail: https://protonmail.com/blog/switzerland/

ProtonMail must comply with Swiss law, regardless of what people think, and as Switzerland progressively becomes surveillance state it will have to comply more: https://www.securityweek.com/protonmail-accused-voluntarily-...

This post on Reddit sums up, fairly well, what I usually hear from privacy interested users of ProtonMail: https://www.reddit.com/r/ProtonMail/comments/49u8vy/protonma...

For some more direct points: https://privacy-watchdog.io/truth-about-protonmail/

While it may not be immediately obvious, if you follow each of these points they connect back to compliance in some way

> Rather than rehash all this here, there are a lot of posts about ProtonMail and the foundational claims they make about being a company operated out of Switzerland. I'd suggest reading those critiques.

Looking at the top ten posts on HN about ProtonMail does not give any such articles or top comments. So at least a link would be nice.

> The process of becoming a surveillance state is a slow one, you don't just wake up with government operated/connected cameras on every corner.

Can you give any indication that this is more of an issue in Switzerland compared to other countries?

This is very vague and looks like it is more of a critique of ProtonMail instead of Switzerland as a whole.

I'm a paying ProtonMail user, so no, not really a critique of ProtonMail.

Switzerland's laws are the foundation of ProtonMail: https://protonmail.com/blog/switzerland/

ProtonMail must comply with Swiss law, regardless of what people think, and as Switzerland progressively becomes surveillance state it will have to comply more: https://www.securityweek.com/protonmail-accused-voluntarily-...

This post on Reddit sums up, fairly well, what I usually hear from privacy interested users of ProtonMail: https://www.reddit.com/r/ProtonMail/comments/49u8vy/protonma...

For some more direct points: https://privacy-watchdog.io/truth-about-protonmail/

While it may not be immediately obvious, if you follow each of these points they connect back to compliance in some way.

I would need more credible evidence. For example,

> https://privacy-watchdog.io/truth-about-protonmail/

Skimming through it, it displays a lot of ignorance which undermines its credibility for me, and the credibility of the other evidence. As examples, these statements seem to lack understanding of the technology:

> Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary.

> Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires.

> Subject and metadata encryption are not difficult to provide.

Switzerland has long been something of a playground for spies because of it's neutrality. Their intelligence agency basically ignoring what US and German spies were doing won't change the opinion of those in power, and the public opinion of their neutrality has already been tainted by Nazi gold.
> public opinion of their neutrality has already been tainted by Nazi gold.

For someone looking for a jurisdiction to turn a blind-eye, Switzerland's complicity wrt Nazi plunder is a definite pro, not a con. As far public sentiment is concerned, that's what "neutrality" implies, not the legalist meaning that often requires a neutral party to affirmatively reject such dealings.

This is bad for the image of Switzerland. How can you trust them with security sensitive issues ever again?
I think you're overreacting. If the Snowden leaks thought us anything, is that countries can spy on other countries and their own citizens and eventually most people will forget about it.

Same with this story. Eventually, people will forget about it ever happening, and everyone will have the same view of Switzerland as they had before.

Why would you have trusted them before?