Yes, I was surprised when it resurfaced as news recently, having learned about it last millennium. I'm still not clear about what's new here (apart from the Swiss politics angle).
The political angle is pretty significant, it's basically stating the Swiss intelligence agencies were more loyal to the CIA and BND than their own government.
As I understand it, one of the things that was only discovered recently is that the Swiss intelligence services knew about this and kept their own government in the dark.
What's new is that (amongst other things) evidence has come to light proving that they were literally owned by the CIA for most of their operational lifetime
The story was broken in 2015, though only the bare outlines were disclosed then. A much fuller disclosure came a year ago. I would doubt that the general public is aware of it at all.
Dismissing this as "old" and "well known" seems highly inaccurate.
Crypto AG had already earlier been accused of rigging its machines in collusion with intelligence agencies ((...)) Suspicions of this collusion were aroused in 1986
AFAIK in those circles "suspected" creates a "case", and this one was quite big given the suspect (the US) and the period (before the fall of the USSR).
> as early as 1986
AFAIK in those circles 1986 is, from now, "very old".
"Oh the consequences of my own actions!" -- Jean-Philippe Gaudin, most likely.
I am proud that he has been removed from his position. The initial reaction of my beloved government to this case was not so strong and open as I had hoped, but this is at least a "clear" statement that his betrayal is not tolerated / swept under the carpet.
Now let's hope that this is the end of the drama that "Swiss encryption" has been exposed to and the brand "Swiss neutrality" does not suffer more.
In contrast to Omnisec and Crypto AG with their security by obscurity, the Threema apps are fully open source with reproducible builds: https://threema.ch/en/open-source/
No, it should be treated as software coming from any other country.
At this point it’s just silly to brand your security product as Swiss made in hopes of looking more legit. In a sense I see it negative, just like some companies brand their products with buzzwords such as AI and blockchain for no good reason other then to look cool. Makes me suspicious.
My point is that selling encryption software as "secure" is a difficult position, since nobody can really guarantee the security, even with open source code.
Therefore the decision to choose a particular "secure" software relies 50% on sound cryptographic practices, and 50% on reputation. Yes, reputation.
Just like I wouldn't use a NSA "secure random" algorithm [1], or a product that advertises 32768 bit key encryption, I wouldn't use a product that advertises "100% pure Swiss security" on its home page. It's a negative reputation signal.
I would guess that for CIA operations, it's pretty non-trivial to prove something. On paper everything probably looked neat, and they likely have some basic set of rules that prevents stuff like discussing treason on twitter from happening. But I agree and NBD should be clever too.
"According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying""
Government prosecuting citizens is a tricky problem because:
* citizens should be held accountable for legitimate issues of legality
* citizens should not be totally paralyzed by fear of being on the wrong side of the law
* citizens should not be targeted for prosecution by vindictive bureaucrats just based on disagreement
None of these issues, however, are particular to citizens who happen to also be government officials at the time of the alleged incident provoking the prosecution.
The audit also found that the "collaboration was in principle in accordance with the law in force." https://web.archive.org/web/20201111085259/https://www.parla... And, notably, that the "fact that this collaboration could have been concealed from the Federal Council for so long also highlights shortcomings in the management and supervision exercised by the latter." "Therefore, the Federal Council bears part of the responsibility that the company Crypto AG has exported 'vulnerable' encryption devices for years."
Switzerland has a somewhat unique structure where the presidency rotates yearly among a seven member Federal Council. I can easily believe that some highly sensitive, long-term intelligence matters (particularly operational matters) were effectively and complicitly shared with the president (not to mention the entire council) only on a need-to-know basis.
The audit report also notes that the intelligence cooperation was, at least initially, to the benefit of Switzerland. IOW, that at inception it would have been not particularly contentious and thus (if my above hypothesis about complicit need-to-know status is correct), arguably something that the intelligence department would have thought within its license.
I would expect the President to always be aware of a close relationship with a foreign intelligence agency and the potential for a situation like Crypto AG, but wouldn't be surprised in this context if such specifics were left unstated. You can see a somewhat similar dynamic in the U.S., where for legitimate reasons the Attorney General is sometimes given license to keep many often explosive matters confidential. The reasons are different, but on the other hand the Swiss Federal Council has unique characteristics from an intelligence perspective. Certainly in both cases it would be typically be understood that the President still controls policy by their selection of and delegation to department officials. Which is what the audit report seems to be getting at--that the Federal Council may have been delegating toomuch, hypocritical in its astonishment.
In general, though, I agree that government agents are given too much benefit of a doubt. See, e.g., qualified immunity. We all live under the thumb of the law. Rightly so. Some amount of anxiety and fear are a natural consequence, and we don't normally consider that fact alone excessively burdensome--at least, not when we're talking about other people, especially people with whom we don't identify.
I guess intelligence and military intelligence live in their own worlds and are above the laymen's world. Back in the 70s and 80s even most politicians didn't know about Gladio, regardless of their political stand (left or right). If you are not proved to be one of them, you won't even hear about it.
The real news here is the crumbling facade of neutrality and trust that the Swiss have for a while now been allowing to crumble and run right through their fingers. They are playing with fire in many ways, especially since much of their soft defences have also eroded.
> The real news here is the crumbling facade of neutrality and trust that the Swiss have for a while now been allowing to crumble and run right through their fingers.
What else except the Crypto AG case is there?
And if it is just Crypto AG it seems folish to assume that a company is good just because it originated in a certain country. But Switzerland still seems like a fairly easy country to deal with.
Rather than rehash all this here, there are a lot of posts about ProtonMail and the foundational claims they make about being a company operated out of Switzerland. I'd suggest reading those critiques. The process of becoming a surveillance state is a slow one, you don't just wake up with government operated/connected cameras on every corner.
Apparently rehashing is what we want to do. Here's some links:
> Rather than rehash all this here, there are a lot of posts about ProtonMail and the foundational claims they make about being a company operated out of Switzerland. I'd suggest reading those critiques.
Looking at the top ten posts on HN about ProtonMail does not give any such articles or top comments. So at least a link would be nice.
> The process of becoming a surveillance state is a slow one, you don't just wake up with government operated/connected cameras on every corner.
Can you give any indication that this is more of an issue in Switzerland compared to other countries?
This is very vague and looks like it is more of a critique of ProtonMail instead of Switzerland as a whole.
Skimming through it, it displays a lot of ignorance which undermines its credibility for me, and the credibility of the other evidence. As examples, these statements seem to lack understanding of the technology:
> Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary.
> Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires.
> Subject and metadata encryption are not difficult to provide.
Switzerland has long been something of a playground for spies because of it's neutrality. Their intelligence agency basically ignoring what US and German spies were doing won't change the opinion of those in power, and the public opinion of their neutrality has already been tainted by Nazi gold.
> public opinion of their neutrality has already been tainted by Nazi gold.
For someone looking for a jurisdiction to turn a blind-eye, Switzerland's complicity wrt Nazi plunder is a definite pro, not a con. As far public sentiment is concerned, that's what "neutrality" implies, not the legalist meaning that often requires a neutral party to affirmatively reject such dealings.
I think you're overreacting. If the Snowden leaks thought us anything, is that countries can spy on other countries and their own citizens and eventually most people will forget about it.
Same with this story. Eventually, people will forget about it ever happening, and everyone will have the same view of Switzerland as they had before.
56 comments
[ 0.28 ms ] story [ 115 ms ] threadDismissing this as "old" and "well known" seems highly inaccurate.
See https://en.wikipedia.org/wiki/Crypto_AG#Compromised_machines
Excerpt:
Crypto AG had already earlier been accused of rigging its machines in collusion with intelligence agencies ((...)) Suspicions of this collusion were aroused in 1986
Degrees of proof and documentation differ among these.
And this still fails to establish the "well-known" aspect.
> Suspected
AFAIK in those circles "suspected" creates a "case", and this one was quite big given the suspect (the US) and the period (before the fall of the USSR).
> as early as 1986
AFAIK in those circles 1986 is, from now, "very old".
I am proud that he has been removed from his position. The initial reaction of my beloved government to this case was not so strong and open as I had hoped, but this is at least a "clear" statement that his betrayal is not tolerated / swept under the carpet.
Now let's hope that this is the end of the drama that "Swiss encryption" has been exposed to and the brand "Swiss neutrality" does not suffer more.
"100% Swiss Made"
"Threema is a true Swiss company hosting its own servers in Switzerland."
After Omnisec AG and Crypto AG, how is anyone falling for that cliché again...
2. https://en.wikipedia.org/wiki/Underhanded_C_Contest
At this point it’s just silly to brand your security product as Swiss made in hopes of looking more legit. In a sense I see it negative, just like some companies brand their products with buzzwords such as AI and blockchain for no good reason other then to look cool. Makes me suspicious.
And for the international market, probably "swiss" is mostly to be understood as "not american/russian/chinese"
This shouldn't matter since you can't check what they are running anyways.
> 2. https://en.wikipedia.org/wiki/Underhanded_C_Contest
This is true for any software. What is the point here?
Therefore the decision to choose a particular "secure" software relies 50% on sound cryptographic practices, and 50% on reputation. Yes, reputation.
Just like I wouldn't use a NSA "secure random" algorithm [1], or a product that advertises 32768 bit key encryption, I wouldn't use a product that advertises "100% pure Swiss security" on its home page. It's a negative reputation signal.
[1] https://en.wikipedia.org/wiki/Dual_EC_DRBG
Their messaging seems to revolve much more around an anti Silicon Valley proposition where you could substitute Swiss for European.
Is Switzerland actually known to screw these kinds of things up more than other countries?
> Threema, die «Antithese des Silicon Valley-Modells»
https://www.srf.ch/news/wirtschaft/whatsapp-alternative-thre...
I would have hoped that he be sent to justice for treason charges or at least for "nefarious incompetence".
https://en.wikipedia.org/wiki/Crypto_AG
* government officials should be held accountable for legitimate issues of legality
* government officials should not be totally paralyzed by fear of being on the wrong side of the law
* government officials should not be targeted for prosecution by vindictive successors just based on disagreement
* citizens should be held accountable for legitimate issues of legality
* citizens should not be totally paralyzed by fear of being on the wrong side of the law
* citizens should not be targeted for prosecution by vindictive bureaucrats just based on disagreement
None of these issues, however, are particular to citizens who happen to also be government officials at the time of the alleged incident provoking the prosecution.
The audit also found that the "collaboration was in principle in accordance with the law in force." https://web.archive.org/web/20201111085259/https://www.parla... And, notably, that the "fact that this collaboration could have been concealed from the Federal Council for so long also highlights shortcomings in the management and supervision exercised by the latter." "Therefore, the Federal Council bears part of the responsibility that the company Crypto AG has exported 'vulnerable' encryption devices for years."
Switzerland has a somewhat unique structure where the presidency rotates yearly among a seven member Federal Council. I can easily believe that some highly sensitive, long-term intelligence matters (particularly operational matters) were effectively and complicitly shared with the president (not to mention the entire council) only on a need-to-know basis.
The audit report also notes that the intelligence cooperation was, at least initially, to the benefit of Switzerland. IOW, that at inception it would have been not particularly contentious and thus (if my above hypothesis about complicit need-to-know status is correct), arguably something that the intelligence department would have thought within its license.
I would expect the President to always be aware of a close relationship with a foreign intelligence agency and the potential for a situation like Crypto AG, but wouldn't be surprised in this context if such specifics were left unstated. You can see a somewhat similar dynamic in the U.S., where for legitimate reasons the Attorney General is sometimes given license to keep many often explosive matters confidential. The reasons are different, but on the other hand the Swiss Federal Council has unique characteristics from an intelligence perspective. Certainly in both cases it would be typically be understood that the President still controls policy by their selection of and delegation to department officials. Which is what the audit report seems to be getting at--that the Federal Council may have been delegating too much, hypocritical in its astonishment.
In general, though, I agree that government agents are given too much benefit of a doubt. See, e.g., qualified immunity. We all live under the thumb of the law. Rightly so. Some amount of anxiety and fear are a natural consequence, and we don't normally consider that fact alone excessively burdensome--at least, not when we're talking about other people, especially people with whom we don't identify.
Government isn’t supposed to persecute anybody.
(Prosecute is a different issue.)
What else except the Crypto AG case is there? And if it is just Crypto AG it seems folish to assume that a company is good just because it originated in a certain country. But Switzerland still seems like a fairly easy country to deal with.
Apparently rehashing is what we want to do. Here's some links:
Switzerland's laws are the foundation of ProtonMail: https://protonmail.com/blog/switzerland/
ProtonMail must comply with Swiss law, regardless of what people think, and as Switzerland progressively becomes surveillance state it will have to comply more: https://www.securityweek.com/protonmail-accused-voluntarily-...
This post on Reddit sums up, fairly well, what I usually hear from privacy interested users of ProtonMail: https://www.reddit.com/r/ProtonMail/comments/49u8vy/protonma...
For some more direct points: https://privacy-watchdog.io/truth-about-protonmail/
While it may not be immediately obvious, if you follow each of these points they connect back to compliance in some way
Looking at the top ten posts on HN about ProtonMail does not give any such articles or top comments. So at least a link would be nice.
> The process of becoming a surveillance state is a slow one, you don't just wake up with government operated/connected cameras on every corner.
Can you give any indication that this is more of an issue in Switzerland compared to other countries?
This is very vague and looks like it is more of a critique of ProtonMail instead of Switzerland as a whole.
Switzerland's laws are the foundation of ProtonMail: https://protonmail.com/blog/switzerland/
ProtonMail must comply with Swiss law, regardless of what people think, and as Switzerland progressively becomes surveillance state it will have to comply more: https://www.securityweek.com/protonmail-accused-voluntarily-...
This post on Reddit sums up, fairly well, what I usually hear from privacy interested users of ProtonMail: https://www.reddit.com/r/ProtonMail/comments/49u8vy/protonma...
For some more direct points: https://privacy-watchdog.io/truth-about-protonmail/
While it may not be immediately obvious, if you follow each of these points they connect back to compliance in some way.
> https://privacy-watchdog.io/truth-about-protonmail/
Skimming through it, it displays a lot of ignorance which undermines its credibility for me, and the credibility of the other evidence. As examples, these statements seem to lack understanding of the technology:
> Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary.
> Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires.
> Subject and metadata encryption are not difficult to provide.
For someone looking for a jurisdiction to turn a blind-eye, Switzerland's complicity wrt Nazi plunder is a definite pro, not a con. As far public sentiment is concerned, that's what "neutrality" implies, not the legalist meaning that often requires a neutral party to affirmatively reject such dealings.
Same with this story. Eventually, people will forget about it ever happening, and everyone will have the same view of Switzerland as they had before.