Tutanota team here, we saw this post and need to share our view as well:
We apologized on Reddit that this post was perceived as an attack on ProtonMail. This was not our intention, but we do see now that the original blog post could be read as such and we are sorry about this. The real aim of the post was to stress the fact that Swiss Privacy is as good as German Privacy, but the way it was written did not make this clear.
That's why we have updated our blog post as follows:
1. We have removed the mention of ProtonMail in the original post.
2. We have included a conclusion that Swiss Privacy laws are good, and very similar to German privacy laws.
We hope that this settles the issue; in the end Proton and us are in the same fight against Big Tech as well as state surveillance and must work together to achieve more privacy for everyone!
---
*Why this post on Swiss Privacy?*
We'd also like to explain why we published the post on Swiss Privacy in the first place.
Some Swiss companies like to stress that their level of privacy is better than the competition because they are *based in Switzerland*. However, ProtonMail even claims that Tuta Mail is less private stating "Tutanota is based in Germany, which is one of the Fourteen Eyes intelligence-sharing countries" (quoted from the Proton website) or even suggesting that Tuta email could be accessible to the NSA (which is wrong): "Tutanota emails are protected by the German Federal Data Protection Act, which prohibits the use of personal data without permission absent a court order. However, Tutanota is based in Germany, which is a member of the SIGINT Seniors of Europe (SSEUR) intelligence-sharing alliance which intelligence agencies such as the NSA." (quoted from the Proton website)
*But our original post is about Swiss Privacy, so let's look at these facts.*
> On their blog Proton says "Claims such as 'Switzerland also has warrantless surveillance'" making it look like we've made this claim.
Please read the Tuta blog post carefully: *We never made that claim.*
All we said was that Swiss Privacy is no better - or as good as - for instance German Privacy because Switzerland - just like any country shares data with other countries. *Yes, a Swiss warrant is needed for Proton to hand out any data to foreign authorities, but the same is true for Germany where a German warrant is required.*
> Proton also says that "Tuta makes the completely unsubstantiated claim that “if you are connecting to a Swiss-based service like Proton from outside of Switzerland your data is being actively collected and shared with other intelligence agencies around the world”. Not only is this completely speculative, but there is also no basis to claim that this is an issue specific to Switzerland."
*Correct, this is not specific to Switzerland and that was exactly the point that we were making. In addition, we do back up the claim with evidence and cite our sources:*
1. In reference to the assertion that Switzerland regularly works with the US and UK intelligence agencies we cite [Reuters](pgeorgi↗
The "look how Swiss we are" meme died when Crypto AG was exposed as a BND/CIA front shipping deliberately weakened crypto to "bloc-free" countries.
That doesn't mean that they're (plural, because Threema is also milking its Switzerland-based operation for all it's worth) worse than non-Swiss providers but if that's your main selling point, it's not really a selling point at all.
Yes, I have some Swiss friends who wish I would use Threema, I politely declined and we've agreed to use Signal. After a while it becomes difficult to distinguish the difference between these applications with the noteable exception of WhatsApp which is owned by Meta who I absolutely don't trust.
(Disclaimer: This is not at all meant as a negative against Tutanota/ProtonMail/et all.)
```We have included a conclusion that Swiss Privacy laws are good, and very similar to German privacy laws.```
This is weird to me in that these are laws of man, and therefore ignorable or lopphole-able by other humans if they can. Usually, by sneaky buggers in the intelligence agencies. It is, after all, their job.
Rather, I would want the standard to be something akin `Our laws do not force weakening of efforts to establish and maintain privacy.` which is to mean no meddling in E2EE, forcing VPN providers to keep logs, etc.
The original version of this blog post included information on the encryption in Tuta Mail and ProtonMail which we took out because it had nothing to do with the actual topic of the post.
I wouldn't be too surprised if any other "sphere" also has its Swiss front to sell neutral tech that totally doesn't support the mothership.
Switzerland is relatively consistent in offering equal treatment, so maybe it'll eventually turn out that some outlet or another is controlled and manipulated in sinister ways by China, India, or maybe the Vatican or Bhutan.
Proton lost my trust when every time you open their webmail they shove PLEASE UPGRADE TO A BETTER PLAN in your face or YOU CAN NOW HAVE PROTON VPN AND PROTON DRIVE FOR $9 PER MONTH if you have the free plan.
It's a very sketchy behavior for a company that says they care about your privacy.
>Switzerland isn't special, they're in the NATO sphere of influence and (behind the scene) can't say no to big brother.
As you can read the owner was the CIA and the BND [1] and NOT FIS. BUT:
>>According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying".
[1]The company was secretly purchased for US $5.75 million and jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993.
This case in fact proves that we provide privacy by default, as it shows that no legal request can bypass the encryprion we provide. The email content (including attachments, calendars, files on Proton Drive and items on Proton Pass) stored encrypted on our servers remains inaccessible to us due to zero-access architecture we use ( https://proton.me/blog/zero-access-encryption ), and therefore, we are not able to share it with any third-parties in an unencrypted form.
We are a team of former astrophysicists from NASA, which makes us the most qualified people to operate email infrastructure.
Our infrastructure operates from Panama, a jurisdiction well-known for its secrecy.
Soon we will also introduce QuasarVPN and other sciency-sounding privacy things, with privacy, from your privacy-loving friends at BlackHoleMail.
23 comments
[ 4.3 ms ] story [ 60.9 ms ] threadWe apologized on Reddit that this post was perceived as an attack on ProtonMail. This was not our intention, but we do see now that the original blog post could be read as such and we are sorry about this. The real aim of the post was to stress the fact that Swiss Privacy is as good as German Privacy, but the way it was written did not make this clear.
That's why we have updated our blog post as follows:
1. We have removed the mention of ProtonMail in the original post.
2. We have included a conclusion that Swiss Privacy laws are good, and very similar to German privacy laws.
We hope that this settles the issue; in the end Proton and us are in the same fight against Big Tech as well as state surveillance and must work together to achieve more privacy for everyone!
---
*Why this post on Swiss Privacy?*
We'd also like to explain why we published the post on Swiss Privacy in the first place.
Some Swiss companies like to stress that their level of privacy is better than the competition because they are *based in Switzerland*. However, ProtonMail even claims that Tuta Mail is less private stating "Tutanota is based in Germany, which is one of the Fourteen Eyes intelligence-sharing countries" (quoted from the Proton website) or even suggesting that Tuta email could be accessible to the NSA (which is wrong): "Tutanota emails are protected by the German Federal Data Protection Act, which prohibits the use of personal data without permission absent a court order. However, Tutanota is based in Germany, which is a member of the SIGINT Seniors of Europe (SSEUR) intelligence-sharing alliance which intelligence agencies such as the NSA." (quoted from the Proton website)
Proton continues this story after the publication of our blog post on their [subreddit](https://www.reddit.com/r/ProtonMail/comments/18ninzh/is_this...) and on their blog: Proton makes it look like we are spreading fake news and blaming us of unfair competition. What is more Proton wrongly [claims that there is a vulnerability in our encryption](https://www.reddit.com/r/tutanota/comments/18nob4c/i_sincere...).
*But our original post is about Swiss Privacy, so let's look at these facts.*
> On their blog Proton says "Claims such as 'Switzerland also has warrantless surveillance'" making it look like we've made this claim.
Please read the Tuta blog post carefully: *We never made that claim.*
All we said was that Swiss Privacy is no better - or as good as - for instance German Privacy because Switzerland - just like any country shares data with other countries. *Yes, a Swiss warrant is needed for Proton to hand out any data to foreign authorities, but the same is true for Germany where a German warrant is required.*
> Proton also says that "Tuta makes the completely unsubstantiated claim that “if you are connecting to a Swiss-based service like Proton from outside of Switzerland your data is being actively collected and shared with other intelligence agencies around the world”. Not only is this completely speculative, but there is also no basis to claim that this is an issue specific to Switzerland."
*Correct, this is not specific to Switzerland and that was exactly the point that we were making. In addition, we do back up the claim with evidence and cite our sources:*
1. In reference to the assertion that Switzerland regularly works with the US and UK intelligence agencies we cite [Reuters]( pgeorgi ↗ The "look how Swiss we are" meme died when Crypto AG was exposed as a BND/CIA front shipping deliberately weakened crypto to "bloc-free" countries. dano ↗ Yes, I have some Swiss friends who wish I would use Threema, I politely declined and we've agreed to use Signal. After a while it becomes difficult to distinguish the difference between these applications with the noteable exception of WhatsApp which is owned by Meta who I absolutely don't trust. Observer3082 ↗ Threema is a hell lot sketchy. rumori ↗ Who are “some Swiss companies” exactly? T3OU-736 ↗ (Disclaimer: This is not at all meant as a negative against Tutanota/ProtonMail/et all.) Tutanota ↗ The Proton post by OP was a rebuttal against our blog post on "The Illusion Of "Swiss Privacy" Being The Best": https://tuta.com/blog/swiss-privacy-is-an-illusion
That doesn't mean that they're (plural, because Threema is also milking its Switzerland-based operation for all it's worth) worse than non-Swiss providers but if that's your main selling point, it's not really a selling point at all.
```We have included a conclusion that Swiss Privacy laws are good, and very similar to German privacy laws.```
This is weird to me in that these are laws of man, and therefore ignorable or lopphole-able by other humans if they can. Usually, by sneaky buggers in the intelligence agencies. It is, after all, their job.
Rather, I would want the standard to be something akin `Our laws do not force weakening of efforts to establish and maintain privacy.` which is to mean no meddling in E2EE, forcing VPN providers to keep logs, etc.
The original version of this blog post included information on the encryption in Tuta Mail and ProtonMail which we took out because it had nothing to do with the actual topic of the post.
Exhibit A your honor: https://en.wikipedia.org/wiki/Crypto_AG
I have a Proton account by the way, but I'm not under the illusion that my emails are safe from 3 letter agencies.
Switzerland is relatively consistent in offering equal treatment, so maybe it'll eventually turn out that some outlet or another is controlled and manipulated in sinister ways by China, India, or maybe the Vatican or Bhutan.
Absolutely correct.
Nor are they safe from the Swiss government either.
It's a very sketchy behavior for a company that says they care about your privacy.
As you can read the owner was the CIA and the BND [1] and NOT FIS. BUT:
>>According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying".
[1]The company was secretly purchased for US $5.75 million and jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993.
I’m not under any illusion that there’s any “Swiss exceptionalism” when it comes to privacy.
https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
We are a team of former astrophysicists from NASA, which makes us the most qualified people to operate email infrastructure. Our infrastructure operates from Panama, a jurisdiction well-known for its secrecy.
Soon we will also introduce QuasarVPN and other sciency-sounding privacy things, with privacy, from your privacy-loving friends at BlackHoleMail.