A question we often get asked is, Why is ProtonMail based in Switzerland and are there any real advantages?
We believe there are and in this article, we will share why. The first thing that comes to mind is that Switzerland is outside of US and EU jurisdiction. Unless you host your servers on a boat in international waters, you will need to be under some legal jurisdiction and in the post-Lavabit environment, this choice is particularly important. A common misconception is that the EU offers more legal protection than the US, but many of the same surveillance directives that exist in US law also have EU counterparts, in particular, German law may actually offer less legal protection than American law.
Switzerland however, is NOT part of the EU (a fact they like to remind the EU of every once in a while), and Switzerland applies a very different set of privacy laws. In the US and EU, gag orders can be issued to prevent an individual from knowing they are being investigated or under surveillance. While these type of orders also exist in Switzerland, the prosecutors have an obligation to notify the target of surveillance as soon as possible, and the target has an opportunity to appeal in court. There are no such things as National Security Letters and all surveillance requests MUST go through the courts (this is not the case in Germany). Furthermore, while Switzerland is party to international assistance treaties, such requests for information must hold up under Swiss law which has much stricter privacy provisions.
Nearly every country in the world has laws governing lawful interception of electronic communications. In Switzerland, these regulations are set out in the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTT) last revised in 2012. In the SPTT, the obligation to provide the technical means for lawful interception is imposed only on Internet access providers, so ProtonMail, as a mere Internet application provider, is completely exempt from the SPTT’s scope of application. This means that under Swiss law, ProtonMail CANNOT be compelled to backdoor our secure email system. Furthermore, any attempt to extend the SPTT will inevitably fail because the Swiss public is strongly opposed to any extension and an extension could be subject to a public referendum.
This combination of factors means that a Lavabit like situation cannot occur with ProtonMail. However, ProtonMail has taken the Lavabit concept one step further and actually does not even possess the keys required to decrypt user data. As a result, even if ProtonMail was forced to turn over all our computer systems, user data is still safe.
We believe that comprehensive security can only be achieved through a combination of technology and legal protections and Switzerland provides the optimal combination of both. By coupling Switzerland advanced IT infrastructure with its unique legal environment, ProtonMail can deliver a service that is both reliable and secure.