The Swiss authorities are planning to revise the Data Protection Act in keeping with modern technology and means of communication.
Some proposals would require service providers to record and release client data. Others would allow the government to install Trojan viruses on computers and use mobile phone network data to ease dragnet investigations.
The concept goes too far, according to the Swiss platform Digitale Gesellschaft – or “digital society”, which warns of risks if private information lands in the wrong hands. swissinfo.ch spoke to lawyer Victor Györffy from the organisation Grundrechte.ch (fundamental rights), a member of Digitale Gesellschaft.
swissinfo.ch: You have issued a warning about a proposal from the Swiss government, which wants to monitor the internet more closely.
Viktor Györffy: The federal government has proposed a number of innovations related to the surveillance of criminal proceedings. In some areas it veers towards the total surveillance of citizens. In other countries, data retention has triggered a very heated debate. This has already been the case in Switzerland and the debates will now be expanded.
swissinfo.ch: What does it mean if data is stored for longer?
V.G.: Let's take the example of a mobile phone. The proposal to revise the current surveillance law would allow the authorities to note the direction of the antenna. That way you could determine more precisely where a person was during a conversation and where they went.
Another proposal would have investigators asking telephone providers to give them the data of everybody who had moved within a network cell at a specific time. That would be a kind of retrospective computer search via mobile phone.
swissinfo.ch: But as an ordinary citizen I can say I don’t care what they do with my information; I have nothing to hide – I'm not doing anything illegal.
V.G.: The problem is that it stores the data of all citizens. So my data is recorded, regardless of whether I have done something illegal or not. It puts me under general suspicion, so to speak.
If I have a conversation via a Swisscom antenna, and six months later, the authorities are trying to pinpoint who was on the phone in that network at that time, then suddenly I could find myself in the middle of a dragnet investigation.
swissinfo.ch: What sort of dangers could arise from the government proposals?
V.G.: We communicate more and more via digital channels. This leaves an increasing number of data trails. If you collect this data, it is easy to create a profile of an individual’s actions. You can glean information about a person’s communication behaviour: with whom and when they communicate and how, as well as the content if that is saved, too.
swissinfo.ch: But do you have to worry about it if you are not doing anything unlawful?
V.G.: People accept [reduced privacy] as part of technological innovation, but that is only one side of the coin. The other is that more and more of our communication data is being gathered: email when something is downloading from a website, but also other forms of communication such as chat forums, Skype and similar services.
More data has been collected over the past few years – for example, the IP number of the computer you use to get online. Or details regarding the sender and recipient, as well as the subject line and other information. The authorities want to require more parties to provide data – not just mobile telephony operators and internet providers – basically anybody offering some kind of service on the internet. The idea is that they would be obliged to either store the information or send it directly to the prosecuting authorities in the event of an investigation.
swissinfo.ch: So would internet-based Skype have to record the conversations it hosts or just the addresses involved?
V. G.: Different levels are conceivable here. To start with you could record the boundary data and draw some conclusions about who is talking to whom.
Verbal communication services such as Skype are encrypted, so it is not easy for the authorities to determine who is speaking. And the content cannot be recorded without prior notice.
However, this would be possible to a degree if one analyses the incoming data stream through the internet.
In an effort to block unmonitored digital communication, it has been suggested that the state place Trojan viruses on computers so that data could be recorded on the spot. This goes too far! It would be a drastic invasion of privacy.
On your PC you store photos, addresses, files with letters and the like. If the government gets access to your computer via a virus, then this data is open to the authorities. It can record everything you type on the keyboard as well as everything that appears on the monitor, not to mention the whole hard disk.
swissinfo.ch: But surely this applies only to persons who are suspected of wrongdoing? The government said that Trojan viruses would be placed only in the context of criminal proceedings.
V.G.: But even an innocent person could be a suspect. Therefore we reject this proposal.
Switzerland’s Data Protection Act may be revised following an independent evaluation of its effectiveness and efficiency.
"In view of the rapid pace of development in the area of communication technologies, there is a need for greater transparency in the processing of personal data,” according to a statement summing up the Swiss data protection commissioner’s annual report, which was published in June.
“Data protection principles must be included in all projects and taken into account from the very outset (privacy by default).”
The evaluation, commissioned by the Federal Justice Office, is to be completed this year.
The report says the data protection commissioner, Hanspeter Thür, had handled a large number of data protection cases over the year relating to new technologies.
One issue of concern is so-called evercookies, which are virtually impossible to remove from a browser. The commissioner is monitoring the implementation of a European Union e-privacy directive which provides an opt-in clause for cookies.
The report says the Federal Data Protection Office had received a large number of enquiries about the introduction of a new health insurance card, which had “clearly unsettled” the population.
In compliance with the JTI standards