Is ProtonMail's legal jurisdiction really Switzerland?

If @ProtonMail is incorporated in California, even though there may be other international incorporated pieces of the company, and that's where at least some of the employees are located, why do they think the server location of Switzerland matters?



To me the ProtonMail situation is different from some of their competitors, such as @Tutanota, where all of their employees and servers are located together in Germany.

If the FBI shows up in California with a subpoena or some other legitimate order to do something, what happens next?

The following is a quote from a lawyer that has not spent a lot of time researching ProntonMail's specific situation. I intend for the quote to be used to help get the discussion going and generate additional questions.

This is an ambiguous question, it depends upon many different factors and what they mean by “being safe”. For example, it depends upon the country. Can the US go into another country and seize something – NO. Can they cooperate with the other government and have them seize it – YES. The US has mutual cooperation agreements with many countries for criminal behavior.

As for the data “being safe”. I don’t know what that means? Are they just worried about “loosing” the data or having the data used against them? Can the data be read by the US – Maybe? Is anything “safe” on the internet when SONY in the US can be hacked by North Korea on the other side of the world. If all the data is “off shore” then how does the company utilize it? This is a rhetorical question. They access it over the internet or some other dedicated connection. The data is obviously located in CA when they are reading it, because their machine is located in CA. In other words, the US government may not have to get to the server, there may be cached copies locally on hard drives or other devices.

Think about all the off shore gambling sites, child porn sites, and criminal sites (like silk roak) that the US is currently shutting down and prosecuting people under. For a quick overview of how the government is able to prosecute these types of cases:

Silk Road 'darknet' boss found guilty of running massive drug website

I realize this answer has not been very helpful, but I would need to understand what they are trying to protect and who they are trying to protect it from. Additionally, it may not matter whether the company is a US company. If they are a foreign entity, but are doing business in the US, the US government would have jurisdiction under long arm statutes.

Click to expand...

Apparently a company in California has the same name as ProtonMail.

The image in the above post is not the ProtonMail service with servers in Switzerland.

This is the detail for their company - Registre du Commerce du Canton de Genève



That takes the issue of an incorporation within the U.S. off the table as far as I can tell, but still leaves me with the questions about at least one office and employees within the United States.

I'm curious, if/when ProtonMail receives an order about an account, will they fight it, turn over encrypted data, build in an interception mechanism on a per account basis, something else?

The following is additional comment from a lawyer and not my own:

Now that we know the country is Switzerland, I can tell you that this is an extremely complicated answer and would take many hours of research to give you an answer that was somewhat confident. The reason that this is so complicated is because the US can subpoena evidence (records and data) from Swiss companies and businesses. Here is a good article on Swiss data storage. It says right in the article that data in Switzerland is still subpoenable - Practical Law

“They constantly claim that's some sort of magic shield for user privacy.” - They are likely referring the Swiss Laws on Data Protection and Ordinance. The primary laws and regulations governing data protection in Switzerland are the Swiss Federal Data Protection Act (DPA), the Swiss Federal Data Protection Ordinance (DPO), the Swiss Federal Ordinance on Data Protection Certification (DPCO) and Guidelines of the Federal Data Protection and Information Commissioner on the minimum requirements for a data protection management system (DPMS-Guidelines). The latest revisions of the DPA and the DPO as well as the DPCO entered into force on January 1, 2008. The DPMS-Guidelines entered into force on September 1, 2008.

However, I do not know whether the data is subpoenable. The US and Switzerland have a Mutual Legal Assistance Treaty (MLATs) for Mutual Assistance in Criminal Matters, but whether that will cover the current situation at hand, I do not know.

For example, Switzerland has some very restrictive non-disclosure laws when it comes to banking. So much so, that if you comply with the subpoena, you are violating Swiss Law and can be arrested for giving the US the information. It is a very Catch-22 situation. I do not know if the Swiss laws applies to non banking data. However, the US has had various success in obtaining records from the Swiss government when it comes to criminal activity in banking. There are no longer the “it is in a Swiss bank account” safety like back in the 70’s. That was when many mobs were hiding their illegal gains from the US government. Eventually, the Swiss government subpoenaed the records and turned them over to the US.

Remember, just because the Swiss laws (magic shield) exists, that does not necessarily mean that the data cannot be obtained through one of the US/Swiss treaties.

“If the FBI knocks on the door in San Francisco and wants access to an account (even if it's an encrypted thing and not easily readable, assuming it really is secure), a backdoor, whatever, with the proper subpoena, what happens next?” – Data that is not located in the US will need to have a subpoena served in compliance with the MLAT Treaty. I do not know what the requirements are for the MLAT with Switzerland are.

In summation, if you have data that is either illegal (like child porn) or the data is evidence of criminal activity, there is no guarantee that the US government will not be able to get the data from Switzerland. If it does not have to do with a criminal activity, and you just have Intellectual Property stored on Swiss servers, than it is much more unlikely the US government would have any “legal” recourse to obtain the data. The North Korean’s had the ability to get to SONY’s data, not legally, but they were still able to get the data. If you believe that the US government always operates within the law, then so be it.

Some additional resources are:

Practical Law

dataprotection.ch - Walder Wyss Ltd.

US and Switzerland do have a Mutual Legal Assistance Treaty (MLATs)

Treaties and Agreements

http://www.rhf.admin.ch/etc/medialib/data/rhf/recht.Par.0010.File.tmp/sr0-351-933-6-e.pdf

History of evidence relations with Switzerland:

http://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=1636&context=auilr

The Swiss-American Chamber of Commerce plays a vital and active role in assisting Swiss companies in the United States and U.S. companies in Switzerland to expand their business. The Swiss-American Chamber of Commerce is a not-for-profit organization.

Business in Switzerland|AmCham Switzerland

Bloomberg BNA (Bureau of National Affairs), is a leading source of legal, tax, regulatory, and business information for professionals and produces a World Data Protection Report

World Data Protection Report | Bloomberg BNA

BNA Search | Bloomberg BNA

http://www.haynesboone.com/~/media/files/attorney publications/world data protection report u s district court treats french blocking statute differently grosdidier 42415.ashx


https://www.amcham.ch/publications/downloads/2009/obtaining_evidence_in_switzerland.pdf

Obtaining Evidence in Switzerland - The Dilemma and the Stumbling Blocks of Art. 271 and Art. 273 Swiss Penal Code

The Association of Certified Financial Crime Specialists (ACFCS)

ACFCS | MLATs are powerful weapons in financial crime combat, even for private sector