Back when he was still a National Security Agency contractor, Edward Snowden chose the privacy-minded e-mail provider Lavabit for his correspondence. It was from that account that he ultimately divulged his secrets to American journalists. Since Snowden became a household name, Lavabit has shut down under legal pressure from a US court to hand over the keys to its kingdom as a way to get at Snowden’s data.

Inspired by that episode over two months ago, I kicked the tires on a couple of privacy-minded e-mail providers, one based in the United States and another based in Germany. My conclusion? Europe won’t save you. In particular, German law wouldn’t offer more legal protection—and it could possibly offer less than an American provider.

Of course, not all of Europe is created equal—28 countries are part of the European Union. But there are many strong, privacy-minded countries that sit apart, like Switzerland. The Swiss Confederation is well-known for its Alpine air, chocolates, clocks, neutrality, secrecy, and privacy—particularly in banking. (Plus, it has a special place in my heart as I spent a year in high school living there from 1997 to 1998.)

So can a Swiss company provide better e-mail security and privacy than many European Union countries or the United States? Again, it’s a tough question, but after examining the relevant Swiss law and talking with Swiss lawyers and one privacy-minded Swiss e-mail provider, the answer is probably yes, but with one big caveat: user notification of surveillance is not always transparent. (Still, making a definitive call on the most secure e-mail service is difficult, as there are few real-world legal scenarios to examine.)

Switzerland, like nearly all of its European neighbors, has a de facto gag order on user notification. Meaning that if I have my e-mail at Swiss Company X and I’m being investigated, there’s essentially no chance that I will find out about such surveillance until after the investigation is complete. In the United States, while there are often court-ordered restrictions on companies alerting their users to surveillance or data handovers, it's not an inherent restriction. The Electronic Frontier Foundation and other related groups worldwide have called for the principle of user notification.

“The big difference is that [in Switzerland] there is an obligation by the prosecutor to notify the target [of surveillance] as soon as possible, but the latest before the end of the investigation,” Sylvain Métille, a Swiss data protection lawyer, told Ars. “Then the target will have 10 days to appeal and will begin a new appeals process with a separate court to challenge after the fact.”

The Swiss Penal Code (Article 279) also provides a means to defer or waive that notification if the case is not brought to trial or if it is “essential to protect public or private interests.” American law (18 USC § 2705 - Delayed notice), by contrast, says that notice must be given unless there is imminent harm to a person or investigation, and that can only be delayed for 90 days (which can be renewed).

In other words, American companies have the option to disclose surveillance far sooner than Swiss companies would. To be fair, American companies not under a mandatory gag order can (and do) say frustratingly little about the legal pressures that they face. While Google, Facebook, Twitter and other companies continue to fight the government at the highest level, Verizon, AT&T, and other telcos have told the public hardly anything. Google, for example, takes the policy that it will notify a target while an investigation is going on unless explicitly forbidden from doing so.

Further, thousands of secret surveillance orders are signed every year by judges in the US, and the vast majority of those targets may never be charged with a crime. Additionally, American companies facing surveillance orders can challenge them prior to complying, a right that appears to not exist in many other countries.

As we wrote previously, properly encrypted e-mail offers the best security for messages both in transit and at rest. But as many Ars readers who have acted as informal tech support for their non-techy friends and family can attest, relatively few people are going to be encrypting all their e-mails by default anytime soon. So the next best thing might just be to choose an e-mail provider that will collect as little of your information as possible and will not readily turn over what other information it does have, such as IP logs or even user e-mail accounts themselves. (And yes, you can roll your own mail server or have proper hosting—but a lot of people just want turnkey e-mail. Again, think about what your family members use.)

“In terms of privacy, anything is better than Google, I'd guess,” Ralf Bendrath, a senior policy advisor to a German member of the European Parliament, told Ars earlier this year. “In terms of usability, of course not. Everybody has to decide for himself or herself where the priorities are.”

Meet MyKolab

So why examine Switzerland? Following my October 2013 article, the head of Swiss e-mail provider MyKolab got in touch, both e-mailing me and leaving a comment on the story.

Among other things, CEO Georg Greve wrote:

And there is one country which you do not explore that has a much stronger legislative framework than most other countries, which is Switzerland. Abusing data is a criminal offence, no exceptions. Even if the CEO of a hosting business would learn of abuse among their staff and not report it to the proper authorities, they would likely look at jail time. Secondly, unlike in the US or Germany, *all* requests must go through a judge and be publicly documented in anonymized form and with proper attribution to the criminal code. Secret service has been explicitly stripped of all powers inside the country and there is no other legal way for foreign powers to obtain the data than through the international assistance treaties where requests for information must hold up under *Swiss* law.

MyKolab has been the object of a lot of attention in recent months: it was endorsed by Pamela Jones of Groklaw, whose approval made the rounds in the tech press. Following that surge of attention, MyKolab began offering a “lite” (and less expensive) version of its services, starting around $5 per month. By early December 2013, it even began accepting Bitcoin as payment. The chief executive told Ars recently that the company has seen a lot of interest; MyKolab has gained thousands of paid accounts in recent months.

The Zürich-based company certainly sounds like a good option. Its Frequently Asked Questions page includes questions like:

Some other providers claim to use server side cryptography to store my data encrypted so they cannot access it. Do you do that as well?



While the hard disks themselves do not store data in plain format, we currently have no plans for user-based encrypted storage. The reason is simple and has been explained very well by Moxie Marlinspike. In short: With server-side encryption, the provider holds the encrypted data, the key, and the passphrase, as all three need to pass through the web interface and be available on the server. So the provider does have access to all the data despite the encryption, it's just a matter of whether the provider chooses to make use of that capability, just as if the data were not per-user encrypted. We don't believe in misleading our users in this way. …

Do you strip identifying information from email headers?



Yes. If you use a local client to send mail via MyKolab.com, we strip your IP address and the mail program you have been using. Recipients will only be able to tell that you sent mail as a valid MyKolab.com user, but not from where and with which software. The same is true when you use the web client.
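As an added illustration of the header stripping described in that FAQ answer (this is not MyKolab's code or configuration), the Python sketch below removes identifying headers from a submitted message and then checks whether the client's address still appears anywhere in the headers. The strip list, the sample message, and the `X-Client-Addr` header are all assumptions constructed for this example.

```python
from email import message_from_string, policy

# Assumed strip list (not MyKolab's configuration): headers that commonly
# reveal the sender's network address or mail program.
IDENTIFYING = ("Received", "User-Agent", "X-Mailer", "X-Originating-IP")

# Constructed submission as it might arrive from a local client.
# 203.0.113.7 is a documentation address; X-Client-Addr is a made-up
# vendor header that is deliberately absent from the strip list.
SAMPLE = (
    "Received: from [203.0.113.7] (helo=laptop) by smtp.example.org\n"
    " with ESMTPSA; Mon, 2 Dec 2013 10:00:00 +0100\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "User-Agent: ExampleMail/1.0\n"
    "X-Originating-IP: [203.0.113.7]\n"
    "X-Client-Addr: 203.0.113.7\n"
    "\n"
    "Hi Bob\n"
)

def strip_identifying(raw):
    """Return (sanitized message text, names of the headers removed)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    for name in IDENTIFYING:
        hits = msg.get_all(name, [])
        if hits:
            del msg[name]  # removes every occurrence of this header
            removed.extend([name] * len(hits))
    return msg.as_string(), removed

def leaking_headers(raw, client_ip):
    """Names of headers whose value still contains the client's address."""
    msg = message_from_string(raw, policy=policy.default)
    return [name for name, value in msg.items() if client_ip in str(value)]

if __name__ == "__main__":
    clean, removed = strip_identifying(SAMPLE)
    print("removed:", removed)
    print("still leaking:", leaking_headers(clean, "203.0.113.7"))
```

The unlisted header survives the strip and is reported by the second function, which is why a fixed strip list is worth pairing with a check on the outbound message.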

Judicious use of wiretaps

Part of MyKolab’s entire value proposition (and presumably that of other Swiss e-mail providers) is that not only does it have a privacy-minded setup on the company’s own technical side, but Swiss law is apparently not permissive of the types of wholesale access that have been proven to occur in the United States.

“If [Swiss authorities] would say, 'We want to break into your system and install a surveillance system to have even better access to your customers,' this would not be allowed, because the way it is foreseen by the law—handover of SSL keys would not be possible to request in Switzerland,” MyKolab’s attorney, Simon Schlauri, told Ars.

There are two primary elements that appear to buttress the argument that storing data in Switzerland is a great idea: firstly, the Swiss Criminal Procedure Code puts strict limits on what type of digital surveillance (French) may or may not be used. Case in point: Swiss law enforcement is not allowed to use a given technique unless it is specifically authorized and regulated under the law. By comparison, American law enforcement tends to take the attitude that it will use whatever tools are at its disposal until that tool is reined in.

According to a newly published legal academic paper, “Reforming Surveillance Law: The Swiss Model,” written by an American and Swiss tech lawyer team:

Swiss law significantly deters violations of [the Swiss Criminal Penal Code]. Only government officials may use one of the surveillance measures listed under [the Criminal Penal Code], and only after satisfying its statutory requirements. The Criminal Code prohibits the use of surveillance without authorization and treats any information gathered by such surveillance as illegally obtained and subject to the exclusionary rule when challenged by the subject. In addition, officials who conduct surveillance in violation of [the Criminal Penal Code] risk disciplinary measures and prosecution.

Further, it’s a crime for corporate representatives or law enforcement agents to access data on an unauthorized basis, punishable by a fine of up to 10,000 Swiss francs ($11,100) or three months in prison. (Ars hasn’t been able to find any statistics showing how often that law is actually enforced.) Under the Swiss Criminal Penal Code Article 321 (French), a representative of a telecom firm can be punished with up to three years in prison for disclosing user data improperly.

“That's the reason why there is not a lot of court cases—police officers know that they will be personally liable [if caught,]” Sylvain Métille, the Swiss lawyer, and one of the co-authors of that paper, told Ars. “If he's convicted, that's the end of his career, so he will be much more cautious.”

Secondly, beyond that, surveillance of any kind is pretty rare, and there are only a handful of cases each year that have to do with Internet surveillance. According to the Swiss Federal Department of Justice and Police, in 2012 there were only 20 instances (XLS) of real-time Internet wiretapping in Switzerland and 26 instances of retroactive Internet metadata collection. (That’s out of a broader total of a few thousand cases annually of telecommunications surveillance.)

“The Swiss system is more comprehensive, and simpler,” said Susan Freiwald, the paper’s other author and a law professor at the University of San Francisco. “One of the hurdles here is how complicated our system is. My overall take is that if you look at all the factors together, their system is simpler, more comprehensive, and more protective overall. They treat records almost as [equally] as content, and it is easier to understand by the public and the courts. They have this proportionality rule which we don’t have. They have meaningful remedies that we don’t have.”

Trust, but verify

All of that sounds pretty good, right? Still, moving all your correspondence to a Swiss company is no panacea. Along with many of its other European counterparts, Switzerland also has mandatory data retention by telecommunications firms for six months, and it has a mutual legal assistance treaty with the United States.

But more so than anything else, Switzerland, like European Union countries, has a mandatory gag order on companies who serve the targets of surveillance. So if a company like MyKolab were to be served with a judicial order to hand over a user’s data, it couldn’t tell anyone about it.

That’s not the case in the United States, according to Nate Cardozo, a staff attorney at the Electronic Frontier Foundation. (Full disclosure: he's a friend of the author).

“In the US, it is indeed the case that the vast majority of wiretap requests come with a mandatory gag order,” he said. “But not so of other sorts of requests for user data. For instance, warrants directed at Google for access to a suspect's e-mail may not be gagged. Nor are the majority of requests for subscriber information.”

“But in all cases, law enforcement seeking a gag must make an additional showing to the judge before the gag issues. It's not simply automatic, even for wiretapping. And even in the case of a wiretapping gag, the gag is not permanent. The target will get notice of the wiretap after 90 days (which can be extended, but again, such extension takes additional action by the judge).”

In other words, the way Swiss law is set up at present is that members of the public (you and me) can’t know if MyKolab, Swisscom, Orange, or any other Swiss tech company has been ordered to hand over user data. So while it’s nice that Swiss authorities provide a specific number of the times that Internet surveillance is undertaken, it’s impossible to verify if that number is indeed accurate.

“There’s no surveillance of the surveillance.”

For Métille, though, this notification issue isn’t his biggest problem with the Swiss setup. He feels that Swiss data protection law probably provides the strongest legal security for e-mail compared with any other country—but he still has a quibble with how it works in his home country. Mainly, there’s little enforcement to make sure that the user notification takes place, even after the fact.

“For me, the weakness of the Swiss law is more that nobody controls the fact if you've been notified or not,” he noted.

“If the evidence is not used, you have to trust the prosecution that they will inform people. The surveillance court doesn't have a way to look in all cases if it's been notified or not. There should be some commission that should receive a copy of all surveillance orders and all notifications forms and to match them. There's no surveillance of the surveillance.”

That’s why MyKolab has set up a warrant canary on its website, noting:

What we do know is that Kolab Systems has received a total of

0 requests to access customer data

0 such requests were granted, and

0 such requests were denied.

Should these numbers change we'll update this page accordingly. It was not necessary to update it since August 1st 2013.

Warrant canaries work like this: a company publishes a notice saying that a warrant has not been served as of a particular date. Should that notice be taken down, users are to surmise that the company has indeed been served with one. The theory is that while a court can compel someone to not speak (a gag order), it cannot compel someone to lie. The only problem is that warrant canaries have yet to be fully tested in court, in Switzerland or in the United States.
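For readers who want to watch a canary rather than take it on faith, here is an added Python sketch (not from MyKolab or the original article) that parses the three counters in the statement quoted above and compares them with a saved baseline, treating a missing statement as a signal in its own right. The page snapshots are constructed samples, and the field labels and status strings are this example's own.

```python
import re

# Wording taken from the canary statement quoted above; the labels
# ("received", "granted", "denied") are this example's own.
FIELDS = {
    "received": r"(\d+)\s+requests to access customer data",
    "granted": r"(\d+)\s+such requests were granted",
    "denied": r"(\d+)\s+such requests were denied",
}

# Constructed page snapshots for the three situations a watcher can meet.
INTACT = ("What we do know is that Kolab Systems has received a total of\n"
          "0 requests to access customer data\n"
          "0 such requests were granted, and\n"
          "0 such requests were denied.")
CHANGED = INTACT.replace("0 requests", "1 requests").replace(
    "0 such requests were denied", "1 such requests were denied")
REMOVED = "Welcome to our privacy page."

def read_canary(page_text):
    """Parse the three counters; return None if any is absent."""
    counts = {}
    for label, pattern in FIELDS.items():
        match = re.search(pattern, page_text)
        if match is None:
            return None
        counts[label] = int(match.group(1))
    return counts

def check_canary(page_text, baseline):
    """Return 'intact', 'missing', or 'changed: <fields>'."""
    counts = read_canary(page_text)
    if counts is None:
        # A vanished statement is the event a canary exists to signal.
        return "missing"
    changed = sorted(k for k in counts if counts[k] != baseline[k])
    return "changed: " + ", ".join(changed) if changed else "intact"

if __name__ == "__main__":
    baseline = read_canary(INTACT)
    for name, page in (("intact", INTACT), ("changed", CHANGED),
                       ("removed", REMOVED)):
        print(name, "->", check_canary(page, baseline))
```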

“The entire country is under a closer level of scrutiny [than the United States,]” Georg Greve, the CEO of MyKolab, told Ars. “The system works well enough that you can rely on it. Switzerland, unlike the US, cannot conduct espionage without the government knowing about it. [Our national security services] have no mandate in the country and there is not a single case or hearsay or documented at any point in time of any agency coming to any provider. None of us have heard of a case like that in 20 years. We have a high degree of certainty that this is not happening at all.”

So, should you move all your e-mail to the snowy, mountainous confines of Switzerland?

Maybe. As always, caveat e-mailor.