"A war against online anonymity" – why Switzerland wants to change its surveillance law and what's at stake

For a long time, privacy-seekers have regarded Switzerland as a secure haven, praising its strong data protection laws and care for people's privacy. Yet, this may be about to change as the country is considering amending its surveillance law.

Swiss-based Proton, the provider behind one of TechRadar's best VPN and secure email solutions, is one of the companies warning that online anonymity is at risk if the law is passed. Proton CEO even compared these new rules to those in place in Russia and said its services would become "less confidential than Google," vowing to be ready to quit Switzerland instead.

Another Swiss cloud firm, however, Infomaniak, criticized Proton's stance. The company slammed Proton and similar tech privacy firms for advocating for total online anonymity. Nonetheless, Infomaniak is also positioned against the ordinance to change the surveillance law in its current form.

So, why does Switzerland want to change its surveillance law? How will it affect people in the country and beyond? And most importantly, can we really have privacy on the internet without online anonymity?

What's Swiss surveillance amendment about?

On January 29, 2025, the Swiss Federal Council opened the consultation to partially modify the current Ordinance on the Surveillance of Correspondence by Post and Telecommunications (OSCPT).

Specifically, the amendment seeks to expand surveillance obligations that are now reserved for telecom networks and internet service providers (ISPs), to target so-called "derived service providers." This categorization would include any online service with a turnover of $100 million or more than 5,000 active users.

Crucially, this means virtual private networks (VPNs), messaging apps, cloud services, and social network companies will have to start complying with surveillance requirements.

The revision also wants to create three new types of information and two types of monitoring.

As per the official announcement, this aims to "standardize certain information and retroactive monitoring used to identify users and which were previously treated as special cases." It will also create "the possibility of monitoring only part of the content data during real-time monitoring."

Put simply, the ordinance could require online service providers to collect specific metadata – which includes all the data around the content of communications transmitted by users – to enable authorities to use these details to reactively identify users of internet connections.

Clarifications are also provided regarding the removal of encryption. While this obligation remains in a few specific cases, lawmakers ensure that end-to-end encryption is "explicitly not affected."

What the experts are saying?

Despite the reassurance, some experts are still concerned that the revision may compromise the security of encryption technology.

According to the Internet Society, for example, issues can arise even if only some providers are forced to weaken encryption to favor law enforcement.

They wrote in a blog post: "If these flaws exist, they exist for everyone: their installation would allow hackers, criminals, or foreign entities to access all data circulating in the country. You can't encrypt for some and not for others."

That said, for the COO of NymVPN, Alexis Roussel, the main issue here may not be encryption backdoors, but that's more of a "play on words."

"It's not about end-to-end encryption. They don't want to force you to reveal what's inside the communication itself, but they want to know where it goes," Roussel told TechRadar. "They realize the value is not in what is being said but who you are talking to."

Commentators are primarily concerned with greater data retention obligations aimed at metadata tracking.

According to Amnesty Switzerland, "the requirement to identify users and the systematic retention of metadata for six months constitute disproportionate invasions of privacy." The human rights group also pointed out that similar measures were previously ruled out by the EU Court of Justice for weakening citizens' rights.

"This revision would be a particularly serious blow to those who rely on confidential communications to exercise their rights or their profession: human rights defenders, journalists, lawyers, doctors, and whistleblowers," said digital rights expert at Amnesty Switzerland, Illan Archer.

Proton and NymVPN have warned that this will make the work of no-log VPN and other software impossible, and vowed to leave the country if the ordinance passes.

Another Swiss privacy tech company, Infomaniak, appears to have a more moderate position toward the new rules.

On one side, the company says to oppose this revision of the law in its current form.

"We believe that the proposed changes must be better regulated legally and, above all, openly debated to avoid any drift towards generalized surveillance in the name of security. In particular, requests for data access should always go through a judge," Infomaniak's Communication Manager, Thomas Jacobsen, told TechRadar.

That said, Infomaniak has a different view regarding the need for online anonymity. The company believes that it is legitimate for authorities to look for ways to "reconcile privacy with accountability" for what we all do online.

Jacobsen said: "Just like in the real world, the web must not become a Wild West. Confidentiality must not be used as a pretext to create a zone of digital impunity."

Contrary to the likes of Proton and NymVPN, Infomaniak plans to remain in Switzerland and comply with the new rules if passed.

Do we need online anonymity?

Swiss tech privacy is emerging from the digital surveillance debate split – so, do we need online anonymity to have privacy?

The mandatory identification provision is certainly what most concerns Nym and many others in the Swiss privacy tech industry right now. "The whole point of security and privacy is not being able to link the usage to the person. That's the most critical thing," Roussel told TechRadar.

Roussel, in fact, strongly rejected the idea that getting rid of online anonymity is necessary to facilitate the work of law enforcement. He said: "Online anonymity is at the core of the balance of power in a democracy. When the government has access to all your metadata, that's completely reversed."

Under the current system, Swiss authorities need to make a specific inquiry to force online services to record all their data. If the new ordinance passes, though, this data collection will become mandatory and preemptive to any potential illicit activities. Measures of surveillance that, according to Roussel, could only end up undermining democratic values in Switzerland.

"An obligation to store the data in case, maybe, one day a judge will ask for it – that's not ok," said Roussel. "It's a war against anonymity, which is happening in Switzerland at the federal level."

On the contrary, Infomaniak reiterates that the company aims to protect the privacy of its users without promising them impunity.

"This is not about choosing sides, but about society finding a fair balance. Digital technology plays a major role in our lives, and it is appropriate that rules exist to prevent abuse," Jacobsen told TechRadar.

Infomaniak requires a real identity check upon registration, in fact, and previously criticized Proton and similar companies for offering free VPN, email, and other services. That's something, according to the provider, that enables anyone to remain out of the reach of law enforcement.

"Fundamental freedoms must be guaranteed, but they cannot become a shield for impunity," Jacobsen added.

Many experts, including NymVPN and the Internet Society, are also pointing out the inherent security risks of greater data retention requirements, as more data can lead to more leaks, data theft incidents, and, ultimately, more attacks on people.

Jacobsen from Infomaniak agrees, but he believes some more context is needed. "The know-how to manage these data securely already exists. So this is not about introducing a new vulnerability, but about demanding the level of control that responsible providers already have," he said.

What's next?

Lawmakers ran a public consultation until May 6, 2025, and now they are going to make a decision based on the feedback received.

Roussel from NymVPN confirmed to TechRadar that there has been significant push-back from political parties and many Swiss companies alike.

Swiss Cantons like Geneva have even called on the "right to digital integrity" as an argument against these rules. Roussel was the main originator of the initiative that introduced this new right to protect citizens' online privacy and data – in Geneva in 2023 and Neuchâtel in 2024 – with over 90% consensus.

"I think they didn't expect that many negative answers, and most importantly, they received negative answers from governments, which didn't happen in the first revision," said Roussel.

However, we still have to wait for a little longer to see who will end up being the winner in the fight for online anonymity.

You might also like

• Cloud service Infomaniak steps up fight with Proton over controversial Swiss surveillance law
• Chat Control – Poland's EU Presidency gives up on the voluntary scan of your encrypted chats
• "A dangerous precedent" – The VPN industry reacts to France’s order to block illegal streaming sites