Surveillance of Instant Messaging:
Swiss Federal Supreme Court Provides Clarity

 

LAUX LAWYERS Policy Alert, May 28, 2021

The Swiss Post and Telecommunications Surveillance Service (PTSS) must not oblige providers of instant messaging services to actively monitor communications (real-time or retrospective interception). The same applies to Internet video conferencing or telephone services, or pure email services. A new leading case by the Swiss Federal Supreme Court provides clarity in this regard and puts the PTSS in its place.

What it is about

At the request of the Swiss police, public prosecutors or intelligence service the PTSS carries out real-time or retrospective interception and provides data in response to information requests. For this purpose, it relies on the active cooperation of Telecommunications Service Providers (TSP).

Theema LLC is the provider of the instant messaging service and Internet video conferencing and telephone service Threema. The PTSS qualified Threema as a TSP and wanted to oblige Threema to actively cooperate in the surveillance (including the removal of end-to-end encryption). Against the respective order of the PTSS, Threema successfully appealed to the Federal Administrative Court (judgment A-550/2019 of May 19, 2019) and was also proven right before the Federal Supreme Court (judgment 2C_544/2020 of April 29, 2021).

The Federal Supreme Court’s Ruling
Instant messaging services and Internet video conferencing or telephone services such as Threema, WhatsApp, iMessage, Zoom, Teams, Chime or Skype only function in conjunction with Internet access to transmit the communication content. The service therefore does not consist of transmitting information from one customer (subscriber) to other subscribers by means of electronic communication (wireline or radio). Rather, the communications services are based on Internet access services. They are therefore also referred to as OTT (over-the-top) services.

The transmission of information by means of electronic communication is an essential characteristic of a telecommunications service within the meaning of the Federal Act on the Surveillance of Post and Telecommunications (SPTA). The Federal Supreme Court therefore holds that Threema and other providers of OTT services are not TSPs under the SPTA, but fall into the category of Providers of Derived Communications Services (PDCS).

The appellant (Federal Department of Justice and the Police) argued that, at the latest when the revised Telecommunications Act entered into force, OTT communication services will be considered telecommunications services under the Telecommunications Act. For the sake of consistency, the same must apply to the SPTA. The Federal Supreme Court rightly did not follow this argument. It is true that Art. 2 lit. b of the SPTA currently still refers to the definition of telecommunications service provider in the Telecommunications Act. However, the reference to the Telecommunications Act will be omitted in the future (the revised Telecommunications Act has been in force since January 1, 2021, but the amendment to Art. 2 lit. b SPTA has not yet entered into force). In doing so, the legislator intended to prevent PDCS from being subject to the same additional surveillance and information obligations as are TSPs.

What this means for OTT services providers
The legislator thus accepts that a provider of OTT communications services is a telecommunications service provider within the meaning of the Telecommunications Act, but is a PDCS under the SPTA and thus only has passive duties to cooperate in carrying out surveillance measures and less extensive duties to provide information under the SPTA.

Specifically, the following applies to providers of OTT communication services (chat, instant messaging, Internet video conferencing or telephone services, or email services) as PDCS under the SPTA and the Ordinance to the SPTA (SPTO):

  • OTT providers have to tolerate surveillance measures of the PTSS in principle, but do not have to remove existing end-to-end encryption (which ultimately makes surveillance impossible).
  • OTT providers do not have to store traffic data in order to allow retroactive surveillance.
  • OTT providers only have to provide information and data they hold (available data) in response to information requests from the PTSS (no catalog of mandatory data).
  • OTT providers are not required to use the PTSS’s platform (ISS platform) for receiving requests for information and transmitting responsive information and data.

The following should be noted:

  • The Federal Council may impose all or parts of the TSP obligations on certain PDCS of great economic importance or with a large user base (PDCS with more extensive obligations to provide information pursuant to Art. 22 SPTO or with more extensive surveillance obligations pursuant to Art. 52 SPTO).
  • Swiss law does not contain a legal basis for direct cross-border data collection. The Swiss law enforcement authorities and the PTSS must therefore, as a matter of principle, request legal assistance from the authorities in the country in which the data is held for cross-border requests for disclosure or information. This also applies to requests for information from the PTSS – and corresponds to the deliberate decision of the legislator to respect the principle of territoriality under public international law. The only exception to the principle of territoriality is the voluntary cooperation of TSPs and PDCS within the scope of their contractual authorizations. In such cases, Swiss law enforcement authorities and the PTSS are allowed to access data provided by the TSP or PDCS abroad on the basis of Art. 32 lit. b of the Cybercrime Convention.

Further information and contact

Please feel free to contact us with any questions regarding this Policy Alert or for assistance in handling requests from the PTSS.
Contact: thomas.steiner@lauxlawyers.ch