Frequently Asked Questions FAQ
Do providers now have to store credit card data for every customer?
No, these details only have to be passed on to the PTSS if the provider has received them anyway from a customer. This was also the case under the former law. Providers must supply this information if the prosecution authorities issue an order to this effect in a criminal investigation. There is now a new standardised procedure which reduces the workload for providers and the authorities.
Is the decision of 8 April 2014 of the Court of Justice of the European Union (CJEU) regarding data retention binding for Switzerland?
No, Switzerland has not adopted the Data Retention Directive in its bilateral agreements with the EU. This Directive is therefore not applicable in Switzerland. Data retention does not involve the content of conversations, only information about who communicated with whom, when, for how long, where and by what technical means (metadata). This information can help in tracking criminal behaviour retroactively or in establishing the whereabouts of missing persons. The CJEU’s decision does not prohibit data retention as such, but it does require that storage, use and access to metadata be strictly regulated. These general principles are not contained in the Directive, but they are present in Swiss law. Thus, the Federal Office of Justice considers that the CJEU’s decision does not call into question the storage of metadata in Switzerland, not even indirectly.
Why should data retention be permitted in Switzerland?
In Switzerland, interference in a person’s basic rights through the storage of metadata is kept to an absolute minimum. Although data is retained even when there is no suspicion of an offence having been committed, the police and the prosecution authorities do not have unlimited access to the data, as it remains in the possession of the TSPs, not of the state. The law also sets in place high barriers to access: the law enforcement services, for example, can only access the data if several preconditions are met. In criminal and mutual legal assistance proceedings, surveillance may only be ordered if there is strong suspicion that a serious crime has been committed, and that it is serious enough for surveillance to be warranted. Finally, previous investigations must have been unsuccessful or the enquiries would otherwise have little prospect of success or would be made disproportionately more complex.
What would happen if data were not retained?
If data were not retained, it would be harder to prosecute crimes and so there would be an undesirable impact on public security. The police would no longer be able to evaluate suspects’ phone and internet activities in cases of cybercrime, child pornography, drug trafficking, homicide, property crime or terrorism. If metadata were not stored, the search for missing and convicted persons would also be more difficult; for example, it would be hard to reconstruct where someone had last made a phone call.
In what circumstances can GovWare (‘Government Ware’) be used, and by whom?
The Federal Council has decided to create a clear legal basis for the use of GovWare. Its use will only be permitted for certain serious offences, rather than all the offences subject to conventional postal and telecommunications surveillance measures (Art. 269 ff. CrimPC). These are serious offences for which an undercover investigation may also be ordered (Art. 286 para. 2 CrimPC). GovWare may only be used to intercept telecommunications. Online searches of computers or room surveillance by means of a computer microphone or camera are not permitted. Furthermore, the use of such equipment must always be ordered by the prosecution services and approved by the compulsory measures court.
Why is GovWare actually necessary?
GovWare is necessary in the prosecution process in order to keep pace with technical developments. It is not a question of doing more surveillance, and certainly not of conducting surveillance or searching a computer at will. But the prosecution authorities must have all the means necessary to be able to investigate serious offences. Otherwise criminals can use modern means of communication and the prosecution authorities are left far behind. For example, drug dealers may use encrypted internet telephony to conduct their business, safe in the knowledge that their calls will not be intercepted.
What do the prosecution authorities do to make the use of GovWare as secure as possible and prevent its misuse?
A combination of technical and procedural measures is necessary to prevent the misuse of GovWare. On a technical level, the prosecution authorities define the required security functions, an independent agency verifies that these functions are complete and that they are installed according to recognised standards. On an organisational level, the prosecution authorities draw up a detailed procedure for the use and operation of GovWare, in which they define the access rights of the users and how the IT system is to be handled. Finally, all the steps from the application to use GovWare through authorisation to the end of the surveillance process are logged to ensure traceability, as this may be required by the courts. All of this minimises the possibility that GovWare may be misused. In a court of law, any information gathered when telephone calls are intercepted may only be used as evidence if the surveillance was ordered and correctly authorised for the collection of this specific evidence.
Are fears that Switzerland is turning into a ‘spy state’, in which attacks on our privacy are the norm, really unjustified?
- Yes, such fears are unjustified, because the surveillance measure can only be ordered by the authorities in implementation of the law (CrimPC or IntelSA) and must also be approved by a compulsory measures court or the Federal Administrative Court.
- A prosecution authority can only order surveillance in the context of a criminal investigation and if a serious offence has been committed (see list of offences [in DE, FR, IT]).
- The Federal Intelligence Service (FIS) may order surveillance on a preventive basis and outside of criminal proceedings; however, approval must first be given by the Federal Administrative Court and the head of the DDPS (after consultation with the heads of the FDFA and FDJP).
Ordering surveillance measures
Who can order surveillance measures?
- In civilian criminal proceedings, the public prosecutor’s office can order surveillance measures (Art. 269 para. 1 CrimPC).
- In military criminal proceedings, surveillance measures can be ordered by a military examining magistrate (Art. 70 para. 1 MCPC).
- The Federal Intelligence Service (FIS) can also order surveillance measures (Art. 26 ff. IntelSA).
- Outside of criminal proceedings, the designated cantonal authorities – often this is the cantonal police – or designated federal authorities can order surveillance measures to establish the whereabouts of criminal suspects or missing persons (Art. 37 para. 3 SPTA).
Scope of application
Does the law now allow for more widespread surveillance?
- Persons obliged to cooperate as defined in Art. 2 SPTA are:
- postal service providers (let. a)
- telecommunications services providers (TSPs; let. b)
- providers of derived communications services (PDCSs; let. c)
- operators of internal telecommunications networks (let. d)
- persons who make their access to a public telecommunications network available to third parties (let. e) and
- professional retailers of cards and similar means which permit access to a public telecommunications network (let.f).
- Providers of derived communications services include:
- online storage services (cloud storage, file hosting, sharehosting, online storage, file sharing)
- services for uploading and sharing content (e.g. videos)
- cloud computing
- online marketplaces (but: communications services within the online marketplaces are considered telecommunications services)
- social media (but: social media communications services are considered telecommunications services)
- Location Based Services
- Further information can be found in the Information Sheet on TSPs and PDCSs on the PTSS website.
Showing ID when buying a SIM card
Why do I have to show ID when I buy a new SIM card?
When you buy a SIM card you must show an identification document (ID) to the telecom provider, who will make a copy of it. If you can be identified by means of a valid electronic identity (eID) or online identification, you do not need to purchase the SIM card in person. Previously, you were also required to show ID when purchasing a prepaid SIM card, although no copy was made. Since some providers did not always fulfil this obligation and registered customers with made up names (such as Donald Duck from Duckville), the current SPTO (Art. 20) requires providers to file a clearly legible copy of the purchaser’s ID so that the police and prosecution services can use this information when investigating a crime. All customers (pre-paid and with a contract) are now required to show ID. It is still not necessary to produce ID when registering on a public WiFi network.
Is surveillance ordered in all criminal investigations?
Statistics (www.li.admin.ch/en/stats) show that surveillance is carried out in around 1.5 percent of offences. In 2019 surveillance was conducted in 8,666 out of a total of 544,781 offences, whereby several surveillance measures may relate to one person, e.g. when a drug dealer has a landline and several mobile phones that need to be monitored.
How long may metadata be stored?
Metadata are stored by TSPs for six months (Art. 26 para. 5 SPTA).
Wifi, free internet access
Will the new rules mean that free internet access is no longer possible via a public WiFi connection?
No. Public WiFi access is of course still permitted. But the police and prosecution authorities, with the approval of the court of authority, are now permitted to intercept and evaluate communication via these WiFi access points in order to investigate serious crimes. Where the legal requirements for such investigations are met, they should also be able to identify internet users – as they can now do for people with a landline or mobile phone contract. Otherwise criminals can simple disappear into anonymity.
How does identification via public WiFi take place?
In their investigations, police and prosecution authorities also need to be able to identify users of public WiFi access points where the legal requirements are met. This is only possible when the users log onto the WiFi network with access data and identify themselves, at least indirectly. There are already solutions in use for doing this which are user-friendly and inexpensive for providers, and which do not require users to show a physical piece of ID. We are used to such systems on public transport, in stations and at airports, for example, where users can log into the WiFi network and identify themselves using a code sent via text message to their mobile phone. Other methods of identification include a credit card, boarding pass at an airport or, in a hotel, a voucher linked to a person’s room number. Many providers already use such simple and rapid identification systems, for example text message. This means the prosecution authorities have a realistic chance of discovering who is using or has used a particular WiFi network to plan or commit a crime.
How does this indirect identification method help the prosecution authorities?
For the prosecution authorities this is an improvement over the former situation, in which there was no requirement for users to identify themselves in public WiFi networks. However, there is still a gap wherever users are not required to identify themselves. This identification requirement only applies to professionally operated WiFi networks.
What does identification mean for the users?
- Only users of professionally operated WiFi networks need to be identified, for example at railway stations or airports. Systems which involve quick and easy identification such as via text message are already used by many providers.
- Persons who operate their own public WiFi network do not have to take any measures or identify anyone, even in places such as open-air festivals. They just have to release the data available if requested to do so by the prosecution authorities and with approval from the courts. The same applies to restaurant and hotel owners who provide a WiFi network for their guests.
- Internet providers of minor economic importance or in the field of education and research may be exempt from surveillance duties. They do not have to keep metadata on internet connections to public WiFi networks. They only have to store a user’s identification data for as long as their access rights to the public WiFi network are valid and six months thereafter.
- Nothing changes for the users. They are not restricted in their use of the internet in any way.
Do private individuals have to identify people living in the same household when they share the WiFi network with them?
No. Private individuals who provide internet access to third parties do not have to monitor anyone and do not have to store data specially so it can be made available to the police and the prosecution authorities for their criminal investigations. However, they are required to hand over available data and provide information if the prosecution authorities order this from the PTSS. They must also allow the PTSS to carry out ordered and authorised surveillance.duals have to identify people living in the same household when they share the WiFi network with them?
WiFi, user data
If I allow other people to use my private WiFi connection, do I have to store user data and provide this on demand?
No. If you make your internet access available to third parties, you are just required to deliver any data available to the PTSS, provide information and allow it to conduct surveillance – which it will only do if the police and prosecution authorities are conducting enquiries into an offence and if surveillance has been ordered by the prosecution authorities and approved by the courts.