Internet politics in Switzerland, and the organization Digital Society Switzerland must always be mentioned in the same breath. The Digital Society is an organization that Here we have three representatives of the Digital Society, the CEO Kira, who is on the right hand side as far from your point of view, Patrick in the middle and then Martin. Actually it's the other way around. Martin is on the right hand side and Kira is on the left hand side.
Hello and thanks a lot. I welcome you to our presentation about Internet politics in Switzerland and we will talk to you about the current state of affairs and new topics for the new year. First off, the topics we'll talk about. In Switzerland too, the police state and the surveillance laws are being expanded and Kira will be telling you more about the surveillance law. We also are taking legal measures against mass surveillance and against network and data retention and in Switzerland, even though it takes longer, we are now starting to introduce network bans and e-voting and an electronic ID is also coming. The implementation is not quite perfect, but it's coming. And last but not least, the revised data protection laws. The EU is working on revisions of that and Switzerland is going to take over these revisions. And now I hand over to Kira for the surveillance law.
So the completely reworked law on surveillance of post and telecommunications will take, will come into power in March 2018. There are various transition periods for various aspects at the longest 24 months. Okay, so the current law applies to access providers and the services provided by them, that's email, voice over IP, etc. The revised law will also, will be expanded and will also apply to suppliers of derived communication services, which includes services that allow for an exchange of information, which basically means anyone. And it will also apply to people who allow third parties to use their network. 
This generally applies and is targeted at suppliers of public Wi-Fi. These providers of derived communication services are, have the same duties as access providers if either of these two conditions apply, either 10 surveillance requests in a year or the provider earns a yearly, not profit but the other thing, of 100 million francs with at least 5000 users. And that means they have a duty to actively be able to surveil something and to retain data of their users. Everybody else, when these two criteria do not apply, they have to tolerate surveillance. And this tolerance includes that they have to provide access to buildings, devices, cables, systems, networks and services, which, to the surveillance services like police or the specific service, so that they can do surveillance. Who has this duty to surveil, must be able to identify the participants. In Switzerland, it will no longer be as easy to just click together an e-mail account. But the duty to identify yourself with a proper identification only applies to cellular services. For every other service, for example sending a token via SMS is enough of an identification. This now also applies to professional providers of public Wi-Fi. Professional in this case means if the service has been delegated to a dedicated provider of Wi-Fi. On the other hand, if I as a restaurant owner say, buy my own Wi-Fi access point and provide that to people, then I do not fall under this duty to identify participants. Still what that means is that public Wi-Fis without SMS registration are going to die out even more. At least Freifunk is not affected because they are not professionally provided. But it's now also allowed for the services to check Wi-Fis and look through these access points to find people.
Then one important question that's still open is Govware, which we'll get with the new surveillance law. The question is about the infection. So how does this state-sponsored trojan get onto the device that should be surveilled? 
We see here the variants, so through a bug in a software. So this method, of course, begs a couple of questions. Or then there's the option to intrude into the room where the device is located. This is the variant that's discussed in the law. Or then there's the option to do it with the help of a third party. For example, a proxy at the provider, an update server, a personalized app, or a download of, for example, tax software. So now we have the important question. Who un-involved third parties? May they be involved to install the state trojan on target devices? So the question is, do we have a right to identify or the duty to testify in court? This is consistent with the Federal Justice Department, but we'll have to see what the prosecution actually kind of wants in terms of measures.
Okay, so let's go to part two. Mass surveillance and cable wiretapping. Both of these court proceedings are kind of strategic decisions. We want to know where the line in the sand is between surveillance of individuals and just surveilling everyone, which impacts the privacy of every individual. Switzerland doesn't have a constitutional court, so we can't really in an abstract way have determined if such a law is legal or not. So we have to start a court case ourselves and sue through the instances of the courts. So the first one of these is for the Secret Service Law. This law went into power in September 2017 and gives the Secret Service in Switzerland a lot of new powers. So for example, using state trojans or this is important in our case, the wiretapping, which is now legal for the Secret Service. So that went into effect on the 1st of September. So we sent some questions to the Kabul Aufklärungsdienst and we asked them to not introduce wiretapping because this surveillance will affect everyone and we're just put under general suspicion and it's because it's just kind of impossible to look for something when you don't know what it is exactly. 
So we demanded also to not do the wiretapping for wireless services, so satellite phones and so on. We combined these two requests because the wiretapping is an evolution of the wireless and satellite reconnaissance that they are doing that used to be a military surveillance of foreign proceedings and satellite surveillance was introduced through a secret project from wireless reconnaissance. They went to satellite surveillance through a secret project in 2000. It came to light during two reports in 2003 and 2007 by the government watchdog which describes the system, including some breakages of human rights. Since this is mostly about foreign communication, of course not only, but mostly, and civilian targets, it was kind of difficult to get any support against that. Since more and more communication is not going through satellites anymore but through a fiber, this surveillance is now being expanded to wires and this wiretapping targets the border crossing wires because opposed to foreign satellites, foreign cables cannot be surveilled. But almost in every case when the border crossing cables are involved, somebody in Switzerland is involved and obviously of course human rights do not stop at the border. The answer to our request by the cyber service was rather surprising. It was just a single page and the secret service presents itself as a simple part of the government and they have no choice in this matter and of course the whole surveillance does not violate any human rights at all. Of course our next step was to complain to the federal administrative court and the secret service now has time for a response until 15th of January and either the court is going to decide materially on our complaint or send it back to the secret service which will then also have to decide on our complaint and then we are back to the beginning for now.
We have a second proceeding going on which is about a complaint about data retention. This one's a bit older. 
We started in 2014 and currently the proceeding is stuck at the federal court, the highest court of Switzerland and there have been written statements since this spring that the services from the data protection organization of Switzerland from the providers from ourselves and the decision is expected to be reached next year. Since we do not have a constitutional court and the Supreme Court does not have the competence to decide whether something is contrary to our constitution, the decision from the European Court of Human Rights is likely to be necessary. These proceedings take a long time. The complaint against data retention is probably halfway done and with the complaint against wiretapping we are at the very beginning and these proceedings cost a lot of money and are completely funded by donations and are dependent on help from others.
This brings us to the third part, the network bans. Those of you who were here last year should already know this image. The problem is that at the moment the politicians in Switzerland assume that network blocks are a reasonable technical way to solve social problems but as you can see in this picture these blocks are not very effective. We've had three laws that we looked at. We had the gambling law which is really focused on poker and casinos. Then we have the copyright law and the communication services law. In the gambling law the gambling addiction should be kept in check and the money for this has to come from the cantons currently and not from the casinos that actually cause the gambling addiction. For the first time online gambling is legal but only if it's hosted in Switzerland. The point is that the market in Switzerland is currently too small to even start a big poker game at all. They want to kind of force the creation of this market by protecting the Swiss market by blocking foreign gambling service providers online. With the gambling law the referendum is running currently. 
The law was passed by the parliament but many of the young parties seized the referendum and we're now collecting signatures. Still thousands of signatures are coming in these days and we really need the signature of every Swiss person who is here. If you haven't yet signed the referendum please do and send in the form or bring it by at our stand. It's going to be a really close one. Also what we did beforehand is we tried to influence the commissions of the parliament discussing this law but it's very hard to explain to a politician that net blocks aren't effective even when you actually demonstrated live to them on their computer.
Now to the copyright law. It's about rewriting it completely. It should be rewritten completely. The good thing is the legal private copy is going to stay including the free legal downloads but what happens now is that protection of images is going to be anew. Previously you had to have a certain artistic contribution so that an image could be protected but now basically every picture that's taken is protected by copyright law. This is going to be interesting what happens with this. I mean you in Germany have already had a bit of experience with this kind of rule. Then regarding abandoned works the regulations get a bit better. It's a bit more clear how to kind of put books that are out of print back into print. Then we extended some protection periods to 70 years. It's kind of a technical adjustment that's not really necessary. Then we have take-down and stay-down rules for providers of contents by users so this means that if a user from a provider if a user uploads a file and a film distributor says this is our content take this down then the service provider has to provide means which is economically reasonable so that this content will never be available again. Which then specifically means we'll probably have to be dealt with by the courts. 
One of the court decisions of the federal law will be overwritten and before it was not available to request the data of a file sharer to then be able to prosecute them and that has now been changed and is now explicitly possible. We will see how these things develop. The premise for this revision was to adapt it to the internet age except they just didn't do that. There's no right to remix, there's no explicit fair use so anybody who makes memes or uploads memes can technically be fined up to 10,000 Swiss francs. Currently, the feedback, the massive feedbacks up to 100 pages each have been processed but the input from civil society mostly ignored. Well, there is one ray of hope. The network bans have been thrown out but the music industry will still demand them and they will find politicians, parliamentarians who will work on making them happen. Currently, this law will get into the commissions and interestingly, there are two different commissions in the States Council and in the National Council in charge of this. I don't know how often that happens, it just seems odd to me. So what do we try to do against it? Or at least what do we do so that it gets better if not stop it entirely? Of course we try to influence the commissions. We try to explain to politicians that the measures they try to take are not effective and we formed a working group which brings people from different parties together and tries to form them so that they can send people to others from their party so that they can argue hey, this actually goes against our own party line and try to influence them that way. We had a first meeting this month and later one is going to be at our own congress. We'll see when the others the next ones are.
On the telecommunications law, we talked about it last year a little bit. We're a little bit further ahead now. This again is about network bans in this case to suppress pornographic content. So far there was a bit of a codex that several providers adhere to. 
They set up DNS bans for certain websites which they were informed of by the Justice Department and now this should apply to all access providers. The number of banned DNS will be much bigger but we'll see how much bigger it is. They want to regulate the last mile of fiber. We wanted that to be separate of the medium but the big Swisscom provider is trying to have that the way they like. Roaming fees are going to be regulated. Probably we had a motion in the States Council two years ago but that didn't materialize because of course the market is in charge and of course we know from looking at the Swiss mobile provider landscape the market is not really regulating this. There is no fixed net neutrality, no explicit net neutrality. There is a codex that the providers have set up which has been accepted as the current state of things. It's been hyped in the media while we argued that it doesn't do anything and kind of goes in the exact opposite direction of the EU and Germany. People in Switzerland just don't really see it and they don't do anything against offers that include zero rating. We're trying to get our opinion heard in the commissions in the parliament that net neutrality should really clearly be a legal requirement. So this is the current state of the telecommunications law. The call for public opinion is completed. There was a discussion in the commissions. We were invited to discuss the law in the commissions and try to invite ourselves in some of the meetings and well the commission still has to vote on the individual articles and our input. There are still going to be more hearings in the commissions on the telecommunications act and probably in the spring session of the parliament and in the summer it's going to be in the big chamber of the parliament.
So let's go to the e-government strategy of the federal government. There are two big parts here. There's e-voting and electronic identification. We have to do something here. 
The Department of Justice quickly does things here but they don't do it really thoroughly. The politicians in Bern use these topics to kind of position themselves as ICT politicians. Well, but of course many of them don't really have a lot of technical background on these topics. So let's have a look at the electronic identity. So there should be multiple identity providers who can provide verified data such as name, birth date, address and with these addresses for example it can be used for debt collectors or uniquely identify a person for example when they want to open a bank account or something like that. So from the postal service to Swisscom and the train service they pushed through their variant together with the Justice Department. This builds on the Swiss ID. So private companies issue these electronic forms of identity. So does anyone here have a Swiss ID? Well, okay. So you can tell three people here so that's how well adopted the Swiss ID is. So the idea is that banks for example can use this form of identification and pay per identification times they need this data. So we have a lot of problems now. We think only a state-run institution can really do this form of electronic identification. The Swiss ID hasn't worked because the enrollment process was too complicated and the current form of electronic identity is not really planned with the customer in mind. I mean, I'm not going to open a new bank account just because I have an EID and I can do this now with an EID. But then having interactions with the government as a normal person such as filing a tax receipt is already possible without an electronic ID. I mean, I can't really understand who should be using this and it's probably going to be too expensive because the administrative overhead is huge for these probably like 10,000 of cards that are given out. So it's going to be discussed in the commissions next. 
There is a central concept from the Swiss data alliance and the thing I'm missing from that is the ability to do digital signatures and encryption. With that, I would see rather more of a spread for that.
On e-voting, just quickly. The systems of the first generation are dead. The system that the canton of Zurich used cannot be used any longer. Only the systems of the next generation are being used of the second generation. They cannot be used everywhere because the laws as a base are missing for the entire population of a canton to vote using these systems. Then there is a rather weird motion where one million Swiss francs shall be provided for hacking the e-voting system, which is of course utter bullshit because somebody who has the option to hack these systems will make a much larger profit than one million. That's of course very different from something like a... They'll make a lot of profit because they'll just hack the vote on a big project like a new Gotthard. And of course, even if nobody finds it, even if nobody collects the bug bounty, then it's not clear that the system is actually secure. You can't prove that. Our demands are still the same. It's the same as last year. That e-voting is verifiable by everybody who casts a vote, that their vote counts as they cast, and that's just not possible. Even I cannot verify these cryptographic protocols that are being used entirely. And even if I couldn't prove that the software system that I looked at is the one that is being used, and everyone who had to reset the computer of their sister or their parents knows how vulnerable these devices are. And they are supposed to be the clients for these voting systems, and well, that's just... That's not going to work. And now Martin is going to tell you something about the data protection law.
Thank you, Paki. So everybody wants to become digital and everybody wants to harvest this data bounty. 
And in Germany we have a Swiss privacy protection law when it was enacted in 1992, but of course the internet looked completely different. The services from the US that we now use every day didn't exist. And so in May 2018 the new EU data protection regulations are going to come into power. And in Switzerland we have to decide... The EU has to decide if the Swiss law is kind of compatible with the EU Privacy Protection Act. And we need this so that we can still exchange data with EU companies. So our first draft was a catastrophe, and now we have a second one, which is a bit better. That's now discussed in parliament. So this basic idea of... So you can process personal data unless it's prohibited. This is our basic idea. And in the EU it's the other way around, actually. So for example there you need explicit permission to process personal data. So if you look at this draft in Switzerland now, a lot of things that are there are missing. In the EU they have this marketplace principle, which means all data that is processed has to be processed under EU law. In Switzerland this is not part of the law. So for example if you're a Swiss person living in Switzerland, then Facebook doesn't have to apply Swiss privacy laws to your data. Then there's the explicit right to forgetting. I mean, we know this in practice in Switzerland, but it's not in the new draft of the law. Then there's... which we don't have in the Swiss law. We first want to see how the EU handles this. And then companies don't have to prove that they act according to law, only when there is a legal action they have to provide this. And in the EU companies can be fined up to 4% of their revenue, or 20 million euro, that's kind of targeted towards US services. This is not part in the Swiss law. But we have a few good things. So we have self-regulation of certain industries. That's good, so that industries can decide for themselves how they are compliant with the law. Then there are kind of... 
companies have to do risk management when data are stolen for high-risk things. And we have more sanctions and fines up to 250,000 francs, but not against companies, only against natural persons. And then the privacy officers get new competencies and can at some point even initiate legal action. Well, of course, if he has the resources to do this at all. So the big problem is we can't really enact this into practice. So of course self-regulation is good and certifications are good. But how will all these companies and the economy do this? What happens when something goes wrong? What can basically affected people do when something goes wrong? Or if I want to have data on me deleted then there's no legal remedy for this. So this is important for us. We have these, the following things that we want. So it should be possible to have sanctions against companies without criminal legal action. Want to be able to... Currently only individuals can be prosecuted when the company just basically finds a scapegoat and the company gets off scot-free. So we had this case of a bank cope recently where they did an investigation internally and then nobody really was at fault and they took an intern to take the fall there. And so basically she had to give her head. So nobody was sanctioned but she was just picked as a scapegoat in this case. Then of course these 250,000 francs fine are not high enough. They're lower than in the EU. We want to have them on the European level. Then there are no class action lawsuits in Switzerland. It would be nice if an organisation such as us, the Digital Society could file such class action lawsuits. Then in Switzerland we also have the issue that you as the affected person have to prove that your rights have been violated and it should be the other way around. And then also we don't want that you have to discuss which countries' laws apply for Swiss people. Swiss privacy should apply by default. 
There are hearings in the parliament, for example in the State Political Commission and in the beginning of the year the parliament will take up this notion and the data protection officers of the cantons say this is really bad draft, re-write it. And also from the economy think tanks there is a lot of pushback against this law. But probably Switzerland will just pass this law quickly because the European Union doesn't give us any problem.
So these were current topics that we are working on and we are here on the congress having more programme. Directly after the presentation we invite you to come over to the Rights and Freedom Assembly in Hall 3 and visit us, talk to us, we can discuss stuff about internet politics in Switzerland now and in the future. We also have our own place there and we invite you to visit us there and talk for example about the gambling laws or you can just or you can then inscribe to the newsletter quite old-fashioned pencil and paper or you can visit us on our very first winter congress 24th of February in Zurich. There were a few places left and you are very welcome there. Thanks a lot and we are now ready for questions.
You are very welcome. Thank you for the presentation. First of all, I would like to invite you to the microphone and the first question, if there is any, from the internet. Please line up at the microphones. There are many questions from the internet.
Okay, so I think the votes can now not really be done correctly or you can check this, so why is this different for e-voting?
I strongly disagree. I have done this for years and I helped out with the counting and yes, it's not perfect, but there are a lot of people. There are many small moving parts. You can if you want to watch and if you suspect an error you can restart, which happens from time to time and probably that a single person can manipulate an election or a vote is minuscule and you'd need too many people. 
Whereas with e-voting there would be a black box and you could do what everyone, but in the end almost nobody understands that it's a black box, you get a result and you can't verify it. And even then, what happens if I think, no, it was counted wrong, trust in the system is gone really soon, which you can provide very well with the current system. And of course there are improvements to be done, especially with voting by mail.
Thanks for the talk. I have a question about net neutrality. So the Americans are suffering here because they don't have a market as far as internet service providers are concerned. They only have one provider usually. The fiber networks are owned privately. In Europe this isn't usually the case. So I understand your argumentation a bit that you want a legal basis for net neutrality, but it's not very urgent, right? So, I mean, how should net neutrality look in the law according to you?
So the violations on the last mile, the zero rating already exists quite in a big way in cellular services from most providers. And even today I can't really choose a provider who does not at all try to do zero rating at all. And especially with zero rating, the problem is that it's from the point of view of the consumer it's actually a benefit because I have this data which is not being counted against my cap. And sort of through that sneakily you introduce a violation of net neutrality. And in the first moment it doesn't really hurt me and that's why there needs to be regulation to prevent this sneaky add-in of these limitations. And for example, zero rating for Netflix makes it almost impossible for a second provider to get into this market, because especially in Switzerland it's already a small market.
Is there another question from the internet? No, no further questions from the internet. Thank you very much to Kyrie, Pacqui and Martin from Switzerland. So thanks to Kyrie, Pacqui and Martin from Switzerland.