Trustless Computing Association

Swiss private banks, digital privacy and the need for legal access by the state.

Original Article: Behind a paywall in French (link, pdf).
An English translation via deepl.com follows:

The Crypto AG scandal has shown that the privacy of the Swiss banking center may have been at risk. Purely software-based IT security solutions cannot offer the same level of protection as hardware-based solutions, as an application can never be more secure than the device it runs on.

On November 25, a report on SRF's Rundschau program made public the fact that Omnisec AG, a major Swiss manufacturer of encryption systems, was also controlled or compromised by the U.S. and German secret services. We also learned how the confidentiality of the computer systems used by UBS, the world's largest asset manager, could have been affected. Rundschau is the same media outlet that co-led the reporting on Crypto AG and InfoGuard AG last February.

This is not news or a surprise to the experts. Yet, until today, few media articles have drawn any conclusions from the proven fact that some major Swiss banks were for decades customers of InfoGuard AG, until 2018 a sister company of Crypto AG. Most media outlets did not explore what this information meant for the confidentiality of the Swiss banking center. In fact, little information was publicly available about the nature and scope of these business relationships.

While the banks may have been unaware of this type of foreign espionage, they indirectly benefited from an invaluable and unparalleled KYC (Know Your Customer) service, allowing them to avoid engaging with the most dangerous criminals or rogue states. This was ultimately beneficial for the banks, for Switzerland and for world peace and security.

Less effective software solutions

Two years ago, Omnisec AG was shut down, while ownership of InfoGuard AG was formally transferred to some of the company's long-time executives. Since these changes, some of these banks appear to continue to use InfoGuard AG for their most sensitive communications - and it remains to be seen whether the influence of foreign nations has been maintained - while others have partially or fully switched to other solutions based on homegrown or Swiss-made ultra-secure messaging applications, such as Threema, running on consumer mobile devices secured by advanced anti-malware systems.

These purely software-based solutions cannot offer the same level of protection as hardware-based solutions, as an application can never be more secure than the device it runs on. This leaves these solutions vulnerable not only to powerful nations - allied or not - but also and especially to advanced criminal organizations and less powerful nations.

It is estimated that a large majority of privacy breaches remain undiscovered (because the longer the espionage goes undetected, the more valuable it is to the attacker) or unreported (because neither the victim nor the attacker has any interest in making it known). Nevertheless, the limits of these new software approaches came to public attention in the recent internal spying scandal at Credit Suisse. This scandal has caused considerable and irreversible damage to the image of the company.

Deep democratic control

Paradoxically, these software solutions sometimes prevent law enforcement from accessing evidence because of strong encryption, even though that same evidence may already have been acquired by criminals through malware running on the device while in use, with serious risks of blackmail or worse.

This less-than-ideal situation offers these banks the opportunity to explore new avenues to achieve greater privacy in internal and customer communications, while allowing for legitimate international law enforcement. This alternative could be based on thorough democratic oversight and transparency applied to both the IT systems and the mechanisms used to enable legitimate lawful access.

With this alternative, Swiss private banks can not only better protect their own privacy and that of their clients, while ensuring legitimate international lawful access, but can also become their clients' digital trust providers: deepening the trust relationship, increasing client comfort, offering additional services and improving their public relations in times of global crisis.