Switzerland is updating its telecommunications surveillance ordinance (VÜPF) to drastically expand state powers over VPNs and encrypted services.

According to analysis by encrypted email provider Tuta Mail, the draft would:

Force Swiss email and VPN providers with ~5,000+ users to log IP addresses for 6 months

Mandate user identification (ID/driver's license/phone number), effectively ending anonymous accounts

Require providers to "remove encryption provided by them or on their behalf" so data can be handed over in plain text (end-to-end encrypted messages are exempt, but VPN tunnels are not)

Proton told Swiss newspaper Der Bund this makes Swiss surveillance "stricter than the USA and the EU" and has already begun moving infrastructure out of Switzerland due to legal uncertainty. Other Swiss VPNs (PrivadoVPN, etc.) face the same conflict between "no-logs" promises and mandatory logging obligations.

The article breaks down what this means for VPN threat models, why "Swiss jurisdiction" as a privacy selling point is now in question, how the 5,000-user threshold and ID requirements reshape risk profiles, and what options Swiss providers have: relocate infrastructure, re-architect services, or accept logging obligations.

Questions for discussion:

If this passes unchanged, does "Swiss privacy" retain any meaning?

Has the EU become a better jurisdiction than Switzerland for privacy services, given CJEU precedent striking down mass data retention?

When choosing a VPN, how much do you weight jurisdiction vs. audits/open-source/protocol design?