My government is surveilling all its citizens via ISPs. How do they do that?
15 points by rrandy on Jan 14, 2024 | 11 comments
I live in Switzerland and, a few days ago, a journalistic investigation uncovered the fact that the government's secret services are collecting, analyzing and storing "e-mails, chat messages, and search queries" of all Swiss people.

They basically forced all major ISPs to collaborate with them to do it. There are no details about what and how they do that, except that they tap directly into internet cables.

Also, the CEO of a minor ISP said that the Secret services contacted him asking for technical details about his infrastructure. The secret services also said to him that they might want to install some spying equipment in the ISP's server rooms. Here's a relevant passage (translated from German):

"Internet providers (...) must explain how some of their signals are decoupled (in German: ausgekoppelt). And they must answer the question of whether the data packets on their routers can be copied in real time. The Secret service bureau also wants to know how access to the data and computer centers is regulated and whether it can set up its tapping devices in the rooms where these are located, for which it requires server cabinets and electricity. 'The information about the network infrastructure is needed in order to determine the best possible tap point and thus route the right signals to the right place,' explains a Secret Services spokeswoman."

Soooo can you help me understand what's happening here? What device could that be, and what could it do? Decrypt https traffic? Could they "hack" certificates? How can Swiss people protect themselves?

Any hypothesis is welcome here. If you want to read the whole report, you can find it here (in German): https://www.republik.ch/2024/01/09/der-bund-ueberwacht-uns-alle



For some of the "how" explanation - you can configure mirror ports so all traffic going in and out of a single port (for instance, the main uplink port) is essentially copied and sent to another port. The secret service could plug their listener device into such a port, and it will gather all packets sent through that device. If you consider the ISP network as "local" it will need to leave the "local" network to access Internet resources. Basically, the secret service could be monitoring the device which represents the "edge" of the network, where traffic from any ISP customer leaves the network of the ISP and all traffic intended for ISP customers touches first.

As others mentioned, this is only gathering data in transit and if the data is encrypted it will not be readable (in theory).


Proton's response in another discussion about this:

>Proton analyzed this revelation and found it doesn't impact Proton users due to the way that Proton's encryption and infrastructure works. While the reported practices have long been legalized in the US and Germany, they are very likely illegal in Switzerland and are therefore subject to legal challenge. It would not be entirely surprising if this got overturned by the courts.

https://news.ycombinator.com/item?id=38939045

https://www.reddit.com/r/ProtonMail/comments/1930vnh/breakin...


Not a security expert, so take everything with a grain of salt.

Traffic between your browser and a website using HTTPS is encrypted. Large scale plain text sniffing could happen by enforcing government owned certificates like Kazakhstan[^1] does.

Another possibility is getting access to root certificates, issuing valid certificates for domains and redirecting traffic. This attack is expensive and I don't know if it's possible to perform at scale.

The ISP has connection records and metadata (how much time, how many connections, what time of day). That is enough to re-construct internet activity and extract valuable information (e.g. build a user profile).

DNS records can be protected by using DoH, and DNS records featuring DNSSEC can be used as counter-measures for DNS spoofing. DoH and DNSSEC play well together (e.g. dnscrypt + unbound).

Non-compliance with a country's laws will surely lead to some sort of punishment, but I'm pretty sure it's legal to use a VPN in Switzerland, so if you are worried about your privacy you can use a VPN service. Install the VPN client on your router. Just FYI, many governments, services (e.g. audio/video streaming services) and such block access to their service based on GeoIP.

ps. "Operation Rubicon"[^2] is a very interesting read and somewhat related.

[^1]: https://www.f5.com/labs/articles/threat-intelligence/kazakhs...

[^2]: https://en.wikipedia.org/wiki/Operation_Rubicon


Pretty sure some of these laws are illegal in regard to many constitutions anyway. So sometimes these laws exist because they were not challenged yet and as a means to scare people. Switzerland might be different, but another country should and would enact a law that would force the removal of any CA roots connected to Swiss government because those would then pose an extreme risk to security.


It's almost certainly a multi-layered approach.

While fiber splitters, DPI gear and compelled cooperation are all old news and have been employed at scale for decades now, those methods sound like what you're describing.

Compromising the larger web infra companies (read: DNS/CDN/DDoS protection) is one of the more interesting theories I've heard lately for bypassing TLS at scale:

https://news.ycombinator.com/item?id=38987074


> Decrypt https traffic?

HTTPS/TLS prevents MITM attacks, but rogue certificates can be installed to sniff the plaintext, but that's exceedingly rare and hard to do. IANAC (I am not a cryptographer) and that's the best 2 cents I can manage, sorry. But things like DNS can be sniffed off the wire easily, and anything in plaintext HTTP is fair game.


> but that's exceedingly rare and hard to do

It could be possible that the government just requests certificate keys from the relevant tech company.


There's an actual test you can run; there's a specific HTTP status code for it.

https://github.com/tg12/RUBC

https://en.wikipedia.org/wiki/HTTP_451


Today, a large part of Internet traffic is HTTPS. It would be extremely hard for the government to do large-scale HTTPS MITM without people noticing.


>Soooo can you help me understand what's happening here?

They can't decrypt proper https (proper meaning your computer does not have a fake CA cert installed that is owned by them, which in itself is HIGHLY unlikely). So your privacy is safe in this regard.

However, they can intercept traditional DNS queries, which are plaintext and not encrypted. And likewise, they can see the IP address destination in all TCP/UDP packets. The latter gives them the ability to filter for people who are potentially suspicious.

For example, if your computer is talking to a known Tor node, or a known VPN node, you can get flagged for additional investigation of things like finances, travel, etc.

Or for example, they can see that you are doing a lot of crypto transactions because of the network connections to networks, and then that can get flagged for a more thorough tax investigation.

>How can Swiss people protect themselves?

You really don't need to.

In general, there is nothing really to worry about if you aren't doing something against the law in the first place. You could make the argument that ignoring this is essentially handing your rights over to authorities who are going to use it to control you, but that argument has 2 big holes.

First, generally with government, there really isn't any government in existence that will do authoritarian stuff like mass spying without having other authoritarian structures in place to control its citizens. It's either a full-on 100% authoritarian regime (like North Korea), or it's not really mass spying for population control and more for things like terrorism, money laundering, or anything else that is illegal, and has legal processes in place to protect its citizens even from itself. This is the case for the USA and Switzerland. It wouldn't make sense for them to want to spy on all the citizens when there are significant barriers in place to them being able to just round up anyone they want based on any and all suspicions and throw them in jail without due process.

Secondly, in the sense of what is being collected, there really isn't an expectation of privacy here from even a functional view. From the ground up, packets get bounced around through different countries, so if your own country doesn't keep track of who you are talking to, some other country can. On a level higher, you depend on a lot of services for ease of life, and it's not really a valid argument to make to say that you trust those services with your data, but not the government. Sure, companies like Apple have less power over your life, but you have no idea who they are sharing that data with (and no, their own statements on it do not count).

If you truly want to be private on the web, you need to understand how the internet works from the ground up in the first place. For example, in my past job in cybersecurity, we built software that used linguistic steganography and internet forums for secure communication. Until you understand how that would work and why, you can't really expect to be private.
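The plaintext DNS queries and destination addresses this comment (and the mirror-port comment above) describe, as an added Python example that is not part of this thread: it parses two constructed packets the way a passive listener on a mirror port would, showing what stays readable when the payload is HTTPS. The packet bytes, the private and documentation-range addresses, and the name example.ch are all constructed for the example.

```python
import ipaddress
import struct

# Constructed sample packets (not captured from a real network; checksums left zero).
# 1) IPv4/UDP carrying a plaintext DNS A query for "example.ch" to port 53.
DNS_QUERY_PACKET = bytes.fromhex(
    "45 00 0038 0000 4000 40 11 0000 c0a80102 c0a80101"  # IPv4: 192.168.1.2 -> 192.168.1.1
    "c350 0035 0024 0000"                                # UDP: sport 50000, dport 53
    "abcd 0100 0001 0000 0000 0000"                      # DNS header, one question
    "07 6578616d706c65 02 6368 00 0001 0001"             # "example" "ch", type A, class IN
)
# 2) IPv4/TCP to port 443; the 8 payload bytes stand in for an encrypted TLS record.
HTTPS_PACKET = bytes.fromhex(
    "45 00 0030 0001 4000 40 06 0000 c0a80102 cb00710a"  # IPv4: 192.168.1.2 -> 203.0.113.10
    "c351 01bb 00000001 00000000 5018 ffff 0000 0000"    # TCP: dport 443, PSH+ACK
    "1603010004deadbe"                                   # opaque to the observer
)

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}

def parse_dns_qname(dns: bytes) -> str:
    """Read the question name that follows the 12-byte DNS header."""
    labels, pos = [], 12
    while dns[pos] != 0:
        length = dns[pos]
        if length & 0xC0:                     # compression pointer: not valid in a query name
            raise ValueError("compressed label in question section")
        labels.append(dns[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def observe(pkt: bytes) -> dict:
    """What a passive listener on a mirror port can read from one packet."""
    ip = parse_ipv4(pkt)
    seen = {"src": ip["src"], "dst": ip["dst"]}
    dport = struct.unpack("!H", ip["payload"][2:4])[0]  # same offset for UDP and TCP
    seen["dport"] = dport
    if ip["proto"] == 17 and dport == 53:     # UDP to port 53: the query name is plaintext
        seen["dns_query"] = parse_dns_qname(ip["payload"][8:])
    elif ip["proto"] == 6:                    # TCP: only endpoints and sizes are visible
        data_offset = (ip["payload"][12] >> 4) * 4
        seen["opaque_bytes"] = len(ip["payload"]) - data_offset
    return seen
```

Running `observe` over both packets shows the query name leaking from the DNS packet while the HTTPS packet yields only endpoints, port and a byte count, which is why the DoH suggestion earlier in the thread matters.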


> In general, there is nothing really to worry about if you aren't doing something against the law in the first place.

I think this is worrying that a state agency can make you that transparent. It won't help fighting crime for that matter. The Swiss government can be pretty criminal itself for that matter.

