Swiss government submits criminal complaint over CIA Crypto spying scandal

US and German intelligence deliberately implemented backdoors in Crypto AG systems to eavesdrop on governments worldwide.
Written by Charlie Osborne, Contributing Writer

The Swiss government has filed a criminal complaint relating to the alleged practices of US and German intelligence agencies in spying on other governments over the course of decades. 

The complaint in question is centered around Operation Rubicon, the focus of a recent investigation by the Washington Post, ZDF, and SRF into Swiss company Crypto AG. 

Crypto AG is a seller of encoded and encrypted devices deemed suitable -- and secure enough -- for confidential government communications. It is estimated that over 100 governments worldwide have been counted as Crypto AG clients over the course of decades. 

See also: Cybersecurity 101: Protect your privacy from hackers, spies, and the government

Rumors concerning the CIA and its German counterpart BND being able to crack these devices have been around for some time, and now the recent inquiry -- which reveals that Crypto AG was owned by these authorities until recently -- claims that the agencies deliberately introduced backdoors and weaknesses in products sold by Crypto AG to intercept and eavesdrop on users. 

The report says that governments were paying "good money to the US and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries," which further suggests that communication records may have been shared between Five Eyes members -- being the US, UK, Canada, Australia, and New Zealand.

Codenamed Operation Rubicon, this covert practice has shaken Switzerland due to its long-term standing as a neutral country in political matters, a reputation which has jealously defended for years. 

Crypto AG split into two companies in 2018; CyOne AG which serves the local Swiss market and Crypto International AG. After the investigation was published, the Swiss Ministry of Economic Affairs prohibited exports of Crypto AG products. CyOne AG maintains it is independent of its international counterpart. 

CNET: Four steps you should take to secure your Gmail account right now

The government has also appointed Niklaus Oberholzer, a former supreme court judge, to investigate the matter, as noted by The Guardian. Oberholzer's report is expected in June. 

The Swiss attorney general's office said on Sunday that the criminal complaint -- currently recorded under "persons unknown" -- has been formally filed by the State Secretariat for Economic Affairs (SECO). 

As reported by Reuters, the attorney general's office will review the complaint and will ultimately decide whether or not to open a criminal investigation. It is possible that an investigation could be focused on finding out who in the country knew about the surveillance practices, in effect to mitigate the damage caused to Switzerland's neutral position. 

TechRepublic: Infosys CISO: Being good at technology is no longer enough

Local publication SonntagsZeitung reports that the complaint refers to the Swiss Goods Control Act, legislation designed to control product sales in both civilian and military capacities. 

Those who fall foul of the act, such as by providing false or incomplete information on petition for a sales license, could face a decade behind bars and fines of up to five million Swiss francs. 

SECO was potentially hoodwinked and misled into permitting the sale of Crypto AG goods, the complaint says, and would not have granted a license if the authority knew of the surveillance scheme. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards