Switzerland: Data Protection Officers Impose Broad Cloud Ban for Authorities
Key topics
Regulars are buzzing about Switzerland's data protection officers imposing a broad cloud ban on authorities, sparking a lively debate on the trade-offs between security, convenience, and privacy. Commenters riff on the encryption requirement, with some pointing out that it essentially nullifies the benefits of SaaS, while others highlight Proton, a Swiss company that offers end-to-end encryption without sacrificing features like search. The discussion reveals a nuanced understanding of the challenges, with some arguing that local providers may not be a panacea for privacy concerns, and others countering that they can be a more trustworthy alternative. As the debate unfolds, it becomes clear that there's no one-size-fits-all solution, and the conversation feels particularly relevant now as governments and organizations grapple with the complexities of cloud security.
Snapshot generated from the HN discussion
Discussion activity
- First comment: 4m after posting
- Peak period: 43 comments in 0-12h
- Average per period: 15
- Based on 45 loaded comments
Key moments
- Story posted: Nov 28, 2025 at 7:00 AM EST
- First comment: Nov 28, 2025 at 7:04 AM EST (4m after posting)
- Peak activity: 43 comments in 0-12h (hottest window of the conversation)
- Latest activity: Dec 3, 2025 at 11:23 AM EST
Which is fine for IaaS use cases - spin up VMs, encrypt your disks, manage your own keys. But for productivity software like M365? The Swiss government is basically saying "yeah you can use it but only in a way that makes it almost pointless."
The Cloud Act part is what really matters here though. US providers can be compelled to hand over data regardless of where it's physically stored, and they've been pretty clear they'll comply with US law over local data protection rules when push comes to shove. For a foreign government storing legally confidential citizen data, that's a real problem. I suspect this will get quietly ignored like the previous declarations, because the alternative is either building everything in-house or relying on local providers that frankly don't have the same feature set or reliability.
Proton has all of these features, despite being end-to-end encrypted. Search works well with their Mail and Calendar solutions, real-time collaboration is a core offering of their Document editor. It surely is harder to implement, but not impossible for many use cases.
https://www.swissinfo.ch/eng/ai-governance/proton-does-not-t...
> Click Enable to confirm. Your messages will then be downloaded from Proton Mail’s servers, decrypted, and indexed locally in an encrypted state.
They just download your emails into your browser and make them locally searchable.
I battled the same issue; in the end I have unencrypted data for full-text search. But none of these are sensitive. I was thinking that maybe with AES, which is just a XOR, you could do search if you have the key, as you just need to know how to XOR the search query and which phrases you can include. So instead of "hello" the XOR would yield "arpe5," and you just look for that in the DB. But this could only work with exact matches or prefixes; it would not allow Elasticsearch or anything complex like that.
There are obvious UX/performance issues, but it's an honest approach.
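Both the Proton approach quoted above (download, decrypt, index locally) and the "transform the query the same way you transformed the data" idea in the comment before it come down to one property: the search term must be mapped to a deterministic token that the server can match by equality without being able to read it. The usual construction for that is a keyed blind index, an HMAC over each normalised word, kept alongside the encrypted body. The Python below is an added example written for this page, not Proton's code or anything posted in the thread; the key, the sample documents and the `IndexServer`/`SearchClient` names are constructed for the demo. It shows the two limits a practitioner should expect: only exact-word matches work (no prefix or substring search), and a curious server still learns token frequencies because the tokens are deterministic.

```python
import hashlib
import hmac
import re
from collections import Counter

# Assumption: a per-tenant secret held only by the client (in practice from a KMS/HSM).
# This value is constructed for the demo and must not be reused anywhere.
CLIENT_KEY = b"constructed-demo-key-not-for-real-use"

_WORD_RE = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> set[str]:
    """Normalise text to a set of lower-case words so that search is case-insensitive."""
    return set(_WORD_RE.findall(text.lower()))


def blind_token(key: bytes, word: str) -> str:
    """Keyed, deterministic token for one word (HMAC-SHA256).

    Deterministic: the same word under the same key always yields the same token,
    which is what lets the server match a query by equality.
    Keyed: without the key the server cannot recover the word from the token.
    """
    return hmac.new(key, word.lower().encode("utf-8"), hashlib.sha256).hexdigest()


class IndexServer:
    """The untrusted side: stores only opaque tokens, never plaintext words or the key."""

    def __init__(self) -> None:
        self._index: dict[str, set[str]] = {}

    def store(self, doc_id: str, tokens: set[str]) -> None:
        self._index[doc_id] = set(tokens)

    def lookup(self, token: str) -> list[str]:
        # Exact equality on tokens is all the server can do: no prefix, substring or ranking.
        return sorted(d for d, toks in self._index.items() if token in toks)

    def token_frequencies(self) -> Counter:
        # What a curious server still learns: how often each token occurs across documents.
        # This frequency leakage is the price of deterministic tokens.
        return Counter(t for toks in self._index.values() for t in toks)


class SearchClient:
    """The trusted side: holds the key and builds tokens for both indexing and queries."""

    def __init__(self, key: bytes, server: IndexServer) -> None:
        self._key = key
        self._server = server

    def index_document(self, doc_id: str, text: str) -> None:
        self._server.store(doc_id, {blind_token(self._key, w) for w in tokenize(text)})

    def search(self, word: str) -> list[str]:
        return self._server.lookup(blind_token(self._key, word))


# Constructed sample documents; the encrypted bodies (not shown) would sit beside the index.
SAMPLE_DOCS = {
    "doc1": "Budget meeting moved to Monday",
    "doc2": "Please review the budget draft",
    "doc3": "Lunch on Monday?",
}


def build_demo() -> tuple[SearchClient, IndexServer]:
    """Index the constructed documents and return the client/server pair for querying."""
    server = IndexServer()
    client = SearchClient(CLIENT_KEY, server)
    for doc_id, text in SAMPLE_DOCS.items():
        client.index_document(doc_id, text)
    return client, server


if __name__ == "__main__":
    client, server = build_demo()
    print("budget ->", client.search("budget"))   # exact match works
    print("budg   ->", client.search("budg"))     # prefix search does not
    print("max token frequency visible to server:", max(server.token_frequencies().values()))
```

Two consequences are worth noting. A client holding a different key gets no results at all, so losing the key means losing search, which is exactly the key-management burden the thread is describing. And because the server can count how often each token appears, a high-frequency token can sometimes be matched to a common word by statistics alone; padding or per-document salting trades that leakage for even less search capability.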
Neither of these seem like a terrible outcome. Relying on local providers would be better for privacy and would help the local economy. It would also push them to implement the remaining feature set and work on reliability - though I must sincerely question the idea that local providers cannot reach the same level of reliability - particularly when you throw in global network problems that affect the largest cloud providers but don't always affect the smaller guys.
This is a massive leap. Switching to local providers can eliminate a lot of imaginary threats, but opens the door to a lot of real ones, since most service providers outside of the big clouds have extremely weak or non-existent countermeasures against insider threats.
> most service providers outside of the big clouds have extremely weak or non-existent countermeasures against insider threats.
Another claim that needs some citations, please.
Anyway, many of those concerns can be addressed by security regulations, hiring processes, etc - which, I would guess, is a pretty critical part of why the large-scale providers supposedly don't have such threats.
Also, this thread is talking about the effects of US companies having access to sensitive data that they're more than willing to hand over to the US government. In other words... there are 2 major insider threats at every US cloud provider, from the perspective of a foreign government: the company, and the US government. That's mostly what I was referring to with the privacy bit.
Good. It's high time to flip the status quo on its head - instead of data being something we ship to specific cloud services, for them to lock it away and charge for access, it should be code that should be a commodity, shipped to servers of our choosing and granted access to operate on our data without owning it.
Just like regular, old-school desktop software, back in the day before SaaS was a thing. The provider didn't get to "see plaintext", because the software was operating on your hardware and not communicating with the provider. And if it tried to communicate back to the "mothership", we'd rightfully call it spyware, tell people not to use it, and wonder if there's legal action that could be taken.
This is the typical way governments ban things:
they write the rules such that the thing they are explicitly targeting can't meet them (rather than explicitly banning something).
> relying on local providers that frankly don't have the same feature set or reliability.
what, as microsoft?
Realtime collaboration — assuming you use CRDTs — can be achieved with e2e encryption as well, with backend acting like a mere router of requests.
"Swiss Government Moves Back to Cloud After Discovering Cleaning Staff Had More Physical Access Than IT Security Team"
My hunch is telling me there could be a couple positions with decent money (by normal person standards) for little work in that direction. Wouldn't be the first time I've been wrong though.
https://en.wikipedia.org/wiki/CyberBunker#Documentary
There's still a lot of mischief you could pull off with a cleaning crew, but facilities maintenance beyond housekeeping has a lot more opportunities.
There is no need for the SBB (Swiss national railway) to use cloudflare or AWS when the same can be provided by a local provider that also has the ability to deal with large DDOS and cap off the outside when it comes down to the wire. It is more important for someone in Switzerland to be able to purchase a ticket than someone planning a trip from abroad.
Obviously without talking specifics it's hard to discuss, but I'd hate to be a Swiss who was traveling abroad and had to access a gov website deemed "not 24/7" in an emergency of some kind (planning travel for the next day on the railway, for example), or to finish something due to a government-imposed deadline.
Local providers can often be 2-3x to 10x+ more expensive than hyperscalers for the same feature set. If you're willing to compromise on features, you can get down to 2x, but with basically vendor lock-in and Swiss German support (!= German - which in Switzerland can fly if you're a medium-small company, but if you want to attract talent you'll also need English). I'm not sure there's any local provider capable of mitigating large-scale DDOS either.
Hyperscalers understood the need for local presence despite being located right across the border and in EU (Germany, Italy, France): Azure, AWS and Google all opened up locations in Switzerland in the past 3-4 years.
Basically every medium/big Swiss client I've worked for was or is still in the process of migrating away from local providers (even the big-S one) due to costs. Add to that that most companies use some form of AD and most were already using Outlook or the Office suite, so you can integrate everything at lower cost via Azure. If you are a big company with multiple locations all over the world, you need hyperscalers anyway to let the teams in Spain, the US or India work with familiar tools.
Considering how relevant SBB is to a functioning Switzerland, it really feels like they should be in control of their own infra.
https://www.lemonde.fr/en/international/article/2025/11/19/n...
Bush issued penalties for Brazilian judges that condemned corrupt ex-president Bolsonaro
USA also stole Russian assets (as did before with Cuba and Venezuela)
I disagree with your guess. This judge was making a statement about how it's wrong for Netanyahu to judge the people of Gaza by its political leadership. It wouldn't make sense then for the Swiss government to judge the people of America by its political leadership. Such a hypocrisy would make the opposite political statement.
I think it's most likely because of the recent AWS and Cloudflare outages having exposed the fragility of SaaS.
I don't see any reason to project anti American sentiment onto the article where there was none.
They started stealing user data, at first discreetly, then a bit more shamelessly and, these days, without even the slightest care.
Prior to that the risk of the US regime turning off its allies' IT systems was purely theoretical
National data protection agencies will now ban their companies from storing data in AWS, Azure or GCP (eagerly egged on by their local competitors)
> a de facto ban on the use of these services as comprehensive Software-as-a-Service (SaaS) solutions whenever particularly sensitive or legally confidential personal data is involved. For the most part, authorities will likely only be able to use applications like the widespread Microsoft 365 as online storage
Since when is Microsoft 365 the bastion of modern privacy?
At EPFL we observe a worrying trend of all services being moved to Microsoft (e-mail, cloud).
What happened to universities hosting elemental services themselves?
EPFL also partnered up recently with Omnissa Work Space One to strengthen security of IT on campus. Mandatory (American) software which EPFL IT office wants to install on machines...