Swiss government says give M365, and all SaaS, a miss as it lacks end-to-end encryption

Switzerland’s Conference of Data Protection Officers, Privatim, last week issued a resolution calling on Swiss public bodies to avoid using hyperscale clouds and SaaS services due to security concerns. “Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data …

  1. billdehaan

    End to end encryption is not enough

    “Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data”

    I sincerely hope that doesn't mean that if/when Microsoft does enable full end to end encryption in M365, that the Swiss government would then start using it for confidential government data.

    The fact that the Swiss government is talking about end-to-end encryption rather than zero trust is a bad sign.

    All end to end encryption does is prevent the data from being decrypted in transit. The SAAS recipient, in this case Microsoft, still has access to the unencrypted data.

    People aren't concerned about Windows Recall because they're worried about man in the middle attacks, they're worried that Microsoft will have access to their data. Even with end to end encryption, Microsoft could still access M365 data. There can be all sorts of legalities stopping them, and internal processes, but physically, Microsoft employees could access the M365 data.

    Unless they're committing to zero trust systems, I wouldn't trust any SAAS vendor. And I'd only trust them with zero trust because, by definition, zero trust assumes they can't be trusted.

    1. Anonymous Coward

      Re: End to end encryption is not enough

      Yeah, hopefully they learned something from the 1.3 million files stolen by the Play ransomware gang through Xplain AG, and the most notorious 3 million-strong toothbrush botnet that nonstop DDoS-ed the whole place last year ...

      1. Dinanziame Silver badge
        Meh

        Re: End to end encryption is not enough

        According to the article you linked, the toothbrush story was fake.

        1. Anonymous Coward

          Re: End to end encryption is not enough

          (I know, but couldn't resist in view of its deliciously absurd character. It was both fantastic, and Swiss ... memorable!)

    2. Anonymous Coward

      Re: End to end encryption is not enough

      Oh, there is much, much more, and it's Europe wide, not just in Switzerland. It'll be fun when that comes out..

      1. Pascal Monett Silver badge

        I am sincerely looking forward to this coming out.

        I remember when I was giving training courses on Windows 10 for the European Commission in Luxembourg, OneDrive was explicitly forbidden. It was not even accessible in that abomination called the Ribbon.

        I perfectly understand the decision: the European Commission had obviously no interest in posting internal documents on Microsoft servers hosted in the USA.

        I totally applaud Switzerland's decision, especially since the CEO of Microsoft France was incapable of honestly claiming that the US Government could not access data hosted by Microsoft on European servers.

        No European government body should use anything Microsoft, it's as simple as that. The transition is going to be painful, for sure, but it is necessary.

        1. Like a badger Silver badge

          I totally applaud Switzerland's decision,

          Hold your horses. This isn't a decision taken or ratified by the Swiss government, is it?

          AFAICS Privatim is an association of public sector ITsec officers, although I welcome any corrections from the better informed. If that's near enough correct, then they can pass any resolutions they want, but nothing happens until their employing body is in a situation where it can make the choice, and if the body then chooses to move away from (or not move to) cloud and SaaS.

          As we've seen elsewhere, it is notoriously difficult to wean most large organisations off Teams and Sharepoint, and even more challenging to prise any finance team out of the evil clutches of Excel.

          1. Evil Auditor Silver badge
            Thumb Up

            You are, unfortunately, mostly right. Privatim is the association of public sector privacy officers and their resolution doesn't mean any decision really. They do, however, have some influence in their respective jurisdiction. Let's hope they exert the power they have and that public administration follows... (Not holding my breath though.)

          2. Anonymous Coward

            I suspect the Swiss FDPIC is already looking at this.

            They may speak a bit slower in Bern, but they're not slow on the uptake there.

        2. billdehaan

          No European government body should use anything Microsoft, it's as simple as that.

          I'm not reflexively opposed to everything Microsoft automatically, but their telemetry, user tracking, and increasingly strongarm tactics forcing users to register an online account in order to use a supposedly offline operating system certainly disqualifies Windows from consideration for anything confidential or private.

          One of the issues that was raised in Canada recently was the issue of warrants. If the police want to look at your PC as part of an investigation, whether of you personally or of a person or institution you may have interacted with, they require a warrant. However, they can also make an informal request. Since it's just a request, it doesn't have to be recorded in the public record, whether it's agreed to or rejected.

          The thing is, that request doesn't have to be made of the PC owner. It does if they want access to the physical computer, but if all they want are files on the computer, then CSIS/RCMP/OPP/local police can call Microsoft, and informally ask if they have the files in question. Microsoft can, and by policy should, reject requests that aren't accompanied by warrants, but there's nothing stopping them from turning over your unencrypted online backups to the authorities if they ask.

          And even if they do say "come back with a warrant", obtaining a warrant for a third party, like Microsoft, is granted much easier than a warrant to search an individual premises.

          If the police serve a warrant to Microsoft to get your OneDrive backups, neither they, nor Microsoft, have any obligation to tell you about it.

          I've had non-technical friends be absolutely horrified to discover that confidential customer data from "their" PC was uploaded to OneDrive without their knowledge or consent, because they stored those files in "My Documents" folders, which Microsoft backed up to OneDrive without being asked. And once they're in the cloud, they're staying in the cloud.

          A lot of my friends are lawyers or doctors, they are bound by client and patient confidentiality laws. Microsoft isn't, however. And if you don't want discussions of your clients' medical histories to be online, you damned well don't want your government's nuclear launch codes to be one warrant away from showing up in a Twitter post.

          1. Ken Hagan Gold badge

            "A lot of my friends are lawyers or doctors, they are bound by client and patient confidentiality laws."

            This. Either Microsoft provide an obvious switch to prevent any and all automatic upload of data to their servers, or using Windows counts in court as negligence with respect to privileged client data. And if we go down the former route, it needs to work and it needs to stay on across updates.

            This stuff is important and TBH I see no evidence that either Microsoft or their customers are taking it seriously.

    3. dirigible

      Re: End to end encryption is not enough

      As usual, it depends on your exact definition, that of „end-to-end“ in this case.

      This definition has been muddled in the past, mostly by marketing concerns pushing a specific solution. That is even more the case for „zero trust“ which I posit to have lost any meaning whatsoever.

      I guess privatim’s idea is that the citizen is one end of the transaction, the other being the public office. Mind that privatim’s members are all lawyers, their technical lingo may not be fully up to snuff.

      (Actually paragraph 2 of the resolution („too little transparency“) would be a strike against any closed-source software, regardless of where it runs.)

      Finally, if Switzerland works somewhat like my country, the data protection offices are political lightweights. They may offer advice, words of warning, wagging of fingers … but if a few thousand Francs could perhaps, maybe be saved by moving to the cloud, this would trump any concern, every time.

    4. hoola Silver badge

      Re: End to end encryption is not enough

      The crucial part here is "End to end".

      If you have the appropriate access at one or other end you will always be able to read the content. If you could not then the entire thing is pointless.

      The wider issues surround the (mostly US) security services requesting access.

      All providers have slight variations on the same wording.

      https://www.microsoft.com/en-us/corporate-responsibility/reports/government-requests/customer-data

      Microsoft reviews every legal demand to ensure it is valid and complies with applicable laws. A subpoena or its local equivalent is required to request non-content data, and a warrant or its local equivalent is required for content data.

      Microsoft discloses customer data only when legally compelled to do so.

      Microsoft does not provide any government with direct or unfettered access to customer data.

      Microsoft does not provide any government with our encryption keys or the ability to break our encryption.

      https://aws.amazon.com/compliance/data-privacy-faq/

      We will not disclose customer content (see How does AWS classify customer information? below) unless we're required to do so to comply with the law or a valid and binding order of a government body. If a governmental body sends AWS a demand for your customer content, we will attempt to redirect the governmental body to request that data directly from you. If compelled to disclose your customer content to a government body, we will give you reasonable notice of the demand to allow you to seek a protective order or other appropriate remedy unless AWS is legally prohibited from doing so.

      https://www.oracle.com/cloud/sovereign-cloud/data-sovereignty/

      Read this if you have time and want to increase your blood pressure.

      I lost the will to live trying to find one for Google......

  2. Bebu sa Ware Silver badge
    Coat

    [Israel military] banned use of Android smartphones by top brass.

    I was imagining the brass carrying big button senior's "feature" phones. ;)

    But the Jerusalem Post makes it clear that they will be specially buggerized iPhones (definitely no added Semtex.)

  3. Anonymous Coward

    So that's Strava's "fix"?

    Well, that's a cheap fix. For the company, that is, not so much for its users who ought to leave in droves after this effort.

    The way Strava addresses its security problems is thus updating its Terms by saying "if anything leaks, you accept it's your problem". No effort is spent protecting the users, no further thinking on product improvements, no, it changes a text file on its webserver and in the app. Problem solved.

    Knowing the US, I suspect this money saving idea will spread like wildfire. I expect Musk to already be talking to his lawyers if they can do this too for Tesla, for instance. Shame he's fallen out with his orange buddy, but a few billion will no doubt fix that.

    IANAL, but I am not sure this will actually work everywhere. A bit of legalese may not absolve the company from legal obligations. Even with "permission" as it could be argued it's obtained under duress.

    1. Pascal Monett Silver badge
      Mushroom

      Re: So that's Strava's "fix"?

      On the other hand, what the fuck are Macron's bodyguards doing using an exercise app ?

      Can't they just time their run with their undoubtedly fancy and expensive watches, or is that too complicated for them ?

      Because if that is the case, the President needs to find better bodyguards.

      1. MiguelC Silver badge

        Re: So that's Strava's "fix"?

        And where do you think those expensive watches send their activity data to be stored and processed? If not Strava, then at least the maker's cloud...

        The problem doesn't seem to be using Strava per se, but publicly sharing those activities. So stop trying to show off, maybe?

        1. Anonymous Coward

          Re: So that's Strava's "fix"?

          If they're proper military they will be wearing mechanical watches. Can't have an op go wrong because a battery ran out.

      2. Doctor Syntax Silver badge

        Re: So that's Strava's "fix"?

        If the watch is fancy enough then it's the stopping sending data that's too complicated. It's also going to be too complicated buying a non-connected watch - not so much a complication of doing the actual buying as in working out that that's what they should be doing.

    2. Ken Hagan Gold badge

      Re: So that's Strava's "fix"?

      I don't see how Strava can possibly protect themselves against some Muppet disclosing their location data and still offer the service, just as WhatsApp can't defend against a different Muppet sending military secrets to random journalists.

      At some point, if you give people the ability to publish stuff, the responsibility for that stuff has to fall on the end-user. The provider's only option is the retrospective one of cancelling the user's account on the grounds of "Apparently you're too stupid to use this service.".

  4. This post has been deleted by its author

  5. Anonymous Coward

    You're conflating 2 separate security paradigms. End to end does include encryption at rest, i.e. disk/file encryption, as well as encryption in transit. Zero trust revolves around centring your security around users and resources, as opposed to perimeter defences utilised in traditional campus networks. You can still apply zero trust to SaaS and Cloud. In fact zero trust services like zscaler and Netskope are SaaS cloud offerings.

  6. spireite
    Mushroom

    Israel?

    Reducing the attack area on their secrets of what areas they will attack next.

  7. JimmyPage Silver badge
    FAIL

    It would still be Someone Else's Encryption

    Which is as good as having none, if you are really serious. Otherwise it's all posturing.

    Or, to put it another way (for the less bright).

    Whose E2E encryption would *you* trust ?

  8. J.G.Harston Silver badge

    So one government bans the use of systems without end-to-end encryption, while the UK partners up with the EU to try and ban the use of systems *with* end-to-end encryption.
