Quad9, the privacy-focused domain resolver, announced Wednesday it would move its offices to Zurich, Switzerland to subject itself to stricter privacy laws.
The Switzerland move will place the company under a European Union-like privacy regime. Though Switzerland is not part of the EU, it has adopted the provisions of the General Data Protection Regulation with one major difference: the Swiss privacy law applies to all global users of a Swiss-based service, not just those in the region.
So why would a company choose to relocate to a country with more stringent standards?
"We've always said that we don't collect any personal information – that's always been a promise from us. The problem is that a lot of people don't necessarily believe promises, because promises can easily be broken," said John Todd, executive director of Quad9.
"We wanted to put ourselves in a position where people didn't simply have to believe us on our word; they actually could believe us based in some statements of law."
Quad9 is a non-profit offering a free recursive DNS service that does not log user data. It offers additional privacy and security features, including screening for malicious domains and encryption. Other alternatives in the same space include Cloudflare's 1.1.1.1 and Google Public DNS.
The company received a finding of law from the Swiss government that it will not be treated as a telecommunications provider, exempting it from laws that would mandate data collection.
The move is being facilitated by SWITCH, a Swiss center of excellence in cybersecurity.
Todd believes that users, particularly those outside the U.S., are wary of U.S. surveillance and accept GDPR as a global "gold standard" of privacy protections.
"All the big resolver operators of significance are based in the United States, and furthermore, they're based in California. We're setting ourselves apart by saying, 'now there are two options in the world: the Northern California, United States option, and the GDPR Swiss option.' I know what option most people who aren't in the United States would take," said Todd.
"I'm also going to suggest that I know what most people in the United States would take if they're looking for a truly private solution," he added.
In that sense, the move by Quad9 is actually quite shrewd, providing a proof point to customers that other companies can't offer. Indeed, Quad9 has considered moving to the EU to add a legal imperative to its privacy promises since before its launch in 2017. They chose to stay in the United States then for convenience – it was where the founding organizations were based.
The location of its operations will not change. Quad9 uses a global development force, who will continue to share work remotely. Quad9 now offers 155 resolver clusters in more than 90 countries. Last year, it claims to have blocked 20 billion malicious events.
Todd believes that a Switzerland move could benefit commercial operators as well as non-profits like Quad9.
"If they have customers that are interested in privacy, moving into a GDPR framework allows people to believe that their promises are backed by law and not just contracts," he said. "It is our hope that what we are doing with Quad9 will give an incentive to commercial organizations to try to follow in the same path."
That said, other companies in the privacy community argue that building trust is more complicated than hopping a plane to Geneva. A representative of a Swiss company that develops privacy-oriented products said that their privacy engineering, not their location, was their key attractor: "You have to convince through truly secure and privacy-friendly products, not through the company's location."
That company does, however, advertise its location as a product feature in marketing material.
Amy de La Lama, head of the data privacy and cybersecurity practice at the law firm Bryan Cave Leighton Paisner, said that for many companies, uprooting a firm to take advantage of privacy laws without careful deliberation may not have the desired effect.
"Privacy laws at a location are certainly something that companies should factor in, but I wouldn't normally advise companies to make a decision solely based on" those standards, whether they be stricter to drive customer trust or more lenient to allow some degree of flexibility.
"You're still often going to be subject to other privacy rules," she said.
GDPR, for example, extends to European users anywhere on the globe. Moving to a more lenient locale, she said, won't shed that protection. Vice versa, moving to a stricter privacy regime takes work, said de La Lama. If not planned properly, a company could find itself regulated by both the old and new country, with laws that may not necessarily be compatible.
Quad9 says that work is worth it.
"If you're in the United States, promises about privacy are only as good as the paper they're written on," Todd said. "You can change your mind. We wanted to put ourselves into a position where people didn't simply have to believe us on our word."