The Swiss eID law has flaws, but is another version worth the wait?
The eID is billed as a long-overdue key to the digital world, a single access point for services provided by a range of public and private-sector organisations. But the model proposed by Switzerland – being put to a nationwide referendum in March – is far from watertight.
On the Web, each of us has many “identities”, or logins, which we use to access e-commerce sites, e-mail services or social media, to name but a few. But no law protects or verifies these credentials. Supporters of the eID technology say a controlled and regulated digital identity would bring some order and increased security to the chaos on the Web.
“The electronic digital identity is fundamental for all practical issues and for interactions between the population and governments,” says Jean-Henry Morin, professor of information systems at the University of Geneva. Online tax payments or e-health, for example, could be accessed with an eID.
He and many other digitisation experts in Switzerland and Europe consider its implementation a priority and believe that eID will greatly help the digitisation of public administration.
The European Union leads the way in this field. In 2014, it adopted the eIDAS regulation on electronic identification and trust services, with the aim of strengthening user trust, security and coordination among online services. Today, nearly every European country offers some form of digital identity solution.
In Switzerland, on the other hand, there is still no certified and state-controlled eID. Attempts by the SwissSign Group, which launched SuisseID in 2010, ended in a flop. But the group, a public-private venture that includes companies like the Swiss Post, the Federal Railways and the country’s largest banks and insurers, still aims to be able to provide an officially certified eID for Switzerland.
The new Law on Electronic Identification Services of 2018 (e-ID Act), which is up for a national referendum on March 7, effectively puts the task of issuing electronic identities in the hands of private companies, designating them as so-called identity providers (IdPs).
A committee of civil society groups has challenged this private-sector management and is opposed to an eID that is not issued by the state. If the referendum’s challenge to the eID law fails, companies such as SwissSign will have the golden opportunity they were looking for: an official mandate from the federal authority to run the entire country’s eID system and manage people’s personal data, with the state acting as a mere data provider.
Does opportunity only knock once?
Some think Switzerland would miss an opportunity if it rejected this law, which is a first step towards regulating digital services.
Matthias Stürmer, head of the Research Center for Digital Sustainability and lecturer at the University of Bern, points out that Google and Facebook also aspire to act as informal identity providers, and in part already do, by providing a login that we use to access many other websites.
“But without rules, they can do whatever they want with our identities using the meta data for advertisements and other commercial services,” Stürmer says. He believes it is essential for industry to accept and support an eID project because its value-added to the end user comes through the services the economy decides to provide.
Gian-Reto Grond, head of the digital health section at the Federal Office of Public Health, also believes that the new law will bring significant improvements. In the area of e-health, it would allow access to a patient’s digital file via an eID that is controlled and approved by the government.
“In the case of medical data, the level of security required is very high. That’s why it’s essential to have an eID that is verified and protected by law,” says Grond, who thinks this law could open up a new ecosystem of medical functionalities beyond the electronic patient record, such as mobile applications. (Switzerland lags behind many other countries in the area of digitised health data, as we’ve previously written).
Researcher Kevin Andermatt of Zurich’s University of Applied Sciences, who was involved in the evaluation of the eID system implemented in the Swiss canton of Schaffhausen, points out that hardly any government has the IT capacity and the resources to develop an eID on its own in the appropriate time and quality. That is why governments usually develop the technology together with private companies or buy the end product through public procurement.
According to the researcher, public-private collaboration is generally very promising. “Private companies have the specific know-how, the state-of-the-art technology required and are closer to the market and customers,” he argues. However, in this very trust-sensitive case, Andermatt thinks it’s likely that Switzerland would have spared itself a referendum if the government had also put a fully state-run eID solution on the table.
“Now, if the law is rejected at the ballot box, we will have to wait many years before we have another solution,” he says.
eID at all costs?
Despite the gap between Switzerland and other European countries when it comes to electronic identification, IT science expert Morin is convinced that the country should not make up for lost time by developing a hasty solution at any cost. Morin is one of the staunch opponents of the eID law passed by the Swiss parliament, and he hopes the referendum will sink it.
“eID should remain in public hands and not be managed by an obscure consortium of private companies such as banks and insurance companies, which would reduce identity to a business matter,” he says. “Better to wait and engage in something responsible and sustainable that can win people’s trust.”
According to Morin, it’s not too late to catch up and take a cue from leading European examples, such as Estonia, which has implemented a fully publicly run eID that is considered state-of-the-art and secure. The Swiss eID law, he says, is already outdated and lacks security. For example, the law stipulates that user data must be stored on the providers’ servers for six months. Although data misuse is prohibited, this retention window means that, at any given moment, half a year of usage records sits on the providers’ servers: the system is less focused on user privacy and more exposed to data manipulation, leaks and cyber-attacks, since any breach in that period yields every record retained within it.
“This law is not advanced in terms of data protection principles, technology and even interoperability with other countries,” Morin says. “If it passes, Switzerland will be even more backward than before.” He thinks it would be better to scrap it and get a group of brilliant scientists and sociologists, with which Switzerland is teeming, to come up with a truly innovative and forward-looking system that focuses on people and the protection of privacy.
A system full of holes
The “people’s” hackers of the Chaos Computer Club Switzerland (CCC-CH), who work in the service of civil society, also warn that the eID system proposed in the current law is vulnerable.
“We don’t like this law. It is bad from the point of view of the architecture of the system, which is centralised and therefore very exposed to cyber-attacks. We see more security and privacy risks than benefits,” says Hernâni Marques, a sociologist and neuroinformatics specialist who is a board member of the CCC-CH. In a centralised architecture with a single login, attacks are also centralised: a single successful attack on the provider could compromise or block the entire system, and with it every service that relies on that login, according to Marques. This exposes users to a greater danger of data loss, breach or theft.
Pragmatism as a solution?
Why has Switzerland opted for this system if it has security and privacy flaws? Florian Forster, CEO of the IT and cloud services company CAOS, thinks that lobbying by identity providers has borne fruit and influenced the adoption of a solution that can be easily integrated with any service on the internet by using established but less privacy-friendly protocols. The lack of real digital expertise in parliament when drafting the law did not help, nor did the absence of an open discussion with established specialists in the field, says Forster.
“The solution proposed by the Swiss government may not be perfect, but it is a pragmatic, strongly regulated public-private-partnership approach that will work,” argues Stürmer of the University of Bern.
Despite its shortcomings, he and other supporters of the law claim that Switzerland can’t afford to wait for the perfect solution. The Web is only becoming more complex and vulnerable, they say, and the time to act is now.
“We are in a race and we don’t have time to wait another two or three years for a new law,” Stürmer says. “The authentication market is too competitive and the Swiss eID is better than the identification platforms by the big tech companies because it prevents the use of meta data for commercial purposes.”
More: SWI swissinfo.ch certified by the Journalism Trust Initiative