Controversial alternative to the password jungle
The Federal Council and parliament want to introduce an electronic identity (e-ID) scheme that would make it easier and more secure for us to use online services. But the plan is controversial. It will be put to the people on 7 March.
You can have six, sometimes eight characters, sometimes more. A jumble of letters and numbers. If you spend a lot of time on the internet, you will doubtless have to enter countless passwords, not to mention other login data like your name, email address or customer number. It’s the same rigmarole for anyone who wants to pay online, although security procedures often vary depending on the website.
In 2019, parliament approved new legislation aimed at “clearing the password jungle” and setting out clear rules. The Federal Act on Electronic Identification Services (E-ID Act), which will be put to voters on 7 March 2021, establishes the basis for electronic IDs. “We want to regulate the way people log in,” said Federal Councillor Karin Keller-Sutter in parliament, adding that people who use online services must be confident that statutory parameters are protecting them. What it certainly is not is a digital passport.
A way to conduct e-voting
E-ID is designed to make it easier and more secure to carry out online transactions and use e-government applications, preventing confusion and offering protection against hacker attacks. It incorporates three security levels. The highest of these, facial recognition, would be used for sharing particularly sensitive data, e.g. health information or in relation to online tax statements or online voting. Indeed, e-voting could become fully digital through e-ID. In other words, all official voting papers and access data would be available online. Authorities would no longer have to send PINs by post, as was the case during the previous, now-aborted e-voting scheme. E-voting providers as well as voters would, in any event, be free to choose whether to make use of this government-approved identity scheme.
Implementation of the scheme would see the public and private sector work together. The government would check and register people’s identity and identifying characteristics. Private companies would issue e-IDs, as would cantonal and municipal authorities. Identity providers (IdP) would be responsible for cards, USB sticks and e-ID applications. An independent panel of experts, the Federal E-ID Committee (Eidcom), would approve and monitor IdPs.
Better solutions from the private sector?
By allocating responsibilities in this way, the Federal Council and a majority in parliament hope to ensure that e-services are workable and consumer-friendly. They argue that the private sector has greater customer proximity and can respond more flexibly to advances in technology. Karin Keller-Sutter: “Experiences in other countries show that exclusively government-driven solutions are less effective and successful, because the private sector chooses not to use them.”
This form of cooperation is not without its critics. It is the reason why Digital Society Switzerland, the campaign group Campax, the signature-gathering platform WeCollect, and civil society organisation PublicBeta have forced a referendum. They say that the government is failing in one of its key responsibilities and “bowing to the interests of the private sector”. Big banks, insurers, and firms with government links would be “acting like a passport office”. The initiators of the referendum believe that granting the private sector access to sensitive data is risky. In their opinion, companies primarily look out for their own interests and cannot be trusted. The government would have relatively little power to control them. Opponents of the new legislation also have doubts as to how voluntary the scheme would be. They fear that online services could pressure people into using e-ID. The SP and the Greens have already represented this view in parliament. It is a view which is shared by the Pirate Party, Switzerland’s public-sector trade union VPOD/SSP, senior citizens’ organisations, and other bodies.
Switzerland’s top data-protection official supports the E-ID Act
Supporters of the new legislation dismiss these security concerns, insisting that the government will not lose control of the people’s data. They say that the E-ID Act goes above and beyond current provisions. For example, personal information cannot be used for other purposes or forwarded without prior consent. Selling such information would be against the law.
The Federal Data Protection and Information Commissioner, Adrian Lobsiger, believes that the E-ID Act offers benefits with regard to data protection compliance. He explains that the E-ID Act would make things simpler, because banks, companies and authorities would no longer have to develop their own secure login systems. “It would lead to uniform statutory standards being applied to technical security and data protection,” he says. Lobsiger says that the good thing about what is being proposed is that the private sector would be funding and operating the e-ID scheme but the government would be setting the rules. If voters rejected it, Switzerland might have no other option but to recognise e-IDs offered exclusively by the private sector – also including providers unable to ensure the same type of data protection, e.g. Apple and Google. Lobsiger mentions that some cantonal authorities are already collaborating with SwissSign. These authorities use the company’s SwissID digital key to provide access to online government services.
SwissSign Group is part of a joint venture involving Swiss Post, SBB, Swisscom, Six and a number of major banks and insurance companies. It would be keen on issuing its own e-ID – but sceptics such as Anita Fetz (SP/Basel-Stadt) are critical. In a parliamentary debate, the former member of the Council of States said that a private monopoly is the last thing that Switzerland needs. Justice Minister Karin Keller-Sutter dismissed these comments as “illogical”. “If that is a monopoly, what would you call the government?” A number of providers from the private sector competing to develop their own applications is exactly what we want, she said.
E-ID is a cornerstone of the digital transformation, say supporters of the E-ID Act. Switzerland cannot afford to miss the digital boat and not make up ground on other countries. Switzerland is indeed lagging behind comparable countries in e-government. It risks falling even further behind, warn experts. This is Switzerland’s very last chance to keep control of its citizens’ identification data, declared Ruedi Noser (FDP/Zurich) in the smaller chamber, adding that any delay would play into the hands of Apple, Google, Facebook and Amazon.
On 10 July 2020, the Council of the Swiss Abroad (CSA), referred to as the “Parliament of the Fifth Switzerland”, decided to back the new legislation and vote yes in the referendum. However, with 37 to 26 in favour (and 18 abstentions), the decision was far from unanimous.
How much money would E-ID cost the government?
Implementing e-ID would involve a one-off outlay of 7.9 million francs. This money would fund development of the system as well as the establishment of a federal service in charge of transmitting identity and verification information. According to the Federal Office of Justice (FOJ), operating the system is likely to cost around 3.5 million francs a year. However, this would be covered by administrative fees and would therefore have no effect on the government’s balance sheet.