The Swiss electronic identity
Switzerland is a federation of the Confederation, cantons and municipalities. Federated systems correspond to the character of Switzerland. The federal law on electronic identity should take into account the interests of the cantons and municipalities and treat them equally. In this article, expert Hubert Rötzer contrasts the federalist approach with the centralist model preferred today. Anyone who travels knows the fear of having forgotten their passport at home. In the real world, you can move around unmolested for a while, but sooner or later you get into a situation where you have to prove your identity. The right to identity is a fundamental human right. Issuing an identity to its citizens is the sovereign task of every state. Digitalisation means that most people also roam digital worlds. As soon as they use digital services, make purchases or become active on social platforms, a digital identity is necessary. In the simplest case, it is sufficient to give one’s name and check one’s email address. In more complicated cases, you have to show up or deposit a certified photocopy of your passport or identity card. In the future, the state would also like to shift government services to citizens into the digital world. But e-government does not work without an electronic identity (E-ID). At first glance, it seems reasonable that there would have to be a singular nationwide E-ID issued by a federal authority. In autumn 2019, the Federal Electronic Identity Act was passed by parliament. Immediately, resistance was formed from various sides. A referendum against the E-ID law has come about. It is expected that citizens will be able to vote in the second half of this year. Apart from the fundamental rejection of an E-ID, the responsibility for issuing the E-ID is one of the main reasons for the referendum. Politicians came to the conclusion that in view of technical progress and the speed of technological development, a state solution could not keep up. Therefore, partnerships with private companies should be sought for the technical implementation. This would also be conducive to competition for the best technology. The framework conditions would be regulated by the state. The implementation of the issuing of the E-ID should be carried out by private identity service providers in compliance with state requirements. In designing the E-ID solution, the legislator assumes a purely centralised approach. The Confederation, which already has a certain set of a person’s data, would deliver it to certified private identity providers. This approach prejudices an IT architecture that collects the data at a central location and passes it on from there, i.e. a classic register application. Such information systems are familiar to computer scientists and are technically feasible. However, the question arises whether a central instance that hierarchically controls and steers the entire system is necessary at all. It would also be conceivable to set up a self-organising distributed system. Self-organising systems work by setting standards and providing a minimal infrastructure. Other performance-providing systems can then integrate dynamically into this infrastructure. Such a construct would be flexibly configurable and would fit very well with Switzerland’s state-agency structure. A thought experiment may be permitted here. Let us assume that the identity card is also provided with the cantonal coat of arms. Each canton has a body that manages the identities of its inhabitants and issues the identity cards. The basis for this is the population register. The citizen registers in the municipality of residence, is recorded in the residents’ register and reaches the canton via the municipal data. The passport office is cantonal. Data management is federalist, working from the bottom up. Cantons are already identity service providers and would also be suitable as identity providers for the E-ID. If one imagines that the identity card could certainly also transport the electronic identity, then such an idea seems obvious. Compared to the construct with a central register, however, such a distributed system is more complex. There are significantly more actors involved, and often in a dynamic configuration. There are several identity providers operating with different technical systems. Identities would have to be federated across system and organisational boundaries. Furthermore, an intermediary is needed to coordinate the processes (identification, authentication, authorisation) between the identity bearer, the identity provider and the service provider. In short, a construct is needed for the intermediary-based federation of electronic identities. True to the principle “structure follows process”, the IAM business architecture must first be designed. Standards for the technical components involved are derived from this, and the rules of the game for the participants are determined. Designing the overall system is more of an organisational challenge than a technical one. The advantage of such a system is that it can be flexibly adapted to the social situation. You thus get an e-ID infrastructure that adapts to the conditions in Switzerland, an intermediary-based federated electronic identity. The eCH-0107 standard describes the design principles for identity and access management (IAM). In eCH-0219 “IAM Glossary”, the terms are defined and explained. Other standards describe the technical implementation, as well as quality and maturity models. Such a standardised business architecture is optimal for the successful implementation of the e-ID, because it corresponds to Switzerland’s federal political system.