There is a need for usable and trustworthy electronic identification. It is a pillar of digital democracy and will also be used for the exercise of popular rights. Accordingly, we need a digital extension of ID, passport and alien registration card, not an e-commerce ID. Like the issuing of the already existing ID documents, this public task must therefore also be carried out by the state. The right to privacy must also be strengthened and not undermined. The law that was passed does not fulfil this. That is why the referendum against it was taken.
Why an E-ID?
The inhabitants of Switzerland should be given an electronic identity. E-government solutions in particular would benefit from this, because until now there has been no simple way for municipalities and cantons to authenticate people on their online portals. An e-ID would also make it possible to conclude contracts for which identification is mandatory. Examples of this are the opening of a bank account or the conclusion of a mobile phone contract. Thus, a state E-ID must also be usable on corresponding private online portals. In most cases, however, neither ID nor signature are required by law in order to use a service or conclude a contract. This must also remain the case online. Even if the E-ID is currently not an internationally recognised travel document, it assumes the same function on the Internet as an official identity document does when collecting registered letters or an extract from the debt collection register. The E-ID is the electronic equivalent of the identity card and must first and foremost be secure and trustworthy. In addition, every person in Switzerland should have a right to it.
The E-ID law
The federal government ‘s plans are different, however: the state E-ID is to be issued by private companies. The passport office would not be responsible for the application procedure. Instead, it would be possible to choose between different commercial providers. Furthermore, there would be different security levels. Not all providers would have to offer all security levels. The middle level would require two-factor authentication. The highest level must be based on a biometric feature. Typically, this would be a fingerprint on the smartphone. Those who do not have or do not want to use a suitable device risk being excluded. Nor does the adopted E-ID law provide for an electronic signature.
Issuer of the E-ID
Although the law provides for a market for E-ID issuers, a monopoly by SwissSign is emerging. SwissSign is a joint venture consisting of 20 Swiss corporations that do not want to leave the big business to Facebook, Google and other tech giants and will have the power to successfully defend the E-ID monopoly. SwissSign already offers a central login for various services, such as for the media/tracking alliance. In this way, the boundaries between official ID control and a simple login process are blurred. Although the E-ID is supposed to be free of charge for individuals, SwissSign is paid by the platforms per login process. A lively use of the E-ID would therefore be in SwissSign’s interest. Identification is likely to become necessary for more and more services and tracking on the internet more and more seamless. This simplifies the linking with profile information obtained elsewhere to form an increasingly sharp personality profile. This is problematic from the point of view of data protection. Furthermore, a kind of digital cluster risk arises: if one loses a password or if the login provider is hacked, all connected services are affected. In addition, the login for e-commerce applications focuses on user-friendliness and not on security. These two requirements contradict each other. Also, a large part of the logins cannot be replaced by a Swiss E-ID because it is not an international solution. Swiss residents will not be able to log in to Amazon or other international services with a Swiss E-ID in the future. For a secure and distributed general login, there is no need for a Swiss federal law – but for international standards.
First, the Federal Office of Police must create a new database. To do this, it will merge the various personal identification data from different registers. This database will then be used for issuing and updating the E-ID by the identity providers. Furthermore, every time the E-ID is used, data accumulates at the provider. Accordingly, the provider knows exactly when and where we identify ourselves with the E-ID. The E-ID Act prohibits the commercial use of “data generated by the use of the E-ID”. However, the usage profiles based on this data may be stored for six months. A data protection-friendly solution would provide for a system architecture in which this data does not accrue at a central office in the first place. In this way, additional personal data is collected at several locations without being withheld from international companies. A new e-ID law will not help to increase data protection. What is needed instead are effective data protection provisions.
The population wants a state E-ID
A representative survey by Demoscope from May 2019 shows that 87% of the population would like to obtain the E-ID from the state. Only 2% would like the planned E-ID to be issued by private companies. When it comes to data protection in particular, the population lacks trust in private companies. 81% of the people surveyed also consider the legally binding electronic signature to be important. The survey also clearly shows that, among the desired applications, administrative procedures and political participation are at the top of the list. Issuing an e-ID is a central element of e-government and also of digital democracy. Accordingly, it is important that this task be performed by the state. The state must not shirk its responsibility. On the contrary, it must ensure the necessary trust.
In the canton of Schaffhausen, a state smartphone-based E-ID is already in successful use. Other cantons want to follow suit. However, certified identification features and a qualified certificate for the signature could also be securely stored on IDs, passports or alien registration cards. In this way, the official ID cards would become smart cards that could also be used as a second factor for authentication. A smartphone could serve as a card reader. The open-source AusweisApp2 offers this for the identity card in Germany. Such a solution would already be possible today with the existing ID card law.
A referendum was successfully launched against the adopted law. Behind the e-ID referendum is a broad coalition of organisations and networks. These include the Digital Society, the campaign organisation Campax, the democracy platform WeCollect and the association PublicBeta. The referendum is expected to take place on 27 September 2020.
The Digital Society is a non-profit and broad-based association for civil and consumer protection in the digital age. The NGO has been working as a civil society organisation for a sustainable, democratic and free public sphere since 2011. It defends fundamental rights in a digitally networked world.