“How can the state ensure cyber security?”
In an interview with Societybyte editor Dr Reinhard Riedl, SP National Councillor Min Li Marti explains why the state’s lack of digital competence can lead to a loss of control and why she thinks the Schaffhausen E-ID is good.

Societybyte: Does Switzerland need a state-recognised E-ID?

Min Li Marti: Yes. I see the benefit above all in administrative procedures. Here, services for the population can be simplified digitally and bring added value. But I also think there is a benefit in other areas, such as e-banking. However, it would bring real added value if it were really intended as a digital identity card, as is the case in Estonia, for example.

Societybyte: Does it make sense to issue this E-ID in three quality levels?

Min Li Marti: Yes, in principle it does. But it remains to be seen which security levels will actually be in demand.

Societybyte: A central point of discussion is the question of who should issue the E-IDs. In your view, what characteristics should companies or institutions that issue a state-recognised E-ID fulfil?

Min Li Marti: The issuing of an ID, the administration of identity, is clearly a sovereign task. It is in the public interest and should not be taken over by profit-oriented actors. There is a reason why public service and interest goods were nationalised in the 19th and 20th centuries. Because public interest goods should also be used and distributed for the common good. The comparison with the physical ID is quite valuable here. Who can imagine ordering an ID at the bank counter or the Migros checkout? Why should it be any different with an e-ID? This does not necessarily mean that an administrative unit has to take over the programming and development itself. It’s about responsibility.

Societybyte: If we disregard the question of the state or the private sector: Are the legal, organisational and technical requirements in the law sufficient to ensure the intended use of E-IDs and to prevent misuse?
Min Li Marti: There are two major problems within the law: Firstly, the burden of proof in the event of misuse lies with the holders of the E-ID, which places a great deal of responsibility on them. If there is identity theft, the holders are doubly screwed in the end: Firstly, their identity is misused and secondly, they are still liable for it. The second problem is the question of usage data. The E-ID is not designed according to the principle of “privacy-by-design”. It is not decentralised or data-saving. Usage data is collected, stored centrally and kept for six months. Now the law stipulates that the data must be kept separately and may not be passed on. So why store it for six months?

Societybyte: Does the present law sufficiently prevent the misuse of user data?

Min Li Marti: This is not sufficiently regulated in the law, but it is probably also beyond the legislative scope.

Societybyte: Will the introduction of the E-ID be successful without accompanying measures, as Denmark and other countries have provided?

Min Li Marti: That depends, of course, on how it is used. As it stands, the SwissSign consortium is an IDP on the market that includes all the major players such as banks, insurance companies and state-affiliated businesses. They cover quite a lot of ground, and if the digital official procedures are added to that and there is practically no alternative to the SwissID, then it will become established. So if you can only fill out your tax return online with an E-ID or if postal services are only accessible online with an E-ID, then there will be hardly any alternatives to the E-ID, at least if you want to use online services. You can still go to the counter, but that is being dismantled everywhere.

Societybyte: Apart from the problems you have described, what negative consequences would the adoption of the E-ID law have?

Min Li Marti: For me, the central question is the role of the state and the public sector in digitalisation, in the digital public service and in digital democracy.
If the state’s response to every new digital challenge is that it is overwhelmed and incompetent, then this leads even more to the total privatisation and commercialisation of all public services in the digital space. This can have potentially dangerous consequences, for example in the area of health data. This is a self-abandonment of the state and potentially dangerous. We are already in many ways at the mercy of the power of the platform and tech giants. This needs smart regulation and non-profit alternatives. None of this can be done if the state has no competence. Secondly: How can we believe that the state is capable of ensuring cybersecurity when it has no competence in digital issues?

Societybyte: In the case of a rejection of the E-ID law, what should happen next?

Min Li Marti: The Federal Council or parliament can very quickly set up a public solution, for example based on the model of the Schaffhausen E-ID, which is a public E-ID and is designed to be decentralised and data-saving.

Societybyte: Looking to the future: Should Switzerland strive in the long term – regardless of whether the E-ID law is adopted or rejected – to become part of the single European identity space governed by the eIDAS regulation?

Min Li Marti: That would be highly desirable. The E-ID is far more than a login. No law is needed for that. The private sector could simply do that if it would bring so many efficiency gains. The E-ID will be interesting if it actually moves more and more in the direction of a digital passport with which one can also travel. The digital signature would also be important, both for the economy and for direct democracy.

Societybyte: Our traditional final question: Which E-IDs will exist in Switzerland in the long term and what role will they play?

Min Li Marti: That depends on the outcome of the vote. If it is rejected, there is a chance for a good government solution. If not, SwissSign will probably prevail. With all the disadvantages that a private monopoly entails.
About the person
Min Li Marti is a member of the National Council for the SP. She is a member of the preliminary advisory committee of the legal commission. Since the end of 2014, she has been the publisher of the left-wing weekly newspaper P.S.