“With the E-ID law, Switzerland is taking a pioneering role”
For Nicolas Bürer, Managing Director of digitalswitzerland, the Swiss e-ID is indispensable. In an interview with Prof. Dr. Reinhard Riedl, he explains why voters should approve the e-ID law Societybyte: What are the benefits of a state-recognised e-ID? How important is the E-ID for Switzerland? Nicolas Bürer: In Switzerland, there is currently no framework for a verified and state-recognised electronic identity. Consequently, no one can securely identify themselves on the internet or verify the identity of another person. The lack of secure and simple identification is at odds with current needs. The e-ID law thus creates a long-awaited legal and structural framework for action. With a Swiss e-ID, Swiss citizens can benefit from the advantages and opportunities of the digital world in a simple and secure way. The e-ID law creates clear rules for more transparency and data protection and guarantees independent controls. As far as US technology corporations like Apple, Facebook, Amazon and Google are concerned: we should not make ourselves dependent on third parties and preserve our digital sovereignty. The E-ID Act stipulates that the federal government should only issue E-IDs if there is no functioning private-sector solution. In your view, is it sufficient for the state to limit itself to technical-organisational specifications and control? With the current state of technological development, it is also important to concentrate on one’s own strengths. The state still retains sovereignty and is the sole issuer of the e-ID, and verifies all identity service providers, so-called identity providers (IdP), via the Federal Office of Police (fedpol) and the Federal E-ID Commission (EIDCOM). However, the state does not interfere in the technological solution. This is the task of the private sector and the administrative units of municipalities or cantons, which will act as E-ID providers. What does it take in addition to an E-ID law for the E-ID to be a success in Switzerland – or is the law enough? No, a law alone is not enough. But it is an important start that provides the legal framework. In a second step, good providers are needed who provide efficient and user-friendly solutions. This also includes a transparent and strong communication campaign. We have seen this with the SwissCovid app. With 2.5 million users: inside, a first milestone was set, but the hoped-for user rate of 70% was unfortunately not reached. Again and again, doubts were raised about data security. It also needs a well-functioning ecosystem with reliable partners, such as online service providers at the cantonal or private sector level that have integrated an e-ID system. Are the liability issues sufficiently regulated in the e-ID Act? In connection with liability issues, much is already regulated in the Code of Obligations OR. This is therefore not formulated separately or differently in the e-ID Act. Liability is anchored in Article 32 of the e-ID Act: it is governed by the Code of Obligations (para. 1) for the holder of an e-ID, the operator of e-ID-using services and the IdP; the liability of the Confederation is governed by the Liability Act. See also section 2.11 of the dispatch (BBL 2018 3967). Who is liable and how exactly must be clarified in each individual case. If, for example, after an attack, it should turn out that the IdP does not guarantee the secure operation of his EID system, he is liable. For this purpose, he must take out insurance (cf. Art. 13 para. 2 let. f. BGEID) in order to be able to pay for the damage incurred. In addition, depending on the severity, the guilty IDP also risks recognition. If the holder of an EID has made it accessible to third parties or has not taken the necessary and reasonable measures according to the circumstances to ensure that their EID cannot be misused, they would be liable according to the rules of the CO. Finally, it should also be pointed out that in Switzerland various criminal offences could come into question in this context or in the case of identity theft, such as fraud (Art. 146 SCC), in the case of phishing forgery of documents (Art. 251 SCC) or unauthorised data procurement (Art. 143 SCC), as well as hacking (Art. 143bis SCC), data damage (Art. 144bis SCC), fraudulent damage to property (Art. 151 SCC), threats (Art. 180 SCC), coercion (Art. 181 SCC) or defamation (Art. 173 ff. SCC). Criticism is heard from the engineering community that the law focuses too much on trust and control and too little on the technical prevention of data misuse. Is it contemporary to rely solely on regulations for such sensitive issues? The law provides the framework and specific regulations are added in the ordinances. Technological restrictions should not be integrated into the ordinance under any circumstances, otherwise it will have to be constantly adapted. The e-ID providers have a vested interest in always being up to date in terms of cyber security. The users’ transaction data is automatically deleted after 6 months and the e-ID providers have no access to the content of the online service providers. Should Switzerland seek recognition of its e-ID abroad, for example in the EU? The e-ID law is formulated in such a way that it is interoperable with the European system. It is not only sensible but also desirable for Switzerland to join the regulations that are binding throughout Europe, the eIDAS Regulation of the EU. In a few years’ time, it is quite conceivable that the Swiss e-ID could be used for administrative procedures or for e-commerce in Germany. Apart from Scandinavia, the EU is only just evaluating its models. It is watching very closely what Switzerland is doing and how it is going about it. Should the planned EIDCOM align its specifications in principle and already now in such a way that Switzerland would be E-ID eIDAS-compatible? This is exactly the case. In Switzerland, two state bodies will be responsible for the verification of the e-ID: fedpol and the newly created EIDCOM, which will supervise the e-ID providers. The law stipulates that EIDCOM should ensure that the Swiss e-ID is eIDAS-compatible. What is the vote about? What will happen if the law is adopted and what if the law is rejected? With the adoption of the e-ID law, the ordinance will be finalised and the new law will enter into force in the next few months. EIDCOM will be constituted, fedpol will align its processes and the market will organise itself. New e-ID providers will possibly appear and existing providers such as SwissSign and the canton of Schaffhausen will apply to become official IdPs. A “No” would set us back 2-3 years before action would resume. Only in 3-4 years would a new draft law be expected, whereby it is then not certain whether it will even be capable of gaining a majority in parliament. In the meantime, some players like Apple, Google or Amazon will establish themselves on the market. However, this will happen without increased security and without a corresponding legal framework. What, in a nutshell, is digitalswitzerland’s voting recommendation? We recommend a clear YES! Switzerland needs an e-ID law and such an innovative public-private partnership. It is timely, it is forward-looking. It would put Switzerland in a pioneering role in Europe. What is your long-term prognosis: Which E-IDs will exist in Switzerland in 2035 and what role will they play? In 2035, 90% of the Swiss population will have an e-ID. The e-ID will have many possible applications: With authorities, but also in online commerce, for insurance, banking transactions, loans or leasing. In 2035, the European systems will be interoperable, so that we Swiss will benefit from numerous possibilities of use abroad. In 2035, the e-ID will not yet serve as a travel document. The e-ID will remain something for the online world. It is the key to digitalisation. It will not replace the existing identification as we know it in the form of the passport, but will be a supplement within the online world.
About the person
Nicolas Bürer has been managing director of the Digitalswitzerland location initiative since 2016. He studied physics at EPFL and previously held various positions at Deindeal.ch, Movu.ch, and the former interactive TV station Joiz Schweiz.