Interpellation Fiala (18.4169): Issuing digital identities is a state task
Submitted text
A new federal law on electronic identities is currently being negotiated in the National Council. The core of the new approach is to transfer responsibility for a functioning e‑ID to private providers. This approach falls short. If electronic identity is to be used for comprehensive e‑government transactions, including fully dematerialized e‑voting, it must have a sovereign character and be issued by the state. A unified login tool for private services (e.g. eBanking, SwissPass, etc.) would never gain the necessary credibility for sovereign transactions. This raises the following questions:
1. What strategies and benchmarks is the Federal Council pursuing to catch up in the area of eGovernment?
2. Does the state really want to hand over one of its elementary tasks – that of identifying its citizens and residents? If not, doesn’t the state have to take responsibility for the electronic identity by performing the role of an Identity Provider (IdP) (issuance and authentication of personal data) and offering suitable electronic platforms, interfaces and applications?
3. How does the Federal Council assess the data protection risks that would arise if private providers were to be IdPs for the official electronic identity?
4. If the Federal Council relies on the current de facto candidate for the official electronic identity (SwissID): How are the governance risks that arise with the complex consortium to be assessed? It should be borne in mind that several large banks are currently members of the consortium and act as IdPs in this capacity, but at the same time they do not themselves accept SwissID as a fully-fledged replacement for their own login tools.
5. The law provides for three different security levels, but leaves open which level is intended for which area of application. What requirements can be expected in the context of e‑government and e‑health transactions between citizens and the state (C2G), companies and the state (B2G), and between state actors (G2G)? What requirements can be expected in the case of fully dematerialized e‑voting?
Statement of the Federal Council from 13.2.2019
On June 1, 2018, the Federal Council approved the dispatch on the Federal Law on Electronic Identification Services (cf. BBl 2018 3915). The business is currently being discussed in parliament.
1. The Confederation, cantons and municipalities have been pursuing a joint eGovernment strategy since 2008. Based on the current eGovernment strategy (2016−2019), they are developing, among other things, the legal framework for a state-recognized electronic identity. However, compared to countries where eGovernment services are already available nationwide, the e‑ID and other important basic services such as the shared use of registers are not yet available in Switzerland. According to international studies, this is one of the main reasons why Switzerland is lagging behind in eGovernment. The development of further basic services should therefore be continued on the basis of the eGovernment Strategy 2020−2023, which is currently in progress.
2. As the Federal Council stated in its dispatch of June 1, 2018, it shall continue to be only the state that officially verifies and confirms the existence of a person and that person's identity characteristics such as name, gender or date of birth.
In view of technological change and the variety of possible technical solutions, the Federal Council does not consider it expedient to opt for a technology today. This would entail the risk that other technologies would prevail in the market and the regulated federal solution would remain unused. The solution now proposed, to recognize and supervise applications that prove themselves under certain conditions and to ensure security in this way, is more promising. It therefore proposes a cooperation between the state and the private sector that offers optimal conditions for the simple and user-friendly use of the e‑ID by the administration, private individuals and companies.
3. The bill takes data protection into account and ensures that data protection risks are kept as low as possible. In various points, the draft e‑ID law goes beyond the requirements of the Data Protection Act.
4. The Federal Council is not relying on a single de facto candidate; rather, with the draft law it is working towards a plurality of IdPs. However, the number of IdPs that will effectively seek recognition and offer e‑IDs is open. The internal organization is basically the responsibility of the IdP. In doing so, however, it must comply with the legal framework, such as the requirement that personal identification data must be kept separate from usage data (Art. 9 Para. 3 Letters a and b of the draft law).
5. According to the Federal Council’s draft, the e‑ID Act and its implementing provisions should not prescribe which security level is required for which areas of application. This must be specified in the respective special decrees or defined by the private operators of e‑ID-using services. The dispatch explains in section 1.2.5 (cf. BBl 2018 3926 et seq.) the purpose and requirements of each security level: for government services such as obtaining register extracts or for opening a bank account online, the security level “substantial” will probably be prescribed.
For access to the electronic patient dossier, for example, the Federal Electronic Patient Dossier Act prescribes strong authentication, which largely corresponds to the “substantial” security level.
It is not possible to say (at least at present) what requirements would have to be met by a fully dematerialized e‑voting system.