Interpellation Fiala (18.4169): Issuing digital identities is a state task


Submitted text

A new federal law on electronic identities is currently being negotiated in the National Council. The core of the new approach is to transfer responsibility for a functioning e-ID to private providers. This approach falls short. If electronic identity is to be used for comprehensive e-government transactions, including fully dematerialized e-voting, it must have a sovereign character and be issued by the state. A unified login tool for private services (e.g. eBanking, SwissPass, etc.) would never gain the necessary credibility for sovereign transactions. This raises the following questions:

1. What strategies and benchmarks is the Federal Council pursuing to catch up in the area of eGovernment?

2. Does the state really want to hand over one of its elementary tasks – that of identifying its citizens and residents? If not, doesn’t the state have to take responsibility for the electronic identity by performing the role of an Identity Provider (IdP) (output & authentication of personal data) and offering suitable electronic platforms, interfaces and applications?

3. How does the Federal Council assess the data protection risks that would arise if private providers were to be IdPs for the official electronic identity?

4. If the Federal Council relies on the current de facto candidate for the official electronic identity (SwissID): What are the governance risks to be evaluated that arise with the complex consortium? It should be borne in mind that several large banks are currently members of the consortium and act as IdPs in this capacity, but at the same time they do not themselves accept SwissID as a fully-fledged replacement for their own login tools.

5. The law provides for three different security levels, but leaves open which level is intended for which area of application. What requirements can be expected in the context of e-government and e-health transactions between citizens and the state (C2G), companies and the state (B2G), and between state actors (G2G)? What requirements can be expected in the case of fully dematerialized e-voting?

Statement of the Federal Council from 13.2.2019

On June 1, 2018, the Federal Council approved the Message on the Federal Law on Electronic Identification Services (cf. BBl 2018 3915). The business is currently being discussed in parliament.

1. The Confederation, cantons and municipalities have been pursuing a joint eGovernment strategy since 2008. Based on the current eGovernment strategy (2016–2019), they are developing, among other things, the legal framework for a state-recognized electronic identity. However, compared to countries where eGovernment services are already available nationwide, the e-ID and other important basic services such as the shared use of registers are not yet available in Switzerland. According to international studies, this is one of the main reasons why Switzerland is lagging behind in eGovernment. The development of further basic services should therefore be continued on the basis of the eGovernment Strategy 2020–2023, which is currently in progress.

2. As the Federal Council stated in its dispatch of June 1, 2018, it shall continue to be for the state alone to officially verify and confirm the existence of a person and his identity characteristics such as name, gender or date of birth.

In view of technological change and the variety of possible technical solutions, the Federal Council does not consider it expedient to opt for a technology today. This would entail the risk that other technologies would prevail in the market and the regulated federal solution would remain unused. The solution now proposed, to recognize and supervise applications that prove themselves under certain conditions and to ensure security in this way, is more promising. It therefore proposes a cooperation between the state and the private sector that offers optimal conditions for the simple and user-friendly use of the e-ID by the administration, private individuals and companies.

3. The bill takes data protection into account and ensures that data protection risks are kept as low as possible. The draft e-ID law goes beyond the requirements of the Data Protection Act in various points.

4. The Federal Council is not relying on a single de facto candidate, but rather is working with the draft law towards a plurality of IdPs. However, the number of IdPs that will effectively seek recognition and offer e-IDs is open. The internal organization is basically the responsibility of the IdP. In doing so, however, it must comply with the legal framework, such as the requirement that personal identification data must be kept separate from usage data (Art. 9 Para. 3 Letters a and b of the draft law).

5. According to the Federal Council’s draft, the e-ID Act and its implementing provisions should not prescribe which security level is required for which areas of application. This must be specified in the respective special decrees or defined by the private operators of e-ID-using services. The dispatch explains in section 1.2.5 (cf. BBl 2018 3926 et seq.) the purpose and requirements of each security level: for government services such as obtaining register extracts or for opening a bank account online, the security level “substantial” will probably be prescribed.

For access to the electronic patient dossier, for example, the Federal Electronic Patient Dossier Act prescribes strong authentication, which largely corresponds to the “substantial” security level.

It is not possible to say (at least at present) what requirements would have to be met by a fully dematerialized e-voting system.
