E-ID marching through. Supposedly, it has nothing but advantages.

What risks need to be considered?

by Philipp Kruse, attorney-at-Law, LL.M., ABF Schweiz

(25 October 2024) “Switzerland wants and needs an E-ID card”. That was the general consensus in the Federal Palace. On 10 September 2024, the Council of States almost unanimously approved the E-ID law. “The E-ID enables people to prove their identity in the virtual world. It will be comparable to an ID card or passport in the physical world. However, the E-ID will not replace either of these two documents.” [...] It will “meet the highest data protection requirements.” This is what Federal Councillor Beat Jans said on 10 September 2024 in the Council of States.¹ Critical dissenting voices are currently few and far between. Reason enough for “ABF Schweiz” to take a closer look.

I. Status of parliamentary deliberations

The new E-ID Law (“Federal Act on Electronic Proof of Identity and Other Electronic Proofs”)² was discussed in the Council of States on 10 September and was clearly adopted by 43 votes to 1. The National Council had already given the green light for the introduction of the E-ID in the spring session by 175 votes to 12. The only thing left to be resolved are certain differences between the two councils on data protection and cyber security issues. It will be interesting to see how this plays out, as we will show below.

The software and infrastructure for the new E-ID are to be provided by the FDJP by the end of this year. This is with the stipulation that the E-ID “guarantees a high level of privacy protection and can be used internationally” (see Federal Council press release from 14 June).³ Numerous security concerns remain unresolved (see IV. below).

From 2026, the E-ID is to be available free of charge both online and at passport offices. It will be voluntary and will not replace current identity cards and passports.

II. Preliminary version of the E-ID law rejected by a landslide in 2022

A preliminary version of the E-ID law was clearly rejected by the people in the referendum vote of 7 March 2022⁴ with 64.4%.

At the time, a broad alliance of organisations and left-wing parties had mobilised against the law. General mistrust prevailed. The critics were particularly opposed to the fact that, for the first time, an official ID was to be issued by private providers. Instead of state passport offices, companies such as banks and insurance companies would now be able to exploit their market power (abusive hoarding and commercialisation of data). Furthermore, older people feared being coerced into using the E-ID by private companies (as a prerequisite for obtaining services and goods). In addition, there were major security concerns. ABF Switzerland doubts that these have been completely eliminated.

III. New edition of the E-ID law

The new edition of the E-ID law is supposed to eliminate all previous points of criticism:

• The E-ID should not be issued by private individuals, but by a federal agency (FEDPOL, see also Art. 1 I c; 2; 12 E-ID Law);
• Security is sufficiently guaranteed by the fact that software development and infrastructure are operated exclusively by the federal government (see also Art. 2 and 3 E-ID Law).
• Data protection is ensured by the fact that users manage their data themselves and keep it stored on their mobile phones (not the state or third parties; Art. 6; 7 E-ID Law);
• The federal government is not supposed to have any official insight into the digital ID and is also not supposed to learn which data is ultimately used by the owner. The control is exclusively with the user (Art. 2 III, IV; 9 II; 16 II E-ID Law).
• The E-ID should therefore officially meet the highest standards of security and data protection. The new E-ID should only have advantages in other respects too:
• It is more than just a digital ID. It can be used to store or link other passes, certificates, documents, driving licences and tickets of all kinds;
• It serves as a basis for identification when obtaining official documents and services, as well as private goods and services (Art. 23 E-ID Law).
• The information stored on this digital ID should also be able to be released individually by users on a selective basis (Art. 9 I E-ID Law).

IV. Assessment and critique of “ABF Switzerland”

The practical use of an E-ID is indisputable. The list of advantages sounds good. If the federal government can truly guarantee a secure solution for voluntary use, that would be wonderful. However, personal data (including biometric facial images) must be effectively protected from misuse and use by unauthorised third parties. Whether the promised data infrastructure of the federal government (“basic register”; “trust register”) will really be secure, however, is totally in the lap of the gods. The final IT solution will not be available until the end of the year (see press release from 14 June).⁵

“Not trustworthy enough”

In the debate on 10 September, Councillor of States Pirmin Schwander (SZ, SVP) expressed fundamental concerns about the security of the E-ID: “The people rejected the first draft for security reasons and a lack of trust [...] I [...] am amazed that we are not giving enough thought to the question of security in a new bill.

In my opinion, the procedures as they are currently being considered are not trustworthy enough, especially regarding the electronic patient file or the signatures. In my opinion, the online identification procedure as it has been presented to us is not secure enough from a technical point of view. I would just like to have said that to you in general. The procedures are not compatible with eIDAS, and above all, they lead to the mass collection and storage of biometric data. All four of these points lead me to take a very critical look. [...]”

What specific reasons are there to take a critical look?

Lack of user protection from the market power of large corporations

When concluding a contract online using an E-ID, users are allowed to decide which individual data they release (Art. 9 II E-ID Law). However, which data users ultimately and effectively transmit to the contractual party is left to the forces of the market. The draft law contains no provisions for consumer protection against unnecessary or abusively requested information (“over-identification”). Companies with great market power (banks, insurance companies, software corporations, etc.) can easily coerce weaker customers into disclosing private data (including facial recognition) and then exploit it commercially.

Security concerns of expert groups

In a worthwhile article dated 10 September,⁶ the Pirate Party, which has been politically active in this area for years, points out to a series of concrete scenarios which can lead to systematic interference with digital integrity:

• Even with the collection of biometric data, there have been security breaches in the past. It is therefore only a matter of time before unauthorised third parties access biometric data in the future.
• Big Companies and business sectors will use the political process to obtain legal exemptions (under the guise of a “legitimate interest”) to gain access to the E-ID data of their customers. Concrete proposals for the use of biometric data are already on the table:

– Airports and airlines want to use facial recognition to speed up processing;

– The Conference of Cantonal Justice and Police Directors want to use it to monitor sports fans;

– Furthermore, the intelligence service and various cantonal police forces are already using facial recognition software without a legal basis;

– fedpol wants facial recognition.

• Tenders for the online verification procedure for the E-ID are being invited without any possibility of scrutiny by experts, parliamentarians, journalists or other interested parties. Even the tender documents are top secret (see parl. enquiry Reimann 24.1001).⁷

In particular EU law

The Federal Council wants to implement an E-ID that is compatible with EU law.^8,9 This means that pro futuro it must ensure that EU law does not allow the digital integrity of citizens to be compromised.

Even based on current EU international law, Switzerland’s biometric data is already automatically compared with that of the EU in police cooperation. This was negotiated in the so-called Prüm II Regulation (Regulation “on the automated exchange of data for police cooperation”).

Major risks on the horizon: global control network

The E-ID Act creates a basic technology which, in combination with ongoing international developments, could pose a significant threat to fundamental rights. Even if such links do not yet exist in Switzerland as specific projects, they are unmistakable internationally (ID 2020; EU digital strategy; UN “Pact for the Future” and “17 Sustainable Development Goals”; World Bank “ID4D”, etc.; see links in sources 11. [–16.] below).

There is a very real danger that the E-ID will become the central key element for linking a variety of digital systems, for example with a digital vaccination certificate, a digital organ donor card and possibly even with digital central bank money (CBDC). In this way, an all-encompassing control network could quickly emerge that would deeply interfere with the lives of every individual and, in times of crisis, could be misused to withdraw the most essential fundamental freedoms. Hints in this direction can be found in strategy papers of WEF, UN and the ID2020. More on this in a future article.

Questions from ABF Schweiz

The key questions regarding the protection of digital integrity remain unanswered. How are the Federal Council and the parliament ensuring:

1. that the data of this E-ID is not involuntarily stolen from users?

2. that users are protected from disclosing non-mandatory data?

3. that users with traditional (physical) identification methods are not discriminated against?

4. that the electronic traces of the E-ID use cannot actually be “tapped” and evaluated by third parties?

5. How are we preventing the global expansion of a global control network based on the E-ID according to the concepts of the UN, World Bank, ID2020, GAVI, etc.?

Our demands

Thus, ABF Schweiz demands from the National Council and the Council of States:

• Secured protection of digital integrity against arbitrariness and misuse.
• Self-determined individual control over one’s own data.
• Protection from discrimination and from exclusion of persons without an E-ID when purchasing goods and services and participating in social life.

Source: © ABF Schweiz Aktionsbündnis freie Schweiz, Lättichstrasse 8a, 6340 Baar, kontakt@abfschweiz.ch, www.abfschweiz.ch, 12 September 2024

(Translation ‘Swiss-Standpoint’)

1 https://www.parlament.ch/de/ratsbetrieb/amtliches-bulletin/amtliches-bulletin-die-verhandlungen?SubjectId=65325

2 https://www.fedlex.admin.ch/eli/fga/2023/2843/de

3 https://www.bj.admin.ch/bj/de/home/aktuell/mm.msg-id-101414.html

4 https://www.bj.admin.ch/bj/de/home/aktuell/mm.msg-id-101414.html

5 https://www.bj.admin.ch/bj/de/home/aktuell/mm.msg-id-101414.html

6 https://www.piratenpartei.ch/2024/09/10/18764895/

7 https://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20241001

8 Discussion paper EJPD «Zielbild E-ID» from 27 August 2021: https://www.bj.admin.ch/dam/bj/de/data/staat/gesetzgebung/staatliche-e-id/diskussionspapier-zielbild-e-id.pdf.download.pdf/diskussionspapier-zielbild-e-id-d.pdf

9 EU regulation 910/2014: https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32014R0910