With 64.4% voting against, the Swiss electorate rejected the E-ID law more emphatically than expected in the referendum in early March 2021. The federal government has now launched a second attempt. Is there any chance that the new E-ID will be more successful?
Following the voting fiasco in spring 2021, in this article I’ll be looking at a few questions around security architecture and perceptions. But I’ll begin by saying that things seem to be working well in this second attempt.
First, let’s take a look at what happened after the clear defeat at the ballot box. The Swiss Confederation presented the ‘Discussion paper on the E-ID target vision’ just half a year later. This began an informal consultation process on possible approaches in autumn 2021 – an unexpected, yet positive development for the expert community in terms of speed, content and quality. It put three different technical approaches for an E-ID relaunch up for discussion. Alongside the established, classic approaches ‘idP – State Identity Provider’ (technically comparable with the first E-ID start-up) and ‘PKI – Public Key Infrastructure’ (something like SuisseID), a more modern yet less established minimal-data method was also put forward – ‘SSI – Self-Sovereign Identities’. With three proposed ambition levels, the report launched further discussion on the issue of whether to provide the E-ID on its own (ambition level 1) or to create an entire digital verification ecosystem. This in turn led to the question of whether government stakeholders (ambition levels 1 and 2), should be joined by private stakeholders (ambition level 3) in this ecosystem, which could greatly expand the ways it can be used.
After evaluating the public consultation and the comments received, the Federal Council decided on a direction shortly before Christmas 2021: SSI would provide the technical basis for the future E-ID ecosystem and they would implement ambition level 3, which would enable a much wider range of uses and the incorporation of private providers.
At this point, I’d like to elaborate on my positive assessment above using three questions on security architecture and perception. Let’s take a look at the questions, which were often associated with misunderstandings or concern during the referendum battle in early 2021:
The most crucial change with the transition to SSI is that it no longer requires an E-ID provider to manage my data and forward it to services as needed. This function is now covered by a user-managed wallet, usually in the form of a mobile app. This approach is referred to as ‘self-sovereign’, as it involves each person managing their own data transfer and transmitting it to the service directly from their wallet without the need for an intermediary. So what does that mean for our three questions?
By deciding to pursue the SSI approach, the Federal Council has chosen an option that addresses the fears raised and goes to their roots. But we also recognise that it attaches a lot of importance to the key new component of the wallet. One major challenge for everyone involved in the digital verification ecosystem now lies in presenting these correlations clearly to establish trust. This will provide a foundation for a successful second attempt to establish an E-ID for Switzerland.