From a legal point of view, meanwhile, the case of an incorrect attribute is more interesting. Imagine that information used to verify a person's authorisation proves to have been wrong. The question that arises here is whether the service operator, the user or the source of the attribute (the attribute authority) is liable.
The Level of Assurance
The answer depends on the attribute's level of assurance or LoA, a measure of quality in terms of the extent to which it has been checked and found to be correct. Put simply, the LoA is rather like the star rating given to a hotel or the energy efficiency categories A to G for household appliances. Each category corresponds to a set of predefined quality criteria. At present, however, neither national nor international identity federations in the higher education sector have a shared and binding level of assurance. This would require a universally known set of requirements for the quality of attributes.
In the absence of such a standard, research is needed to ascertain what information an attribute actually conveys. Can third parties assume that this information is correct, or do they have to verify it themselves?
The Code of Obligations
As long as no binding LoA exists, the legal norm in Switzerland will be determined by the usual liability provisions as set out in the Code of Obligations. Increased liability for damage in connection with an authenticated electronic signature (Art. 59a Code of Obligations) does not apply here. In its capacity as service operator, therefore, SWITCH is only likely to be liable to third parties for attributes from verified sources (currently AAI, although no binding LoA exists for that either) and attributes generated by SWITCH itself. The contracts SWITCH enters into with the universities must stipulate that the universities are liable towards SWITCH for the correctness of the attribute values they supply in their capacity as attribute authorities.
Users, meanwhile, will be liable to third parties for the use of the Swiss edu-ID with attributes they have supplied or verified themselves.
Further articles on legal issues concerning the Swiss edu-ID:
