Who is liable for the Swiss edu-ID?

What happens if the academic passport is misused? What if an attribute is incorrect?

Text: Esther Zysset, published on 03.11.2015

One of the questions arising in connection with the Swiss edu-ID, a kind of academic passport, is that of liability. Who will be held liable for any damage caused by its use, for example as a result of incorrect attributes or misuse? In the latter case, it is the user who is liable in principle. It is assumed that the user has failed to protect his or her access details sufficiently, thus allowing a third party to gain access to the Swiss edu-ID – unless the misuse of the identity can be blamed on a security issue on the part of the service operator (SWITCH), in which case SWITCH will most likely be held liable.

 

From a legal point of view, meanwhile, the case of an incorrect attribute is more interesting. Imagine that information used to verify a person's authorisation proves to have been wrong. The question that arises here is whether the service operator, the user or the source of the attribute (the attribute authority) is liable.

The Level of Assurance

The answer depends on the attribute's level of assurance or LoA, a measure of quality in terms of the extent to which it has been checked and found to be correct. Put simply, the LoA is rather like the star rating given to a hotel or the energy efficiency categories A to G for household appliances. Each category corresponds to a set of predefined quality criteria. At present, however, neither national nor international identity federations in the higher education sector have a shared and binding level of assurance. This would require a universally known set of requirements for the quality of attributes.

In the absence of such a standard, research is needed to ascertain what information an attribute actually conveys. Can third parties assume that this information is correct, or do they have to verify it themselves?

The Code of Obligations

As long as no binding LoA exists, the legal norm in Switzerland will be determined by the usual liability provisions as set out in the Code of Obligations. Increased liability for damage in connection with an authenticated electronic signature (Art. 59a Code of Obligations) does not apply here. In its capacity as service operator, therefore, SWITCH is only likely to be liable to third parties for attributes from verified sources (currently AAI, although no binding LoA exists for that either) and attributes generated by SWITCH itself. The contracts SWITCH enters into with the universities must stipulate that the universities are liable towards SWITCH for the correctness of the attribute values they supply in their capacity as attribute authorities.

Users, meanwhile, will be liable to third parties for the use of the Swiss edu-ID with attributes they have supplied or verified themselves.

About the author
Esther Zysset

Esther Zysset has been General Counsel at SWITCH since 2012. Prior to that, she was a lawyer at a firm specialising in corporate law.

Swiss edu-ID

SWITCH is currently working with Swiss universities to create a lifelong digital identity that will allow the holder to access all university services with one login instead of needing different logins for different services. The Swiss edu-ID is an evolution of SWITCHaai, which has been in operation for ten years and is used by over 400,000 people. The Swiss edu-ID goes a step further in a number of key areas. SWITCHaai was designed for using web-based resources and presupposes membership of an institution. The Swiss edu-ID, on the other hand, is geared towards lifelong use of a wide range of applications.

http://projects.switch.ch/eduid/