What happens if the academic passport is misused? What if an attribute is incorrect?
One of the questions arising in connection with the Swiss edu-ID, a kind of academic passport, is that of liability. Who will be held liable for any damage caused by its use, for example as a result of incorrect attributes or misuse? In the latter case, it is the user who is liable in principle. It is assumed that the user has failed to protect his or her access details sufficiently, thus allowing a third party to gain access to the Swiss edu-ID – unless the misuse of the identity can be blamed on a security issue on the part of the service operator (SWITCH), in which case SWITCH will most likely be held liable.
From a legal point of view, meanwhile, the case of an incorrect attribute is more interesting. Imagine that information used to verify a person's authorisation proves to have been wrong. The question that arises here is whether the service operator, the user or the source of the attribute (the attribute authority) is liable.
The answer depends on the attribute's level of assurance (LoA), a measure of quality that indicates the extent to which the attribute has been checked and found to be correct. Put simply, the LoA is rather like the star rating given to a hotel or the energy efficiency categories A to G for household appliances. Each category corresponds to a set of predefined quality criteria. At present, however, neither national nor international identity federations in the higher education sector have a shared and binding level of assurance. This would require a universally known set of requirements for the quality of attributes.
In the absence of such a standard, research is needed to ascertain what information an attribute actually conveys. Can third parties assume that this information is correct, or do they have to verify it themselves?
As long as no binding LoA exists, the legal norm in Switzerland will be determined by the usual liability provisions as set out in the Code of Obligations. Increased liability for damage in connection with an authenticated electronic signature (Art. 59a Code of Obligations) does not apply here. In its capacity as service operator, therefore, SWITCH is only likely to be liable to third parties for attributes from verified sources (currently AAI, although no binding LoA exists for that either) and attributes generated by SWITCH itself. The contracts SWITCH enters into with the universities must stipulate that the universities are liable towards SWITCH for the correctness of the attribute values they supply in their capacity as attribute authorities.
Users, meanwhile, will be liable to third parties for the use of the Swiss edu-ID with attributes they have supplied or verified themselves.