- Story
e-ID between data protection and transparency
08.09.2024 Second attempt for the e-ID: although rejected by the population in 2021, electronic identification will nevertheless become possible in Switzerland from 2026. BFH expert Annett Laube addresses open questions.
Key points in brief
- The e-ID is coming. Probably in 2026.
- The implementation can prioritise either ease of data exchange with other systems, or strong data protection.
- The BFH is advising politicians and putting the e-ID through rigorous testing.
Professor Annett Laube is a computer science lecturer at BFH and has been actively involved in the development of the e-ID with her research group. As a dedicated member of the federal Technical Advisory Circle, she has played a part in drafting the e-ID Act in various hearings and participation meetings at the parliament building. We ask her about the current status of the dossier.
Professor Laube, what exactly is an e-ID?
The e-ID is the electronic equivalent of the plastic identity card that you carry in your wallet. The idea is that it will replace the plastic card, at least to some extent.
And why does Switzerland need that?
One advantage is that at some point, the State will no longer need to issue plastic cards. People will only need their device and can leave everything else at home. That’s definitely an advantage. And of course, the e-ID lets you prove your identity not only in the real world, but in the digital world too. That’s something the plastic card can’t do.
In clear terms: the e-ID explained
Not a login
An e-ID is a proof of identity and not a login tool. In other words, it is used for onboarding, e.g. to create the account. Then the login takes place with normal two-factor authentication.
No passport
The e-ID is not suitable for travelling or passenger transport. Passports are not going to become redundant. You will continue to use your passport or ID card at the border. But if you want to open a bank account abroad, you could use the e-ID.
No cloud
Ideally, you need a smartphone with a Secure Element. The e-ID is stored on the phone. If it is deleted, the wallet app is uninstalled or you lose your phone, you have to reapply for the e-ID. There is no cloud from which everything can be restored at the touch of a button.
Where do we stand in Switzerland with the e-ID?
Switzerland is lagging behind somewhat. A few attempts have been made, but they were perhaps a little premature (SuisseID). And the first e-ID initiative, which came more from the business sector, was defeated by popular vote in 2021.
Setting up the e-ID is going to cost 100 million Swiss francs. Is it worth it?
One thing’s for sure: the e-ID has not become established anywhere yet. An exception is countries like Estonia, where citizens are required to use the e-ID. I still don’t see the ‘killer use case’ for the e-ID.
But there are already a number of digital identities in Switzerland, e.g. Edu-ID, SwissPass, Swiss-ID, logins of the cantonal tax authorities, etc. All of these could one day be replaced by the e-ID. However, I expect that we will only see this consolidating effect of the e-ID in about 20 years from now.
How should a functioning e-ID be configured?
There are basically two technological approaches to configuring an e-ID. One emphasises transparency more strongly, the other privacy.
The approach currently being pursued by the EU, for example, favours transparency and assigns a unique number that is included with every instance of identification. This can be used for profiling and increases the potential for abuse, because the individual e-ID applications can theoretically be linked.
And the other approach?
The second approach uses technologies that make it more difficult to link the individual instances for the purpose of abuse. The e-ID Act in Switzerland is now requiring that the Swiss system both protects privacy and is compatible with e-ID systems outside the country’s borders. This poses a challenge for the implementers, because a system cannot both be EU-interoperable and protect citizens’ privacy. The law imposes two requirements that cannot be met simultaneously.
Aspects of the e-ID currently under scrutiny at BFH
Verifiable Credentials
We’re examining approaches that enable people’s credentials to be verified without leaving a clear data trail.
Holder Binding
We’re examining ways of proving that the owner of a phone is authorised to use the e-ID on their device – if possible, without disclosing clearly identifiable data.
Revocation
We’re looking into what happens if an e-ID is lost. Currently, lost e-IDs are placed on a blacklist of what are called ‘revoked’ identities. We are researching ways to make this possible without creating data protection risks.
How do you deal with this contradiction?
You have to favour one of the two aspects. At the participation meeting on 4 July 2024, it was decided that the development of electronic identity in Switzerland should lean towards interoperability – and thus towards the European model.
What contribution is the BFH making to the e-ID?
The e-ID is still at the concept and prototype stage in the EU too. No matter which technology ultimately prevails: there are still a lot of intriguing questions to be answered.
At BFH, we take a closer look at the often still fairly abstract concepts mentioned in legislation and see how they can be implemented using the latest technologies. We ask: is this even technically possible? Can a smartphone do that? Can people understand it? With our applied research, we perform field testing.