A secure path to the new E-ID

With 64.4% voting against, the Swiss electorate rejected the E-ID law more emphatically than expected in the referendum in early March 2021. The federal government has now launched a second attempt. Is there any chance that the new E-ID will be more successful?

Text: Christoph Graf, published on 10 May 2022

Following the voting fiasco in spring 2021, this article looks at a few questions around security architecture and public perception. But let me begin by saying that the second attempt seems to be going well.

First, let’s take a look at what happened after the clear defeat at the ballot box. Just half a year later, the Swiss Confederation presented the ‘Discussion paper on the E-ID target vision’, which opened an informal consultation on possible approaches in autumn 2021 – an unexpected yet positive development for the expert community in terms of speed, content and quality. It put three technical approaches for an E-ID relaunch up for discussion. Alongside the established, classic approaches ‘IdP – State Identity Provider’ (technically comparable with the first, failed E-ID attempt) and ‘PKI – Public Key Infrastructure’ (something like SuisseID), it also proposed a more modern but less established, data-minimising approach: ‘SSI – Self-Sovereign Identity’. With three proposed ambition levels, the paper also opened the discussion on whether to provide the E-ID on its own (ambition level 1) or to create an entire digital verification ecosystem. This in turn raised the question of whether that ecosystem should involve government stakeholders only (ambition levels 1 and 2) or private stakeholders as well (ambition level 3), which could greatly expand the ways it can be used.

After evaluating the public consultation and the comments received, the Federal Council set the direction shortly before Christmas 2021: SSI would provide the technical basis for the future E-ID ecosystem, and ambition level 3 would be implemented, enabling a much wider range of uses and the participation of private providers.

At this point, I’d like to elaborate on my positive assessment above using three questions on security architecture and perception. These questions were often associated with misunderstandings or concern during the referendum campaign in early 2021:

  • Third parties: Why should I entrust my data to an E-ID provider (IdP) from the private sector as an intermediary when I use the state-issued E-ID?
  • Usage profiles: These E-ID providers pass my data on to the services I visit and, as a result, they also build up usage profiles: which services I use, and when. Is there a possibility of this data suddenly awakening interest in the E-ID provider or even in the state, and being used for purposes I have not consented to?
  • Honeypots: Without accusing anyone of negligence, there is a risk that centrally stored user data can be stolen. This includes both the identity data in the E-ID and the usage profiles outlined above. The more usage data these ‘honeypots’ contain, the more attractive they are as a target, and all too often stolen data of this kind re-emerges as a commodity on the darknet. Does the E-ID make such centralised honeypots inevitable?

The most crucial change with the transition to SSI is that it no longer requires an E-ID provider to hold my data and forward it to services on demand. This function is now covered by a user-managed wallet, usually in the form of a mobile app. The approach is called ‘self-sovereign’ because each person controls the transfer of their own data and transmits it directly from their wallet to the service, without an intermediary. So what does that mean for our three questions?

  • Third parties: The SSI approach means we don’t need to trust an E-ID provider, because this role no longer exists. What is new, however, is that correct operation requires users to have a wallet they can trust. At this point, we assume that this will be a wallet provided by the state, but also that other wallets may be accepted.
  • Usage profiles: Users forward data directly from their self-managed wallet to the querying services, so only the wallet could collect usage data – not an intermediary. Users therefore have to trust the wallet app not to use this usage data for other purposes and, in particular, not to share it.
  • Honeypots: Eliminating the E-ID provider gets rid of the centralised data records that hold personal and usage data for a large number of users. Individual wallets are less attractive as targets, as each contains only one user’s data. However, the wallet app must be considered as a new component: if the wallet software were manipulated, for instance through a compromised app update, usage data from a large number of users could be compromised at once.
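To make the difference between the two architectures concrete, here is an added example in Go that is not part of this article and not code from the Confederation’s E-ID project. It plays the same three logins through a simplified IdP model and a simplified SSI model and shows where usage data ends up in each. The subject, attributes, services and the fixed signing seed are all constructed for the demonstration, and the Ed25519-signed JSON credential stands in for whatever credential format the real ecosystem adopts, which the article does not specify.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, deliberately minimal set of E-ID attributes.
type Credential struct {
	Subject   string `json:"subject"`
	BirthYear int    `json:"birth_year"`
}

// SignedCredential is the JSON-encoded attributes plus the issuer's Ed25519
// signature over them; the issuer hands it to the holder's wallet once.
type SignedCredential struct{ Payload, Signature []byte }

// IdP models the rejected 2021 design for contrast: the provider stores the attributes
// and forwards them at every login, so it necessarily records who used which service.
type IdP struct {
	users   map[string]Credential
	Profile map[string][]string // subject -> services visited: the central usage profile
}

func (p *IdP) Login(subject, service string) (Credential, bool) {
	p.Profile[subject] = append(p.Profile[subject], service)
	c, ok := p.users[subject]
	return c, ok
}

// Issuer models the state in the SSI design: it signs the attributes once and
// afterwards takes no part in any login.
type Issuer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewIssuer uses a fixed, constructed seed so the example is reproducible; a real
// issuer generates its key with crypto/rand and keeps it in an HSM.
func NewIssuer() *Issuer {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-not-secret"))
	return &Issuer{priv: priv, Pub: priv.Public().(ed25519.PublicKey)}
}

func (i *Issuer) Issue(c Credential) SignedCredential {
	payload, _ := json.Marshal(c) // a flat struct of string and int cannot fail to encode
	return SignedCredential{payload, ed25519.Sign(i.priv, payload)}
}

// Wallet is holder-controlled: it stores the credential and hands it directly to
// the service. The only usage log in the SSI flow is this local one.
type Wallet struct {
	cred     SignedCredential
	UsageLog []string
}

func (w *Wallet) Present(service string) SignedCredential {
	w.UsageLog = append(w.UsageLog, service)
	return w.cred
}

// Verify is run by the relying service. It needs only the issuer's public key
// (fetched once, e.g. from a trust registry) and never contacts the issuer.
func Verify(issuerPub ed25519.PublicKey, sc SignedCredential) (Credential, bool) {
	var c Credential
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) || json.Unmarshal(sc.Payload, &c) != nil {
		return Credential{}, false
	}
	return c, true
}

// RunScenario plays the same logins through both models and reports where the usage
// data ended up, how many SSI presentations were accepted, and whether a wallet that
// alters the signed attributes is caught.
func RunScenario() (idpProfile, walletLog, accepted int, forgeryDetected bool) {
	services := []string{"tax-portal", "bank", "pharmacy"} // constructed sample
	alice := Credential{Subject: "alice", BirthYear: 1990}
	idp := &IdP{users: map[string]Credential{"alice": alice}, Profile: map[string][]string{}}
	for _, s := range services {
		idp.Login("alice", s) // every login passes through, and is logged by, the IdP
	}
	issuer := NewIssuer()
	w := &Wallet{cred: issuer.Issue(alice)} // issued once; the issuer is idle from here on
	for _, s := range services {
		if _, ok := Verify(issuer.Pub, w.Present(s)); ok {
			accepted++
		}
	}
	// A manipulated wallet could leak its usage log, but it cannot alter the
	// signed attributes unnoticed: the issuer's signature no longer matches.
	forged := SignedCredential{[]byte(`{"subject":"alice","birth_year":2010}`), w.cred.Signature}
	_, forgeryAccepted := Verify(issuer.Pub, forged)
	return len(idp.Profile["alice"]), len(w.UsageLog), accepted, !forgeryAccepted
}

func main() {
	p, l, a, d := RunScenario()
	fmt.Printf("IdP profile: %d entries; wallet log: %d entries; accepted: %d; forgery detected: %v\n", p, l, a, d)
}
```

Two things are worth noting about the design. In the IdP model the profile grows by construction, because the provider has to be in the path of every login; in the SSI model the verifier is handed nothing but the issuer’s public key, so the wallet’s local log is the only place a usage history exists, which is exactly why the trustworthiness of the wallet software carries so much weight. And the privacy property holds only as long as verification stays offline: if a deployment has services check credential status by calling back to the issuer at every presentation, that call-back reintroduces a central observer of usage.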

By deciding to pursue the SSI approach, the Federal Council has chosen an option that addresses the fears raised and goes to their roots. But we also recognise that it places a lot of weight on the wallet as the key new component. One major challenge for everyone involved in the digital verification ecosystem now lies in explaining these dependencies clearly in order to establish trust. This will provide a foundation for a successful second attempt to establish an E-ID for Switzerland.

Digital Identity
Christoph Graf

Program Manager

Switch

View all posts