Update: On 22.2. the federal government published the draft of a “Federal Law on Recognized Electronic Identification Units (E-ID Law)”, which repeats the same old mistakes: private industry is supposed to fix it. One can only shake one’s head!
Grandiose announcements by UBS, Swiss Post and Swisscom over the past few days have raised eyebrows. Once again, the digital signature is being invented and everything will become easier! An unknown startup from Latvia is apparently working on the technology that will bring us the future. Unfortunately, this future has long since become a thing of the past. The subject of digital signatures has been technically settled for 20 years. We (r3 security engineering / Entrust / Verisign) pioneered this field in the 1990s, conducting extensive research, organizing conferences and implementing solutions. Since 1995 there have been hundreds of companies in this field; some were able to sell successfully and made enough money to fund rocket launch projects and electric cars (Elon Musk).
None of the hundreds of initiatives launched on the subject of digital identity has really been successful, and especially none in Switzerland: all PKI providers in Switzerland are fighting for their existence and can only save their business case by selling SSL certificates (a dying business). Certainly, poor technology and customer-unfriendly processes have also contributed to the lack of acceptance of systems like Suisse ID. But this cannot explain the many flops of the last 20 years. Clearly, technology is not the reason digital identities haven’t made the breakthrough. This is not an assumption, but a clear statement.
We have calculated several times what the business case of a PKI operator could look like. Conclusion: it is obviously not possible to operate economically with digital identities alone. What has a lawyer and economist learned to do in such a situation? To ask the central question: is this an important task in the public interest that should be carried out by a government agency? In my opinion, the answer to this question is YES.
The fact is that in Switzerland we can conduct over 95% of all legal acts informally. This means that the need for an electronic signature arises so rarely that the average user simply does not see the need to acquire a technology that generates additional effort in handling. Anyone who has ever done innovation assessment knows exactly what this means. We are right in the middle of the pain-gain quadrant, i.e. the technology has medium added value, but the effort to use it sucks. So anyone who doesn’t urgently need to use such a thing should leave it alone. If society believes that it really needs digital identities, then this is a classic public service task. Such a system can only be successfully established and deployed on a large scale if every citizen is given a digital identity from birth. I don’t mean implanting a chip, but at least putting a private key on the identity card.
In a nutshell, digital identities will only catch on if the state pays for them and actively promotes them, while at the same time adapting the laws to make their use mandatory. We should finally ensure that we replace our stone age processes with electronic processes, and for some of them (unfortunately) this can only be done with legal pressure. There are plenty of possible starting points, and the electronic patient dossier would be one of them, because there flawless identification is key to the success of the overall system, and no private operator can bear the liability risks involved. On the other hand, I would keep my hands off topics like e-voting, where the expense is too high and the economic benefit far too low. So dear UBS, dear Swiss Post, dear Swisscom, instead of producing another investment flop: use your influence at the political level and make sure that digitization is finally pushed forward in earnest!