The Swiss E-ID and Trust Infrastructure

Good afternoon everybody. It's a pleasure to take you on a little journey to Switzerland for next 20 minutes. I know that in this room there are quite a few people who know a lot about the Swiss case and have some very specific questions, which I hope to have answered. And then obviously there are also people who do not know so much about Switzerland so far. So I will try to bridge these two demands. And there is the Stone. Yeah.

Oh, that's all good. That's all good. So my speech will be in two parts. First I will talk about the Swiss case in general, where we coming from, what are we trying to achieve and how do we achieve it or how we wanna achieve it. And then I would like to address the Swiss elephant in the room, or at least one Swiss elephant in the room.

Now, I guess you all agree when you look at nature, it looks nice, perfect, maybe even poetic. And if you take some well-written lines of code, it can be also a piece of beauty.

However, the codes does not live in a vacuum, it lives in a reality. And please don't get me wrong, I have a PhD in philosophy on democracy. So I am not going to talk to talk badly about democracy. But in the Swiss case, that's really, really a relevant part. And maybe the most important point I would like to drive home today is exactly the fact that, you know, there has been a lot of talk about user centricity and I fully get it, it's very important. But there is also another centricity, and this is the citizen centricity. What do I mean by that?

Three years ago, the parliament has passed a EID law, however, any federal law in Switzerland is subject to a optional referendum. And this referendum has been triggered and it was successful. The law was rejected by a quite big margin. The reasons, mainly the proposal was that not the government would issue the eids, but private IDPs and also the architecture with a classic centralized IDP architecture was not very appreciated when privacy concerns were in play. So Again, I said you have user centricity and you have citizen centricity.

And in Switzerland, in order to be able to start issuing electronic identity, we first have to have a law which has to pass the ballot. And obviously people think and act differently when they can vote at the ballot as citizens or when they use their smartphone as user. So this paradox or trade off is really a challenge that we have to tackle and which is maybe a little bit different in comparison to other countries where there's no public referendum on, on the law itself. What are we trying to achieve?

So obviously due to fact that the idea of private ID IDPs was rejected, now we are setting up a infrastructure where the state is the issuer of the electronic identity. Since it is quite a complex architecture, the government has decided to open this architecture, this infrastructure, so that other credentials can be issued as well. I believe it is a concept by the EU on the diff three levels of the EID as credential issued. Then second level would be other governmental VCs issued, and on the third level private VCs.

So this, this shall be enabled by this trusted infrastructure that the government is setting up as well. Then I mentioned it, privacy concerns are very important in particular for the first step in the political debate, debate. If we risk another referendum, it might be that we are again on square one, which is definitely not what we hope, but then Switzerland is a small country in a large world we have a lot of connections both privately, commercially, politically and so on. So interoperability is also very important to us so that we can interact with you on the globe also digitally.

So these are the main goals that we are trying to achieve with our trust infrastructure and the EID Now, since I've heard some questions about, you know, how do you issue, I would like to quickly talk about that. We propose two different ways on how we will issue the electronic identity on the one hand, and we hope that this will be the, the main procedure is a online issuing process where we will compare your face with the database we have based on your passport or ID card so that we can make a match there.

People who do not want to do this or who are not feeling comfortable with it can also proceed via a onsite issuing process. And there, just to give you an example on, on how concerned people are about privacy and biometrics and so on, the onsite process shall be designed in such a way that they will be absolutely no recording of any biometric data, no filming or whatever to, to really keep the amount of data flowing around to to to ab absolute minimum. Then a comment on the registries.

We envision two registries on the one hand, a base registry, it's a self declaration portal so to speak, where you depose your public key. And on this base registry you also can revoke as issuer your potential VCs that are not valid anymore. So that is the, the first layer. And on top of it we will have the so-called trust registry. There a human controlled verification process will be done to actually be sure that a public key actually belongs to a specific organization, be it a governmental organization or a private company.

With this, we wanna really build up this trust that has, is required for, for the success of this whole endeavor. Now so far I've been talking about what we wanna achieve in very brief strokes. Now I would like to make a few comments also on how we do it and trust, trust, trust. We have to build trust. Obviously it was actually quite a paradox in this referendum. I mentioned in the beginning the position of the government was that the people should adopt this law with private IDPs Exactly, because the position of the government was we the government, we are not able to do that.

It's too difficult. The private sector is more apt to do so, and the people said no, that's not the way it works. You have to get up to speed and you have to have the competence. So we have now to build up these competencies obviously, and, and then also to create the trust that the government is actually able to do so.

And, and for that we give a lot of weight on transparency. We have almost monthly video conferences where we give an update on the project where also external speakers can present their cases. We are on GitHub since about two years with a lot of documentation, with debates since recently also with code to be really transparent and so that people do not have to trust us based on belief but based on facts. So that is the first point, how, how we build trust. Then we also build trust with mechanisms of participation.

Here you have the general assembly of one of the cans, which decides once a year all matters relevance to them on a public square. And exactly in a similar way we are working, we have had already two informal consultations, one formal consultation on the pre draft of the EID law. And we also operate a public sandbox where a number of organizations both public and private, can work with a initial draft, let's say, of this infrastructure that we are building up. In addition to that, we have launched just recently a pilot project.

Now I know Switzerland from most points of view is small, but you can go even smaller if, if you see up there, the very small red surface that is one state, one canton up until we have launched their pilot project with the provisional electronic driver's license. Now this narrows the population even more down because only a few people are currently learning how to drive. But still it is the, the first productive test case or use case that we are now implementing or that has been implemented and so far has been great success on the one hand, let's put it that way from a technical point of view.

However, when we see how well people understand decentralized identities and so on, we we see that there's still quite some work to be done. This has been mentioned by a number of other speakers before me as well.

Okay, so now you have more or less an idea on what Switzerland is doing. Maybe just one additional word. The the new EID law is already in the parliament. It has been, it has been passed by the, the, the National Council and now is in the council of the States.

So the, the political debate is going forward quite nicely. What is the elephant in the room?

It is the, so-called we, we call it the decision on technology. The law is what we call neutral towards technology. It does not say you have to use this protocol or that signature. It just says you have to use one. And obviously we want to implement the whole thing, we wanna run with it. And there are many different approaches on how to address this. And we have, we, we see each other us in front of a decision between either favoring technical interoperability with the eu, mainly meaning to apply SDO and EECD, CA, CEC Ds SA signatures.

That would be one way how we could go or we could say no, we wanna further enhance privacy, the protection of privacy. And that would mean we would go for chase ND and BBS plus. These are the two main options that we, we, we consider The main difference is the second provides linkability there as we believe the first one not. And in that context we have made a public consultation, as I mentioned to you in the end of last year, beginning of this year. And this was the result out of 97 participants in this consultation.

Some are in present in the room, 46 were in favor of the EU approach, 46 were in favor of the linkability approach, let's put it that way. And five said, well, it's too early to decide. And we actually promised a decision in the first quarter of this year.

Now we are almost at the end of the second quarter and no decision has been taken unfortunately also today I cannot communicate to you what the result will be, but given you know, the political complexities we have to tackle and in the same time obviously this very dynamic landscape, we are in any way I hope we understand the challenge that we are facing. But the interoperability is really something very close to our heart. If you look at this map, Cland is not part of the EU but it's surrounded by the eu not to, not to say in encircled.

And obviously we have a lot of good relationships with the EU and the member states we, we really have to make sure that we are interoperable. But we have to distinguish there is the technical interoperability and then there's also the regulatory interoperability, meaning that there will be required a treaty between Switzerland and the eu, which is not an easy task in particular when you consider the complicated relationship between Switzerland and eu. So that is something that will not happen in the very short run anyway.

However, I would like also to mention that Switzerland is part of the large scale project DC for EU in particular with regard to the European, how do you say that? The insurance, health insurance card and also the form A one. So we are really already working on this. And with my almost last slide, I would like to really stress again the fact that Interopability is very important. EU is a very important reference for us, but obviously this, the world is larger than EU and we are very happy to be part of the open wallet initiative.

I say initiative because obviously there's the foundation and now also the plan to have some of these activities under the umbrella of the ITU. One of our federal counselors has made an announcement on that topic last week in Geneva at the world summit on the informational society that Switzerland is currently the chair of. And Switzerland is very much supporting this initiative to create a much multilateral space for topics around open code, relevant for the wallets and also open hardware in particular with regard to crypto processes.

I have not enough time to go into details, but obviously the holder binding is a very important topic. And in particular, I what I say the, the handling or the regulation or whatever of crypto processes is, is something that we have to address. This is not something that will be done quickly, but we have to start and we have to get together in order to really remain credible. When we talk about self-sovereign stuff, as long as you don't have really the control over your, over your key management, this is, yeah, not so credible. And with this I come to my last slide and the outlook.

So on our side, the obvious to-dos are, first of all we have to make a decision on technology. I can promise to you that we are working very hard on that and things will be communicated as quickly as possible.

In 25, we plan to launch a second sandbox, then already with the technology that will be used also for the productive trust infrastructure. Also, in 25 we plan to roll out this provisional driver's license to all S and also all types of vehicles, which will take us to about 100,000 VCs issued in that respect. And if everything goes well, first we have to pass the parliament, then the ballot, if the referendum is triggered and obviously we have to be ready also technically then we could start launching electronic identities or issuing electronic identities by 26.

I know a few of you got a ticket for dice in Zurich in two weeks. I am looking forward to seeing you there again. Everybody else and, and anyway is also very kindly invited to attend our participation meetings. Our next one, it's online, will take place on the 4th of July. Subscribe to our newsletter. You will get the link a few hours before and then hopefully more news can be given to you. And with this I would like to thank you for your, your intention and if there's time, I'm happy to answer questions. Thank you very first, this room is haunted.

So we're running five minutes late, but nevertheless, there's one quick question. Maybe you can provide a quick answer if there is one. Will there be interoperability regarding the QES, the qualified electronic signature? That was a question that I received from, from the audience and hope you can make sense of it. Yes. So in Switzerland we have a different federal law on electronic signatures that will not be really touched much. But with the electronic identity issued by the government, it'll be very easy to actually access these certificates to then sign something. Perfect. Yes.

Thank you much. And what's a quick answer? Thank you very much again, Rolf. You're welcome.