Posted by Thersites on  UTC 2018-08-13 11:25 Updated on UTC 2019-07-28

Today's example of ideas that should never have got beyond the back of an envelope stage comes from Switzerland: the SwissID.

SuisseID: gone, but unfortunately still remembered

Do not confuse this with the SuisseID, which left the back of the envelope in 2010, swallowed 20 million CHF of taxpayers' money then turned belly up last year. The SuisseID was an attempt to create a legally secure electronic ID. Its physical form was a smartcard or a USB-stick with a few certificates on it.

To get one you had to fill in a paper application form, take it with your passport to a post office, who would then confirm that you were who you were – that vexed question! – post it off then wait a week or two. One day a registered letter would arrive with the card and then the world was your oyster: you could fill in your VAT returns online and buy postage stamps online. Er… that was it.

In the interests of exploring the new world order (and paying my company's VAT, which you could only do online using a SuisseID) I signed up for this dog's breakfast. The card cost me 147 CHF, the accreditation of my existence by the Swiss Post cost me 40 CHF.

I was now a digital citizen of Switerland with a verified online identity. So for two and a half years I filled in my VAT returns every quarter online (accessible weekdays and business hours only!) and bought the odd postage stamp.

With only about three months to go to its normal expiry date the card decided it didn't love me any more and self-harmed its certificates. The fee for reissuing a new certificate would be around 100 CHF I seem to remember. I also seem to remember that the card would have to be renewed anyway three months later for another 147 CHF.

The now defunct SuisseID smartcard is on my desk still as a reminder of two things: 1) never be an early adopter; 2) never trust officialdom.

SwissID: the brave new world of data aggregation

The next IT disaster, the SwissID, has now left the envelope back. For the user it has two great advantages over the old SuisseID: it's free and it is not time-limited. Unfortunately the downside list is a long one and stretches from the questionable to the foolishly evil.

Firstly, we sniff the rank vapours steaming up from the backers of the system: the Post, Swiss railways, Swisscom, big banks (UBS, Credit Suisse, Raiffeisen, Zürcher Kantonalbank) and other financial monsters (the Swiss Stock Exchange and Mobiliar insurance) – money has changed hands here and someone is going to make money one way or other. Apart from ordering its subservient lackeys, the Post and the Railways, to support the scheme, the Swiss government is keeping its head down this time round.

Secondly, we already feel the acceptance lever being applied: if you want to buy stamps or any other online services from the Post and the Swiss Railways you will have to have the new SwissID. The lever is doing its job: around half a million Swiss – a large number of whom are happy to cooperate with the powers that be – have already got a SwissID.

Thirdly we come to the downright foolish, potentially evil aspects of the SwissID. 2018 was the year that IT simpletons (a.k.a. politicians) became aware of the accretion of user data that was practised in the dark recesses of the web by shady companies with the open assistance of Google, Facebook et al.

At the moment, these organizations have to create user profiles by cookie crunching and sophisticated pattern matching of numerous logins under numerous identities at numerous websites. Poor lambs, how they must labour! Let's make everything much simpler for them. Let's force the entire online population of Switzerland to have only one identity each – how easy will that be!

With SwissID, stamp buyers, train travellers, online shoppers, online bankers and social media users will all be brought under one shared data umbrella.

Not only that, but the proponents of SwissID have learned from Google, facebook and co. All the user's data will be offered by default to web organizations. Users themselves will have to make the effort to disallow certain data for particular sites. Whether the organizations allow the user to do this is another matter.

The small print

SwissSign, the company behind SwissID, tells us helpfully in their FAQ that everyone requiring a SwissID signup can get at all your data. It tells you this by not answering the question it itself asks – who can access my data?:

You retain control over your data at all times: you determine who may know what about you and when. In order to guarantee this, SwissID differentiates between different trust levels. They enable you yourself to decide which data you want to disclose to whom. You can also withdraw approvals at any time.

The short answer to the question is therefore 'everyone'.

Those with some ID experience will burst out laughing at the response to the question 'What happens if my SwissID account is hacked?'

SwissSign protects your data according to the highest e-banking standards, does not pass it on to third parties without authorisation and keeps it in Switzerland. If you suspect that your SwissID account has been hacked, you can block this immediately.

How the first sentence of the answer is related to the question is a mystery. Anyone who requires a SwissID login gets your data and can do with it what they will. Passing your data on to third parties is the essence of SwissSign's business.

Those who read the Terms and Conditions will realise that SwissSign essentially accepts no liability for anything whatsoever, unless you can prove negligence. As far as protecting your precious data, the 'approval' for personal data transfer means the 'approved transfer of data which have been confirmed by the user or by third parties'. In other words the user is required to confirm nothing: what a third party wants a third party can get. What happens after your data has been passed to another website is an issue that remains untouched in the document.

Fourthly, the next step is even worse. The next time Swiss citizens visit the local authority or go the the post office or want to deal with a bank, they will be encouraged to convert their SwissID into the new E-ID which the government has just dreamed up. The conversion will cost money, but the goody-two-shoes of Switzerland will be happy to pay it.

The E-ID will be what the SuisseID tried to be but failed: a complete and unambiguous identification of its owner, in effect, a digital version of the owner's passport. Since it will now be eternally linked to its junior partner the SwissID, the entire web of online services will be joined up under this unique identification.

Bleating our resistance

How do Swiss citizens resist this monstrous invasion of their privacy? If they are low-level IT users there is little they can do. As usual the sheep are efficiently fleeced and kebabed and their data will be aggregated and sold on whether they like it or not.

Those who have more IT knowledge will note that the user-key is an email address and the SMS authentication can be replaced by a cross-off list – that should be enough for you. The terms and conditions of use also make interesting reading for the subversively minded. Aux armes, citoyens!

FoS image, size 708x936

Ferdinand Hodler, Wilhelm Tell 1896/97. Image ©Kunstmuseum Solothurn.

Update 28.07.2019

After much sunny optimism – all government IT projects around the world start off like that – the Swiss Federal Government has pulled back from its E-Voting project (which would have ultimately intersected with the SwissID). The IT experts who were not feeding at the government trough were all agreed from its inception that the project was a crock – and a very insecure and opaque crock at that.

They haven't cancelled the project – the Swiss voting addicts would love to have some relief from this annoying duty – but instead have gone off to have a little think about it all.

Politicians are useless at specifying and running IT projects because a) they know nothing about IT and 2) they think of IT systems as integral products, that is, objects such as houses or cars, when, in fact they are Protean blobs that are never finished – they are in a state of permanent adaptation to new environments and technologies and therefore need permanent maintenance and development.

In contrast, politicians like to write everything down in advance and hold developers to iron specifications, never thinking of change and that most important discipline in IT: change management. In such a context, security will always be a problem: a bank will invest millions every year to keep its systems secure and attack proof; politicians have no stomach for spending money on things no one can see.

0 Comments UTC Loaded:

Input rules for comments: No HTML, no images. Comments can be nested to a depth of eight. Surround a long quotation with curly braces: {blockquote}. Well-formed URLs will be rendered as links automatically. Do not click on links unless you are confident that they are safe. You have been warned!

Name  [max. characters: 24]
Type   into this field then press return:
Comment [max. characters: 4,000]