The vaccination status of almost 1.5 million Swiss citizens was openly available on the Internet. The first half million had been leaked in spring 2021 due to security holes in the Meineimpfungen.ch platform. The rest followed at the end of 2022 after a technical glitch occurred at a St. Gallen Covid test center. The third major case of data loss, which came to light in early 2022, is no less serious. A technical error allowed people to be entered into Swisstransplant’s National Organ Donation Register without their knowledge or consent. This rendered the register worthless.
Because independent IT security specialists had found and reported the breaches, they could be closed before something bad happened and the data was compromised. Fortunately. It would have been unthinkable if this delicate information had fallen into the wrong hands. Not only was it openly available on the Internet, but it could also be manipulated – vaccinations that had been given could be deleted, and ones that had not been given could be added. And with Swisstransplant, one could unexpectedly be made an organ donor. Because it could no longer be ascertained which entries were «genuine,» the platform was discontinued in October 2022, and all entries were deleted. Thus, at least theoretically, 130 000 potential donor organs that are urgently needed were, and still are, missing. Incidentally, the successor platform will not be ready until 2025 at the earliest – and it is far from certain that it will be operated securely and that all those who have been willing to donate up to now will dutifully register again.
The federal government has not covered itself with glory in the health sector of all places – hardly anywhere else is more sensitive data at stake. And that is a complete understatement. The Federal Office of Public Health (FOPH) has failed to protect citizens' most personal data because it has not selected service providers carefully enough and has not monitored their work enough. Yet it is the central task of the state to protect the data entrusted to it from loss and unauthorized access. It failed to do so in all three cases described.
Worse still, the actions of the federal government are protected by parliament. The National Council’s Business Audit Committee (Geschäftsprüfungskommission, GPK) gives the FOPH good marks in the case of Meineimpfungen.ch and finds that the federal office «acted appropriately» with regard to data security. The politicians judge that sufficient attention was paid to the data protection aspect. If I may say so, that is ridiculous. In a press release dated April 2023, the Foundation for Consumer Protection describes this verdict as «appalling». Such «approval of irresponsibility» when it comes to the security of personal data is all the more worrying because the federal government has several extremely sensitive digitization projects in the pipeline, including the e-patient dossier, electronic identity (e-ID) and e-voting, said Sara Stalder, managing director of the consumer protection foundation. And she is absolutely right.
One really wonders how the GPK can reach such a verdict when it can be proven that the simplest of data protection requirements have not been complied with and hundreds of thousands of data records have ended up on the net. Is it ignorance or even intent? Probably neither. Much more likely is disinterest and a lack of competence in the digital sphere. Many parliamentarians can just about spell «IT,» but their digital competence ends shortly thereafter. There are indeed politicians like Jacqueline Badran or Mauro Tuena who have the relevant know-how by virtue of their profession, but they do not have digital policy on their agenda at all. Others, on the other hand, are politically active in this field, but by nature they work in completely different areas. Federal parliamentarians with expertise in digital policy can be counted on one hand.
Everything digital is packed into the data protection law
Digital cluelessness is not only problematic when it comes to IT security, but also in terms of legislation. Here are two examples:
The European Union and many of its member states are pushing a law known as «Chat Control.»1 Superficially, the legislators are concerned with the fight against images of abused children on the net. A problem that needs to be addressed and solved, no question. However, the path being taken is the wrong one. If you look closely, chat control is about something completely different: the prohibition of encrypted communication and thus ultimately the abolition of citizens' privacy. Citizens must have the right to communicate privately online in messenger apps such as WhatsApp, Facebook Messenger or Threema – just as they can do in their own homes or in the café around the corner. In Bern, however, the law is not a political issue. Because there is hardly any resistance to it, Swiss citizens will also be affected by the EU chat control. After all, a U.S. company will hardly launch a separate Swiss version of an app if it is available in the rest of Europe without encrypted communication.
A second example is artificial intelligence (AI): Everyone agrees that the opportunities and risks associated with AI are equally huge and that the technology has the potential to transform numerous industries. The debate about it centers on two related questions. Is too much regulation holding back innovation? And how much regulation is needed to prevent discrimination and abuse? But no matter which side you lean toward, the problem is different. Namely, Parliament packs almost all legal paragraphs that have a digital component into the Data Protection Act (DSG). Although, for example, discrimination caused by AI has nothing whatsoever to do with data protection, there is a passage in the new DSG on automated decisions in the administration. Authorities are to be allowed to use AI, but must, for example, inform applicants if they have been rejected by a computer. Such rules make sense, but the fact that they are inserted in the DSG is more than a blemish in the systematic structure of the law. The example is an anecdotal illustration of the fact that in the digital area, politics does not understand many things and does not address them properly.
Electronic ID offers hope
This digital disorientation in Bern is a problem, and it harms all citizens. There is no need for a ‹digital enthusiast› at the federal level who digitizes everything that can be digitized. Rather, what is needed is expertise and interest in digital projects so that they are not shuffled back and forth between the administration and parliament, but are implemented. And that means the expertise must be available at the highest level, in the Federal Council. It’s like that in every company: If the boss doesn’t lead by example, at some point no one will follow.
Federal Councillor Alain Berset, who will be stepping down at the end of the year, is no role model in this respect. Since taking office in 2011, he has been head of the Federal Department of Home Affairs (FDHA) and is therefore responsible for the many digital problems in the area of e-health. With a Federal Council that would push digital issues, the electronic dossier of patients would not be in such a disastrous position as it is today. The data protection problems described above could also have been prevented or reduced with better supervision by the FOPH, which is based in the FDHA.
Is there hope after all? Indeed. One positive example in the federal administration is the e-ID. After the resounding «No» from the electorate in March 2021, the project was pushed and relaunched under the leadership of Green National Councilor Gerhard Andrey – and from a technical perspective, it was exemplary in every respect. There exists a 100 percent state solution in which citizens retain control over their own data. In addition, data is only stored when it is really necessary. The project’s program code is public and can be viewed and checked by anyone who wants to.
This project must set an example. And in the parliamentary elections in the fall and the general elections for the Federal Council in December, Switzerland has the chance to strengthen digital competence in the Federal Parliament. Let’s take advantage of this opportunity – it’s important for the future of our country.
1 See also Judith Bellaiche: On Quiet Soles to Total Surveillance. In: Schweizer Monat 1105, April 2023, p. 36.