Digital disorientation in Bern

Lesen Sie die deutsche Version hier.

The vaccination status of almost 1.5 million Swiss citizens was openly available on the Internet. The first half million had been leaked in spring 2021 due to security holes in the Meineimpfungen.ch platform. The rest followed at the end of 2022 after a technical glitch occurred at a St. Gallen Covid test center. The third major case of data loss, which came to light in early 2022, is no less serious. A technical error allowed people to be entered into Swisstransplant’s National Organ Donation Register without their knowledge or consent. This rendered the register worthless.

Because independent IT security specialists had found and reported the breaches, they could be closed before something bad happened and the data was compromised. Fortunately. It would have been unthinkable if this delicate information had fallen into the wrong hands. Not only was it openly available on the Internet, but it could also be manipulated – injected or non-injected vaccinations could be deleted or added. And with Swisstransplant, one could unexpectedly be made an organ donor. Because it could no longer be ascertained which entries were «genuine,» the platform was discontinued in October 2022, and all entries were deleted. Thus, at least theoretically, 130 000 potential donor organs that would be urgently needed were and are still missing today. Incidentally, the successor platform will not be ready until 2025 at the earliest – and it is far from certain that it will be operated securely and that all those who have been willing to donate up to now will again register neatly.

Trust squandered

The federal government has not covered itself with glory in the health sector of all places – hardly anywhere else is more sensitive data at stake. And that is a complete understatement. The Federal Office of Public Health (FOPH) has failed to protect citizens› most personal data because it has not selected service providers carefully enough and has not monitored their work enough. Yet it is the central task of the state to protect the data entrusted to it from loss and unauthorized access. It failed to do so in all three cases described.

Worse still, the actions of the federal government are protected by parliament. The National Council’s Business Audit Committee (Geschäftsprüfungskommission, GPK) gives the FOPH good marks in the case of Meineimpfungen.ch and finds that the federal office «acted appropriately» with regard to data security. The politicians judge that sufficient attention was paid to the data protection aspect. If I may say so, that is ridiculous. In a press release dated April 2023, the Foundation for Consumer Protection describes this verdict as «appalling». Such «approval of irresponsibility» when it comes to the security of personal data is all the more worrying because the federal government has several extremely sensitive digitization projects in the pipeline, including the e-patient dossier, electronic identity (e-ID) and e-voting, said Sara Stalder, managing director of the consumer protection foundation. And she is absolutely right.

One really wonders how the GPK can reach such a verdict when it can be proven that the simplest of data protection requirements have not been complied with and hundreds of thousands of data have ended up on the net. Is it ignorance or even intent? Probably neither. Much more likely is disinterest and a lack of competence in the digital sphere. Many parliamentarians can barely spell «IT,» but their digital competence ends there shortly thereafter. There are indeed politicians like Jacqueline Badran or Mauro Tuena who have the relevant know-how by virtue of their profession, but they do not…