The federal government cannot protect our data

Lesen Sie die deutsche Version hier.

The case of the IT company Xplain startled the Swiss public. The Bern-based company was the victim of a hacker attack at the end of May, and data amounting to around 900 gigabytes ended up on the darknet, including sensitive information from the Federal Office of Police (Fedpol), Customs and Border Protection, and cantonal migration offices, among others. Anyone who is now surprised that a private IT company is providing services for the public sector and cries «Scandal!» does not know what is really the case. Xplain is not the exception, Xplain is the rule.

«Anyone who is now surprised that a private IT company

is providing services for the public sector and

cries «Scandal!» does not know what is really the case.

Xplain is not the exception, Xplain is the rule.»

The largest IT contractor in Switzerland is the federal government. None of the large, internationally oriented companies can keep up with its volume of commissions. The Swiss Confederation has its own Federal Office of Information Technology and Systems (FOITT) with around 1100 employees. According to its own statements, the FOITT supports the administration by means of information technology to «develop and implement economical, secure, user- and citizen-friendly solutions». However, this is only half the truth. The majority of IT projects are realized and implemented by external third-party suppliers. Often, the operation of the systems and the services also run entirely through third-party providers. Is that a bad thing? The question is superfluous: the federal government has neither the know-how nor the resources. As I said: Xplain is the rule, not the exception.

This close interlocking between the state and private service providers, which has long since become a reality, means that the latter also share the cyber risks. It is of no use if the federal government has high security requirements, but these are not also implemented by third-party providers. The National Cyber Security Center (NCSC) is doing a good job and has brought Switzerland a great deal of progress in the area of cyber security. But there is still a lot of homework to be done. Namely, this includes clear guidelines and security requirements for third-party IT providers. Another example of this: The magazine «Swiss Review» produced by the Federal Department of Foreign Affairs for the Swiss abroad is printed in an external print shop. The Confederation supplied the addresses to the company, whereupon data was stolen in a cyberattack on the print shop; the company did not pay a ransom, and so 425,000 addresses ended up on the darknet in June. Now, both interested and less interested circles can see where the Swiss abroad live.

Distrust as a sign of a mature democracy

This brings us to the core questions: How are gigantic amounts of data changing the relationship between citizens and the state? What do data protection, transparency and information justice mean in the digital age?

There is a high level of mistrust among the population, but also an awareness that data can be misused. The Swiss are comparatively skeptical when it comes to the state and rights of inspection or access, which is a sign of a mature democracy. They want to know what this rather intangible juggernaut of a state stores. The fact that individuals are informed about what data the state collects about them should be a self-evident fundamental right, especially when it comes to such huge amounts of data.

The federal government’s annual budget for IT totals around CHF 1,2 billion, and the trend is rising. This shows that digitization has gained enormous importance in the administration. There is hardly an area in which huge IT projects have not already been implemented and corresponding projects are underway – or have failed disastrously. The Federal Tax Administration recently completed the electronic recording of value-added tax (to name a successful project for a change).

As in the private sector, the goal for the federal government is to increase efficiency and optimize processes through digitization. Which is certainly happening. Unfortunately, however, one never sees that the increase in efficiency at the federal level leads to a reduction in personnel expenses, because new positions are immediately created in other areas. In addition, digitization is triggering pressure for centralization. The cantons are in the thrall of standardization and often lean on the federal government. This is an understandable process, but it also undermines important federal structures. One thing is clear: digitization and centralization are making the state more vulnerable and increasingly the object of cyberattacks. That’s why I consider efforts toward e-voting, for example, to be naïve and even dangerous. We must not expose our direct democracy to such risks of manipulation, and certainly not because of a spreading sense of convenience.

«As in the private sector, the goal for the federal government is to increase efficiency and optimize processes through digitization. Unfortunately, however, one never sees that the increase in efficiency at the federal level leads to a reduction in personnel expenses.»

What is not confidential should be public

The result of all these government IT projects is that much more data is being collected and is available digitally. Of course, this data also represents a value; the evaluation of such large volumes of data was previously not possible at all manually, or only with a great deal of effort. The public sector has financed these projects. Derived from this, further questions arise: Who has a legitimate right to access this data? Who does not? How is the data protected?

There are data that must be available to the public. Classic examples are topographical data (Swisstopo) or weather data (MeteoSwiss app). However, when it comes to personal and company data that is worth protecting, the state has a special responsibility to ensure that this data is not simply freely accessible.

The state will not be able to avoid classifying its huge volume of data. Data protection law does not have to be reinvented in the process. It is enough if the principle of «open government data» applies in principle: Everything that does not fall under personal data protection should be publicly accessible. The Federal Act on the Principle of Publicity in Administration (Publicity Act) goes in this direction: what is not confidential is public. The order is important: the federal government must first declare data, information and documents as confidential. For everything else, there is the right of inspection, if necessary upon request. The media in particular make use of this possibility, which is important for the checks and balances of state powers.

Europe is fervently regulating

Digitization has enormously expanded the possibilities for accessing and collecting data. The only thing is that it must be possible to store these gigantic volumes of data somewhere. This is where the next clash with reality takes place: All cloud providers come from abroad because a self-sufficient Swiss cloud solution with comparable performance would never be economically viable. As long as it’s a matter of storing innocuous information, that’s not a problem. But sensitive areas such as taxes, finances or persons must remain a sovereign task and the corresponding data must be stored in Switzerland. What is foreseeable is that the already immense volumes of data will become much larger again as a result of artificial intelligence (AI). Data will be collected, analyzed and processed from everywhere and will become even more important.

In the EU and also in Switzerland, the discussion focuses on one point: What new regulation is needed in connection with AI development? To put it more pointedly: Europe is more fervently concerned with regulatory issues and risks than with innovation. In a few years, people will rub their eyes again and realize that the forefront of AI is somewhere else entirely.

«Europe is more fervently concerned with regulatory issues and risks than with innovation.»

Today, the best and biggest tech companies are almost exclusively in the US or China. And the next fast train is already in danger of leaving if we don’t start talking more about opportunities in the digital realm. Of course, issues like information justice, privacy, transparency, data protection are important. But if we – and by that I mean Switzerland and, downstream, Europe – are de facto largely dependent on digital superpowers or tech giants, these debates become superfluous.