<style> .reveal { font-size: 28px; } .reveal h1, .reveal h2 { text-transform: line-height: 0.95; } .reveal small { font-size: 0.7em; } .reveal ul { line-height: 1.25em; } .reveal p { line-height: 1.2em; } .reveal blockquote { font-size: 1.1 em; line-height: 1.1 em; } </style> # The Swiss e-ID ## <u>Five Anchors</u> to Preserve<br/>Digital Autonomy &<br/>Democratic Sovereignty _Christopher Allen — Trust Architect_<br/> <small>swiyu 2025-10-02</small> Note: Thank you to the Swiss e-ID team for giving me the opportunity to speak today. I also appreciate all of you who have joined — your presence demonstrates the importance of protecting digital identity in our world today. The Swiss e-ID represents a HISTORIC OPPORTUNITY. Your democratic processes have created this moment. (pause) But it's just a first step. In this presentation, I'm going to introduce Five Anchors to align your new Swiss e-ID with Swiss values of autonomy and democratic participation. My name is Christopher Allen. I'm an INTERNET TRUST ARCHITECT - let me explain why I'm qualified to guide this critical discussion. --- ### Who am I? * **Technologist & Trust Architect** * Co-author of **IETF TLS 1.0** (the 🔒 lock in your browser) in the 1990s > ### “We believed that technology could protect people by preserving dignity and autonomy. That it could be a shield against coercion, rather than a conduit for it. That it could preserve choice and agency for individuals and communities.<br/>We were wrong.” * Originator of **Ten Principles of Self-Sovereign Identity** * Co-author of the **W3C DID Standard** for decentralized identifiers * Advisor on **digital identity & digital asset law** in the US & abroad **TLS still secures billions of connections daily, 25+ years later** Note: I've spent my career designing digital trust infrastructure that lasts for DECADES. In the 1990s, I led the effort to make TLS - the LOCK in your browser - into an international standard. TLS still secures billions of connections daily, 25+ years later. (pause) However... _We believed that technology could be a SHIELD against coercion, rather than a conduit for it. That it could preserve choice and agency for individuals and communities._ (long pause) WE WERE WRONG. This failure led me to author the _Ten Principles of Self-Sovereign Identity_ and become the architect and co-author of the W3C Decentralized Identity international standard. (pause) It is this HARD-WON WISDOM that can help Switzerland avoid the traps I fell into. --- ## Important Clarification on SSI **The Swiss e-ID is NOT _Self-Sovereign Identity_** * **Self-Sovereign Identity**: Citizens control their digital identity infrastructure - a focus on personal agency to protect civil and human rights * **Swiss e-ID**: Government controls issuance, revocation, infrastructure - government-managed for institutional trust - with democratic oversight * **This isn't criticism** — it's clarity about what you're building **The Swiss e-ID is a _government digital identity system_**. Note: To be clear, the Swiss e-ID is not a _Self-Sovereign Identity_ system. There's been confusion because Swiss e-ID uses technologies originally designed for self-sovereign identity. But the government has never called it SSI. (pause) With Swiss e-ID, you're using Decentralized Identifier and Verifiable Credential technologies in a GOVERNMENT-CONTROLLED system. We need to be CLEAR about what you're actually building so we can govern it appropriately. **The Swiss e-ID is a _government digital identity system_**. ---- ### ANNOTATION: What IS Self-Sovereign Identity? (1/3) **Self-Sovereign Identity Definition:** * Individual controls their own digital identity and credentials * No central authority required for identity verification * Citizens own their data and decide what to share, when, and with whom * Identity works across different services and platforms **Key SSI Characteristics:** * **Decentralized**: No single point of control or failure * **Portable**: Identity works everywhere, not locked to one service * **Private**: Minimal disclosure of personal information * **Persistent**: Identity survives even if organizations disappear ---- ### ANNOTATION: Ten Principles of Self-Sovereign Identity (2/3) **Christopher Allen's Ten Principles (2016):** 1. **Existence**: Users must have an independent existence 2. **Control**: Users must control their identities 3. **Access**: Users must have access to their own data 4. **Transparency**: Systems must be transparent 5. **Persistence**: Identities must be long-lived 6. **Portability**: Information must be transportable 7. **Interoperability**: Identities should be widely usable 8. **Consent**: Users must agree to the use of their identity 9. **Minimalization**: Disclosure should be minimized 10. **Protection**: Users' rights must be protected ---- ### ANNOTATION: Why Swiss e-ID Uses SSI Technology Differently (3/3) **Key Differences:** * **SSI**: Citizens control issuance, revocation, and infrastructure * **Swiss e-ID**: Government controls issuance, revocation, and infrastructure * **SSI**: No central authority required * **Swiss e-ID**: Government serves as trusted central authority **Why This Distinction Matters:** * Different governance requirements for government vs. citizen-controlled systems * Understanding the architecture helps design appropriate democratic safeguards * Clarifies what you're actually governing and how to do it effectively --- ## Government Digital Identity **Swiss Legal Foundation:** Current regulation requires citizens to REQUEST e-ID issuance - voluntary by design. ### The Critical Question: Can this voluntary principle survive when: * Private sector creates speed/price advantages for e-ID users? * Platform dependencies make alternatives second-class? * Economic reality pressures citizens into "voluntary" adoption? _As other countries learned:_ **legal voluntary ≠ practical voluntary** Note: Switzerland has already established a good legal foundation - citizens must REQUEST an e-ID. But here is the CRITICAL QUESTION that shapes everything: (pause) Can being voluntary survive when the private sector creates advantages for Swiss e-ID users, an economic reality that can pressure adoption. As other countries like India have learned: LEGAL voluntary does NOT equal PRACTICAL voluntary. ---- ### How "Voluntary" Gets Eroded: International Case Studies **Estonia: 99% Adoption Makes Refusal Impractical** * Digital-first government services create speed advantages * Physical alternatives become second-class citizen experience * Social pressure: "Everyone has one, why don't you?" * Result: Legally voluntary, practically mandatory **Ireland: Public Services Card Controversy** * Started voluntary for welfare services * Gradually required for driver's license, passports, employment * Citizens forced to choose: get card or lose access to essential services * Court challenges took years to resolve **India: Aadhaar "Voluntary" Expansion** * Initially voluntary biometric ID for welfare * Banks, schools, telecom required it for service * Supreme Court had to intervene to limit scope * Economic coercion made legal voluntary meaningless **Switzerland's Advantage:** * Democratic institutions can prevent this erosion * Five Anchors create systematic protection * Learn from others' mistakes before implementing, not after **The Pattern:** 1. Start voluntary with good intentions 2. Private sector creates advantages for adoption 3. Economic pressure makes voluntary meaningless 4. By the time courts intervene, infrastructure dependency is entrenched --- ## Individual Autonomy **Personal and family resilience supports choice and agency** * _“I can choose how much to share, when, and with whom.”_ * _“We can protect our family's privacy and security across generations.”_ Note: Your implementation must reflect practical Swiss values: individual responsibility and family resilience. (pause) You must be able to say: "I can choose how much to share, when, and with whom." and you need to be able to say: "We can protect our family's privacy and security across generations." The Swiss e-ID should STRENGTHEN these traditions. But individual autonomy alone isn't going to be enough for Swiss democracy. --- ## Swiss Democratic Sovereignty **Constitutional principle that sovereignty resides in the people** * Swiss democratic institutions enable meaningful oversight * “We collectively govern the systems that govern us” Note: Because in Swiss democracy "SOVEREIGNTY RESIDES IN THE PEOPLE" - this is the foundation of Swiss constitutional order. You may delegate authority but you NEVER SURRENDER IT. (pause) "We collectively govern the systems that govern us." But it is this democratic sovereignty that without individual choice can ring HOLLOW. --- ## Why Both Matter * Individual autonomy gives substance to democratic sovereignty. * Without meaningful personal choice, democratic control rings hollow. _These must work together for Swiss e-ID to succeed._ Note: Think of it this way: if citizens can't meaningfully say "NO" to the system, then democratic oversight becomes THEATER. (pause) Real democratic control requires citizens to have genuine alternatives and real agency. THIS is what these five anchors are designed to preserve. --- ## The Swiss Advantage Your democratic institutions can preserve individual autonomy and resilience. Other countries may copy your technical architecture but lack this governance foundation. _**The moment is now:**_ Your referendum has passed. Choices you make today influence the world for 20 years. Note: It is this that makes Switzerland UNIQUE in the world. Your advantage is that you can deploy a government digital identity that preserves rather than erodes individual autonomy by building on your democratic institutions AND your cultural values. Now this does raise another concern: other countries may copy your technical architecture but they LACK your strong foundation. As a result, the technical choices you make today, because you have a trustworthy Swiss government, could become tools of OPPRESSION elsewhere. Be aware of this. --- ## The TLS Warning * We finished **TLS 1.0** in 1996, but only ratified in 1999 * We knew about problems, we thought we'd fix them in **3-5 years** * Those fixes didn't ship until **TLS 1.3** in 2019 — **20 years later** * 38% of websites **still** don't use this more secure version * More do not fully enable or support all features **Lesson**: Once you ship, “good enough” becomes “stuck with it” Note: Another warning from personal experience: We finished TLS 1.0 in 1996 and we thought we'd fix some major problems in 3-5 years. Those fixes took over TWENTY YEARS because "GOOD ENOUGH" became "STUCK WITH IT." Even today, 38% of websites STILL don't use the more secure version finished in 2019. (pause) Democracy moves slowly, technology moves fast. Build now for a 20-year architecture, NOT a 2-year Minimum Viable Product. --- ### Five Anchors for Swiss Digital Autonomy 1. **Preserve Choice by Design** - Voluntary must mean voluntary-in-practice 2. **Build a 20-Year Architecture, Not 2-Year Product** - Infrastructural thinking 3. **Maintain Platform Independence** - Resistance to technical capture 4. **Require Duties for Non-Governmental Parties** - Private sector accountability 5. **Implement Institutional Safeguards** - Democratic oversight of digital power Note: With that being said, here are MY Five Anchors for ensuring that Swiss e-ID remains aligned with Swiss values: Preserve Choice by Design, Build a 20-Year Architecture, Maintain Platform Independence, Require Duties for Non-Governmental Parties, and Implement Institutional Safeguards. Each of these anchors addresses a gap that technology ALONE will not fix. Together, they can preserve Swiss democratic values in digital systems. (pause) I'll go through each of them systematically. Let's start with preserving choice by design. Let's make voluntary actually mean "voluntary-IN-PRACTICE". --- ## 1) Preserve Choice by Design _The Individual Autonomy Anchor_ _**Problem Statement:**_ Choice disappears when alternatives become second-class _**Swiss Reality:**_ Will the e-ID become mandatory in practice, even if voluntary in law? Note: Choice disappears when alternatives become SECOND-CLASS. We need to examine how something being voluntary gets eroded - not necessarily through legal changes, but through ECONOMIC and TECHNICAL pressures. Voluntary only works if it's voluntary-in-PRACTICE, not just voluntary-in-LAW. --- ### 1) Preserve Choice by Design _How Digital Choice Erodes_ Trust builds gradually. Show your age, not your address; your eligibility, not your identity; what's needed now, not everything you have. *This is how physical identity works — digital should match.* You _shouldn't_ have to hand over your entire personal profile to be copied just to prove you're over 18. > ### "We now face systems that presume compliance by default<br/> and eliminate meaningful choice." Note: Voluntary choices can erode. You shouldn't have to hand over your ENTIRE personal profile just to prove that you're over 18. In the physical world, trust builds GRADUALLY: you show your age, not your address; you demonstrate your eligibility, not your identity. (pause) Digital systems should match these patterns of physical systems. But instead WE NOW FACE DIGITAL SYSTEMS that presume compliance by DEFAULT and so eliminate meaningful choice. ---- ### ANNOTATION: Swiss Digital Service Erosion Examples (1/3) **International Context:** * Banking sector globally shifting to digital-first with physical branch closures * Government services worldwide adopting "digital by default" policies post-COVID * Payment systems transitioning from cash-optional to digital-preferred models **Problems/Issues:** * **Swiss banking consolidation**: UBS closing 85 branches (1/3 reduction) by 2025 after Credit Suisse merger * **Government service digitization**: easyGov platform expanding, QES signatures required for employment contracts * **Payment infrastructure shift**: TWINT now accepted by 81% of stores, creating speed/convenience advantages over cash ---- ### ANNOTATION: Digital Service Erosion Impact Analysis (2/3) **Implications:** * Legal voluntary status maintained while practical voluntary erodes through convenience and scarcity * Citizens face increasing economic pressure to adopt digital services for basic needs * Physical alternatives becoming second-class through reduced availability and efficiency * **Swiss Choice Point**: This pattern can be prevented through proactive design, not just accepted as inevitable ---- ### ANNOTATION: Swiss Choice Preservation Opportunity (3/3) **Swiss Application:** * e-ID risks following same pattern: legally voluntary, practically mandatory within 5-10 years * Current digitization trends demonstrate both the risk and the opportunity for intervention * Swiss democratic advantage: institutions can enforce meaningful choice preservation where other countries cannot * Swiss scale enables maintaining dignified alternatives if designed systematically from the start --- ### 1) Preserve Choice by Design _Solutions for Meaningful Choice_ * **Governance structure with enforcement power:** * **Essential service inclusion** — no services (government OR private) limited to digital-only * **Economic neutrality** — similar price, speed, dignity for physical alternatives * **Legal accountability** — real penalties for coercive practices * **User-controlled technical architecture:** * **Progressive revelation** — citizens control what they share, when, and with whom * **Progressive trust UX** — "no, not now, maybe later" instead of "accept or cancel" Note: Solutions for choice by design have TWO LAYERS: A governance structure with ENFORCEMENT POWER and then user-controlled technical architecture. Essential service inclusion ensures that NO SECTOR—government OR private—can force digital adoption through economic pressure. User-controlled architecture includes progressive trust, which supports "NO, NOT NOW, MAYBE LATER" instead of "accept or cancel." ---- ### ANNOTATION: Progressive Trust Implementation Models **Progressive Trust Success Cases:** * Apple's "Ask App Not to Track" — simple, clear choice without penalties * GDPR consent interfaces (when done right) — granular, revocable permissions * Swiss banking: graduated disclosure for different transaction types **Progressive Trust Design Principles:** * "No, not now, maybe later" instead of "accept or cancel" * Citizens control what they share, when, and with whom * Trust builds gradually through voluntary interactions * Physical identity model: show age not address, eligibility not full identity --- ### 1) Preserve Choice by Design _Implementation & Enforcement_ * **Without enforcement, voluntary becomes meaningless** * **Need-to-Know schedules** - clearly define what data is legitimate for what purposes * **Hold all sectors accountable** - government and private sectors live by similar standards * **Dark pattern auditing** - public transparency on coercive practices Note: Without enforcement, voluntary becomes MEANINGLESS. Thus we must offer well-defined "Need-to-Know" schedules with what data is legitimate and for what specific purpose, with REAL PENALTIES for coercive practices. Because Swiss citizens need REAL PROTECTION, not just policy promises. --- ## 2) Build a 20-Year Architecture,<br/>Not a 2-Year Product _The Infrastructure Anchor_ _**Problem Statement:**_ MVP thinking optimizes for shipping, not decades of democratic evolution _**Swiss Reality:**_ Democracy moves slowly, technology moves fast — and technical debt can quickly get entrenched **Remember TLS:** "Good enough" becomes "stuck with it" for 20+ years Note: Our second anchor is about the importance of architecture. Minimum Viable Product thinking optimizes for shipping, NOT for decades of democratic evolution. Democracy moves slowly and deliberatly, while technology moves fast. Importantly, early technical debt can become ENTRENCHED for 20+ years. You're building Switzerland's DIGITAL INFRASTRUCTURE, not a startup app. --- ### 2) Build a 20-Year Architecture _Infrastructural Thinking_ * **You're building Switzerland's digital infrastructure, not a startup app** * **Minimum Viable Architecture, not MVP** — plan now for 20 years, not 2-year shipping * **Open development practices** — transparency, participation, stewardship * **Invest in commons** — fund standards participation and library development Note: So instead, you need to design a MINIMUM VIABLE ARCHITECTURE, not a MINIMUM VIABLE PRODUCT. Plan NOW for 20 years of democratic change, not a 2-year shipping deadline. (pause) As my research shows: "We don't always know the right solutions... the best we can do is create architectures that won't lock us in." Thus the first thing you need to do is to determine the MINIMUM architecture needed to support the next 20 years of democratic evolution. ---- ### ANNOTATION: MVA vs MVP - Architectural Design (1/3) **International Context:** * **US Federal Government**: $7 billion technical debt from MVP-style decisions that became permanent * **TLS/SSL success**: Modular plug-in architecture enabled 25+ years of cryptographic evolution * **Estonia e-ID**: Successful but locked into specific technical choices, difficult to evolve **Problems/Issues:** * **MVP approach** optimizes for immediate shipping, creates inflexible technical debt * "Good enough" solutions become permanent when replacement costs are prohibitive * Architectural decisions lock governments into specific vendors and technologies for decades ---- ### ANNOTATION: MVA Research Foundation (2/3) **Core MVA Principle:** * **Quote from MVA research**: "We don't always know the right solutions... the best we can do is create architectures that won't lock us in to specific decisions about the future" **Implications:** * Swiss e-ID architectural choices will constrain democratic evolution for 20+ years * MVP thinking creates competitive vulnerabilities and limits future innovation * Without modular design, Switzerland becomes dependent on current technology assumptions ---- ### ANNOTATION: Swiss MVA Implementation Strategy (3/3) **Swiss Application:** * **MVA principles**: "Hollow out spaces in architectures for future development" * **Modular and expandable design**: Separate core identity specifications from implementation details * **Swiss open source strategy**: EMBAG law enables collaborative "coopetition" development * **Architectural flexibility**: Design identity system to accommodate future, currently unanticipated developments * **Democratic timeline advantage**: Switzerland can afford slower, more thoughtful architectural choices that serve 20-year democratic evolution --- ### 2) Build a 20-Year Architecture _Focus on Architectures of Data Minimization_ * **Secure data at rest** — transport security alone is insufficient * **Need-to-Know by design** — technical architecture should enforce legitimate purpose limits * **Verify and forget capability** — no silent data retention, cross-service linking, or logging of authentication * **Future-proof selective disclosure** — architecture must support evolving technology * SD-JWT + VCs have good intentions for privacy, but called “dead end” by many standards and cryptographic experts * _Be prepared to swap it out soon!_ Note: I recommend you first focus on architectures of data minimization, where you reveal the minimum amount of data possible. This isn't just a privacy feature, it's the FOUNDATION of voluntary-in-practice systems. Your current published choices do attempt to offer this, and clearly have good intentions. However, many experts call them a "DEAD END" for long-term deployment. Transitioning to something better will be difficult. (pause) Thus you really need to be be prepared to swap them out SOON! Remember, the technical choices you make NOW will determine future Swiss citizens' ability to CONTROL their digital interactions. ---- ### ANNOTATION: SD-JWT Critical Assessment (1/3) **International Context:** * Hash-based selective disclosure provides solid privacy foundation for digital credentials * SD-JWT represents one specific implementation approach with known limitations * Cryptographic experts have identified significant architectural constraints in current SD-JWT specification **Problems/Issues:** * **Rigid Structure**: Hard-coded format makes evolution difficult for 20-year systems * **No Unlinkability**: Signatures correlate across different verifications, limiting privacy * **Cryptographic Lock-in**: Each new crypto method requires rebuilding entire payload structure ---- ### ANNOTATION: Expert Consensus on SD-JWT Limitations (2/3) **Expert Assessment:** * **Expert Consensus**: Multiple cryptographic specialists note these as "serious flaws" for long-term deployment **Implications:** * BBS+, zero-knowledge proofs, other advances require complete reimplementation in SD-JWT * Cannot evolve cryptographically without replacing entire credential format * A 20-year timeline exposes these architectural limitations more than short-term deployments ---- ### ANNOTATION: Swiss Architectural Decision Point (3/3) **Swiss Application:** * Switzerland's democratic deliberation advantage allows time to address these architectural issues * Better architectural approaches exist that preserve privacy benefits with more flexibility * Swiss technical choices will influence global democratic digital identity for decades * **Critical Decision Point**: SD-JWT's architectural limitations conflict with Swiss 20-year infrastructure requirements --- ### 2) Build a 20-Year Architecture _Architectures of Resilience_ * **Resilience-first design** — function offline, like physical cards - Network failures, emergencies, conflicts cannot disable Swiss identity - Maintains Swiss tradition of preparedness and independence - *Technical options:* vc-barcodes or animated QRs (QR-UR) for resilient offline verification * **Technical preparedness**: Prepare for changing to quantum-safe infrastructure now Note: To be truly resilient, Swiss e-ID needs to be able to function offline like physical cards. Network failures, emergencies, and conflicts CANNOT disable Swiss identity. For instance, in California you can swiftly obtain a paper QR-code credential in case of wild-fires. Switzerland should be able to do this for avalanches and other disasters. This maintains the Swiss tradition of preparedness and INDEPENDENCE. Make choices NOW based on Swiss resilience values and long-term sustainability, NOT short-term convenience. ---- ### ANNOTATION: Swiss Resilience Infrastructure Models (1/3) **International Context:** * **Alpine data centers**: Swiss providers embed infrastructure deep in solid rock for physical protection * **Geographic redundancy**: Swiss cloud systems maintain copies in both Zurich and Geneva (100km+ separation) * **Telecommunications resilience**: Dual fiber paths and automatic failover systems across Switzerland **Problems/Issues:** * Digital identity systems typically have single points of failure * Network dependencies make government services vulnerable during emergencies * Most identity systems cannot function without internet connectivity * Physical verification often unavailable when digital infrastructure fails ---- ### ANNOTATION: Emergency Resilience Requirements (2/3) **Implications:** * Swiss preparedness traditions require digital systems to match physical resilience standards * Emergency situations expose critical infrastructure vulnerabilities * Citizens lose access to essential services during network disruptions * Network failures, emergencies, conflicts cannot disable Swiss identity **Swiss Preparedness Heritage:** * **Physical resilience tradition**: 7,200 emergency sirens, universal bomb shelters, wired mountain defenses * **Historical emergency examples**: Japan 2011 tsunami (digital systems failed, physical ID cards enabled evacuation), Puerto Rico 2017 hurricane (power out for months), Texas 2021 winter storm (digital infrastructure disabled) ---- ### ANNOTATION: Offline Independence Implementation (3/3) **Swiss Application:** * **Technical implementation requirements**: Physical verification must work when digital infrastructure fails * **Emergency preparedness integration**: Digital identity systems must function during natural disasters * **Emergency ID models**: California's Instant Identity Card for wildfire victims - enables immediate access to services when documents destroyed * **Swiss Emergency models**: Identity verification needed after earthquake, flood, landslide, without network connectivity * **Offline-first architecture**: QR codes and cryptographic signatures working without network connectivity * **Swiss preparedness culture**: "Trust but verify" includes verifying systems work when infrastructure fails --- ### 2) Build a 20-Year Architecture _Swiss Pathway to Greater Autonomy_ * **Today**: Government digital identity with democratic safeguards * **Future**: Start researching alternative models where citizen-control is more appropriate: - LESS (legally enabled self-sovereign) Identity - State-endorsed but citizen-controlled systems (Utah model) * **Swiss advantage**: Democratic foundation enables smooth transition Note: With Swiss e-ID today, you are designing government digital identity with democratic safeguards. In the future, you need to research alternative models that support more citizen control. (pause) For instance, consider models like LESS Identity (Legally enabled self-sovereign identity) or Utah's state-endorsed identity system. Switzerland's unique advantage is that its democratic institutions provide UNIQUE pathways to evolve toward greater citizen autonomy over time. IF you plan for it. ---- ### ANNOTATION: Government-to-Citizen Identity Evolution Models (1/2) **International Context:** * **Utah model**: State-endorsed but citizen-controlled digital identity systems * **Estonia lessons**: Government e-ID success but limited citizen control over long-term evolution * **LESS Identity research**: Legally Enabled Self-Sovereign Identity as bridge between government and citizen control **Problems/Issues:** * Government-issued digital identity can become government-controlled digital identity * Citizens have limited input on long-term digital identity system evolution * Technical choices made for government convenience may conflict with citizen autonomy ---- ### ANNOTATION: Government-to-Citizen Identity Evolution Models (2/2) **Implications:** * Democratic institutions need pathways to evolve toward greater citizen control * Switzerland's federal structure enables gradual autonomy increases * Technical architecture today determines citizen empowerment possibilities for decades **Swiss Application:** * **Swiss democratic foundation**: Federal system with cantonal experimentation enables smooth transitions * **Phase 1**: Government digital identity with strong democratic safeguards (current e-ID implementation) * **Phase 2**: Research LESS Identity models with state endorsement but citizen control * **Phase 3**: Evaluate full citizen-controlled systems based on democratic feedback and technical maturity * **Swiss advantage**: Democratic institutions can manage identity evolution better than authoritarian or purely market-driven systems --- ## Three Layers of Swiss Digital Sovereignty **The next three anchors address different sovereignty vectors:** * **3) Maintain Platform Independence**: - TECHNICAL sovereignty (platform infrastructure control) * **4) Require Duties for Non-Governmental Parties**: - COMMERCIAL sovereignty (private sector constraints) * **5) Implement Institutional Safeguards**: - INSTITUTIONAL sovereignty (democratic checks and enforcement) All are about Swiss digital sovereignty but from different angles of control. Note: My next three anchors address DIFFERENT sovereignty vectors. * Platform Independence for TECHNICAL sovereignty. * Private Sector Duties for COMMERCIAL sovereignty. AND * Institutional Safeguards for DEMOCRATIC sovereignty. Each addresses a different way Swiss digital sovereignty could become UNDERMINED. --- ## 3) Maintain Platform Independence _The Technical Sovereignty Anchor_ **Problem Statement:** * Dependence on Apple/Google OS app stores * Government wallets risk becoming surveillance tools * Platform vendors become unelected gatekeepers of identity **Swiss Reality:** Platforms profit from lock-in, not user autonomy Note: Thus our third anchor is platform independece. Your use of smart-phone app technology creates a dependence on Apple and Google app stores. This makes these platform vendors UNELECTED GATEKEEPERS for identity. On those platforms, government wallets risk becoming surveillance tools. Remember, platforms profit from LOCK-IN, not from citizen autonomy. --- ### 3) Maintain Platform Independence _The Surveillance Risk_ * **Imagine:** - Someone gets a ping when your hotel room door opens - An accusation of spam disables your Google account, and thus your phone - A plagform locks you into their other proprietary services - OR, you lose access to these services when you change platforms **If platforms can arbitrarily cut off access,<br/>they control Swiss digital sovereignty!** **This must be a line in the sand!** **Swiss Principle:** Make digital occupation costly and temporary, like the Réduit strategy Note: So Imagine: * Someone gets a ping when your hotel room door opens. OR * A spam accusation disables your phone. OR * You lose credentials and services when you try to change platforms. (pause) Because if platforms can arbitrarily cut off access, they CONTROL Swiss digital sovereignty. THIS MUST BE A LINE IN THE SAND! We need a Réduit strategy – we must make digital occupation COSTLY and TEMPORARY. ---- ### ANNOTATION: Digital Wallet Implementation Risks and Swiss Advantages (1/2) **International Context:** * **EU Digital Identity Wallet**: Privacy advocates warn of "farming citizen data" by governments and corporations * **Japan My Number Card**: 80% of citizens distrust government's ability to protect digital ID information * **Singapore/Nigeria**: Elderly populations locked out of services due to biometric system failures **Problems/Issues:** * Digital wallet implementations can create unintended surveillance capabilities * Platform telemetry combines with government data to enable comprehensive citizen tracking * "Feature creep" - systems expand beyond original purpose without citizen consent * Cross-border data sharing agreements can expose citizens to foreign surveillance ---- ### ANNOTATION: Digital Wallet Implementation Risks and Swiss Advantages (2/2) **Implications:** * Digital identity architectures require careful design to prevent misuse * Even well-intentioned systems can be repurposed by future administrations * Switzerland's international reputation creates responsibility for democratic digital identity models **Swiss Application:** * Swiss democratic institutions provide stronger safeguards than most countries can offer * Comprehensive oversight design can make Swiss e-ID a positive template for other democracies * Swiss federal structure and transparency traditions enable citizen-protective architecture * Democratic oversight mechanisms can evolve with technology to maintain protection over decades --- ### 3) Maintain Platform Independence _Technical Actions_ * **Prohibit platform telemetry** during identity transactions - and not just in the e-ID stack! * **Mandate dignified alternative app distribution** - beyond Apple/Google stores - accessible to all citizens buying phones retail in Switzerland * **Require platform accountability** — demand transparency reports on denials of service, timely fixes for critical bugs, etc. - *Enforcement mechanism: See Anchor 5, Government Enforcement Capabilities* Note: At minimum we should: * Prohibit any platform telemetry during identity transactions. But we also need to: * Mandate dignified alternative app distribution beyond Apple and Google; * AND; Require platform ACCOUNTABILITY with transparency reports. But these technical solutions alone AREN'T ENOUGH ... ---- ### ANNOTATION: Platform Alternative Implementation Models (1/2) **International Context:** * **Japan's App Store Law**: Forces Apple/Google to allow third-party app stores and payment systems * **EU Digital Markets Act**: Requires "gatekeeper" platforms to allow alternative distribution methods * **F-Droid Model**: Open-source app distribution used by privacy-focused European governments **Problems/Issues:** * Platform gatekeeping prevents government control over critical identity infrastructure * Native app dependencies create single points of failure for national services * Platform updates can break government functionality without warning or consent ---- ### ANNOTATION: Platform Alternative Implementation Models (2/2) **Implications:** * Swiss digital sovereignty requires technical independence from foreign platforms * Citizens need guaranteed access regardless of corporate platform decisions **Swiss Application:** * **Heterogeneous architecture**: Multiple independent access methods prevent single points of failure * **Direct APK distribution**: Government-controlled app distribution bypassing platform stores * **Progressive Web Apps**: Browser-based access as one option among many * **Offline QR codes**: Identity verification works without internet or platform services * **Multiple verification paths**: Citizens can choose from several independent methods --- ### 3) Maintain Platform Independence _Governance Actions_ * **Acknowledge surveillance risks** beyond the e-ID stack * **Mandate Swiss jurisdiction** — independent oversight with enforcement power **Swiss Reality:** This requires contractual obligations, not just technical solutions. Note: We also need to acknowledge that there are surveillance risks BEYOND just the e-ID stack. You Need to Mandate Swiss jurisdiction with independent oversight and ENFORCEMENT POWER. To fix this requires contractual obligations, NOT just technical solutions. ---- ### ANNOTATION: Swiss Jurisdiction Enforcement Models (1/2) **International Context:** * **UK Competition Authority**: Forcing platform openness through market power investigations * **EU GDPR**: Extraterritorial jurisdiction compelling foreign company compliance * **China Cybersecurity Law**: National data sovereignty requirements overriding platform terms **Problems/Issues:** * Platform terms of service currently override Swiss law in practice * No direct government leverage over platform operational decisions affecting citizens * Swiss courts cannot enforce decisions against foreign platform companies ---- ### ANNOTATION: Swiss Jurisdiction Enforcement Models (2/2) **Implications:** * Platform control over identity infrastructure undermines democratic sovereignty * Citizens have no legal recourse when platforms restrict government service access **Swiss Application:** * **Government procurement power**: Require Swiss jurisdiction compliance for public contracts * **Market access requirements**: Platform services must accept Swiss legal authority * **Financial penalties**: Sanctions must be sufficient to change corporate behavior (not token fines) * **Service guarantee bonds**: Platforms post collateral ensuring continued service availability --- ## 4) Require Duties for Non-Governmental Parties _The Commercial Sovereignty Anchor_ **Problem Statement:** * Private sector will likely dominate e-ID usage * High risk of profiling and surveillance by businesses * Existing data protection law advises data minimization, however… - FADP enforcement fragmented across cantonal prosecutors, lacks consolidated oversight - Business surveillance models adapt faster than enforcement can respond - Even EU with stronger penalties sees continued massive violations **Swiss Reality:** The bigger risk isn't government surveillance — it's commercial profiling Note: Our fourth anchor is duties for others who leverage the Swiss e-ID. The Private sector is going DOMINATE Swiss e-ID usage. Hotels, employers, landlords are going to use this DAILY. Today's data protection enforcement is fragmented across cantonal prosecutors, each with LIMITED penalties. The bigger risk today isn't government surveillance - it's COMMERCIAL PROFILING. ---- ### ANNOTATION: Swiss FADP vs EU GDPR Enforcement Reality (1/2) **Swiss FADP Enforcement Gaps:** * No direct fining power for Federal Data Protection Commissioner (FDPIC) * Enforcement scattered across 26 cantonal prosecutors * Maximum fines CHF 250,000 vs GDPR's 4% global revenue * FDPIC can only "file grievances" and "participate as private plaintiff" **EU GDPR Despite Strong Penalties:** * €5.88 billion in cumulative fines by 2025 * Meta alone fined €1.2 billion in January 2025 * Yet surveillance capitalism business models persist and adapt * Some member states create "regulatory safe zones" ---- ### ANNOTATION: Swiss FADP vs EU GDPR Enforcement Reality (2/2) **Business Intelligence Reality:** * Hotels, employers, landlords will use e-ID daily for verification * Without clear rules, becomes profiling and tracking goldmine * Current retention laws actually conflict with privacy goals * "Verify and forget" requires legal reform, not just technical solutions **Private Sector Economic Coercion Patterns:** * Airlines charging "paper ticket fees" for non-digital transactions * Banks requiring smartphone apps for basic services access * Apartment rentals demanding "digital verification only" creating housing discrimination * E-ID verification becoming defacto requirement for employment, services, housing --- ### 4) Require Duties for Non-Governmental Parties _Core Principles_ Private sector dominates usage, but no obligations for privacy protection **Your technology choices become theirs — but with different incentives** Required Duties: * **Purpose limitation** — strict limits to stated business needs * **Verify and forget** — businesses should not store e-ID data - Requires legal reform - current liability and retention laws conflict with privacy * **Unlinkable** — no silent pings, no tracking across services Note: Remember, YOUR government technology choices will become THEIRs, but they have DIFFERENT INCENTIVES. Thus you need to carefully create purpose limitation for specific business needs. You need to require VERIFY AND FORGET capabilities and unlinkable transactions with NO SILENT TRACKING. This also means legal reform. Your current liability and retention laws CONFLICT with these privacy goals. ---- ### ANNOTATION: Technical Implementation of "Verify and Forget" (1/2) **International Context:** * **Zero-Knowledge Proofs**: Google's open-source ZKP for EU age verification without revealing birthdates * **Differential Privacy**: US Census Bureau injects noise to protect individuals while releasing statistics * **Privacy-Preserving Credentials**: Systems enable age verification without disclosing unnecessary personal data **Problems/Issues:** * Most business verification systems store complete credential data permanently * "Verify and forget" lacks standardized technical implementation models * Current Swiss retention laws conflict with privacy minimization goals * Businesses have economic incentives to retain data for profiling ---- ### ANNOTATION: Technical Implementation of "Verify and Forget" (2/2) **Implications:** * Without technical enforcement, "verify and forget" becomes voluntary compliance theater * Swiss e-ID could become business intelligence goldmine without architectural protection * Legal requirements need technical implementation standards to be enforceable **Swiss Application:** * **Cryptographic verification**: Use ZKP-based age/identity verification without data storage * **Automatic deletion protocols**: Technical enforcement of immediate deletion after verification * **Audit-friendly architecture**: Verification events logged without retaining personal data * **Legal reform requirement**: Update Swiss retention laws to support "verify and forget" mandates --- ### 4) Require Duties for Non-Governmental Parties _Private Sector Accountability_ * **Temporary storage only** — default to immediate deletion * **Best practices defined** — clear guidance, lose trusted status if caught profiling * **Public transparency** — audit and publish violations **Reality:** Business adoption will be rapid — rules must be ready before widespread use. Note: We also need: * Requirements for temporary storage ONLY, with immediate deletion by default. We need * Clear best practices on profiling, with LOSS of trusted status for violations. * AND; We need Public transparency with published audit results. Because business adoption will be RAPID and rules must be ready BEFORE widespread use. ---- ### ANNOTATION: International Business Accountability Models (1/2) **International Context:** * **Singapore Singpass**: 97% citizen adoption, 1,700+ private sector services with government oversight * **UK Digital Identity Framework**: 34% of firms international, strict accountability standards * **GDPR enforcement**: €5.88 billion in fines, but Meta still paid €1.2 billion and continued surveillance practices **Problems/Issues:** * Private sector digital identity integration lacks standardized accountability frameworks * Current enforcement models reactive (post-violation) rather than preventive * Businesses prioritize convenience over privacy when government doesn't mandate standards * Audit and transparency systems often lack real-time oversight ---- ### ANNOTATION: International Business Accountability Models (2/2) **Implications:** * Swiss e-ID private sector adoption will be rapid but accountability frameworks lag behind * Without proactive accountability, businesses will optimize for data collection * International experience shows fines alone insufficient to change behavior **Swiss Application:** * **Preventive accountability**: Regular audits and published violation reports before problems escalate * **Trusted status system**: Clear guidance with loss of trusted verifier status for profiling violations * **Real-time monitoring**: Automated compliance monitoring rather than reactive investigation * **Swiss procurement leverage**: Government contract requirements for private sector accountability standards * **International cooperation**: Learn from Singapore's oversight model while maintaining Swiss privacy standards --- ## 5) Implement Institutional Safeguards _The Democratic Sovereignty Anchor_ **Problem Statement:** * **Revocation power concentrated** — Office of Police can disable citizen's digital access * **Administrative separation only** — appeals handled by different office, but same Federal Councilor (Beat Jans) * **No guaranteed human review timeframes** — citizens may be locked out indefinitely * **What happens when political winds change?** — both offices under same political leadership **Swiss Principle:** Sovereignty resides in the people **The Balance:** Swiss democracy requires both empowering government to protect citizens from private sector abuse AND constraining government overreach. Note: Our fifth anchor is about Institutional Safeguards. One issue is that revocation power is planned to be CONCENTRATED in the Office of Police. Appeals may be handled by a different office, but BOTH of them report to same Federal Councilor, Beat Jans. There also are no guaranteed human review timeframes. Switzerland is trustworthy TODAY, but as I have learned as an US citizen, democratic institutions must be able to survive POLITICAL TRANSITIONS. ---- ### ANNOTATION: Swiss Federal Authority Structure & International Safeguards (1/2) **Current Swiss Structure (per Rolf Rauschenbach):** * Federal Office of Police: e-ID issuance and revocation * Federal Office of Justice: appeals for overidentification, impersonation, illegitimate use * Both offices under Federal Department of Justice and Police (FDJP) * Both report to same Federal Councilor: Beat Jans * Third office (FOITT) runs infrastructure but limited authority over policy **Revocation Risks:** * Immediate loss of access to e-ID dependent services * Could affect housing, employment, banking if private sector adopts widely * Appeals process may be too slow for time-sensitive needs * Political pressure could influence both issuance and appeals ---- ### ANNOTATION: Swiss Federal Authority Structure & International Safeguards (2/2) **International Separation Models:** * UK: Independent Information Commissioner separate from government departments * Germany: Federal Commissioner for Data Protection reports directly to Parliament * Canada: Privacy Commissioner independent from executive branch * Estonia: e-Residency appeals handled by courts, not administrative offices **Revocation Safeguards (Other Countries):** * Two-party authorization required for revocation * Mandatory court review within 48 hours * Automatic temporary restoration pending appeal * Public transparency reports on revocation statistics and reasons --- ### 5) Implement Institutional Safeguards _Revocation Safeguards_ * **Two-party authorization required** — no single office can revoke e-ID credentials * **Mandatory court review within 48 hours** — judicial oversight of revocation decisions * **Automatic temporary restoration pending appeal** — citizens not locked out during review * **Public transparency reports** — revocation statistics, reasons, and appeal outcomes published quarterly Note: More specifically, I suggest you need safeguards when e-ID credentials are revoked. I recommend that * Two-party authorization must be required: NO SINGLE OFFICE can revoke credentials. And if there is a complication: * Court review must be mandatory within 48 hours. AND * Temporary restoration must be automatic pending appeal. Because revocation is the NUCLEAR OPTION - it can instantly cut off digital access and human rights. It is just too easily abused. --- ### 5) Institutional Safeguards _Political Independence_ * **Independent oversight authority** — reports to Parliament, not Federal Councilor * **Cross-party appointment process** — prevents single-party control of digital rights * **Fixed terms with cause-only removal** — insulates from political pressure * **Separate data governance** — government departments cannot share e-ID transaction data Note: Your political independence must also be instituted. You need * An independent oversight authority that reports to Parliament, NOT the Federal Councilor. And You need * A cross-party appointment process that prevents single-party control with fixed terms and cause-only removal. * Even Beat Jans won't be Federal Councilor FOREVER. --- ### 5) Implement Institutional Safeguards _Institutional Enforcement Capacity_ * **Guaranteed human review across all sectors** — no automated denials of core rights by government or private entities * **Clear explanations required** — citizens deserve to know why decisions were made * **Service level commitments** — response times guaranteed by law * **Sustained enforcement budget** — 20-year capacity to investigate and remedy violations * **Cross-agency coordination** — institutional framework to enforce all five anchors Note: Finally, we need transparency and accountability. This includes: * guaranteed human review across ALL SECTORS. * clear explanations required for all decisions. * and service level commitments with response times GUARANTEED by law. Because without institutional capacity to enforce the other anchors, they all become EMPTY PROMISES. ---- ### ANNOTATION: International Enforcement Models (1/3) **International Service Protection Models:** * **Germany**: Onlineausweis-Gesetz requires government services maintain offline alternatives * **Canada**: Digital Charter ensures "right to disconnect" from digital services * **EU Accessibility Directive**: Physical access required alongside digital services **Cross-Sector Enforcement Authority:** * **EU GDPR**: €5.88 billion in fines across government and private violations * **UK ICO**: Authority over both public and private sector data processing * **Australian Privacy Commissioner**: Oversight of government agencies and businesses ---- ### ANNOTATION: Enforcement Reality Requirements (2/3) **Enforcement Effectiveness Standards:** * **Real penalties**: Without substantial sanctions, voluntary compliance becomes theater * **Legal binding standards**: Need-to-Know schedules must be legally enforceable, not suggestions * **Systematic auditing**: Dark pattern detection requires dedicated resources and public transparency * **Cross-sector accountability**: Government and private sectors held to equivalent standards ---- ### ANNOTATION: Swiss Institutional Capacity Framework (3/3) **Swiss Institutional Capacity Requirements:** * **Human Review Guarantees**: No automated denials of core rights by any sector * **Service Level Commitments**: GDPR-style "without undue delay" response requirements with specific timeframes * **20-Year Sustainability**: Independent budget allocation prevents political defunding * **Professional Standards**: Career protection for oversight personnel ensures institutional memory * **Democratic Accountability**: Treaty-level commitments ensure sustained enforcement capacity ---- ### ANNOTATION: International Revocation Safeguards Examples (1/2) **Two-Party Authorization Models:** * US Data Protection Review Court: Two-level redress mechanism with independent review * EU GDPR: Supervisory authorities require transparent procedures for appointment/dismissal * Australia: Draft legislation prevents law enforcement access without warrant **Court Oversight Examples:** * Sri Lanka: District-level Registration of Persons Tribunals for ID card appeals * US DPRC: Independent court reviews intelligence agency determinations * EU: Court of Justice emphasizes independent authority control as "essential component" ---- ### ANNOTATION: International Revocation Safeguards Examples (2/2) **Automatic Restoration Practices:** * EU institutions: DPOs cannot be dismissed without EDPS consent * GDPR: Dismissal only for "serious misconduct" or failing to meet qualifications * Fixed terms (3-5 years) with limited removal grounds **Transparency Requirements:** * GDPR requires transparent appointment procedures to minimize political influence * Philippines: Legislation prevents sharing personal information with third parties * Brazil: Digital ID adopted through legislative reform, not executive action ---- ### ANNOTATION: Independent Oversight: International Models (1/2) **Appointment Process Best Practices:** * EU: Transparent procedures, professional qualifications, experience requirements * Cross-party involvement prevents single-party control * Independent from "any direct or indirect external influence" (GDPR standard) **Fixed Term Protections:** * EU institutions: 3-5 year terms, reappointment possible * Dismissal only with consent of independent authority (EDPS model) * "Complete independence" with decision-making power free from external influence ---- ### ANNOTATION: Independent Oversight: International Models (2/2) **Structural Independence Examples:** * EU Data Protection Authorities: Independent from three branches of government * UK Information Commissioner: Reports to Parliament, not executive * German Federal Commissioner: Direct parliamentary reporting relationship **Resource Protection:** * GDPR requires "sufficient resources" allocation * Independent budget authority prevents political pressure through funding * "Meaningful decisions without external interference" standard --- ## The Vision: Swiss Digital Autonomy **Success Looks Like:** * **Choice preserved:** Digital and physical options remain equivalent * **Architecture sustainable:** 20-year thinking, not 2-year shipping * **Technical sovereignty maintained:** Platform independence with democratic oversight * **Commercial sovereignty secured:** Businesses verify and forget, not profile and hoard * **Institutional sovereignty protected:** Appeals, explanations, and human review guaranteed **This reflects one fundamental principle...** Note: So what does e-ID success ultimately mean? It means that: * Choice is preserved through equivalent digital and physical options. * That your Architecture is sustainable with 20-year thinking. * That Technical, commercial, and institutional sovereignty are MAINTAINED. These five anchors work together to preserve Swiss values in digital systems. (pause) All of this reflects one fundamental principle... --- ## The Right to Refuse **The Foundation:** > "If a system cannot hear you say no, it was never built for **us**. It was built for **them**." **The Swiss e-ID must preserve the right to refuse — that's what makes it Swiss** **Because in Switzerland, sovereignty resides in the people.** Your digital identity must reflect this constitutional principle: you delegate authority to systems, but you never surrender it. Note: The right to refuse. (long pause) And I quote: "If a system cannot hear you say NO, it was never built for US. It was built for THEM." (pause) The Swiss e-ID system must preserve this right to refuse - THAT'S what makes it Swiss. Because in Switzerland, SOVEREIGNTY RESIDES IN THE PEOPLE. --- ## Thank You! <img src="https://avatars.githubusercontent.com/ChristopherA?s=150"> **Christopher Allen** _\<ChristopherA@LifeWithAlacrity.com>_ <small> _**Available for policy review, technical consultation, and trust architecture**_ - _**Schedule with me**_: - Technical deep-dive on complexities of minimal and selective disclosure - Moving toward alternative models: - LESS (legally enabled self-sovereign) Identity - State Endorsed Identity (Utah is exemplar) - UX issues and Progressive Trust prototypes - Threat-model wallet designs for Swiss democratic values </small> Note: I'm here as a PARTNER to help the Swiss e-ID team succeed while preserving your democratic values. I'm available for technical consultation on minimal disclosure, alternative models, and threat-model wallet designs. (pause) THE MOMENT IS NOW. Your choices today will influence the world for the next 20 years. The world is WATCHING. Let's schedule some follow-up discussions.