“We are relieved that the e-ID Act was rejected”
Interview // Police Measures Act, e-ID Act, e-voting: The Chaos Computer Club has repeatedly weighed into important political debates when it considers the right to privacy and freedom of information to be under threat. We spoke to Board Member Hernâni Marques about the political situation and the status of cyber security in Switzerland.
Mr. Marques, over the past 40 years the Chaos Computer Club in Germany has emerged as an important voice in society in the fight against cybercrime, as well as for data security and online civil liberties. How is the organization positioned in Switzerland currently? What are its objectives?
The objectives of the Swiss CCC are similar to those of the German CCC. We call for action to ensure future-proof digitalization where it makes sense to do so. Our members generally work on their own projects and get together at public meetings to discuss computer technology. We exchange experiences and debate the societal impacts of computerization, which has now come to affect society as a whole. This has frequently resulted in gross violations of our right to privacy – which is laid down in Art.
13 of the Swiss Federal Constitution. When this happens, we fight back with public interventions and campaign for a change of course in terms of policy. We take part in events, such as panel discussions, join calls for referendums, help to launch popular initiatives, and call attention to risks by demonstrating attacks. In short: Whenever the State or corporations restrict citizens’ right to privacy or freedom of information, we act. Increasingly we are now invited by political institutions to take part in consultation procedures, which we usually do in order to highlight weaknesses in legislation. What is important for all CCC(-CH) work is that our facts are correct with regard to technical issues, even if our statements and interventions are not always dispassionate. That is because we passionately defend our principles, as set out in our Hacker Ethic. (For the Hacker Ethic, see the link at the end of the interview.)
Which political initiatives and societal developments are you currently monitoring? What do you find concerning? What do you find perhaps even encouraging?
The thing that concerns us most is the constant expansion of the surveillance state, as we recently saw with the Police Measures Act, the purpose of which is supposedly to combat terrorism. In reality, the law threatens to put large swathes of the politically active population on file. After the “secret files scandal”, which sent shock waves through Switzerland at the end of the 1980s, we really should know that that’s a bad idea. Almost one million people were classed as a potential threat to Switzerland.
What are the main focuses of your work currently? Have specific initiatives been planned?
We will certainly be taking part in the consultation procedure on the resumption of electronic voting, or “e-voting” as it is known. We want to prevent e-voting from being implemented in Switzerland again. Here, the risks of digitalization far outweigh the benefits in the foreseeable future, because it strikes at the very heart of direct democracy.
In the magazine “megafon”, among others, you spoke out forcefully against the “Federal Act on Electronic Identification Services (e-ID Act)” back in December 2019. You must be delighted with the referendum result; what is the outlook now with regard to a digital identity for Swiss citizens?
It is good that voters rejected the Act. It would have given private third parties too many opportunities to commit identity theft in a centralized manner. If a new e-ID is implemented, it has to be structured in as decentralized a manner as possible and give users the opportunity to decide for them-selves what data is shared. It would also make sense to limit the field to e-government.
How do you assess the online security situation of Swiss companies in general?
Mass digitalization has made virtually every company vulnerable: It is less a question of whether a cyber-attack is possible than of the time and effort people are prepared to invest in carrying out an attack. The probability of an attack is very high in certain sectors, as the attack on RUAG once again demonstrated.
How do you assess the increasing trend towards cloud technologies? Does this give companies greater security with professionally managed data centers, or does the risk of outsourcing important data outweigh the benefits?
Where possible, people should manage their private and business-related data on platforms that they themselves control. However, these should be professionally administered in order to minimize points of attack. Only in cases where data is intended for the public does it make sense from a privacy and security perspective to hand it over to third parties. So much of our day-to-day life is now conducted online.
What is your personal view of Facebook, Twitter or WhatsApp? How should we deal with these services as a society?
When you use social media platforms, it is important to be aware that all of the content you post will be stored forever. You should therefore think very carefully about what you do and don’t share. For security and privacy reasons, I would advise against sharing details of your personal life on these platforms, as these could be pieced together to carry out successful attacks, including identity theft. In the case of WhatsApp, people should at the very least be aware that their entire contacts list as well as specific networks of interactions are known to Facebook. As for message encryption, there is a lack of transparency: It is not entirely clear whether third parties can still obtain access to messages for specific purposes under the “USA PATRIOT Act”. Blind faith would therefore be misguided.