How should the Swiss Confederation safeguard its values, interests, and you, its residents, in a digital space that is increasingly turning into an economic and geopolitical battleground? This blog post argues that the answer to this question should not be left solely to elected politicians or public officials but rather be the result of an inclusive societal dialogue surrounding the sovereignty of Switzerland in the digital age. To do so, the blog post examines the Swiss Federal Council’s decision to store the federal administration's data on foreign tech companies’ servers, highlights its national security and privacy implications, and draws parallels with the national debate on railroad nationalization in the 19th century.
In June 2022, the Edgelands Institute published a diagnostic report summarizing our research findings on the various ways the digital transformation is impacting Geneva’s security and surveillance landscape. To complement this report, we will publish a series of blog posts expanding on some of our key insights regarding the digitalization of security and adding further detail to the emerging trends we identified. This blog post is part of this series.
How should the Swiss Confederation safeguard its values, interests, and you, its residents, in a digital space that is increasingly turning into an economic and geopolitical battleground? As the Covid-19 pandemic and the cyber war in Ukraine have shown, digital infrastructures, such as digital public health databases, online education tools, and cyber defenses for military servers, are paramount for countries' national security and public prosperity in today's age. Only if states have sufficient autonomy and control over these infrastructures can they independently reap the economic benefits that flow from these emerging technologies and credibly uphold your privacy and protect the data collected from you. This degree of oversight, control, and independence from other countries, as well as international corporations, is commonly referred to as "digital sovereignty."
However, in an economically globalized world with interconnected value chains and digital infrastructures, digital sovereignty can never be achieved in the absolute sense, i.e., digital technologies cannot be developed entirely without external input, but rather sovereignty remains a relative concept. Thus, in today's digital age, sovereignty should not be equated with a lack of integration or protectionism but rather be understood to signify states' ability to autonomously manage technological interdependence in line with their values regarding privacy and data protection standards.
In the case of Switzerland, the decision to award the public tender worth more than 100 million Swiss francs for a cloud solution capable of storing the federal administration's data to big foreign tech companies, namely Alibaba, Amazon, IBM, Microsoft, and Oracle, refueled the debate surrounding the country's digital sovereignty. Currently, the stated aim is to mainly store non-privacy-sensitive data on these foreign servers, such as swisstopo maps or meteorological models from MeteoSuisse. But ultimately, which data will be uploaded to the cloud is left to the discretion of the individual federal departments, a fact that caused widespread worry among privacy experts, Swiss-based technology companies, and politicians. Crucially, it led them to question whether this decision reflected Swiss values and interests and, most importantly, whether it compromised your privacy and data security due to a lack of federal oversight and control.
This blog post aims to put these questions surrounding Swiss sovereignty into a broader historical context and argues that the broad-based societal dialogue that preceded the 19th-century nationalization of the Swiss railway by the federal government provides essential lessons for the current project of a Swiss cloud. Most importantly, the historical case of the Swiss railroad nationalization highlights the significance of democratic consultation before critical infrastructural decisions, which directly impact Swiss residents and have far-reaching consequences for national interests and values.
Open and inclusive democratic participation is essential for the legitimacy of Switzerland's semi-direct democratic system because political control ultimately rests with the voter, who can intervene at various points in the legislation process, for instance, through popular initiatives or referendums. The second pillar of the Swiss political system is its federal structure, where the 26 cantons retain a high degree of policy-making autonomy, for example, in education, health, and policing. For this reason, the blog post also examines the room for maneuvering left to the canton and city of Geneva in finding its approach to sovereignty in the digital age and highlights how these initiatives could serve as a basis for discussions at the national level.
Conceptions of what states consider critical for their national sovereignty and security have changed over the centuries. Switzerland, for instance, long considered its railway system to be of paramount importance for its economic and social development, and the benefits derived therefrom continue to shape the country as we know it today. However, until the late 19th century, the Swiss railroad system had been run by several private providers under the sovereignty of the cantons and with the help of substantial foreign investment, most notably from neighboring France. Only after the Franco-German war (1870-1871) had highlighted the private railroad system's shortcomings and incoherencies stemming from a lack of centralized oversight and coordination did the nationalization of the railroads by the federal government become a political issue. By nationalizing the railroad system, the federal government hoped to be better prepared for future political shocks, increase its national economic supply, and reduce the dependency on massive foreign capital investment into Swiss infrastructure that rendered the country susceptible to foreign influence.
In 1898, in a historic political act, an overwhelming majority of Swiss citizens voted in favor of a federal law to nationalize the railroads and thus subject them to the control and oversight of the Swiss state. While the cost of nationalizing the railroad system led to accrued financial debts in the short term, the centralized coordination and oversight increased the railroad's effectiveness and security in the long run by reducing incoherences and implementing common standards. To Swiss residents today, who are proud of their Swiss Federal Railways SBB and its prestigious infrastructural projects, such as the Gotthard Base Tunnel, the thought that this used to be a private railroad system guided by foreign capital and interests seems unbelievable.
However, what seems unthinkable in the case of railroads today is happening with cloud storage infrastructure, namely that foreign technology giants are contracted to store the Swiss administration's data on their servers, without a broad public discussion on the project's serious national security and data privacy concerns. For instance, the public tendering procedure had already been geared towards these big, international technology companies, with requirements such as data centers having to be distributed over at least three continents, effectively deterring smaller, Swiss-based applicants. This decision caused a huge public outcry, especially after it became known that the relevant authorities ignored the federal data protection officer's recommendations to include privacy requirements in the public tender. Furthermore, according to an investigation from the Republik, the federal administration downplayed its limited oversight over the treatment of data stored outside Swiss jurisdiction in countries with laxer data protection standards and the potentially adverse effects of this on data security and privacy.
This apparent lack of digital sovereignty has important consequences on both the national and individual levels: On the national level, the decision to outsource the storage of the federal administration's data to American and Chinese tech companies heightens the risk of Swiss authorities' access being cut or security measures being compromised for economic or geopolitical reasons. As the recent Russian malware attacks directed against critical Ukrainian digital infrastructures and data centers have shown, uncompromised access to administrative data is a matter of national security because it is essential to coordinate political and military efforts. In the case of Switzerland, loss of access to the weather forecast and warnings of MeteoSuisse would have a detrimental impact on airspace security because airports such as Zurich and Geneva rely on these predictions to safely coordinate the air traffic in Switzerland.
While potentially detrimental to Switzerland's national security, the federal administration's cloud project could also hold significant consequences for your privacy and the security of your data should some public authorities in the future decide to store the data generated from resident-government interactions in the cloud. For instance, under the so-called CLOUD Act, Swiss residents' data stored on the servers of US-based tech companies such as Microsoft or Amazon could be accessed by federal law enforcement in the US via warrant or subpoena, even if these servers are located on foreign soil. In this case, Swiss lawmakers have limited oversight and control over the treatment of your data and lose part of their autonomy to manage their technological interdependence vis-à-vis big international tech companies. Therefore, Swiss authorities could not prevent foreign intelligence services from accessing data that the Swiss government has collected from you, with potentially detrimental consequences for your data privacy.
Taken together, the comparison between the development of the Swiss federal railroad system and the Confederation's cloud storage project reveals three significant parallels regarding their significance for Switzerland's economic prosperity and national security: The first economic parallel pertains to the fact that, like the construction of railroads in the 19th century, the development of cloud technologies today holds the promise of substantial economic benefits for the local IT sector and spurring technological innovation and development. A second parallel regards national security because, like the crucial importance of railroads for national economic supplies and military purposes, access to and protection of public authorities' data is paramount for Switzerland to effectively govern itself and safeguard its national security and public prosperity. A third parallel consists of the security benefits of a coherent and coordinated approach to large infrastructural projects, as evidenced by the increased effectiveness and robustness of the Swiss railroad system after nationalization.
Similar to the incoherent private railroad system that existed before the nationalization, Switzerland's cyber security and data protection are mainly in the hands of municipalities, without proper coordination with both the cantonal and federal levels. For instance, the social security and credit card information of the over 5000 inhabitants of the village of Rolle were made public on the Dark Net after the municipality's servers had been hacked last year and the information stored thereon had been leaked. As argued by some national parliamentarians, increased coordination and standardization of cyber security and data protection standards regarding vital digital infrastructures, such as cloud services, would significantly increase Switzerland's digital security.
While these economic and security parallels illustrate that the implications of the decision to contract foreign technology companies for the federal administration's cloud project are indeed comparable to those of the private railroad system before nationalization, the crucial difference lies in the fact that the decision to reclaim ownership of the Swiss railroad system was accompanied by a broad-based public discussion about the potential benefits and downsides of nationalization. Unfortunately, a comparable debate on the digital sovereignty implications of the current cloud infrastructure project is largely absent from current discussions, even though alternatives to outsourcing cloud services to big international tech companies exist. For instance, robust and reliable open-source cloud computing solutions, such as OpenStack, are used by CERN and NASA and could also be customized to meet the federal administration's data security and privacy standards. However, the Confederation's discourse on cloud infrastructure has so far disregarded such alternative options as technologically and financially unfeasible, even though the huge public outcry after the announcement points to the popularity of such options among Swiss-based technology companies and the broader public. Therefore, the next section will focus on trail-blazing cloud initiatives at the intercantonal and cantonal levels, which hold important lessons for the national debate surrounding Switzerland's digital sovereignty.
As opposed to the federal administration's cloud project, the City and Canton of Geneva are actively trying to reduce their dependency on foreign technology companies by supporting the project of a sovereign Swiss cloud spearheaded by the French-speaking cantons and setting up its sovereign cloud infrastructure to store the public administration's data. At the intercantonal level, the Conférence latine des directeurs du numérique (CLND) is actively pursuing the development of a sovereign, Swiss-based cloud for the French- and Italian-speaking cantons. In a Blick interview, the former president of the CLND, Nuria Gorrite, expressed her concern over the widespread romanticization of cloud services that make it seem "like the data just floats in the air," thereby obfuscating the continuing importance of sovereignty and territoriality in a digital age. According to Gorrite, the digitalization of public administrations justifies no change in the state's responsibilities, and she rhetorically asks whether one could imagine the analog archives of the Swiss federal administration to be outsourced to Beijing.
At the cantonal level, Geneva's Cantonal Office of Information Systems and Digitization (OCSIN) decided against using public cloud services run by tech companies such as Microsoft and Amazon and instead chose to develop its private cloud service. Andreas Felix, IT expert at OCSIN, explains that the cloud of Geneva's public administration will therefore be developed entirely in-house for data privacy reasons. This means that the data collected from resident-government interactions in Geneva are stored and processed on sovereign servers and can only be accessed by authorized personnel. Taken together, the sovereign cloud initiative of the Latin cantons in Switzerland, as well as the development of a private cloud by the public administration in Geneva, demonstrate the financial and technological feasibility of projects that lack the involvement of big tech companies. These initiatives could serve as the basis for a discussion surrounding Switzerland’s digital sovereignty at the national level, as they constitute alternative options that have been marginal to the national debate so far.
However, as our interviews with key public officials from the city and canton of Geneva revealed, sub-national units also struggle to autonomously manage their technological interdependence vis-à-vis international tech companies. As our analytic report has found, the public administration's room for maneuver regarding the choice of digital technologies and services is heavily restricted both by the monopoly of the big technology companies and their constant lobbying through formal and informal channels. For instance, due to the lack of efficient, compatible, and affordable alternatives, the canton of Geneva eventually procured Office 365, the Microsoft Suite, as the default program for all its collaborators. In addition to this inescapability of big technology companies' tools and services, companies such as Microsoft also have representatives on the executive boards of seemingly neutral, Swiss-based initiatives, such as Digital Switzerland and the Cyber Peace Institute. As we heard in one of our interviews, these organizations then "bombard" the public administration with offers to provide them with free digital services, through which Microsoft hopes to gain more legitimacy and credibility. This example highlights the difficulty cantonal administrations face in their quest to retain sovereignty in the digital age.
It follows from the above that despite big tech companies' market dominance and persistent lobbying attempts, public authorities in Geneva are trying to assert some degree of digital sovereignty regarding the storage and treatment of residents' data. However, many residents are unaware of the importance of a sovereign digital infrastructure and, conversely, do not worry about the data security and privacy risks involved with storing their data on foreign tech companies' servers. This blog has argued that, analogous to the 19th-century debate surrounding the nationalization of the private railway system by the federal government, the development of critical national digital infrastructure should be accompanied by a broad social dialogue on the national security and sovereignty issues associated with whether or not to outsource these services. Crucially, two such inclusive, stakeholder-led discussions are underway on the cantonal and the federal level.
On the level of the city of Geneva, Edgelands launched OPPi, a participatory survey on the digital transformation's impact on security and surveillance in the city. Residents were encouraged to fill out the survey to express their opinions on these topics and can see whether other people agree or disagree with them. Their answers to the questions about data security and digital sovereignty will allow Edgelands to identify the main cleavages regarding these issues, and this crowdsourced opinion map will then serve as a discussion basis for the political, academic, and other participatory discussions that Edgelands will host during the following months. Crucially, discussions around the potentially adverse consequences of public authorities' loss of digital sovereignty vis-à-vis international tech companies, such as laxer data protection standards and limited oversight, raise awareness around this issue and make Geneva's residents more attentive to digital insecurities.
On the federal level, Swiss entrepreneurs, associations, and researchers call for the creation of a sovereign "Swiss Cloud" in Swiss hands, contrary to the plans of the Federal Council. On the one hand, their popular initiative calls for attaining Swiss digital sovereignty by mobilizing Swiss cloud stakeholders, such as companies and universities, to conduct an open and comprehensive feasibility study on a "Swiss Sovereign Cloud." On the other hand, their initiative aims to let the Swiss residents have a say on Switzerland's sovereignty in a digital age and demands that the basic principles of digital sovereignty be included in the federal constitution.
In sum, both Edgelands' activities in Geneva, as well as the national popular initiative on digital sovereignty aim to involve the residents of Geneva and Switzerland in a public discussion on the extent and desirability of digital sovereignty, mirroring the debate on nationalizing the Swiss railroad system over 100 years ago. Decisions regarding your privacy and data safety should not be taken without your active involvement in the discussions surrounding Geneva's and Switzerland's digital sovereignty. Where these debates take us is up to you!