Risky use of the AHV number
In over 14,000 state databases, the AHV number (AHVN13) is currently used as an additional personal identifier. A report by ETH Zurich shows that the associated risks for the protection and security of citizen data are high.
Based on the ETH expert opinion, the cantonal data protection commissioners therefore demand that the cantonal governments refrain from further use of the AHV number as a universal personal identifier. Privatim, the Conference of Swiss Data Protection Commissioners, writes that it has long drawn attention to the fact that the extensive use of the AHV number in public administration databases endangers the fundamental rights of citizens. The report now presented by David Basin, professor of information security at ETH Zurich, makes clear the extent of the risks and shows that they will continue to increase with the ever wider use of the social security number.
Security measures for databases insufficient
First name, surname and date of birth are sufficient to uniquely identify 99.98% of the population. The fact that the AHV number is currently also used as a unique identifier in over 14,000 state databases increases the linkability of personal data and thus the risk of its misuse. In addition, the security measures in many of these databases are inadequate. They could therefore become an easy target for hacker attacks. Data that fell into the wrong hands could easily be linked to additional sensitive information about citizens, Privatim emphasizes in its press release.
Professor Basin's analysis shows that the introduction of the AHV number as a uniform personal identifier, which is being championed in the context of eGovernment initiatives, is irresponsible from the point of view of security and the protection of personal data.
Introduce sectoral personal identifiers
Privatim has already spoken out on various occasions in favor of using sectoral personal identifiers instead of the AHV number, as the law provides for the electronic patient file and the commercial register. The ETH report shows that this could limit the risk of misuse to one sector, but does not offer sufficient security. Privatim therefore agrees with Basin's conclusions: in the future, only sectoral personal identifiers should be introduced that are not directly linked to identifying personal data, but only allow a connection via specially secured processes. With this approach, the risks to privacy that already exist with the increasing use of the AHV number could be substantially reduced.
It is now up to the Federal Council to draw the necessary conclusions from this comprehensive risk analysis at the federal level, Privatim concludes.
The expert opinion by Prof. Dr. David Basin, ETH Zurich, was commissioned by the Federal Office of Justice (FOJ) and the Federal Data Protection and Information Commissioner (FDPIC) and is available on the websites of the FOJ and the FDPIC.