“Each year the OA-IA reviews a number of data processing operations or information systems.”
One of the key tasks of the Swiss intelligence services is to gather information regarding certain tasks prescribed by law and make it available as soon as possible to domestic and foreign security services and military and political decision makers in the form of intelligence reports. The purpose of this information gathering is to assess the prevailing threat situation so that appropriate preventive measures can be taken at national and international level.
Information that is no longer required by the intelligence services to fulfil their tasks and whose retention period has expired is passed on to the Swiss Federal Archives (SFA). If the SFA considers the information not worth archiving, it must be destroyed.
The intelligence services operate a network of information systems that process data, from its procurement to deletion. The applicable laws contain a number of regulations on data retention. As this area is important for the intelligence services, the OA-IA has defined two specific areas in its audit plan: data processing and archiving. Each year the OA-IA reviews a number of data processing operations or information systems. This year our report focuses on information systems.
Information systems audited by the OA-IA to date
To date, the OA-IA has audited the following FIS information systems:
[18-1] Overview of the FIS data landscape and content of the residual data memory
Purpose: Article 47 of the Federal Act on the Intelligence Service (Intelligence Service Act, IntelSA)1 lists the information systems operated by the FIS. The information systems are further regulated at the ordinance level.2 The OA-IA used this audit to obtain an overview of all the FIS’s information systems. The audit served as a basis for future audits. As the residual data memory can contain data that cannot be assigned to any other information system, the OA-IA inspected the system in order to determine what kind of data it contained.
Year / Source: 2018 (2018 Annual Report, page 13)
[19-15] Operation, content and use of the information systems GEVER FIS , BURAUT data storage, and SiLAN data storage (temporary evaluations)
Purpose: In 2012, the FIS introduced a business management system containing both administrative and intelligence data. All FIS staff have access to it. In view of the kind of data processed and the large number of authorised users, the OA-IA chose to perform an initial in-depth audit of a system.
Year / Source: 2019 (2019 Annual Report, page 23 ff.)
[20-16] Operation, content and use of the IASA information system6
Purpose: IASA comprises three key intelligence information systems and is the FIS’s main work instrument, which was the reason for the OA-IA audit.
Year / Source: 2020 (2020 Annual Report, page 23 ff.)
[21-17] Selected FIS information system (Quattro P)
Purpose: This information system stores and processes a large volume of data on the [travel] movements of foreign nationals. The OA-IA chose to audit Quattro P because it contains a large volume of personal data and because the system is used for the FIS’s facial recognition system.
Year / Source: 2021 (2021 Annual Report, page 21 ff.)
To date, the OA-IA has performed an audit of the following MIS information systems:
[20-17] MIS information system landscape
Purpose: The OA-IA used the audit results to gain an understanding of the information systems and to plan further audits.
Year / Source: 2020 (this topic was not dealt with specifically in the annual report, but a summary is available on the OA-IA website.)
[21-18] Data protection within the MIS
Purpose: The MIS processes personal data although this is not the main focus of its activities. The OA-IA therefore inspected the data protection aspects of its activities in certain information systems.
Year / Source: 2021 (2021 Annual Report, page 24 ff.)
To date, the OA-IA has audited the following EOC information systems:
[19-18] EOC information system landscape
Purpose: The purpose of this audit was to gain an overview of the EOC information systems landscape and to serve as a starting point for further audits. There is no specific legal base governing the EOC’s information systems; their operation is regulated in various acts and ordinances.
Year / Source: 2019 (2019 Annual Report, page 27)
Besides examining specific information systems, the OA-IA has also carried out audits in the area of data processing and archiving, amounting to ten additional audits since the beginning of its oversight activities. Thus, since taking up its duties, the OA-IA has carried out sixteen audits of the information systems of the intelligence services and of data processing in these systems. The findings of these audits are presented below.
“The relevant legal bases for operating the FIS’s information systems are more detailed and more transparent than the legal bases for operating the MIS and EOC systems.”
1 SR 121
2 Ordinance on the Federal Intelligence Service Information and Storage Systems (ISSO-FIS; SR 121.2)
3 Electronic records and process management system of the FIS
4 Data storage system of the FIS
5 Secure network of the FIS
6 Integral analysis system of the FIS
What challenges and opportunities does the OA-IA see in connection with the audited information systems?
Legal base of intelligence information systems
The information systems of the FIS, MIS and EOC do not have the same legal bases. The relevant legal bases for operating the FIS’s information systems are more detailed and more transparent than the legal bases for operating the MIS and EOC systems. These clear legal provisions make auditing the lawfulness of the FIS’s information systems easier. The OA-IA is therefore working to ensure clearer and more specific legal bases for the MIS and EOC information systems in the future.
Access by the OA-IA to intelligence information systems
During an audit, the OA-IA auditors have direct and time-limited access only to the information systems of the FIS. They also have permanent access to the FIS’s electronic records and process management system. This ready access facilitates auditing activities because the OA-IA can obtain the required documents independently. This is not the case at the MIS or the EOC, where the OA-IA auditors must be shown the systems or must organise on-site access, making the independent processing of random samples from these systems difficult.
Addressees of the recommendations and their implementation
The EOC and the MIS are relatively small organisational units within the Armed Forces and the scope for individual information systems tailored to their specific needs is therefore limited. This poses challenges for the OA-IA when formulating practicable recommendations, because the recommendations may only apply to the intelligence services and not to other sections of the Armed Forces. However, recommendations in this area nearly never only concern the MIS or the EOC, but often have intersections overlap to the whole Armed Forces.
Focus of the OA-IA’s information systems audits
Access management and deletion of data – the information systems of the FIS
Our audits of the FIS information systems focus particularly on compliance with data retention periods as well as lawful and expedient access management. The FIS has more than ten different retention periods for the data in its systems, ranging from 6 months to 45 years. Compliance with these periods is largely ensured by automatic deletion programs. The OA-IA carries out random checks in the systems to verify deletion.
Access management poses major challenges for the FIS. For information and data protection reasons, staff may only access the data they require for their work. After an internal job change, or on joining or leaving the FIS, authorisations must be updated promptly. The FIS has installed dedicated processes for this purpose, and the OA-IA conducts random checks in the information systems to verify authorisations. It can also request staff to demonstrate systems access at their workstation.
Time delay in processing information
It is important for the intelligence services that the information they gather or receive is entered into the appropriate systems as quickly as possible. For reasons of information security, procured data is sometimes first stored in specially protected temporary files. Only then is it transferred to the information systems to which staff have access for their analyses and for use in their reports. Moreover, information must sometimes be anonymised before being entered in a system. The OA-IA therefore pays close attention to examining these processes.
“Although new technologies can pose risks to our country’s security, they can also have a positive impact on the work of the intelligence services.”
The intelligence services must be in a position to anticipate societal and technological changes that negatively impact the security of Switzerland. Although new technologies can pose risks to our country’s security, they can also have a positive impact on the work of the intelligence services. The FIS’s cross-system search engine, for example, has greatly facilitated the work of its staff since its introduction six years ago.
All three services keep track of technological developments and make use of them in their intelligence activities. For example, a new facial recognition system allows the FIS to pull up an overview of facial images in its systems (see page 18 ff.). The MIS, for its part, is increasingly promoting satellite imagery analysis. And the EOC is addressing the question of how decreasing radio traffic – a result of the emergence of new communication technologies – can be monitored using other technical means.
New data management: Impact on the Intelligence Service Act
Legislation on data management generally uses the term ‘information system’. This is also the case in the Intelligence Service Act (IntelSA). Article 47 IntelSA lists the various FIS information systems. The dispatch to the IntelSA states that the FIS should file the information it collects or receives in a network of information systems according to topic, source or sensitivity.7
However, linking the term ‘information system’ to the intended purpose of data processing in legislation may no longer correspond to modern concepts of data management. The new Data Protection Act, for example, does not use the term 7 BBl 2014 2106 ‘collection of data’. The reason given for this is that, thanks to new technologies, data is used like a collection of data even if it is not stored centrally.8
The draft revision of the IntelSA requires an amendment to the legal provisions governing the FIS’s information systems. The term ‘information’ should be replaced by the term ‘data’. Data should be categorised according to the legal requirements. The content of these categories should correspond approximately to those of the information systems described in the IntelSA.
7 BBl 2014 2106
8 BBl 2017 7023