In a practice introduced last year, the OA-IA no longer includes every audit carried out in its annual report. Instead, it sets priorities, providing detailed information on some audits and no information on others. However, a summary of the results of all its audits is available on the OA-IA website.9
9 https://www.ab-nd.admin.ch/en/pruefplan-und-pruefberichte.html
Audit plan
Each year, the OA-IA draws up a risk-based audit plan10 for the following areas:
- Strategy and planning
- Organisation
- Cooperation
- Information gathering
- Resources
- Data processing and archiving
In 2021 the OA-IA planned and carried out a total of 18 audits. In addition, it carried out audit 20-3 ‘Allocation of powers and responsibilities between FISA11 and the MIS’, originally scheduled for 2020, as well as an extraordinary audit of HUMINT. However, it decided not to perform audit 20-1 ‘Change management’ or audit 21-3 ‘FIS security’ because a temporary lack of personnel resources or a significant change in circumstances between the planning and realisation stages of the audits meant they no longer made sense. However, individual aspects of these audits were either included in other audits or will be taken into account in future ones. Audit 21-16 ‘Telecommunication Services’ was launched in 2022.
Based on current events and developments, the OA-IA also conducted three short-term individual assessments in view of a possible audit. Some of the findings from these assessments have been integrated into ongoing or future audits.
10 See the OA-IA’s 2020 Annual Report, page 9
11 FIS Evaluation Division
Audits conducted in 2021
Strategy and planning
In the area ‘Strategy and planning’, topics are examined that concern the short-, medium- and long-term strategic planning of Switzerland’s intelligence services and their objectives. In 2021, the following audit was carried out in this area:
- 21-1 Deployment of FIS employees in Swiss representations abroad (FIS)
This was a follow-up audit to audit 19-2 ‘Management of intelligence data between the defence attaché and the FIS’. It was aimed at examining how the recommendation from that audit had been implemented. The audit is described in chapter 5.4 of this report, under ‘Controlling’.
Organisation
In the area ‘Organisation’, the OA-IA examines whether structures and processes within the intelligence services are suitable for fulfilling their legal mandate lawfully, expediently and effectively.
In 2021, the OA-IA carried out audit 20-3 ‘Allocation of powers and responsibilities between FISA and the MIS’, which had been scheduled for the previous year. The findings of the audit are presented in this report. The following audits were also planned for 2021:
- 21-2 Critical infrastructure protection/cyber defence (FIS/EOC)
- 21-3 FIS Security (FIS)
- 21-4 Violent right-wing extremism (FIS)
Audit 21-3 ‘FIS Security’ was not carried out.
[20-3] Allocation of powers and responsibilities between FISA12 and the MIS (FIS/MIS)
The audit focused mainly on the question of whether there was a sufficient distinction between the intelligence products of the FIS and the MIS. The audit also looked at whether, in instances where they overlap, potential for synergy was being sufficiently used, for example by sharing expertise. The audit had originally been planned for 2020, but was then postponed because of a reorganisation of the FIS Evaluation Division. The audit was therefore launched in September 2021. The OA-IA conducted an in-depth analysis of the two services’ intelligence reports and cooperation, taking into account their basic mandates and the cooperation agreement between them. The OA-IA found that there are only a few overlapping areas in their evaluation activities.
To prevent duplication there is a regular, partly formalised, exchange between the respective FIS and MIS departments. They inform each other about what topics are in the pipeline and share their intelligence products. This exchange of information is also reflected in the reports themselves, which tend to complement rather than repeat each other when reporting on common areas of interest; reports often convey different perspectives despite the same starting point. The OA-IA therefore concluded that the distinction between the areas evaluated by the FIS and the MIS was expedient and effective.
[21-2] Critical infrastructure protection/cyber defence (FIS/EOC)
In its ‘Switzerland’s Security 2021’ situation report, the FIS noted an increased vulnerability to cyberattacks as a result of greater digitalisation during the COVID-19 pandemic. Swiss companies providing equipment and specialised services for critical infrastructure operators in Switzerland and abroad are also interesting targets for state-sponsored attacks. The FIS believes that classic cyberattacks, cyber espionage, cyber sabotage and cyber terrorism directly targeting critical infrastructures make up only a small proportion of the overall cyber threats identified. Critical infrastructures in Switzerland have not been a direct target of attack as yet. Nonetheless, the sabotage of critical infrastructures is considered to have the greatest potential for damage, because infrastructure services such as electricity or telecommunications are of key importance for the functioning of society.
Based on these undisputed risks, the OA-IA examined whether the FIS and the EOC have sufficient powers and capacity, both in terms of quality and quantity, to gather the necessary information13 in order to disrupt, prevent or slow down potential attacks on critical infrastructures.14
The cyber division at the FIS (CYBER FIS), the Reporting and Analysis Centre for Information Assurance (MELANI OIC15) and parts of the Armed Forces are the key actors for countering cyber threats. They are integrated into a complex, interdepartmental organisational structure whose objective is to protect critical infrastructures and defend against cyberattack. The main task of the FIS, together with the EOC, is to identify and categorise cyberattacks through intelligence means. The FIS also supports critical infrastructure operators with updates on the current cyber situation and draws on the resources of the EOC for a technical analysis of cyber threats.
CYBER FIS is responsible for operative and technical analyses. Similarly, the EOC has a Cyber Threat Intelligence (CTI) unit in the field of Cyber Network Operations (CNO), which analyses cyber threats. CYBER FIS is especially important for dealing with security-related incidents involving a foreign state; its scope of tasks does not include acts of cybercrime.
If a request by the FIS to take action against an aggressor according to Article 37 paragraph 1 IntelSA is approved, the FIS instructs the EOC to carry out the counter-attack because it does not have its own resources for doing so; according to the cyber strategy of the DDPS, this is the task of the Armed Forces. The Joint Cyber Technical Analysis Center (JCTAC) is a platform for cooperation that goes beyond the client-contractor relationship: it is not a new organisational unit, but rather a form of cooperation between FIS and EOC staff for the purpose of conducting joint technical analyses of cyber threats.
The audit showed that the FIS and the EOC have sufficient powers and capacity, and that both services work collaboratively.
Individual inquiry concerning CYBER FIS
Since May 2021, the OA-IA has been aware of irregularities in the CYBER FIS division and has closely monitored the resulting internal enquiries, posing follow-up questions where necessary. Generally, we agree with the approach taken by the FIS and the DDPS. The question of criminal liability is of great importance to us and we will therefore continue to closely monitor further developments and exert influence where necessary. So far, we have not seen any additional benefit in conducting further enquiries of our own or an audit.
[21-4] Violent right-wing extremism (FIS)
The FIS is responsible for gathering and processing information for the early recognition and prevention of threats to Switzerland’s internal and external security. This includes threats from violent extremism.16
The FIS and its activities in the field of violent right-wing extremism – just one area of violent extremism – have been repeatedly questioned and criticised by various sides. One criticism is that the FIS turns a blind eye to violent right-wing extremism and does not take the issue seriously enough.17 A further, repeated accusation is that it gathers information on political activities unlawfully.18
In its ‘Switzerland’s Security 2020’ situation report, the FIS concluded that members of right-wing extremist groups exercise restraint in their use of violence. The greatest risk of a right-wing extremist-motivated attack in Switzerland, the report said, is from lone actors with right-wing extremist views but with no firm attachment to established violent extremist groups. In its 2021 situation report, the FIS notes that the right-wing extremist scene has considerable threat potential, but that although existing groups have dissolved and new ones have formed, there was only one violent incident that year.
The purpose of audit 21-4 was to examine whether the FIS has suitable strategies and processes in the field of right-wing extremism, whether these strategies and processes are implemented effectively and whether information is managed lawfully. The audit found that the FIS has a range of strategies and processes for dealing with right-wing extremism.
The FIS is not permitted to gather or process any information relating to political activities or the exercise of freedom of speech, assembly or association in Switzerland. This ban is known in German as the Datenbearbeitungsschranke (ban on data processing).19
On the other hand, the FIS is supposed to identify at an early stage dangers from violent right-wing extremism that pose a threat to Switzerland’s internal and external security. Distinguishing between data processing that is permitted, indeed desired, and data processing that is prohibited poses major challenges for FIS employees. They have to deal with several demarcation questions in the course of their daily work, for example:
- What is the difference between extremism, violent extremism and terrorism?
- What is the exact definition of extremism,20 i.e. when is a violent extremist act committed, incited or endorsed?21
- When is an occurrence a violent extremist act (and therefore may be addressed by the FIS) and when is it a political activity or the expression of freedom of speech, assembly or association (and therefore may not be addressed by the FIS)?22
- When can the FIS nonetheless process information relating to political activities or the exercise of freedom of speech, assembly or association in Switzerland because there is clear evidence that a person is exercising these rights and freedoms in order to plan or commit a violent extremist act?23
Based on these questions and considerations, the FIS has developed various instruments to help its employees with their daily tasks. For example, it has established a collection of case studies and decisions based on these cases in order to help its employees to reach decisions in similar cases in the future.
One method of complying with the above-mentioned data processing ban is to anonymise information. According to the law, information that has been gathered despite the ban and that concerns political activities or the exercise of freedom of expression, assembly or association in Switzerland must be anonymised. In audit 21-4, the OA-IA identified internal inconsistencies in the anonymisation of reports and messages in relation to the data processing ban.
Another important instrument in the daily work of the FIS staff is the watch list. This is a political control instrument of the Federal Council, which approves the list annually. The list contains the names of organisations and groups that are reasonably assumed to pose a threat to the internal or external security of Switzerland24 and to which the data processing ban does not apply.25
In audit 21-4, the OA-IA examined whether the procedure used by the FIS for determining which right-wing extremist organisations are included on the watch list26 is expedient. Based on random samples, the OA-IA analysed the FIS’s methods and judged them to be expedient.
Nor did the OA-IA find any irregularities, based on random samples, with regard to the lawfulness of information management. It interviewed third parties to verify the effectiveness of the reporting and of the information on right-wing extremism forwarded to them. The interviewees confirmed that the information they received from the FIS was generally effective.
12 FIS Evaluation Division
13 Art. 6 para. 1 let. a No 4 IntelSA
14 Art. 37 para. 1 IntelSA
15 Operation Information Center at MELANI
16 Art. 6 para. 1 let. a No 5 IntelSA
17 For example, Postulate 02.3059; Postulate 17.3831; Question Time/ Question 9.5677; Question Time/Question 21.7312; Die braune Gefahr – Die Schweiz ist keine Insel, Swiss Broadcasting Company (SRF), 12 May 2019; Wie neutral ist unsere Polizei?, in the ‘Walliser Bote’ newspaper, 23 July 2020; Geheimdienst soll Rechtsextreme ins Visier nehmen, in the ‘Zeitung für die Region Basel’ newspaper, 25 May 2021.
18 For example, Parliamentary Procedural Request 19.3868; Geheimdienst überwacht Menschenrechtsorganisation seit 15 Jahren, Netzpolitik.org, 10 August 2021
19 Art. 5 para. 5 IntelSA
20 Art. 6 para. 1 let. a No 5 IntelSA
21 Art. 19 para. 2 let. e IntelSA
22 Art. 5 para. 5 IntelSA
23 Art. 5 para. 6 IntelSA
24 Art. 70 para. 1 let. b and Art. 72 IntelSA
25 Art. 5 para. 8 IntelSA
26 Art. 72 IntelSA
Cooperation
This audit area covers national and international cooperation among intelligence services. The cantonal intelligence services (CIS) are an annual focal point of the OA-IA’s audits. These audits are summarised below.
The OA-IA conducted the following audits in 2021:
- 21-5 FIS quality assurance within the Cantonal Intelligence Services (CIS) (FIS)
- 21-6 Audit of the CIS Basel-Stadt (FIS/CIS)
- 21-7 Audit of the CIS Basel-Landschaft (FIS/CIS)
- 21-8 Audit of the CIS Appenzell Ausserrhoden (FIS/CIS)
- 21-9 Audit of the CIS Appenzell Innerrhoden (FIS/CIS)
- 21-10 Audit of the CIS Aargau (FIS/CIS)
- 21-11 Audit of the CIS Vaud (FIS/CIS)
- 21-12 Audit of the CIS Neuchâtel (FIS/CIS)
[21-5] FIS quality assurance within the Cantonal Intelligence Services (CIS/FIS)
Quality assurance is a risk-reducing measure. In addition to its regular audits of the cantonal intelligence services (CIS), the OA-IA therefore also examined whether the FIS’s quality assurance actually reduces risk at the CIS; where it does, it supports well-functioning oversight of the CIS in cooperation with the OA-IA. Reliable and manageable quality assurance is important for the quality of the data and information held by the FIS and the CIS. The FIS must therefore ensure the lawful implementation of the IntelSA in both the FIS and the CIS through appropriate quality assurance and control measures. The FIS’s quality assurance office (QS FIS) in the Cyber Information Management division is responsible for this task.
At least once a year, the QS FIS carries out random checks to verify the lawfulness, expediency, effectiveness and accuracy of data processing in all of the FIS’s information systems. For this purpose, it draws up a control plan and, amongst other things, periodically checks CIS reports for their relevance and accuracy. It also deletes data from preliminary inquiries that was recorded more than five years previously, and deletes data at the request of the CIS. In addition, it provides internal training on data protection matters.
The QS FIS always chooses the same procedure for carrying out random CIS checks. The individual steps in this procedure are scheduled with deadlines and assigned to the QS FIS staff. The individual steps include the allocation of the assignment, the collection of statistical data according to identical specifications, a questionnaire based on the statistics collected, the opinion of the CIS on the questionnaire and the final report. The final report is submitted to the FIS management for consultation and is then approved by the FIS directorate. The CIS receive the final report in this last step and the QS FIS monitors the implementation of its recommendations, if any. By involving the FIS management and the FIS directorate in the procedure, the report and recommendations receive the necessary weight vis-à-vis the CIS.
The QS FIS implements its CIS control mandate expediently and effectively. This is demonstrated, for example, by the fact that the QS FIS has developed a process for random sampling that guarantees sampling is always carried out in the same way and is based on identical procedures. The OA-IA confirmed this by carrying out two random checks. Clear internal mandates and a consistent dual-control procedure ensure that the controls are carried out efficiently and that potential risks are identified.
The QS FIS carries out its CIS control activities expediently and effectively by coordinating them internally and with the OA-IA’s audit plans, and by taking into account the results of previous audits. This ensures that the same CIS is not audited twice in the same year, although this could be done if necessary. In addition, the FIS’s internal controls are distributed across several units, ensuring that both operational and security-related technical aspects of the audited data processing operations are taken into account.
[21-6 to 21-12] Audits of the CIS Basel-Stadt, Basel-Landschaft, Appenzell Ausserrhoden, Appenzell Innerrhoden, Aargau, Vaud and Neuchâtel (FIS/CIS)
In 2021, the OA-IA audited the intelligence activities of the CIS of the cantons of Aargau, Appenzell Ausserrhoden, Appenzell Innerrhoden, Basel-Landschaft, Basel-Stadt, Neuchâtel and Vaud, as well as their cooperation with the FIS. The OA-IA has thus audited a total of 17 CIS27 since the start of its oversight duties. The remaining nine CIS will be audited over the next two years.
All CIS audits carried out in 2021 showed that the FIS and the CIS generally work well together in all areas of intelligence. However, with regard to implementation of joint operational procedures, there is a desire on both sides for better coordination. Differences of opinion between the FIS and individual CIS with respect to the annual performance review were settled in discussions to clarify the situation.
The CIS have good to very good intelligence knowledge and carry out the FIS’s mandates on time, in accordance with the law and to a quality that satisfies the FIS. The FIS provides the CIS with several intelligence applications and filing systems on the decentralised work platform (DezAP),28 including a business management system (AV CIS) and a specialised application (FA CIS) that allows the cantons to record objects29 in a structured manner. The OA-IA found no data collections or personal data at the CIS for which there was no legal basis for processing. However, some of the data in the specialised applications had not been recorded close to the time of the events or findings in question. As a result, some of this data had been stored in the specialised applications for longer than the legally allowed five years. The reason for these incorrect data entries is assumed to be an earlier data migration in 2017/2018; the entries should disappear over the next two years as a result of the automatic deletion program. The OA-IA will follow this up in coordination with the QS FIS.
27 In 2020 the OA-IA audited the CIS of the cantons of St Gallen, Zurich, Ticino, Solothurn and Fribourg. In 2019, it audited the CIS of the cantons of Bern, Graubünden, Geneva, Jura and Schaffhausen.
28 DezAP is part of the FIS’s SiLAN secure network which provides access to the FIS’s systems from a decentralised location. The term DezAP is also used for laptops to allow decentralised work. The CIS work platform (AP CIS) is a variation on the DezAP which the CIS are provided with.
Information gathering
Information gathering is a core task of intelligence services. They can use various methods for this purpose. The OA-IA pays particularly close attention to methods that intrude most deeply into the privacy of the target person. In 2021 the OA-IA also carried out an extraordinary audit in the field of HUMINT. The FIS was notified of this audit in advance.
The OA-IA conducted the following audits in this area in 2021:
- 21-13 Risk management for foreign operations (FIS)
- 21-14 Operations (FIS)
- 21-15 HUMINT (FIS)
- 21-19 Extraordinary audit of HUMINT (FIS)
[21-13] Risk management for foreign operations (FIS)
The FIS posts employees to carry out operations abroad. Target countries include those where the rule of law is only partially respected or not respected at all, or areas where security may be compromised. Sometimes the FIS is supported by third parties. Gathering information abroad is risky for the posted employees. The FIS must therefore ensure that these risks are not disproportionate to the expected benefit of the information they gather30 and that its posted employees are protected.31 Internal controls and processes are required to ensure these requirements are met. Appropriate and effective risk management is therefore important.
In this audit, the OA-IA focused in particular on operational missions from three areas of the FIS. In addition to conducting interviews and analysing documents, the OA-IA also compared FIS postings with those by the Federal Department of Foreign Affairs and the Federal Office of Police (fedpol).
The OA-IA found that risk management is in place for employees posted abroad, but that it is important to improve its expediency, largely to ensure the physical safety of posted personnel. It also concluded that the management of foreign missions should be centralised within the FIS, and processes should be standardised. The OA-IA can confirm that the involvement of third parties in high-risk missions abroad is lawful and clearly documented.
[21-14] Operations (FIS)
The FIS conducts intelligence operations partly using information gathering measures requiring authorisation. Less time-critical and security-relevant operations involving information gathering measures that do not require authorisation are carried out as operational investigation requirements. The FIS reports annually to the Federal Council on operations; in the case of operational investigation requirements, the head of the DDPS is only informed of their content on an ad hoc basis and as required.
In an annually recurring audit, the OA-IA analysed five intelligence operations and fifteen operational investigation requirements for their expediency, effectiveness and compliance with the law. In addition, it examined three information gathering measures requiring authorisation to determine whether their implementation complied with the decisions of the Federal Administrative Court. In previous years, these three areas were audited separately. However, since they contain many interfaces and interdependent aspects, the OA-IA decided to combine them into a single audit.
The audit comprised analysing documents and conducting interviews with the appropriate FIS specialists. Based on its findings from the audit, the OA-IA can confirm that the measures were generally carried out lawfully, expediently and effectively.
[21-15] HUMINT (FIS)
Human sources remain one of the most important instruments in information gathering by intelligence services, despite highly developed methods for technical surveillance and access to a vast array of open source material. People with access to specific information are therefore of key importance to every intelligence service.
The public discovered in the Control Delegation’s report ‘Inspection following the arrest of a former FIS source in Germany’ how the FIS uses human sources. In 2017, a former FIS source was arrested in Germany on suspicion of espionage. Following the arrest, the Control Delegation decided to examine the background to the case and the role of the FIS, the Federal Council and the Attorney General’s Office. Implementing the recommendations of the report has had a lasting effect on the FIS’s work with human sources.
Human intelligence often involves high personal risks for both FIS personnel and the sources. This means the FIS has a special responsibility and obligation towards them, which it must take very seriously and which is given special weight in our oversight. Human intelligence officers (HUMINT officers), i.e. those who handle human intelligence sources, require specialised knowledge in their respective subject areas, comprehensive intelligence training and language skills. They must also have outstanding social skills and, above all, intercultural expertise and psychological sensitivity in order to master the extraordinary challenges.
HUMINT officers need to understand what motivates and drives people, regardless of where they are from or what they do. Operational staff therefore receive special training in foreign languages, in the use of technology and in managing people. Moreover, life as a case officer entails many restrictions in private life.
The OA-IA examines the use of human intelligence at the FIS annually through random samples. The audits cover the whole spectrum of the management of human sources, including security risks, financial expenditure and the tangible impact of human intelligence. The OA-IA selects which cases to audit based on a risk assessment. It conducts interviews with the HUMINT officers, with the head of the HUMINT department and with employees from the Evaluation Division, who incorporate the information gained from human intelligence sources into their intelligence products.
The audits place special demands on confidentiality. For example, the names of the sources and HUMINT officers remain secret, even from the OA-IA, unless they are relevant to the audit. In concrete terms, this need-to-know principle means that only persons who require this personal data in order to perform their tasks have access to it.
The protection of sources is guaranteed by law.32 The OA-IA must also fulfil these legal requirements in its audits. For reasons of national security, the OA-IA therefore cannot provide information about its audit results to the same extent as it does in other audit areas.
29 The objects most used by the FA CIS are people, events and means of communication.
30 Art. 36 para. 3 IntelSA
31 Art. 36 para. 7 IntelSA
32 Art. 35 IntelSA
Resources
In order to ensure effective intelligence operations it is essential that resources are used expediently.
In 2021, the OA-IA did not plan or carry out any audits in this area.
Data processing and archiving
The information handled by intelligence services is extremely sensitive. The legal requirements for data processing and archiving are clear, but also complex. The OA-IA must therefore pay special attention to the lawfulness of information processing.
The OA-IA planned the following audits in this area in 2021:
- 21-16 Telecommunication Services (FIS)
- 21-17 Selected FIS Information System (Quattro P)
- 21-18 Data Protection within the MIS
Audit 21-16 ‘Telecommunication Services’ was only launched in the final quarter of 2021. The findings from this audit were not yet available when this report was compiled.
[21-17] Selected FIS Information System (Quattro P)
In 2020, the OA-IA decided to include the Quattro P information system in its 2021 audit plan. The reason for this is that the system stores and processes a large volume of data on the [travel] movements of certain categories of foreign nationals, and this personal data is also used for the FIS’s facial recognition system, which the FIS has been using since 2020 but only for searching its own data. The number of Quattro P users is large; half of the FIS staff is now authorised to access the system. In its audit, the OA-IA examined the operation, use and content of the information system for its legality and expediency. A further part of the audit concerned the lawfulness of the facial recognition system used by the FIS.
As part of the audit, the auditors were granted access to the Quattro P, IASA FIS, SiLAN data storage and the facial recognition systems. This allowed the OA-IA to plan and carry out random sampling independently.
Lawfulness of data entry and processing in Quattro P
The Federal Council determines in a non-public list the categories of persons (travellers) that must be reported to the FIS without being requested to do so.33 In doing so, it takes account of the threat situation at the time. Data on persons who travel within the Schengen area is not stored in the Quattro P database due to the absence of border controls.
The following personal data is recorded in the Quattro P information system:34
- Surname, first name, date of birth, nationality;
- Identity document number, visa number, date of validity;
- Identity document photo;
- Place, date and description of the border control;
- Gender;
- Data from the identity document’s chip;
- Data from the visa.
The data is supplied by the appropriate authority (border guard, police station), which also triages the information so that the FIS receives only data that is legally permitted. The data of children under 16 is not recorded.
After analysing the legal provisions and the information system’s documentation, the OA-IA took random samples to examine whether the following data in Quattro P was in compliance with the law:
- data regarding the travel movements of nationals on the Federal Council list;
- data of children;
- compliance with five-year data retention period;35
- Quattro P entries and their recording in the IASA FIS system.
During the random sample audit, the OA-IA found cases of multiple entries of travel documents for individual travel movements. It therefore recommended that the FIS examine these cases and take measures to reduce them. Otherwise, the OA-IA found the data in Quattro P to be in compliance with the legal provisions.
Expediency of data entry and processing in Quattro P
The term ‘expediency’ encompasses the suitability, necessity and appropriateness of a procedure or method, in this case the processing of data in the Quattro P system. Complicated and cumbersome data processing is prone to errors and may result in information relevant to the FIS fulfilling its tasks being available too late.
In view of the large volume of data supplied, the automated transmission of data from external sources seems to have proven a success. Only a small percentage of this data is post-processed manually. If the proportion of incorrectly supplied data increases, the FIS consults the authority supplying the data and appropriate measures are taken to improve its quality.
With regard to the random samples taken to verify the lawfulness of the data collected, the OA-IA found that in around 25% of the cases examined, the direction of travel was indicated as ‘undefined’.36 The OA-IA therefore recommended that the FIS and the oversight authorities examine what measures can be adopted to reduce this proportion.
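As an added illustration, and not code from the OA-IA or from the FIS’s systems, the following Python script runs the four lawfulness checks listed above (travellers not on the Federal Council list, data of children under 16, the five-year retention period, and multiple entries for one travel movement) together with the share of ‘undefined’ travel directions from the expediency findings, over a handful of constructed records shaped like the Quattro P fields listed earlier. The same retention check applies to the CIS finding earlier in this report about entries held longer than five years after the 2017/2018 migration. The record layout, field names, sample values, audit date and the nationality list are all assumptions for the example; the Federal Council’s actual list is non-public.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 5   # five-year retention period named in the report
MIN_AGE = 16          # data of children under 16 is not to be recorded


@dataclass(frozen=True)
class TravelRecord:
    """Constructed approximation of one Quattro P entry (field names assumed)."""
    doc_no: str            # identity document number
    date_of_birth: date
    nationality: str       # placeholder country codes, not real list entries
    control_place: str
    control_date: date
    direction: str         # "entry", "exit" or "undefined"
    recorded_at: date      # date the entry was written to the system


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def audit(records, audit_date, listed_nationalities):
    """Apply the sample checks and return document numbers per finding."""
    findings = {
        "not_on_list": [],
        "under_16": [],
        "retention_exceeded": [],
        "duplicate_movements": [],
        "undefined_direction_share": 0.0,
    }
    movements = defaultdict(list)  # one travel movement = document + place + day
    for r in records:
        if r.nationality not in listed_nationalities:
            findings["not_on_list"].append(r.doc_no)
        if age_on(r.date_of_birth, r.control_date) < MIN_AGE:
            findings["under_16"].append(r.doc_no)
        if add_years(r.recorded_at, RETENTION_YEARS) <= audit_date:
            findings["retention_exceeded"].append(r.doc_no)
        movements[(r.doc_no, r.control_place, r.control_date)].append(r)
    findings["duplicate_movements"] = [
        key for key, entries in movements.items() if len(entries) > 1
    ]
    if records:
        undefined = sum(1 for r in records if r.direction == "undefined")
        findings["undefined_direction_share"] = undefined / len(records)
    return findings


# Constructed sample data (assumption): "XA" and "XB" stand in for listed
# nationalities, "ZZ" for one that is not on the list.
LISTED_NATIONALITIES = {"XA", "XB"}
AUDIT_DATE = date(2021, 11, 1)
SAMPLE_RECORDS = [
    TravelRecord("P100", date(1980, 5, 2), "XA", "Zurich Airport",
                 date(2021, 3, 10), "entry", date(2021, 3, 10)),
    # same document, place and day recorded twice: one travel movement, two entries
    TravelRecord("P100", date(1980, 5, 2), "XA", "Zurich Airport",
                 date(2021, 3, 10), "undefined", date(2021, 3, 10)),
    TravelRecord("P200", date(2008, 9, 15), "XA", "Geneva Airport",
                 date(2021, 6, 20), "entry", date(2021, 6, 20)),      # aged 12
    TravelRecord("P300", date(1975, 1, 1), "XB", "Basel",
                 date(2016, 4, 5), "exit", date(2016, 4, 5)),         # > 5 years
    TravelRecord("P400", date(1990, 12, 12), "ZZ", "Zurich Airport",
                 date(2021, 8, 8), "exit", date(2021, 8, 8)),         # not listed
    TravelRecord("P500", date(1985, 3, 3), "XA", "Geneva Airport",
                 date(2021, 9, 1), "undefined", date(2021, 9, 1)),
]

if __name__ == "__main__":
    for name, value in audit(SAMPLE_RECORDS, AUDIT_DATE, LISTED_NATIONALITIES).items():
        print(f"{name}: {value}")
```

The duplicate check keys on document number, control place and control date, which is the narrowest reading of ‘multiple entries for an individual travel movement’; an auditor would widen or narrow that key to match how the receiving authority actually batches its reports.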
Lawfulness and expediency of access management regarding Quattro P
For reasons of information security and data protection, access to Quattro P may only be granted to those FIS employees who need it to perform their tasks. Authorisations that are no longer required do not comply with the need-to-know principle. Inexpedient access management processes lead to a delay in updating access rights. These rights must be updated quickly if a member of staff changes function or leaves the service in order to avoid unauthorised access to data and the security vulnerabilities that may arise as a result.
Based on the random samples carried out and an analysis of the relevant documents, the OA-IA recommended that access authorisations be regularly checked and deleted if no longer required.37
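The recommendation above amounts to a periodic reconciliation of the authorisation list against current staff data. The following Python script is an added example of such a review and is not code from the OA-IA, the FIS or Quattro P; the staff records, authorisations, field names and the 180-day inactivity threshold are all constructed assumptions. It flags the cases the text names (leavers and function changes) and, going one step further, orphaned accounts and authorisations that have gone unused, which a reviewer would normally also want to see.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Authorisation:
    """One access right in the system under review (hypothetical schema)."""
    user: str
    system: str
    role: str
    granted: date
    last_used: Optional[date]  # None = never used since it was granted


@dataclass(frozen=True)
class StaffRecord:
    """HR view of a user (hypothetical schema)."""
    user: str
    function: str
    status: str            # "active" or "left"
    function_since: date   # start of the current function, or leaving date


# Constructed sample data; the users and dates are invented for the example.
TODAY = date(2021, 11, 22)

STAFF = [
    StaffRecord("alice", "analyst", "active", date(2019, 1, 10)),
    StaffRecord("bob",   "analyst", "left",   date(2021, 6, 30)),
    StaffRecord("carol", "hr",      "active", date(2021, 9, 1)),   # moved from analyst
    StaffRecord("dave",  "analyst", "active", date(2020, 4, 1)),
    StaffRecord("frank", "analyst", "active", date(2017, 2, 1)),
]

AUTHS = [
    Authorisation("alice", "Quattro P", "read",  date(2019, 2, 1),  date(2021, 11, 15)),
    Authorisation("bob",   "Quattro P", "read",  date(2018, 5, 1),  date(2021, 6, 20)),
    Authorisation("carol", "Quattro P", "read",  date(2020, 3, 1),  date(2021, 10, 1)),
    Authorisation("dave",  "Quattro P", "write", date(2021, 1, 15), None),
    Authorisation("erin",  "Quattro P", "read",  date(2016, 9, 1),  date(2021, 8, 3)),  # no HR record
    Authorisation("frank", "Quattro P", "read",  date(2017, 6, 1),  date(2021, 3, 1)),
]

Finding = Tuple[str, str, str, str]  # (user, system, role, reason)


def review_authorisations(auths: List[Authorisation], staff: List[StaffRecord],
                          today: date, unused_after: timedelta = timedelta(days=180)
                          ) -> List[Finding]:
    """Return the authorisations that should be revoked or re-approved, with a reason.

    Checks are ordered by severity: an account with no staff record or a leaver
    is reported as such even if the grant would also fail a later check.
    """
    by_user = {s.user: s for s in staff}
    findings: List[Finding] = []
    for a in auths:
        rec = by_user.get(a.user)
        if rec is None:
            reason = "no staff record (orphaned account)"
        elif rec.status == "left":
            reason = f"user left on {rec.function_since.isoformat()}"
        elif rec.function_since > a.granted:
            # The grant predates the current function: need-to-know must be re-established.
            reason = f"function changed to '{rec.function}' after grant; re-approval required"
        elif a.last_used is None and today - a.granted > unused_after:
            reason = f"never used in {(today - a.granted).days} days since grant"
        elif a.last_used is not None and today - a.last_used > unused_after:
            reason = f"unused for {(today - a.last_used).days} days"
        else:
            continue  # authorisation is current and in use
        findings.append((a.user, a.system, a.role, reason))
    return findings


def run_review() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_authorisations(AUTHS, STAFF, TODAY)


if __name__ == "__main__":
    for user, system, role, reason in run_review():
        print(f"{user:6} {system:10} {role:6} -> {reason}")
```

In this sample only alice survives the review. The ordering of the checks is the design point: a leaver who also changed function is reported as a leaver, and an orphaned account is reported before anything else, so the most urgent revocations are never hidden behind a milder finding.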
Lawfulness of the facial recognition system
Facial recognition systems can be used to identify people in photos, videos or in real time. The images available in data sets are analysed for the geometry of the captured faces. The characteristic analogue key features are transformed into a set of digital data, a facial print, which is as unique as a fingerprint. Such data is called biometric data.38
Facial recognition is a new search tool that is controversial from a data protection point of view. Since it is used at the FIS, the OA-IA decided to investigate the lawfulness of its use.
The OA-IA noted that at the beginning of the project the FIS conducted various inquiries to clarify the lawfulness of facial recognition. These inquiries were used to draw up processing regulations and to analyse the legal base for using facial recognition. The project subsequently developed further, but the FIS’s legal service or quality assurance division did not check the lawfulness of these further developments.
The OA-IA is of the opinion that the data processed by the facial recognition system constitutes biometric data. According to the revised Federal Act on Data Protection (FADP),39 which is not yet in force, such data is classed as sensitive personal data. According to Article 47 paragraph 2 IntelSA, the Federal Council determines the catalogue of personal data that may be processed in each information system. This catalogue is listed in the Ordinance on the Federal Intelligence Service Information and Storage Systems (ISSO-FIS). However, the ordinance does not contain any provisions on processing biometric data in the information systems mentioned therein.
In addition, the facial recognition system can be used to create image profiles, which can be enriched with metadata. In the OA-IA’s view, this leads to the creation of personality profiles. Based on these considerations, the OA-IA issued several recommendations, including the recommendation that the FIS include the Federal Data Protection and Information Commissioner in its further legal evaluations.
[21-18] Data protection at the MIS
In audit 20-17, the OA-IA examined the information systems of the MIS that are relevant to intelligence activities. In the current reporting year, it examined in audit 21-18 the lawfulness of personal data processing in two systems. For this audit, the OA-IA conducted interviews, inspected documents and took random samples. Among the various information systems, sub-systems and special applications, the OA-IA focused on the information systems operated by and under the responsibility of the MIS: the Information System for Military Intelligence (IK MIS), its main working instrument, and the information system for secure information sharing with foreign states, known as BICES.40 In our view, these systems pose the greatest data protection risk on account of the volume, type and recipients of the data as well as the potential impact of violations of personality rights on those concerned.
The OA-IA noted that the MIS processes personal data as part of its legal duties and that the processing of sensitive personal data or the creation of personality profiles may also be necessary as part of these duties. However, the OA-IA did not come across any such instances during its audit of random samples. The OA-IA found that although personal data is present in certain MIS reports, this personal data is not the focus of MIS interest. The MIS focuses on gathering and evaluating information that is important for the Armed Forces (in particular for the defence of Switzerland) and for promoting peace and providing support services abroad. The information it gathers largely concerns foreign countries and not people in Switzerland; these people are not recorded in the MIS’s information systems in a structured manner. Personal data collected in the context of providing support services in Switzerland (for example at World Economic Forum meetings) is forwarded to the appropriate Swiss authorities and may not be used in connection with military intelligence activities.
Where personal data is processed, it concerns the names of politicians, foreign leaders and activists from armed networks or organisations. This information enables the MIS to monitor and assess military strategic developments and armed forces. The focus is on specific countries, military threats, armed conflicts and regions abroad where the Swiss Armed Forces are deployed.
In each case examined by the OA-IA in the random sample audit, a link to the activities of the MIS was found. The OA-IA was also given an explanation of users’ access rights and of the processes for archiving and deleting documents. It noted that access is limited to those members of staff who require it for their tasks. The reports in the information systems examined are sent to the Swiss Federal Archives and are not retained beyond the legal retention period. The information systems used by the MIS are well documented and are not connected via common interfaces that would allow automatic data exchange. This minimises the risk of misuse.
During its audit, the OA-IA did not identify any issues that led it to doubt the lawfulness of personal data processing by the MIS at any stage. Nor did the OA-IA discover any misuse or disproportionate use of the personal data collected according to the law or to data protection legislation.
The OA-IA further noted that the MIS relies on specific provisions for transmitting personal data abroad. The reports it transmits abroad generally comprise situation analyses of a military, political or military policy nature. While it cannot be ruled out that personal data may occasionally appear in MIS reports, there is no exchange of information on specific individuals. Furthermore, MIS reports are only transmitted to the services of countries that share Western values and have data protection laws.
32 Art. 35 IntelSA
33 Art. 55 para. 4 IntelSA; the list of countries is part of the list mentioned in Art. 20 para. 4 IntelSA (activities and data that must be reported without a request being made).
34 Annex 8 ISSO-FIS (Ordinance on the Federal Intelligence Service Information and Storage Systems)
35 Art. 55 ISSO-FIS
36 The following options are available: ‘Entry’, ‘Departure’ and ‘Not defined’.
37 Art. 5 para. 4 ISSO-FIS
38 Source: www.kaspersky.de/resource-center/definitions/what-is-facial-recognition, last viewed on 22.11.2021
39 SR 235.1
40 Battlefield Information Collection and Exploitation System, the international communication network of NATO
Acceptance
In the course of their work, the OA-IA auditors were received by all audited entities in a constructive and professional manner. They were given access to the documents and information systems needed to carry out their audits. The interviewees were available to the auditors. The interviews could be planned and conducted in a timely manner despite the COVID restrictions. Additional questions were answered as quickly as possible.
In the year under review, the OA-IA noted a marked increase in informal information indicating the dissatisfaction of FIS staff. The OA-IA analysed this information where necessary and possible, and either incorporated it into its audit procedures or dealt with it individually. The head of the DDPS was informed in writing about these developments on 13 July and 22 October 2021. This is an ongoing issue that will continue to draw our attention.
Controlling of recommendations
Controlling the implementation of recommendations is not explicitly regulated by the IntelSA. It was agreed with the DDPS and the audited services that the latter would inform the DDPS in writing of progress made in implementing the OA-IA recommendations and that the OA-IA would receive a copy of those progress updates. In 2021, such notifications were made for 66 recommendations. By the end of 2021, no further recommendations were pending at the MIS or the EOC. In addition, a meeting was held in the middle of the year with all the audited services, in the presence of an advisor to the head of the DDPS, to take stock of the current state of implementation.
Monitoring implementation of the recommendations – An example
With the entry into force of the IntelSA, the FIS was given a legal base for posting its own personnel to Swiss representations abroad in order to promote international contacts.41 The FIS makes use of this possibility through intelligence liaison officers. Therefore, in 2019, the OA-IA audited the management of intelligence data between the defence attaché network and the FIS.
The defence attaché network assists in implementing Switzerland’s foreign and security policy interests. Although the attachés are members of the Swiss Armed Forces, the FIS is primarily responsible for their posting and for managing their intelligence activities.
As a result of the 2019 audit, the OA-IA recommended that the FIS draw up a strategic plan to better define the posting of intelligence liaison officers and their interface with the defence attachés. The purpose of this was to improve expediency and effectiveness in this area of intelligence.
In 2021, the OA-IA conducted audit 21-1 ‘Deployment of FIS Employees to Swiss Representations abroad’. A key element of the audit was to review implementation of the recommendation to compile a strategic plan for posting intelligence liaison officers abroad. Recommendations are recorded in a monitoring system at the OA-IA and checked against an implementation report from the FIS. The OA-IA then decides whether the implementation measures are sufficient or whether a more in-depth review is necessary. If a more in-depth review is necessary, it is either integrated into an audit that has already been planned or, as in the case described above, a separate audit is carried out.