The Swiss Model Through an SSI Lens: Clarity Before the Next Step
A special thank you to Christopher Allen for the exchange — it inspired me to finally write about this specific SSI topic SSI – a path that’s been deeply important to me for the past 3 yearsWhat happens when a country builds a digital identity infrastructure that mirrors self-sovereign identity at first glance — but is run by the government?
Swiss voters have just approved the Federal Act on Electronic Identity and Other Electronic Credentials (BGEID, 2025) which regulates both:
the e-ID (and other credentials)
the trust infrastructure (Base Registry, Trust Registry, Wallets)
(here, together referred to as the Swiss model)
On the surface this looks like SSI: the e-ID and other credentials are stored on your device, any organization can register as an issuer or verifier, issuers don’t see when credentials are used, and privacy is part of the pitch. But the system is government-controlled. The government defines the rules, runs the infrastructure, and sets the law that regulates both the e-ID credential and the trust infrastructure beneath it.
How closely does this echo the spirit of self-sovereign identity?
That’s the question this article explores. To take it away, the Swiss model is not SSI at its core – nor does it claim to be –. Yet, in Switzerland this does not seem fully clear. In 8 out of 10 discussions I experience here and on LinkedIn the Swiss model is mistaken as an SSI infrastructure. As someone deeply engaged in SSI and committed to the evolution of digital identity in Switzerland, I admit this can be frustrating — but it also fuels my drive to explain, clarify, and invite more people into the conversation.
The aim with this article is to cut through misconceptions and create clarity, not to judge.
Only by being clear about what SSI is (using Christopher Allen’s ten SSI principles) – and what the Swiss model actually represents – can we have meaningful discussions on how to move forward, and drive innovation. What follows is a snapshot in time: the Swiss model is evolving, and some elements may have shifted by the time you read this. That evolution is part of the story — and it makes the discussion even more relevant.
👉 This article is part of a joint effort. Here, I share my view on the Swiss model through the lens of selected SSI principles – a perspective I have tried to frame as objectively as possible –. Later today, Christopher Allen will expand the picture to societal and geopolitical stakes, offering five concrete anchors to preserve digital autonomy and democratic sovereignty, in his talk at the official e-ID participation meeting on October 2nd at 4pm CEST— links
How to read this article
Think of this piece like a menu. If you’re in a hurry, the overview sections serve the espresso shot: a high-level summarized view of the Swiss model through the lens of six SSI principles — SSI’s way versus the Swiss model’s way — plus what the Swiss model does well and where it could do better. If you want something more filling, the closing thoughts give you the main course: the trade-offs and possible paths forward. And for those hungry for detail, the second half is the full tasting menu — a deeper, still good digestible, dive into each lens with both societal and philosophical reflections. It all finishes with further links and a short change history for dessert.
Ten SSI Principles, Six That Matter Most Here
This first part focuses on six SSI principles which show the highest impact on the Swiss model.
The Overview
The following six principles were selected because they directly touch the boundary between autonomy and dependency. They are where the Swiss model most clearly resembles SSI – and where it most clearly diverges. They reveal the strengths (legal privacy, selective disclosure, device-bound storage) and expose the limits (conditional control, portability, and protection).
SSI Principle 1 - Existence
In SSI, existence begins with the individual: you exist “by default”, independently of whether you are recognized or not, and as such also independent of any system or credential. The Swiss model takes a different approach. Here, digital existence is conditional not foundational: holders, issuers and verifiers start existing if and when the government confirms them through official records, and they only keep existing digitally through government-controlled systems. In SSI: I am, therefore I am recognized. In the Swiss model: I am, if I am acknowledged.
👉 Christopher, through his anchor on Institutional Safeguards, will later connect this to Switzerland’s constitutional principle that sovereignty resides in the people, showing why individual existence and democratic sovereignty must align.
SSI Principle 2 - Control
In SSI, individuals control their own identity, which is the way you express your existence in a system through context and interactions, and how you are recognized through that. Hence, it’s the individual who decides where and when to interact with whom. In the Swiss model, control exists but within boundaries: issuers manage your credentials, verifiers define which attributes are “indispensable” in a presentation, and the government sets the rules, registries, and conditions for recognition. This delivers reliability but also outside rules: In SSI: I decide, therefore I am in control. In the Swiss model: I comply, if I want to be recognized.
👉 In his presentation, Christopher will frame this challenge as preserving choice by design – ensuring that what is voluntary in law remains voluntary in practice.
SSI Principle 6 - Portability
In SSI, your identity travels with you: credentials and identifiers move across wallets, devices, and ecosystems without losing validity. The Swiss model allows portability, but only within boundaries. Government-issued high-assurance credentials (such as the e-ID) can be placed only in government-approved wallets (for now), and identifiers remain tied to the government ecosystem. They cannot be imported or exported, and if issuers or verifiers leave the registry, credentials linked to them may lose validity or usability. In SSI: portability means freedom of movement. In the Swiss model: portability means movement with the rules.
👉 Christopher, with his anchor Build a 20-Year Architecture, speaks directly to this: avoiding short-term lock-ins that undermine resilience and long-term autonomy.
SSI Principle 4 - Transparency
In SSI, transparency means seeing and understanding both the technology and the governance — in language accessible to everyone, not just experts. The Swiss model provides strong technical transparency: specifications are published, core infrastructure is open-source, the project is on GitHub, and public calls and email channels are available. At the same time, transparency is narrower on governance. Registry decisions, reasoning behind rules, and how incidents are handled remain less visible. Participation channels exist, but they are mostly informative — and mainly reach those with technical confidence or easy online access. In SSI: transparency means seeing both how and why. In the Swiss model: transparency shows the how, but less the why.
👉 Christopher will broaden this lens to institutional safeguards: why technical transparency is not enough without democratic checks and balances that survive political transitions.
SSI Principle 9 - Minimization
In SSI, minimization means revealing only what is strictly necessary — and preventing metadata from linking interactions. Done well, it covers both the content of disclosure and the traces left behind. The Swiss model supports minimization: selective disclosure and batch issuance are in place. But verifiers decide what is “indispensable”, and persistent data — such as the AHV number (a kind of social security number) — along with metadata on the verifier side, still allow correlation across contexts. In SSI: minimization shields both attributes and context. In the Swiss model: minimization shields mainly attributes, and traces remain.
👉 Christopher, with his anchor Build a 20-Year Architecture, highlights why minimization must remain part of a long-term design vision.
SSI Principle 10 - Protection
In SSI, protection means safeguarding the individual above the system. This includes resilience against coercion, safeguards against exclusion, and mechanisms that ensure freedoms cannot be withdrawn by a single authority. The Swiss model embeds protection into law and technology — privacy by design, selective disclosure, device-bound credentials — but continuity still depends on government recognition. If a wallet, issuer, or verifier loses approval, the credentials tied to them lose validity. In SSI: protection shields the person from the system. In the Swiss model: protection depends on the system’s approval.
👉 Christopher, through his anchor on Institutional Safeguards, will show why oversight and the right to refuse are critical to avoid protection-by-permission.
What the Swiss model does right in terms of SSI - at a glance
The Swiss model deserves recognition for safeguards and design choices that place it ahead of many centralized identity systems and provide a solid foundation to move towards a more self-sovereign identity future:
Legal guarantees – Protection is built directly into law. Privacy by design, data minimization, and security obligations are explicitly mandated. These principles are not optional but requirements embedded in the system from the start.
Selective disclosure – The Swiss model enables people to prove individual facts without exposing full credentials. This already reduces unnecessary disclosure compared to traditional ID checks.
Batch issuance – Credentials are issued in groups rather than individually, reducing linkability and the risk of collusion. This makes it harder to trace issuance events back to specific holders, strengthening protection at the infrastructure level.
Device-bound storage – Credentials are stored locally on the holder’s device, secured by trusted hardware. This reduces dependency on central databases and improves resilience against large-scale breaches.
Transparency at the technical layer – Core software of the trust infrastructure must be published as open source (with exceptions for security or third-party rights). Technical specifications and “cookbooks” are openly documented, with participation possible through GitHub and public monthly calls.
Security obligations for participants – Issuers and verifiers must meet security standards and report cyberattacks. This creates clear expectations across the ecosystem and adds accountability.
Democratic oversight – The Swiss model is anchored in democratic processes. Laws such as the Federal Act on Electronic Identity and Other Electronic Credentials (BGEID, 2025) are debated in parliament and can be challenged by citizens, giving them the power to approve or reject them through referendum. This ensures that fundamental questions of digital identity are decided through public debate and direct democracy, not by government decree or private companies alone.
These are real achievements.
Where the Swiss model could do better in terms of SSI - at a glance
Alongside its strengths, the Swiss model also introduces boundaries that make it diverge from the self-sovereign identity vision:
Centralized authority – The same government authority (federal department) operates and governs key parts of the trust infrastructure, concentrating day-to-day control. While the framework is set through democratic processes, individual continuity depends on how that authority manages the details. Shifts in political direction or leadership can directly affect who remains recognized, tying stability to institutional continuity rather than individual choice.
👉 In SSI terms: Authority should be distributed so no single actor can unilaterally decide recognition. Centralized operation ties continuity to institutional choices rather than individual autonomy.
Conditional portability – High-assurance public-sector credentials may only be stored in the government wallet or in third-party wallets explicitly approved by the government. On paper this allows choice; in practice it narrows options and risks a soft lock-in, where alternatives exist formally but remain limited. For issuers and verifiers, identifiers (DIDs) are tied to the government infrastructure, creating a hard lock-in that prevents movement across ecosystems.
👉 In SSI terms: Portability means credentials and identifiers should move freely across wallets and ecosystems. Binding them to government-approved wallets and registries reduces resilience and autonomy.
Partial transparency – Technical openness is strong: specifications, open-source code, and documentation are available. Governance transparency is weaker. Decisions about suspensions or removals from registries — and the reasoning behind them — are not fully visible. GitHub discussions, mailing lists, and participation calls exist, but they are mostly informative and primarily online, limiting inclusiveness.
👉 In SSI terms: Transparency is more than code; it also means open governance, visible reasoning, and participatory decision-making. Without that, trust risks becoming procedural rather than earned.
Limited minimization – Selective disclosure is supported, but verifiers decide which attributes are “indispensable”, leaving holders to accept or decline. Persistent personal data — such as the AHV number (a social-security-like number) — and verifier-side metadata can still enable linkability across contexts, including through collusion between verifiers. Batch issuance reduces pressure but does not eliminate correlation; additional safeguards (e.g., unlinkable cryptographic proofs) remain necessary.
👉 In SSI terms: Minimization should shield both attributes and context, preventing hidden linkability across uses, and ensuring individuals decide what is disclosed: if verifiers define what is indispensable, minimization remains partial.
Protection tied to recognition – Legal and technical safeguards are strong: privacy by design, selective disclosure, batch issuance, and local storage raise the baseline of protection. Yet these safeguards depend on continued approval within the government-controlled infrastructure. If a wallet or issuer loses recognition, individuals lose access. Protection is therefore reliable but conditional, tied to recognition by a central authority.
👉 In SSI terms: Protection should be resilient and continue even if one authority, wallet, or issuer changes. When continuity depends on central recognition, protection shifts from independent to permissioned.
Restricted ecosystem diversity – Issuers and verifiers must remain within the government trust infrastructure, with no option to move across ecosystems. This limits natural diversity and reduces incentives for innovation, while increasing dependency on a single framework. Without alternative trust anchors, resilience is tied to one system, and cross-border interoperability becomes harder.
👉 In SSI terms: Ecosystem diversity is essential: anyone should be able to issue or verify, and identities should remain valid across contexts. Restricting participation to one infrastructure reduces innovation and locks the ecosystem into a single framework.
These limits don’t erase achievements — but they highlight where the Swiss model diverges from SSI.
Closing thoughts
The Swiss model marks a significant step toward building trust in digital interactions. It embeds privacy by design in law, supports selective disclosure, enforces security obligations, and opens its technical layer to public scrutiny. These features place it ahead of many traditional ID systems and reflect a strong commitment to protecting individuals in their digital interactions — even if challenges remain.
At the same time, the model illustrates a trade-off: protection, portability, transparency, and control are all present, but in conditional form. They work reliably within a government-defined framework, yet stop short of the SSI vision where existence and rights are anchored in the individual first.
This is not a failure but a choice of priorities. Switzerland emphasizes legal certainty, predictability, and central accountability. The SSI community emphasizes resilience, decentralization, and individual control. Both respond to real needs; the challenge lies in exploring how these approaches can complement each other.
Looking ahead, the Swiss model can evolve further. Priorities for the future could include:
more participatory governance
broader wallet diversity
stronger selective disclosure and safeguards against linkability
and mechanisms that preserve continuity even if institutions change
Steps like these would bring it closer to SSI’s blueprint while retaining the legal and social strengths that underpin public trust in Switzerland.
In the end, what matters most is trust: trust that individuals are protected, that systems remain accountable, and that digital identity enhances rather than restricts human freedom. On that journey, the Swiss model is not the destination but a foundation — one that can be built upon, adapted, and improved as society, technology, and expectations continue to evolve.
👉 This article has highlighted where the Swiss model aligns with and diverges from six selected SSI principles. Christopher Allen’s presentation later today will expand this with five anchors for digital autonomy and democratic sovereignty.
The Swiss model through the SSI Lens
– in more detail –
-
QUICK TAKE-AWAY
In SSI, existence is independent and “by default”. It precedes identity. Self-sovereign identity derives from the “I” at the heart of identity, and as such begins with existence: the living person, not a registry or credential.
In the Swiss model, things are looked at from the other side: digital existence is granted only after the government confirms you through official records. In that sense, identity (via registry inclusion or the e-ID) defines digital existence. Here, recognition comes first, and digital existence follows.
SSI BLUEPRINT
You exist “by default” without needing permission or recognition. Existence is universal and unconditional, and builds the foundation of your identity, which is defined by context and relationships. As such you can “exist” in many roles and communities at once, and remain digitally present even if a provider, device, or authority disappears. Your digital existence should reflect that – free from reliance on any system, provider, database, or app etc. to make you “real”. In SSI, existence comes first; recognition follows.
WHAT THE SWISS MODEL OFFERS
For holders, digital existence begins with government recognition. It is required both to receive an e-ID — issued and placed into the government wallet on your device — and to use other credentials within the ecosystem, since their presentation depends on issuers and verifiers being recognized as well. Without this multi-layer recognition, you cannot build your digital identity in the ecosystem.
For issuers and verifiers, digital existence within the ecosystem also depends on government recognition through registration in the trust infrastructure. Universities, hospitals, banks, and others must apply for registering their identifier (DID) and be formally recognized before they can participate as themselves by issuing or verifying credentials within the system.
SO WHAT
For many, this provides a clear, predictable, and familiar path. Holders see continuity with passports, residence permits, and other official records. Issuers and verifiers benefit from a straightforward framework: once registered, they are recognized within the ecosystem.
At the same time, this design sets boundaries. Access to an e-ID, or to issuer/verifier status, rests on government recognition. In normal times, this gatekeeping is almost invisible; in moments of crisis or political change, it could affect digital existence itself.
BROADER PERSPECTIVE
From a societal angle, the government wears several hats—issuer of the e-ID, operator of the trust infrastructure, and rule-setter. This concentration ensures reliability but also makes digital existence dependent on ongoing government recognition and infrastructure. If that recognition is withdrawn, digital existence stops.
From a philosophical perspective, this reverses the SSI principle. In SSI, existence begins with being: I am. In the Swiss model, existence is administrative: I am, if I am acknowledged. By making registry inclusion the basis of recognition, existence becomes conditional. SSI principles caution against this: recognition and infrastructure can support existence, but they must never define whether a person exists in the first place.
-
QUICK TAKE-AWAY
In SSI, control means individuals decide what to share, with whom, when, and under what conditions. Identity is shaped by how individuals express their existence through interactions — technically, by managing their own identifiers, credentials, and relationships without outside interference.
In the Swiss model, control exists but within boundaries: the government governs the infrastructure that sets conditions for issuing and verifying, while verifiers define the terms of presentation. What feels like choice is often shaped by rules decided elsewhere.
SSI BLUEPRINT
Control of one’s identity is in the hand of the individual it belongs to. Identity thereby derives from existence in the way existence is expressed through context and interactions, and how recognition follows from that. Control means deciding when and where to interact, with whom, and under what conditions. Technically, this extends to managing identifiers, credentials, and relationships directly, without dependence on outside rule-setters. In SSI, authority rests with the individual: I decide, therefore I am in control.
WHAT THE SWISS MODEL OFFERS
For holders, control seems to be in their hands: credentials, revealing aspects of their identity, are stored locally on their device, with presentation requiring their action. Selective disclosure is supported, and issuers cannot track when credentials are used. Verifiers, however, define which attributes are considered indispensable during presentation, and holders can only accept or decline.
For issuers and verifiers, identifiers (DIDs) are registered and managed by them, but their continued participation in the ecosystem depends on government rules that determine whether those identifiers remain listed, active, and recognized.
SO WHAT
For most, this may feel like being in control: credentials sit on the phone, issuers cannot track usage, and holders give explicit consent before disclosure. Issuers and verifiers operate within a clear framework and manage their identifiers.
At the same time, control is conditional. Holders face verifier-defined requirements — decline, and there is no service. Issuers and verifiers keep their role only while listed and recognized in the registries. The framework delivers stability, but the scope of control is set from the outside in.
BROADER PERSPECTIVE
From a societal angle, the design offers clarity and reliability while ensuring oversight. Yet it also concentrates power: if verifiers broaden what counts as “indispensable", the holder’s on-screen “choice” risks becoming a practical “must-disclose.” If registry rules change, issuers and verifiers must adapt or lose access — and individuals may find their credentials no longer recognized. In both cases, it feels like being shown two doors but finding only one unlocked. Over time, this can normalize broader disclosure or stricter government dictate as the condition for participation.
Philosophically, SSI sees control as self-determination rooted in the person. The Swiss model shifts that paradigm: individuals exercise control, but within government-defined boundaries. The result is reliable and lawful control, but it stops short of self-sovereign identity, where ultimate authority rests with the individual.
-
QUICK TAKE-AWAY
In SSI, portability means identity belongs to you and travels with you — across services, apps, contexts, and even borders. Just as a physical ID works at a bank, an airport, or a hotel, digital credentials and identifiers should move freely without being tied to a single wallet or provider.
In the Swiss model, portability exists but is conditional. Credentials and identifiers can move, but only within the system’s approved boundaries.
SSI BLUEPRINT
Portability ensures continuity. Credentials and identifiers should carry across devices, wallets, and ecosystems without re-issuance or re-registration. Even if issuers or verifiers leave a system, identifiers remain valid so credentials can continue to function. True portability means your identity persists wherever you go, remaining yours rather than tied to any infrastructure. In SSI: portability means freedom of movement. In the Swiss model: portability means movement under conditions.
WHAT THE SWISS MODEL OFFERS
For holders, the e-ID and probably other high-assurance public-sector credentials are (currently) issued only into government-approved wallets, and device binding ties them to a specific phone. Switching is possible but requires wallet approval and re-binding.
For issuers and verifiers, identifiers (DIDs) must be registered within the government trust infrastructure. No external identifiers can be imported, and those issued within cannot be taken elsewhere. If they leave the registry, identifiers lose recognition and related credentials lose validity.
SO WHAT
For many, this seems like portability: you can move to another phone or switch wallets if more than one is available. In practice, portability is conditional – approval is required in some cases, and device binding constrains freedom of choice, creating soft lock-in where alternatives exist only in theory.
For issuers and verifiers, the constraints are harder. Participation begins with registering an identifier inside the government infrastructure; external identifiers are not accepted. Leaving, means losing recognition altogether. Credentials tied to such an issuer stop working, and moving to another ecosystem requires re-registration and re-issuance. The result is hard lock-in, where portability ends at the system’s borders.
BROADER PERSPECTIVE
From a societal angle, this is managed portability: movement is possible, but only along paths approved by the government. If wallet alternatives are scarce or approval is slow, most individuals default to the government wallet, and issuers and verifiers remain locked into the government system. Over time, this can consolidate rather than diversify the ecosystem.
Philosophically, SSI sees portability as universal: identity follows the person, not the infrastructure. The Swiss model makes portability permissioned: formally free to switch, but practically constrained. For holders, freedom risks being symbolic; for issuers and verifiers, lock-in is complete. SSI highlights that portability must be substantive, not nominal — otherwise it risks reinforcing institutional control rather than individual autonomy.
-
QUICK TAKE-AWAY
In SSI, transparency means being able to see and understand not just how the system works, but also how it is governed. It is about open technology and open decision-making together.
In the Swiss model, transparency is strong at the technical layer but weaker in governance.
SSI BLUEPRINT
Transparency goes beyond publishing code. It includes knowing who sets the rules, how trust is assigned, and how decisions are made — in language accessible to all, not just experts. True transparency combines technical openness with governance clarity so that trust is earned rather than demanded. In SSI, this often means open standards, public governance processes, and mechanisms for meaningful participation. In SSI: transparency means seeing both how and why. In the Swiss model: transparency shows the how, but not always the why.
WHAT THE SWISS MODEL OFFERS
For holders, transparency shows up in open documentation: legal provisions, technical specifications, and practical “cookbooks” that explain how the system functions. Regular participation calls and GitHub channels provide additional access points.
For issuers and verifiers, the law requires that the core software of the trust infrastructure be published as open source (with exceptions). Onboarding rules, technical requirements, and processes are openly documented, and email channels provide further means of dialogue.
SO WHAT
For many, this projects openness: laws are public, code is published, documentation is available, and participation channels exist. This sends a clear message: you can inspect the system.
At the same time, transparency is limited. Participation calls are mostly informative for the public, and governance processes — how registry decisions are made, how incidents are handled, what consequences apply — remain opaque. Individuals can see the “instructions” but not always the reasoning behind them.
BROADER PERSPECTIVE
From a societal angle, this creates structured openness: technical visibility without participatory governance. Citizens can review the legal basis, examine the code, and follow discussions, which fosters predictability. Yet transparency feels one-directional: individuals are informed but have few opportunities to shape decisions. Those without technical expertise or online access risk being excluded, while registry decisions remain hidden. Trust risks shifting from being earned to being demanded.
Philosophically, SSI frames transparency as both seeing and shaping: individuals should not only look inside the system but also leave their mark on it. The Swiss model offers clarity of rules but keeps decision-making concentrated in the government. Participation channels lean toward listening rather than co-creating. Transparency that flows mainly one way risks eroding trust instead of strengthening it. And, when the process becomes procedural—understood mainly by experts—the wider public drifts to the margins. True transparency is reciprocal: it shows how the system works and how choices are made, challenged, and adapted, so accountability is mutual rather than imposed.
-
QUICK TAKE-AWAY
In SSI, minimization means revealing only what is strictly necessary — nothing more. It applies to both the attributes disclosed and the traces interactions leave behind.
In the Swiss model, minimization is recognized and supported, but only within defined boundaries.
SSI BLUEPRINT
Minimization means showing just enough to prove a claim — for example, confirming you are of age without disclosing your birthdate. It also means protecting context: avoiding metadata or repeated identifiers that can link interactions over time. In SSI, minimization aims to shield both the content of disclosures and the surrounding circumstances, ensuring privacy across different uses. In SSI: minimization shields both attributes and context. In the Swiss model: minimization shields mainly attributes and leaves traces.
WHAT THE SWISS MODEL OFFERS
For holders, minimization is written into law. Issuers cannot track when credentials are presented, and registries avoid storing personal data, providing status checks without exposing identity. At the same time, credentials contain personal data that is typically unchanging — such as the AHV (a kind of social security number) — which increases correlation risks across contexts.
For issuers and verifiers, the infrastructure enforces technical standards that enable selective disclosure, the law mandates minimal disclosure but it does not restrict how much information verifiers may request. The decision of what is “indispensable” remains with verifiers.
SO WHAT
For many, minimization is a strength of the Swiss model. It is mandated by law and supported technically through selective disclosure (e.g., SD-JWT-VC), allowing only the required attributes to be shown. This places the system ahead of traditional ID models, where entire credentials must always be revealed.
At the same time, minimization remains partial. Holders face binary choices — disclose or decline — when verifiers request attributes. Verifiers, not individuals, decide what is indispensable – even if mandated by law, the verifiers may decide what compliance means. Metadata and persistent identifiers like the AHV number still create correlation risks that minimization alone cannot eliminate.
BROADER PERSPECTIVE
From a societal angle, minimization strengthens trust by embedding privacy into law and practice. Selective disclosure reduces overexposure, and batch issuance complicates tracking or collusion. Yet risks of correlation persist through metadata, verifier logging, and persistent identifiers.
Philosophically, SSI extends minimization beyond attributes to the full context of interactions. The Swiss model takes important steps — strong on attribute minimization, supported by batch issuance — but stops short at the metadata level. Privacy is enhanced, but it remains conditional rather than fully under individual control.
-
QUICK TAKE-AWAY
In SSI, protection means putting individual rights first. If system rules and personal freedoms collide, the framework must adapt. True protection includes resilience against coercion, safeguards against exclusion, and mechanisms that ensure freedoms cannot be unilaterally withdrawn.
In the Swiss model, protection is anchored in government rules and reinforced by technical design, but it remains conditional: the same authority both operates the trust infrastructure and governs it.
SSI BLUEPRINT
Protection means siding with individuals, not infrastructures. When uncertainties arise, the system should preserve freedoms: the right to disclose only what is necessary, the right to remain recognized even if institutions change, and the right to continuity even if one provider fails. Achieving this requires resilient mechanisms that prevent coercion or exclusion, often supported by decentralized structures so no single actor can override recognition on their own. In SSI: protection shields the person over the system. In the Swiss model: protection depends on the system’s approval.
WHAT THE SWISS MODEL OFFERS
For holders, protection is written into law: privacy by design, data minimization, and security obligations are mandatory. Credentials are stored locally on the device, can be bound to hardware, and issuers cannot track their use. Selective disclosure reduces overexposure, and batch issuance complicates linkability by making interactions harder to trace back to individuals.
For issuers and verifiers, the law requires appropriate security measures, mandatory reporting of cyberattacks, and revocation and credential integrity checks. Bug bounty programs and open-source publication of core infrastructure add further safeguards.
At the same time, continuity depends on government approval: if a wallet loses certification or an issuer is removed, all related credentials lose validity.
SO WHAT
For many, this provides strong safeguards against misuse, fraud, and surveillance. The Swiss model embeds protection directly into law and technology, raising the baseline compared to traditional systems.
At the same time, protection remains conditional. If recognition is withdrawn — for a wallet, issuer, verifier, or credential — continuity is lost. Identity remains accessible only as long as the government infrastructure approves it.
BROADER PERSPECTIVE
From a societal angle, the Swiss model offers robust legal and technical defenses against everyday risks. Privacy by design, selective disclosure, security requirements, and batch issuance all reduce exposure. Yet protection depends on centralized recognition: the same authority that operates the infrastructure also is at the top of the approval chain. If recognition is withdrawn, continuity for users is interrupted. Safeguards are strong but conditional on one authority’s stability and decisions.
Philosophically, SSI frames protection as preserving individual rights over system rules: if person and system collide, the person must prevail. The Swiss model reverses this priority: it protects by controlling, ensuring security through conditional recognition. Protection here becomes protection through permission. SSI principles caution that true protection requires resilient, decentralized mechanisms — such as distributed trust anchors — that cannot be unilaterally withdrawn.
Change History
Update Oct 3, 2025: Clarified the Swiss focus of the misconceptions about SSI that sparked this article, added a ‘How to read’ section with links, replaced AHV with ‘AHV number,’ introduced visual highlights, and noted that this article reflects my view — written as objectively as possible.