[mcv]

Finally!

The entire country has been clamouring for this for weeks, and the government has been completely silent about it. A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option, and there wasn't a lot of confidence that the government would do that.

The whole reason for this is that Solvinity host DigiD, the Dutch e-ID system that handles authentication to all government and many other sensitive systems (healthcare). With the US law that the US government should be able to get access to any data held by a US company, regardless of where it's hosted, this system clearly should be kept out of American hands.

Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies. No idea when they're going to do something about that.

[jorvi]

It is a bit more complex tham that.

Logius is the company that actually owns and manages the DigiD stack, it's just that they hired Solvinity for their expertise. AFAIK Solvinity can't access the data.

I can't find it right now, but on Tweakers there was a long comment by someone on the inside that explained Logius basically had almost no know-how of how the current stack works, and there's lots of bespoke stuff. Basically classic vendor lock-in. The government (rather, Logius) now really wants to transition away from Solvinity, but that will likely be a 5+ year process.

I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized. Would lead to a much better product. A man can dream :)

[WhyNotHugo]

> I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized.

Argentina's ministry of education did something like this with university software. The one used by students to sign up and by teachers to track grades, etc. There's a single open source modularised, customisable system made country-wide, and public universities customise it to their needs.

Before this initiative, every university was implementing their own software from scratch. In many cases, different faculties (e.g.: Engineering, Natural Sciences, Humanities, etc) each had their own software development teams developing their own independent software stack.

[vinay427]

> Argentina's ministry of education did something like this with university software. The one used by students to sign up and by teachers to track grades, etc.

For what it's worth, this seems roughly equivalent to Moodle, which is open-source (GPL) and used globally, apparently especially popular in some of western Europe, the US, etc. [1] School systems can and do of course customise it as needed.

[1] https://stats.moodle.org/

[bigfudge]

The problem with Moodle is that it's terrible. Yes you can customise it, but the core must be 20+ years old now, and it really shows. Universities don't have the talent in house to do anything more than bodge solutions for local bureaucratic knots. That doesn't generalise into an improving system over time.

[frevib]

> AFAIK Solvinity can't access the data.

Solvinity is the hoster. It can fully access the stack.

[crote]

It's even more complicated: the datacenter and the servers are owned and operated by the government, and the DigiD app itself is owned and operated by government-owned Logius.

From what I have been able to deduce, Solvinity is contracted for some kind of sysadmin services - so basically Kubernetes babysitting?

[overfeed]

Are you suggesting sysadmin access isn't sufficient to access data?

[mcv]

How can you be sure that Solvinity can't access the data if Logius doesn't know how the current stack works? 5+ years to migrate sounds really bad.

[metalface]

> 5+ years to migrate sounds really bad.

That's nothing. The Dutch tax authority has spent the last 5 years deliberating a migration from on-prem IBM Notes to M365.

[Kaliboy]

Honestly they have good separation of concerns in the Dutch government. And running the stack doesn't automatically mean hosting the services, there's enough local expertise in the Netherlands to run that.

A few years ago I had the mispleasure of working for the island government of Bonaire, and they kinda run the same systems as they do in the mainland, being a sort of municipality.

Since all gemeentes in the Netherlands are basically independently run but have to communicate with each other for DigiD but also the GBA (ID system) and loads of other stuff, they invented a standard. It's a SOAP based monstrosity called StUF, and you better spell it like that.

I can't find much about StUF in English, but there is this about the succesor where they lament on how engrained StUF still is.

https://www.conduction.nl/commonground/

It wouldn't surprise me that migration to common ground is what they are refering too. StUF knowledge is not widespread due to the level of vendor lock in. There's not many vendors and outside GovIT nobody cares about StUF.

[Muromec]

Estonia's tech was cool maybe 20 years ago. From what I understand it's a bit too hard on fetishization of PKI and Ukraine goes too hard on apps. Netherlands actually gets it really well with DigId that is doing bare minimum needed to actually perform eidas stuff without getting into the woods with legally blessed asn1 schemas and oid [0].

I'm not sure what bespoke stuff they invented to get their sweet vendor lock in eurobucks, but the whole thing is nothing more than an OAuth provider for 19 million people. I guess NFC integration in the app that reads physical ids is on a fancier side, but I suspect on that side it's vendor locked by card vendor and their SDK.

[0] https://zakon.rada.gov.ua/laws/show/z1398-12#Text

[Teever]

Can you elaborate on what you find problematic about the Estonian ID stack?

[sam_lowry_]

For one, they had a a major f-up with eIDs in 2017: https://ria.ee/en/news/estonia-resolves-its-id-card-crisis

And they are just good at marketing. Belgium had eIDs earlier never messed up so much as Estonians.

[Muromec]

Yeah, but it was the vendor who fucked up, not them. One can argue that using long-term certificates is bad practice in itself, but that's arguable.

[Muromec]

Disclaimer: I have more exposure to Ukrainian variation of this setup (see jkurwa) than to actual Estonian and extrapolate a bit from what I heard from people. Half of this may be outdated or wrong, but I believe that the general vibe is correct.

From what I know about Estonian eID stack, they use traditional PKI to the full extent -- LDAP, PKI, OCSP, all the standard designs from the 90ies and then internally (for use by the government itself) they have a sort of a document exchange system on top of that where everything is done through CMS (PKCS). I believe this is why eIDAS and trust services directive talk about trust lists, qualified certificate authorities and all that.

So you get a physical id card that is a smart card for X509 certificate and then sign, encrypt and do all the stuff you do with keys once you figured out key management. Since the key can't leave the card you need to deal either with a special Estonian keyboard that doubles as a keyreader (in Ukrainian flavor we get a mobile app that can generate a key and get x509 issued remotely, maybe Estonia has that too nowdays or we get a file-based key from a trusted provider, like a bank) or get an actual keyreader or a phone. On the provider side you also have to deal with trust lists, because Estonia and Lithuania don't use the same root of course.

The first gotcha is -- if you have LDAP, CSP and OCSP and can query those, that's a bit of a privacy risk (AFAIK, primary key is based on the date of birth, because reasons). Second gotcha -- key rotation is not practical, so certificates are long lived. Certificates that I saw had demographic identifier of the person as a serial, which is not great for privacy, but convenient for deployment I guess (for comparison, Ukrainian flavor only allows CSP through subject key and has the number deep in the directory lookup extension)

I don't think the stack is bad, but I think it's an overkill for the basic feature of logging into the government website and blessing some bytes with your legal persona. It does help when the user signs a legal document and then tries to walk it back (for example because the document is now an exhibit A in a VAT fraud case, yes real story). I think this particular problem can be solved by non-technical means. More specifically, PKI solves the problem of verifying the identity of the user and then allowing to prove to a third party that it happened.

What is actually needed from the ID stack is allowing a first party in a closed system to match the token presented by a second party to their legal identity. I don't believe cryptographic signing or key derivation is really necessary, as the system that produces the key and the system that verifies the signed artifact are the same entity in most threat models.

I think DigID does the right thing by being a glorified OTP generator with more or less nice UX that solves just that. The actual problem is key provisioning anyways, but once you have done that, it isn't necessary to go full PKI.

To make my point even more ahm pointy, we don't use client X509 to log into github or google. We use passwords, HOTP and fidokeys, because x509 has bad UX and bad security too (in practice)

Add: downvotes for explaining why PKI is an overkill? okay, I will not survive that

[Fnoord]

I appreciate your comment, but don't bother complaining about moderation. It isn't an interesting read.

Why not use the cert on the ID to sign your own private key in the chain? That way, you can revoke the keypair should the need arise. The private key on the ID card would be valid for as long as the ID card is valid (here in NL: 18+, 10 years; 18- 5 years). And you can use each keypair for whatever. The benefit (and possible disadvantage) is the government knows you are you.

[fc417fc802]

It's a wall of text prefaced by your disclaiming that you don't really know what you're talking about. So then why would I want to read that? Just say "yeah I'm not really sure about the details what I wrote above was word of mouth" and move on.

[dr_dshiv]

See the Foundation for Public Code: https://www.publiccode.net/

[hermanzegerman]

The German eID stack does also work well, just as the Austrian one does.

Tbh I like the German one even better because you need your physical Identity Card and can use your phone as the reader

[krzyk]

Maybe better, but less useful. I don't carry my Identity Card at all, unless I cross the border within EU where it is used. All other functions I have in our country app. To which I can log in using physical card, but I have other options that are online.

[Yaa101]

In the Netherlands it is mandatory to carry your ID card or passport at all times.

[spockz]

Not true. You have to be able identify yourself on the street in case the police wants to talk to you. A driver’s license is also valid identification.

[lava_pidgeon]

Germany as well

[tinfoilhatter]

What are the penalties for not doing so? I'm always amazed at the willingness of Europeans to follow rules like these, regardless of their impact on personal sovereignty. People in Finland were the most extreme example of this behavior that I've ever encountered. People would look like you murdered a child for jaywalking in Helsinki.

[alphager]

Nope. You have to possess a valid ID or passport, but you are not required to carry it. Keeping it at home is perfectly fine.

Carrying it is practical and most Germans do carry their ID, but it's not a requirement.

[retired]

Not exactly. The Netherlands has an identificatieplicht (an obligation to identify yourself), not a formal draagplicht (an obligation to physically carry ID at all times).

Police may require identification only in specific situations connected to their duties, not arbitrarily. If you cannot show valid ID when requested, you can still be fined or taken to a police station to establish your identity, so in practice most people do carry ID anyway.

The distinction is historically sensitive in the Netherlands because compulsory identification documents were heavily associated with Nazi occupation policies during World War II.

[NoahZuniga]

Logius is actually not a company but a part of the dutch (national) goverment.

[Muromec]

It's a state owned enterprise as far as I remember. So technically they don't wear civil service uniforms in the office, but still get the usual government office hours.

[RobotToaster]

The Dutch civil service wears a uniform?

[GuinansEyebrows]

blue jeans with an embroidered logo and 3 liters of hair gel.

[erikvanoosten]

No

[mcv]

Except for the military.

I once interviewed for a job at what I think was a civil service branch that developed software for the military. But they were out of budget for this, while the military did have budget, so if I was hired, I'd have to wear a military uniform to the office. A very stylish one, they claimed.

[NoahZuniga]

No I checked this. They aren't.

[shiandow]

In that case we can indeed safely assume they have no technical knowledge.

[WhyNotHugo]

For some of functionality, DigiD itself requires an iOS or Android app (for which you need to enter a contractual agreement with either Apple or Google and they decide whether you are allowed to install and use the app).

I understand that this particular path doesn't allow them to access further sensitive data, but it does give these corporations the power to block any individual for accessing the DigiD app.

You don't need the app for most functionality, but for a few healthcare related tasks, it's the only option, with no fallback.

[davedx]

Which tasks? I use DigiD with SMS and I've never needed to install an app, I have healthcare etc etc.

[Muromec]

I believe there are three levels -- password only, otp and otp after you tap the id card in the app (I think it's just once).

My healthcare provider changed their online thing this year and that new thing required highest assurance level. I think they changed it back because you can only tap with the Dutch id card (not the residence permit or other country's ids).

[WhyNotHugo]

Once specific task was linking an Apotheke to my healthcare provider. SMS was not allowed for this flow. I've seen other scenarios, but I don't recall them.

[hvb2]

> A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option,

Given what we know now, this seems perfectly logical. It's just that we don't know what else is going on behind the scenes.

I'm sure there was some negotiations on how to keep the data separate or something, with the threat of blocking it altogether as a final solution.

But agreed, this is a good outcome

[monegator]

> I'm sure there was some negotiations

which i'm sure the current administration would honour

There should be grave consequences alone for the fact that the goverment acted against the parliament

[hvb2]

> which i'm sure the current administration would honour

It would've been the same administration as the one doing the negotiations, so I would assume yes.

> There should be grave consequences alone for the fact that the goverment acted against the parliament

In general I think there's a pretty good understanding between the legislative branch and the executive branch. The Netherlands has always had coalitions. Also, every single government will talk to the other parties.

I'm not sure what country you're referring to but the Netherlands has a properly functioning democracy. The only problem it has is splintering into too many small factions making coalitions super hard

[mcv]

There are certainly countries that have it worse, but Netherland has some weird political games being played sometimes.

[hvb2]

The voters don't always deal the cards favorably for the coalition system. Compared to a 2 or 3 party system, I think I still prefer the coalitions though as it forces them to negotiate

[mcv]

Yeah, but this time the coalition negotiations were rather dirty. The largest party and therefore most likely prime minister was the most progressive of the centrist parties (D66) and would normally want to work with the moderate left-wing labour party (GLPvdA, now PRO), but the most conservative of the centrist parties (VVD) banned them from negotiations, and preferred one of the right-wing/racist parties (Ja21) instead. If the other two centrist parties really wanted, there could have been a left-center majority of 6 parties, but instead, they let the VVD call the shots, and now it's effectively a VVD minority government.

(VVD had previously also voted to label antifascism "terrorism", which I'm sure must have caused Benjamin Telders, the antifascist they named their scientific bureau after, to spin in his grave.)

[BigTTYGothGF]

> executive branch

I didn't think the Netherlands had one of those.

[hvb2]

'het kabinet' or 'de regering' is the executive branch in NL. You don't need a president to have an executive branch.

Eerste/tweede kamer. Legislative, make the laws Ministers/staatssecretarissen, executive, implement policy Hoge Raad etc, legislative.

Look up trias politica

[WJW]

Sure they do: https://prodemos.nl/kennis/informatie-over-politiek/wat-is-e...

[Muromec]

There was that chip company that was almost nationalized by the Dutch government few months ago when their Chinese owners started making funny noises.

[DoneWithAllThat]

> With the US law that the US government should be able to get access to any data held by a US company

Er, what law is this, exactly?

[frevib]

CLOUD Act and FISA §702

[davedx]

CLOUD Act.

[fsckboy]

it is not easy with a quick search to ascertain the subtleties of the CLOUD Act.

the example case on wikipedia entails a US citizen storing data with Microsoft, a US company, data that Microsoft offshored from the US. So in that case, the US Courts and politicians seem on pretty firm ground to consider that data to be "obtainable" by court order; it wouldn't make sense for American vendors to to create a privacy "double Dutch sandwich" as is done with corporate income tax loopholes. Letting the law go that far would not be a threat to "Europe".

Now if Europeans were committing crimes in the US without being in the US themselves (let's say organized crime trafficking to the US or operating phone scams) that raises more interesting questions about jurisdictions, but that discussion is only productive with good knowledge of what US-European cooperation is already in place or considered "within the pale" due to shared mutual concerns

According to wikpedia, "the CLOUD Act asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in."

It could "scare" Europeans to read that, but an important keyword is "requested by a warrant": to be scared by it, you'd need to know that US Courts are issuing warrants for Europeans who are not committing crimes in the US, which I doubt. Europeans committing crimes I already touched on.

wikipedia continues, It also provides an alternative and expedited route to MLATs through "executive agreements"; the executive branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens.[8][9] The first such agreement was with the United Kingdom.[10] There is a FAQ appended to the white paper published by the U.S. Department of Justice.

This aspect of the CLOUD act should not specifically scare Europeans, they should rather be scared of their own governments cooperating in such schemes. For Europeans to want the US not to have the CLOUD act to protect them from their own governments is rational, but not something that can be discussed, it would melt European brains to say anything positive about the US.

wikipedia goes into more interesting areas for US/Euro conflict (for example, who would be covered by the GDPR for the information that the CLOUD act covers) which is interesting but I'm less equipped to discuss that than the preceding. here is the link you can chase down if you want https://en.wikipedia.org/wiki/CLOUD_Act#International_reacti... https://en.wikipedia.org/wiki/CLOUD_Act#International_reacti...

[k12sosse]

Yeah but outside US there has never been a lower trust in the US or their courts, so, we veto all new purchases to err on the side of sovereignty.

[cyanydeez]

lets be frank, these are changes caused by the downgrading of the American administration to a subscription services behind a paywall that requires DLC, root based encryption bypasses and a Clippy popup that instead of trying to be helpful is indistinguishable from a mafia racket.

[edwinjm]

*for months

[tcp_handshaker]

>> Finally!

You are behind the curve. You read here first. Lets revisit this comment in 2 years...

This will be overturned by both Dutch and European courts after the company appeals, and specially after Mark Rutte Daddy calls. The only purpose of this action is for the Dutch government to save face, and its for internal consumption. They already have the internal legal advice stating this, hidden away in some closet. But then they will say: You see, we wanted to do it but a court blocked us.

>>Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies.

The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....

"Microsoft Accused Of Sharing Dutch Officials’ Data with U.S. Government" - https://www.yahoo.com/news/politics/articles/microsoft-accus...

This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks... And they will use as example, the diplomatic service extensive use of Microsoft :-)

So is nothing more than another Polder hypocritical take, by the Dutch government.

[Aaargh20318]

> They will argue that the decision was politicized,

It’s not ‘politicized’, it’s the gateway to all Dutch government services and as such it is inherently political.

> insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks...

There are no legal safeguards against the CLOUD act. There can be no technical or legal safeguards as long as the physical hardware is owned by a US company.

[Muromec]

>The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....

There is a broad digital strategy to migrate off from American infra. Will take 10 years, but this stuff has inertia once it starts moving.

[noirscape]

In 2 years the contract is up for renegotiation to a different entity (and there's now plenty of political pressure to go with a different one), so I don't think it's a problem by then.

Tying the process up in the courts for that period is also a political victory, since by the time it'd be resolved, Solvinity wouldn't have the contract anymore anyways.

[mcv]

> This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks... And they will use as example, the diplomatic service extensive use of Microsoft

How would that argument support a sale to the US? It sounds like the perfect argument against it. Those technical/legal safeguards clearly didn't work for Microsoft either.

[tcp_handshaker]

You are using logic to argue for the best and most correct outcome, I am using logic, to state how and why, this will play the way it will...

[j_maffe]

> Mark Rutte Daddy calls

Mark Rutte, the chief of NATO and ex-PM, that has nothing to do with civilian tech? Can we please leave unfounded conspiracy theories to Reddit?

[ifwinterco]

I have no idea if he's involved in this at all (does seem fairly unrelated) but Mark Rutte is indeed an extremely dodgy bloke.

Not sure exactly who he represents but his actions as NATO secretary have been genuinely a bit concerning for me, he seems determined to start a war with Russia

[tcp_handshaker]

[1]- NATO Secretary General responsibilities:

"...Above and beyond the role of chair, the Secretary General has the authority to propose items for discussion and use their good offices in case of disputes between member states....

...In order to facilitate this process, the Secretary General maintains direct contact with Heads of State and Government, and Foreign and Defence Ministers in NATO and partner countries...."

[1] - https://www.nato.int/en/about-us/organization/nato-structure...

And Mark Rutte has been shaping the domestic fiscal debate inside the Netherlands [2]: "...Mark Rutte said the Netherlands must significantly boost defence spending and pointed to Dutch spending on pensions, healthcare and social security, saying only a small fraction of those allocations would strengthen defence..."

[2] - https://nltimes.nl/2024/12/03/nato-leader-rutte-netherlands-...

And on conspiracy theories - Do you trust the Financieele Dagblad?

https://nltimes.nl/2025/11/20/asml-offered-spy-us-breaking-e...

[tosti]

Dutch and belgian citizens are being misled over and over again. The more you'd dig into it, the less it all makes sense.

All we get are documents with nearly everything censored except for very benign things. Only time will tell what's going on, but I doubt I'll live the day

[hvb2]

Does that sound outlandish to you? It doesn't to me...

It's probably something he would use as 'change' to resolve something unrelated with NATO. Then he can sell how well he's keeping NATO together

[mschuster91]

> unfounded conspiracy theories

Their sentiment is that Trump intervenes by whining to Mark Rutte, who seems to be the only European Trump is actually willing to listen to, at the expense of course of giving up all his dignity in calling Trump, literally, Daddy [1].

And I would not put it past Trump to do that... I mean, that's what he already did regarding Tiktok.

With Trump nothing is impossible any more, especially if he or someone in his circle stands to make or lose money. And that's the greatest danger in the US turning into a full blown banana republic.

[1] https://www.politico.com/news/2025/06/25/nato-chief-calls-tr...

[WJW]

So what do you expect the outcome to be if Trump complains to Rutte, who will then do... what exactly? Ask the current PM to do him a favor because of "reasons"? An overwhelming majority of people in the Netherlands oppose selling this company to the US, an overwhelming majority of political parties voted to block the sale and now the secretary of state in charge of this particular department indeed blocked it.

It seems to me that there is no way that Trump could overturn this decision via Rutte that Trump couldn't accomplish on his own by just threatening the Netherlands directly.