Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

The Dutch government has formally opposed the introduction of backdoors in encryption products. A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt …

  1. Drs. Security

    Dutch government and IT (Security) in general

    Whilst I must give kudos to my own government (or at least the given ministry, which also houses the national cyber security center btw), I am far from convinced that the same reasons of privacy and security of communications play any role in the way the Dutch government is itself handling private and sensible data in the first place.

    On the contrary, I have seen enough examples in which the opposite is true (either by lack of knowledge and understanding or just because it seems unnecessary).

    Let this be a step for the Dutch government not only to sponsor a good opensource project but to really improve their own security posture.

    1. Anonymous Coward
      Childcatcher

      Re: Dutch government and IT (Security) in general

      "Let this be a step for the Dutch government not only to sponsor a good opensource project but to really improve their own security posture."

      ISTR that the Dutch govt settled on OpenVPN as their VPN of choice and after auditing the software created their own distribution of it. OpenVPN uses OpenSSL, so this sponsorship would logically help to improve their security.

      As OpenSSL is open source, then we all benefit - thanks Netherlands. Mind you I can't help but notice the lack of a padlock in my browser at the moment 8)

      1. jap

        Re: Dutch government and IT (Security) in general

        Actually, OpenVPN-NL (the VPN distribution vetted by the Dutch government) doesn't use OpenSSL at all - it makes use of PolarSSL^WmbedTLS. This because polar's codebase was readable and small enough to audit, as opposed to OpenSSL... and this all happened before everybody + dog started hating OpenSSL.

        1. Dan 55 Silver badge

          Re: Dutch government and IT (Security) in general

          PolarSSL being from a Dutch company can't have hurt either.

          1. Anonymous Coward
            Anonymous Coward

            Re: Dutch government and IT (Security) in general

            PolarSSL being from a Dutch company can't have hurt either.

            That's not good. That means the Dutch government could have pulled an NSA on them - introducing a backdoor and also stopping them notifying anyone about it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Dutch government and IT (Security) in general

              That means the Dutch government could have pulled an NSA on them - introducing a backdoor and also stopping them notifying anyone about it

              But presumably OpenVPN-NL is for their own use and not for adoption by citizens other than for when they're interacting with government services. Arguably PolarSSL might be tainted but the NSA have nobbled general purpose crypto used by world+dog.

            2. Dan 55 Silver badge
              Happy

              Re: Dutch government and IT (Security) in general

              Now that ARM took them over, maybe the backdoors were transferred to GCHQ...

            3. Jeroentje
              WTF?

              Re: Dutch government and IT (Security) in general

              Why would they build a backdoor in software that they use?

              1. Drs. Security

                Re: Dutch government and IT (Security) in general

                Besides the fact that OpenVPN or OpenSSL or whatever similar stuff built by any company is transport layer security only.

                This simply means that data is protected on the cables and wireless internet links, not in storage or in use or in any other way whatsoever.

                So nice of the Dutch government to protect data in transit (that's the bloody least they should do) but that's far from a total security posture including securing servers, authentication on basis of need-to-know and least privilege etc.

                As for that openVPN NL-style? That's certainly not used by citizens communicating with the government and looks to me like their attempt to rewrite the ISO27001:2005 to their own "security" standard.

    2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: Dutch government and IT (Security) in general

      On the contrary, I have seen enough examples in which the opposite is true (either by lack of knowledge and understanding or just because it seems unnecessary).

      Let this be a step for the Dutch government not only to sponsor a good opensource project but to really improve their own security posture.

      This may indeed change soon. This year will see an enormous amount of activity re. privacy and security, mainly prompted by the shenanigans surrounding Safe Harbor and the still pending decision of Microsoft vs DoJ (at least, I THINK it's still pending - I would welcome any update anyone may have as I predicted last year that this case would quietly go away as either outcome would cause problems).

      As for the lack of scaremongering, it's an indication that the far right has had no say in this. Scaremongering isn't very Dutch. The nation used to be fairly levelheaded but the far right has started to bring in US style tactics and, embarrassingly for us slightly older folk, they seem to work, leading to polarisation in an otherwise fairly relaxed attitude towards the world (even without drugs :) ).

      The result is a sharp ramp up in internal conflict, making the doom & gloom predictions of the far right a self-fulfilling prophesy...

      1. Drs. Security

        Re: Dutch government and IT (Security) in general

        Unfortunately you will see that in Europe in its entirety at the moment. But that is somewhat besides the point discussed here.

        As for right wing politics in the Netherlands, we'll see what happens at the next elections in probably 2017.

  2. Anonymous Coward
    Anonymous Coward

    Cue all the comments suggesting that the Dutch government might have a different view once they suffer a major terror attack of their own.

    The problem with the above position is that laws made after such an event are often far from proportionate or well thought out.

    We must make these legal determinations during peace time as the media and partisan politicians make incredibly bad government when under duress.

    I applaud the Netherlands for making such a nuanced and thought-out study of this topical subject amidst their peers making rash and illiberal pronouncements.

    1. Grikath

      You'd be surprised how much violence there currently is in the Netherlands. There's been a particularly violent criminal turf war going on, including public "executions", the immigrant/refugee issue has come to the boiling point, and the number of murder/suicide "family tragedies" is at an all-time high.

      I'm not familiar enough with UK legislation to know whether or not the Dutch situation applies, but here it's possible to suspend an individual's rights on Ministerial Authority in individual cases for specified reasons in law. This allows for "sensible and balanced" laws that apply to Joe Average, while ensuring a paper trail in case the Government feels the need to pay Special Attention to someone/thing. This is enforced by the Judiciary, who've proven to be more than willing to toss out cases where Proper Procedure has not been followed.

      As with any system, it's not perfect, but it works.

      1. Anonymous Coward
        Anonymous Coward

        while ensuring a paper trail in case the Government feels the need to pay Special Attention to someone/thing. This is enforced by the Judiciary, who've proven to be more than willing to toss out cases where Proper Procedure has not been followed.

        This is the exact bit that is missing from much of what is happening in the US and the UK. Oversight, transparency, and actual consequences when someone has been wilfully creative with the rules. Although, as far as I know there isn't much transparency to the working of the Dutch secret service (BVD) either.

        I'm OK with secrecy, provided there is credible oversight. The "credible" is where the problem lies.

  3. The Man Who Fell To Earth Silver badge
    Stop

    Saying 'no' to backdoors means nothing

    A government saying it won't require back doors is meaningless unless that government also outlaws the presence of back doors that are not disclosed to the end user.

    1. NotBob

      Re: Saying 'no' to backdoors means nothing

      You seem to forget the cardinal rule;

      All the laws we pass apply to all of you all the time. We passed them, so we can ignore them.

      At least that is how it seems to work here...

      1. Drs. Security

        Re: Saying 'no' to backdoors means nothing

        Plus they don't count for our intelligent agencies because we have a committee watching over them so they don't do something really stupid (yeah right)

  4. Anonymous Coward
    Anonymous Coward

    "But the most important debate rests in the United States, where the majority of the products and services used online stem from."

    LMFTFY:

    "The most insidious debate is occurring in the United States, where the majority of snooping and prying into other people's business stems from."

    The "importance" of the debate in the US concerns the degree to which the rest of the world will continue to trust online products and services based there with their data (read: business).

    1. Mark 65

      Those global products only stem from there at the current time. Make the wrong law and wait for the exodus - it'll either be the companies or the users.

    2. WatAWorld

      You know how the rest of the world does not allow US-made guns to be sold to its citizens.

      You know how much of the world uses 220 V 50 Hz electrical equipment.

      You know how the USA is NTSC while much of the world is PAL.

      Then you know that the US position of writing most of the world's software and designing a fairly large percentage of its hardware is a tenuous position that will inevitably change over decades, and could be made to change even faster.

      1. Boothy

        Quote: You know how the USA is NTSC while much of the world is PAL.

        Not sure if you've noticed, but most places had a bit of a digital switch over a few years back.

        Most of the world is now using DVB-T, especially in the developed world, the remaining PAL countries are mostly limited to 2nd or 3rd world ones, with many of those in the process of switching, or at least planning to switch, to DVB-T.

        The USA of course, decided to do its own thing, and now uses ATSC rather than NTFS.

        1. TheVogon

          "Not sure if you've noticed, but most placed had a bit of a digital switch over a few years back."

          OK, to update that for those that have switched, most of the world uses 50Hz display standards while the USA is still stuck on 60Hz. That's why cinema films look so crap (juddery) on screens set to US settings - they have to do 3:2 pulldown....

          "now uses ATSC rather than NTFS."

          I think you mean NTSC (Never Twice the Same Colour as we call it).

        2. Anonymous Coward
          Anonymous Coward

          "now uses ATSC rather than NTFS"

          There's their problem, using a 20 year old knackered filesystem to encode the video stream!

        3. Uffish

          NTFS ?

          Is that the (revolutionary, for its time) color system that is Never Twice the F-cking Same, or do you work in IT?

      2. a_yank_lurker

        @WatAWorld - Some of the differences have to do with when the national standards were set. Some of the differences are relatively easy to handle (change the power supply for 110/220), others are not so easy.

        As far as losing technical leadership, the US certainly will be facing a much more competitive landscape in the future - there are plenty of very bright engineers, scientists, etc. outside of the US that this will happen as their home countries develop.

  5. Palpy

    Augh, encryption and Paris.

    I think that "possible use of encryption" lets law enforcement off the hook.

    As the Columbia Journalism Review noted,

    "What have we learned since the 'ban encryption' movement gained full steam on the first weekday after the [Paris] attack? It turns out that most of the attackers were already known to intelligence agencies. Within a week of the attack, we found out they had used Facebook to communicate, as well as normal SMS text messaging. The ringleader even bragged about infiltrating Europe and planning an attack in ISIS’s English language glossy magazine, complete with a photo spread. ... The terrorists used their real names and identification cards for hotel and rental car reservations and did not noticeably try to cover their tracks."

    If law enforcement and security organizations cannot catch terrorists who advertise on Facebook and in magazines, complete with photos of themselves, then giving those same agencies backdoors to encryption is not going to help.

    1. John Brown (no body) Silver badge

      Re: Augh, encryption and Paris.

      ...and the same pretty much applies, at least, to all the more recent attacks. All were "known" to the security services and none were using encrypted comms. This whole "ban encryption" band wagon is just grandstanding so governments can be seen to be doing something while satisfying the spooks wet dreams.

      1. WatAWorld

        Re: Augh, encryption and Paris.

        You're 100% correct that our security agencies do not need backdoors and global spying on peaceful civilians to keep terrorists out. It is a pointless distraction in that regard.

        I believe the main use of backdoors to encryption by our security agencies will be for keeping our current and future politicians under control, to keep security agencies' budgets up, to turn our countries into mini-Russias, mini-Chinas and mini-Soviet Unions, where current and past members of security agencies control (and own) both government and industry.

        1. Chris Parsons Silver badge

          Re: Augh, encryption and Paris.

          And the worrying thing - Reg readers apart - no-one seems to give a shit.

    2. Mark 85

      Re: Augh, encryption and Paris.

      Well said. Many of us have been saying that for quite a while. Those who believe that the government will provide security in exchange for freedom are obviously idiots as the governments (world-wide) can't provide what they call security with the information they do have. I can't say all the attacks in the last year were not stopped because of "encryption", but the ones where comms were in the clear and publicly available sure as hell weren't stopped.

      This is to the governments:

      <rant on> You want my freedom in exchange for security? Fine... show me that you can handle the info you get in the clear first. As it is, your arguments for backdoored or no-encryption are a low grade of BS when the very thing you claim you want my freedom for is happening.. and you do nothing except to say "oh yes, we knew about them."

      A bigger problem than terrorists are the miscreants who would take our savings, our identities. Stop them and again, then maybe we can talk about taking "freedoms for security". <rant off>

      1. gcla72
        Coat

        Re: Augh, encryption and Paris.

        <rant> </rant>... unless you are using some MS "Standard"?

      2. Drs. Security

        Re: Augh, encryption and Paris.

        I think I only have to quote Benjamin Franklin here:

        "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

        Enough said.

    3. a_yank_lurker

      Re: Augh, encryption and Paris.

      George Orwell was an extreme optimist. The neo-aristocracy wants to expand its power at the expense of the plebes. The whole effort to weaken computer security has more to do with political power than catching terrorists.

  6. Sonny Jim

    Bravo

    That's got to be one of the funniest El Reg titles I've seen.

  7. Anonymous Coward
    Anonymous Coward

    And yet another useless effort

    Now, the funding of the OpenSSL project is a good one, though I can't help wonder if that money would have been better spent on trying to fix our own economy (when at least 5 large Dutch public shops and businesses which have been around for at least 30 years all go bankrupt under the reign of a certain prime minister then something is not going right here).

    But in the end this whole encryption thing is kind of useless. Because we also have European laws to contend with. And with that in mind I think the whole thing is a bit hypocritical. Because during the last European vote on encryption and backdoors our government voted in favor. So it's kinda easy to try and make it sound as if they're now against the whole thing; especially since nothing they (can) do would change anything.

    1. Anonymous Coward
      Anonymous Coward

      Re: And yet another useless effort

      It's still refreshing to not hear complete bollocks whenever encryption is mentioned.

    2. imanidiot Silver badge

      Re: And yet another useless effort

      A lot of those shops going under have little to do with the economy or government policy and everything with their inability to keep up with the new technology and "shopping experience" people have come to expect.

    3. WatAWorld

      Re: And yet another useless effort

      Do you know that lack of encryption did not contribute to those five companies failing?

      Let us face it, large companies have many secrets that they strive to keep from competitors. Without encryption mining, finance and high tech companies are vulnerable to spying by competitors and by those foreign governments who charge their security agencies with economic spying (the UK, at least, admits GCHQ has this duty too).

      http://www.theguardian.com/world/2013/jun/16/uk-intelligence-agencies-spy-commonwealth-delegates

      http://www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-american-law-firm.html

    4. Cardinal

      Re: And yet another useless effort

      "when at least 5 large Dutch public shops and businesses ..... all go bankrupt"

      But....not Albert, Dirk, or Freddie, Shirley?

  8. Tubs

    Confused as usual

    Correct me if I'm wrong, but is the linking of backdoors and SSL not confusing the issue?

    The only way to hide info from prying eyes would be to encrypt data at source before sending it over the wire. I can see how backdoors in encryption software at this stage would be a problem, but what has that to do with SSL?

    If my understanding is right, putting money into SSL is a red herring anyway. Any government big enough could force ISPs (or telcos) to route SSL communications through proxies for MITM purposes.

    1. Teoh Han Hui

      Re: Confused as usual

      MITM should not be possible unless you can forge (actually, the only practical way is to get some shady CA to issue it for you) the certs.

      1. Anonymous Coward
        Anonymous Coward

        Re: Confused as usual

        You're making the assumption that the big cert providers aren't already compromised.

    2. Drs. Security

      Re: Confused as usual

      Correct on the confusion of issues.

      Partially on the proxy systems, because if certificate chains are set up correctly this would be detectable.

      And yes, there are workarounds to make this type of proxy work too (only think back to the DigiNotar incident and why a certain government allegedly broke in to get certificates to spy on their own people).

  9. Winkypop Silver badge
    Thumb Up

    No holes thanks, we're Dutch!

    The Netherlands has a history of stopping-up unwanted holes.

    https://youtu.be/STGXpq8JGIg

    Work safe!

  10. Robert Helpmann??
    Childcatcher

    For Now

    But the most important debate rests in the United States, where the majority of the products and services used online stem from.

    Yes and every time the US tries to force its thinking on world-wide consumers, it loses custom. Since the majority of those who are currently fear-mongering in Congress are also "pro-business", we can look forward to backtracking on the issue after the legal system has been thoroughly screwed up.

  11. Anonymous Coward
    Anonymous Coward

    It needs to be compulsary encryption

    They need to make it compulsary to encrypt wherever private data is handled.

    Otherwise bad countries will REQUIRE backdoors, which will also be in the Dutch version, and those countries (that have had a commercial and political advantage from the spying) will continue to have a free for all with dutch private secrets.

    China is only the latest to pass laws to get access to these backdoors. In the USA, it seems the FBI asked Microsoft for the disk encryption keys, which Windows 10 now backs up to Microsoft servers by default. The FBI has no legal jurisdiction over The Netherlands, and had no legal authority to demand back doors; they simply did it anyway.

    Surveillance transfers secrets from target to spy. Spy gains an advantage over target. That is true whether it's NSA spying on governments, GCHQ spying on their political bosses, Cameron and May spying on their opponents. It undermines the basic democracy if a foreign power can leverage leaders to ensure outcomes it wants, not the electorate want.

    It's unlikely that we will ever be allowed to elect a pro-privacy leader in the UK again. The pro-surveillance lot simply have too much leverage over the UK political system. DO NOT LET THAT HAPPEN TO YOU. Cameron was anti-nanny state, and has now turned into supernanny surveillance Cameron, spying on all Brits.

    UK GCHQ was prevented from spying on Brits, and now spies mostly on Brits. If it crosses the border they'll spy on it, even if it's UK to UK data, even if they routed it off shore themselves! And our Parliament had its emails moved offshore too, by the same group of ministers behind the surveillance. So you see how bad things are in the UK.

    Once it starts, you cannot stop it, so you need to nip it in the bud.

    Make encryption compulsary and block services as the backdoors are revealed, to protect your core rights.

    1. dajames
      Headmaster

      Re: It needs to be compulsary encryption

      Make encryption compulsary ...

      Yes ... and start by learning to spell "compulsory"!

  12. John Smith 19 Gold badge
    Unhappy

    I wonder if Cameron uses E2E encryption.

    The true answer is of course "I don't know. I'm far too important to worry about such things. That's for the oiks to deal with"

    End to end encryption.

    You'll miss it when it's gone, Mr Cameron. *

    *Especially if (for example) someone were to snag a copy of your memoirs in transit and dump them to the public a day before publication.

  13. WatAWorld

    Like the 5 Eyes gov'ts, The Dutch gov't has a choice. But it picked the correct option

    "Or in other words, there is nothing Holland can do about Google, Microsoft, Facebook or any of the other countless products used by its citizens to communicate online."

    Being small does not mean Holland lacks choice. Israel is small. New Zealand is small.

    The easiest thing for Holland to do if it wanted to spy on its citizens would be to become a closer affiliate of the Five Eyes.

    So the Dutch government does have a choice. But unlike our governments the Dutch government is rejecting Chekism. It is rejecting turning Holland into a Chekist regime run by its current and past members of its security services.

  14. Doctor Syntax Silver badge

    "the Dutch situation cannot be seen in isolation from the international context."

    It'd be interesting from the international point of view if a few large companies decided to move their HQs to the Netherlands on account of the govt's favourable attitude to encryption.

  15. Daniel Hall
    Coat

    Poker face

    I'm not bad at poker but I know now that the Dutch are very good at holding a poker face because I can't tell if this is a bluff or not.

  16. Christian Berger

    The Dutch had a special problem when it comes to IT security and governments

    They once had a census. It contained lots of questions and was made with the then state-of-the-art technology of punch cards. One seemingly harmless question was "religion". Surely there can't be any harm in that, can there?

    Well some months later the Netherlands were invaded by Nazi Germany. So the Nazis went to the governmental offices, got those punchcards and threw them into a sorter and a tabulator to get nice lists of all the Jews... that's why the percentage of Jews in the Netherlands killed back then was so high.

    So you don't store data you don't need on your servers. You don't weaken encryption so you can store more data about your people. It's just bad, even if you do it with good intentions.

    1. Nattrash

      Re: The Dutch had a special problem when it comes to IT security and governments

      Given the current political (and hence public) climate in the Netherlands, this comment is not surprising. However, since it resembles the remarks of an elderly French gentleman too much, I hope you don't mind me making a couple of remarks:

      Indeed, the punch card story you recite is well documented and described in Edwin Black's book "IBM and the Holocaust". However, as Black describes, the "census story" you tell here did not happen in the Netherlands, but in Germany (https://en.wikipedia.org/wiki/IBM_and_the_Holocaust)

      Actually, the Dutch in general were rather "indifferent" to the fate of their Jewish neighbours with Jewish ancestry. For example, Anne Frank (of German and not Dutch origin BTW) was ported off to a camp due to the tip of a Dutch informer. The Dutch Railways, displaying that revered Dutch traders spirit, had absolutely no trouble sending invoices to the SS for transporting Jews to the camps, thus making 2.5 million euros (http://brandpunt.kro.nl/seizoenen/2015/afleveringen/27-01-2015/fragmenten/een-pijnlijk-verdienmodel/ns-verdiende-25-miljoen-euro-aan-jodentransporten). Perhaps it would be good if you researched and contemplated something yourself instead of blindly parroting someone else? Experiences have been rather bad with that...

      Maybe you should start here to orient yourself before spreading FUD on a situation you most likely didn't live through yourself...

      http://www.jcpa.org/phas/phas-gerstens00.htm

  17. Disko
    Megaphone

    Euros

    please. The Dutch government uses Euros, not dollars. Bakshish as a currency is widely accepted though...

  18. Kernel

    "Cue all the comments suggesting that the Dutch government might have a different view once they suffer a major terror attack of their own."

    I seem to remember from pre-internet days that the Netherlands is quite familiar with the process of hosting terror attacks - some of their ex-colonies used to be a source of more than a little grief.

  19. Paul Hovnanian Silver badge

    On the other hand ...

    ... the Dutch are perfectly fine with half back doors.

  20. Adam Inistrator

    love 'em

    love the dutch in all their forms and always reminded of "There are two things, I can't stand .. cultural intolerance ... and the DUTCH!"
