The entire country has been clamouring for this for weeks, and the government has been completely silent about it. A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option, and there wasn't a lot of confidence that the government would do that.
The whole reason for this is that Solvinity host DigiD, the Dutch e-ID system that handles authentication to all government and many other sensitive systems (healthcare). With the US law that the US government should be able to get access to any data held by a US company, regardless of where it's hosted, this system clearly should be kept out of American hands.
Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies. No idea when they're going to do something about that.
> A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option,
Given what we know now, this seems perfectly logical. It's just that we don't know what else is going on behind the scenes.
I'm sure there was some negotiations on how to keep the data separate or something, with the threat of blocking it altogether as a final solution.
> which i'm sure the current administration would honour
It would've been the same administration as the one doing the negotiations, so I would assume yes.
> There should be grave consequences alone for the fact that the goverment acted against the parliament
In general I think there's a pretty good understanding between the legislative branch and the executive branch. The Netherlands has always had coalitions. Also, every single government will talk to the other parties.
I'm not sure what country you're referring to but the Netherlands has a properly functioning democracy. The only problem it has is splintering into too many small factions making coalitions super hard
Logius is the company that actually owns and manages the DigiD stack, it's just that they hired Solvinity for their expertise. AFAIK Solvinity can't access the data.
I can't find it right now, but on Tweakers there was a long comment by someone on the inside that explained Logius basically had almost no know-how of how the current stack works, and there's lots of bespoke stuff. Basically classic vendor lock-in. The government (rather, Logius) now really wants to transition away from Solvinity, but that will likely be a 5+ year process.
I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized. Would lead to a much better product. A man can dream :)
It's a state owned enterprise as far as I remember. So technically they don't wear civil service uniforms in the office, but still get the usual government office hours.
I once interviewed for a job at what I think was a civil service branch that developed software for the military. But they were out of budget for this, while the military did have budget, so if I was hired, I'd have to wear a military uniform to the office. A very stylish one, they claimed.
Estonia's tech was cool maybe 20 years ago. From what I understand it's a bit too hard on fetishization of PKI and Ukraine goes too hard on apps. Netherlands actually gets it really well with DigId that is doing bare minimum needed to actually perform eidas stuff without getting into the woods with legally blessed asn1 schemas and oid [0].
I'm not sure what bespoke stuff they invented to get their sweet vendor lock in eurobucks, but the whole thing is nothing more than an OAuth provider for 19 million people. I guess NFC integration in the app that reads physical ids is on a fancier side, but I suspect on that side it's vendor locked by card vendor and their SDK.
Disclaimer: I have more exposure to Ukrainian variation of this setup (see jkurwa) than to actual Estonian and extrapolate a bit from what I heard from people. Half of this may be outdated or wrong, but I believe that the general vibe is correct.
From what I know about Estonian eID stack, they use traditional PKI to the full extent -- LDAP, PKI, OCSP, all the standard designs from the 90ies and then internally (for use by the government itself) they have a sort of a document exchange system on top of that where everything is done through CMS (PKCS). I believe this is why eIDAS and trust services directive talk about trust lists, qualified certificate authorities and all that.
So you get a physical id card that is a smart card for X509 certificate and then sign, encrypt and do all the stuff you do with keys once you figured out key management. Since the key can't leave the card you need to deal either with a special Estonian keyboard that doubles as a keyreader (in Ukrainian flavor we get a mobile app that can generate a key and get x509 issued remotely, maybe Estonia has that too nowdays or we get a file-based key from a trusted provider, like a bank) or get an actual keyreader or a phone. On the provider side you also have to deal with trust lists, because Estonia and Lithuania don't use the same root of course.
The first gotcha is -- if you have LDAP, CSP and OCSP and can query those, that's a bit of a privacy risk (AFAIK, primary key is based on the date of birth, because reasons). Second gotcha -- key rotation is not practical, so certificates are long lived.
I don't think the stack is bad, but I think it's an overkill for the basic feature of logging into the government website and blessing some bytes with your legal persona. It does help when the user signs a legal document and then tries to walk it back (for example because the document is now an exhibit A in a VAT fraud case, yes real story). I think this particular problem can be solved by non-technical means. More specifically, PKI solves the problem of verifying the identity of the user and then allowing to prove to a third party that it happened.
What is actually needed from the ID stack is allowing a first party in a closed system to match the token presented by a second party to their legal identity. I don't believe cryptographic signing or key derivation is really necessary, as the system that produces the key and the system that verifies the signed artifact are the same entity in most threat models.
I think DigID does the right thing by being a glorified OTP generator with more or less nice UX that solves just that. The actual problem is key provisioning anyways, but once you have done that, it isn't necessary to go full PKI.
To make my point even more ahm pointy, we don't use client X509 to log into github or google. We use passwords, HOTP and fidokeys, because x509 has bad UX and bad security too (in practice)
It's even more complicated: the datacenter and the servers are owned and operated by the government, and the DigiD app itself is owned and operated by government-owned Logius.
From what I have been able to deduce, Solvinity is contracted for some kind of sysadmin services - so basically Kubernetes babysitting?
Maybe better, but less useful. I don't carry my Identity Card at all, unless I cross the border within EU where it is used. All other functions I have in our country app. To which I can log in using physical card, but I have other options that are online.
You are behind the curve. You read here first. Lets revisit this comment in 2 years...
This will be overturned by both Dutch and European courts after the company appeals, and specially after Mark Rutte Daddy calls. The only purpose of this action is for the Dutch government to save face, and its for internal consumption. They already have the internal legal advice stating this, hidden away in some closet. But then they will say: You see, we wanted to do it but a court blocked us.
>>Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies.
The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....
This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks...
And they will use as example, the diplomatic service extensive use of Microsoft :-)
So is nothing more than another Polder hypocritical take, by the Dutch government.
"...Above and beyond the role of chair, the Secretary General has the authority to propose items for discussion and use their good offices in case of disputes between member states....
...In order to facilitate this process, the Secretary General maintains direct contact with Heads of State and Government, and Foreign and Defence Ministers in NATO and partner countries...."
And Mark Rutte has been shaping the domestic fiscal debate inside the Netherlands [2]: "...Mark Rutte said the Netherlands must significantly boost defence spending and pointed to Dutch spending on pensions, healthcare and social security, saying only a small fraction of those allocations would strengthen defence..."
Their sentiment is that Trump intervenes by whining to Mark Rutte, who seems to be the only European Trump is actually willing to listen to, at the expense of course of giving up all his dignity in calling Trump, literally, Daddy [1].
And I would not put it past Trump to do that... I mean, that's what he already did regarding Tiktok.
With Trump nothing is impossible any more, especially if he or someone in his circle stands to make or lose money. And that's the greatest danger in the US turning into a full blown banana republic.
So what do you expect the outcome to be if Trump complains to Rutte, who will then do... what exactly? Ask the current PM to do him a favor because of "reasons"? An overwhelming majority of people in the Netherlands oppose selling this company to the US, an overwhelming majority of political parties voted to block the sale and now the secretary of state in charge of this particular department indeed blocked it.
It seems to me that there is no way that Trump could overturn this decision via Rutte that Trump couldn't accomplish on his own by just threatening the Netherlands directly.
Dutch and belgian citizens are being misled over and over again. The more you'd dig into it, the less it all makes sense.
All we get are documents with nearly everything censored except for very benign things. Only time will tell what's going on, but I doubt I'll live the day
> This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks... And they will use as example, the diplomatic service extensive use of Microsoft
How would that argument support a sale to the US? It sounds like the perfect argument against it. Those technical/legal safeguards clearly didn't work for Microsoft either.
>The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....
There is a broad digital strategy to migrate off from American infra. Will take 10 years, but this stuff has inertia once it starts moving.
> They will argue that the decision was politicized,
It’s not ‘politicized’, it’s the gateway to all Dutch government services and as such it is inherently political.
> insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks...
There are no legal safeguards against the CLOUD act. There can be no technical or legal safeguards as long as the physical hardware is owned by a US company.
In 2 years the contract is up for renegotiation to a different entity (and there's now plenty of political pressure to go with a different one), so I don't think it's a problem by then.
Tying the process up in the courts for that period is also a political victory, since by the time it'd be resolved, Solvinity wouldn't have the contract anymore anyways.
lets be frank, these are changes caused by the downgrading of the American administration to a subscription services behind a paywall that requires DLC, root based encryption bypasses and a Clippy popup that instead of trying to be helpful is indistinguishable from a mafia racket.
All governments are "doing something". It just isn't at all effective and mostly because they're unwilling to invest even marginal amounts.
Like in this case. The technology here utterly depends on Google Play Services on Android or App Attest on Apple (or "secure enclave"), and that is in fact essentially the only functionality.
This could have been solved instead switching to a standard (switching to OATH, RFC 4226 and RFC 6238), thus killing the dependency on Google/Apple while still allowing those devices to work smoothly, but also allowing a Linux implementation, allowing anyone . Plenty of European companies provide implementations for this, some with and some without the dependency on Google/Apple attestation.
I can sign in to DigID without using my phone, except sometimes with an SMS verification code. (Of course they want to, and should, phase that out. Hopefully that won't be replaced by app store dependence.)
What alternative is there, today, that would allow securely doing this without an app store dependency?
Only a few EU countries have rolled out NFC-based eID functionality (as only physical ICAO-based ID verification via NFC is a mandatory part of the EU ID card standard); those are the only ones with a viable path forward in the short term.
I'm not talking about some abstract sense of "did the government do anything at all today", I am saying "good on the government for doing something in this specific case instead of doing nothing and letting it be sold", which was a possible outcome, and in fact the default outcome of the vast, vast majority of acquisitions is that the government does nothing to intervene.
Could they do something better, sure. I am still glad to see they did something at all.
At the same time they're allowing the tax office to migrate completely from a self hosted solution to office 365 do there's that.
They had to be dragged kicking and screaming into doing this. Several attempts were made to force them to block the takeover. Not sure what caused their latest turnaround.
I find it okay'ish. At least it's unique. Say, as much as I like Mario Zechner (who doesn't like HNers anymore for whatever reason), naming your product "Pi" is just terribly bad.
Facebook was a good name (hate the company but the name was good). But "Meta" is just dumbfucktarded.
Wait... I've got an idea: I'm going to make a product and name it "Alt". Or "Control".
Really: there are a lot of totally unhelpful name that just confuses everybody, including search engines, humans, and LLMs but I don't think "Solvinity" is that bad.
I've always found Whatsapp a terrible name, but its so established now that 'apping' is understood. If you're big enough it seems that a bad name hardly hold you back.
We're terrible at company and brand naming here in Europe. Just look at the "Wero" payment solution (formerly/currently iDeal). Like, who the hell came up with that stupid name?
The list of stupid European company names and product names are endless.
I agree, the Dutch iDeal was probably the better name. However I'm not sure if this is an uniquely European problem. Wero's counterpart 'Zelle' doesn't seem to be that much better of a name.
I wish more news outlets actually stated so - Kyndryl was formerly IBM, has 73.000 employees worldwide. When this news first broke, nobody had ever heard of it so it sounded like some small random hosting company, but it's huge.
Good for them, but I doubt this will be the last we hear about this especially with the current US government. ASML was only permitted to acquire US company Cymer (the actually valuable EUV light source technology) back in 2013 under a strict technology sharing and export control agreement.
The Netherlands blocking a US acquisition due to technology control concerns is sure to ruffle some feathers in Washington.
This is not some sort of company making unique tech, it's a company handling some of the most the vital infrastructure for our government, you can imagine the privacy concerns. Completely different case
True, but the question is if it isn't smarter to wait for the midterms in November where it currently looks like it's going to be a disaster for Trump and the Republicans.
In 2013, the same deal would likely have gone through. US-Dutch relations looked very different in 2013 under Obama than they look now under second-term Trump. Any reciprocity today based on things Obama did back then falls flat because we all know Trump opposes nearly everything Obama ever did
Great news. Would have been devastating to have such an integral part of our society at the whims of not just another nation, but an unstable and downright hostile one.
The Dutch should be aware that if Netherland has some information-sharing agreements with Five Eyes or Fourteen Eyes, all this data will still be available to the US (and other allies) (hopefully, presumably, with your government acting as the gatekeeper).
The issue was less privacy concerns, and more "hey lets not hand over one of the most critical pieces of infrastructure to a potentially hostile state". DigID is the user authentication platform for basically every government site in The Netherlands. A foreign government could use sanctions to pressure Dutch individuals to comply by limiting access to it.
It's not only about the data, it's about the risk that the US would basically turn off things like tax collection and doctors' visits in the Netherlands as part of (say) a first strike on Greenland.
Sure, the chance is low. But in the current climate people are nervous and it's best not to risk it. The current government has already embarked on a long-term strategy to bring more of critical software infrastructure back in-country, selling the core identity provider software abroad would go directly against current policy.
Sanctioning people is basically risk-free and more importantly dollar-free. Fighting wars is extremely not-free, as Trump is currently discovering in Iran. I personally rate the risk of the US actually invading Greenland as not higher than about 10%, with the matter most likely being resolved by the US administration re-discovering that the US is allowed to establish a base on the country, doing so and then announcing with big fanfare that they solved the terrible terrible problem of Greenland being "the most unsafe".
Still though, that is about 10 percentage points higher than before Trump took office. Better not to hand him too many tools to exert leverage with.
> (hopefully, presumably, with your government acting as the gatekeeper)
Exactly, that gatekeeper role is what's the difference here. Do you give all data to another country and ask them for pieces back as needed (whenever someone wants to use DigiD, the country can block it), or do you host it yourself and only share the parts that are relevant for this other country's investigations?
DigiD itself is government-owned, but its infrastructure is managed by Solvinity (a private company). Not really different from the US gov running half its stack on AWS.
Because too few IT capable people are willing to work under the government's pay scales; in most cases going private / corporate earns more. So most Dutch IT projects end up with private companies, which also means that, in the case of DigID and the secure / official messaging platform, the hosting party can charge exorbitant rates. Did you know it costs 25 cents to send a message via the Berichtenbox? So when the government does its annual "it's time to fill in your taxes" message, they have to pay millions. Assuming they don't get a bulk deal, anyway.
For the record, Logius (the government owned enterprise dealing with DigID) vacancy for Java developer: https://www.werkenvoornederland.nl/vacatures/lead-java-devel... . 92k EUR per year for whatever they measure as 40 hours a week (I bet they close the shop at 4 pm).
>Did you know it costs 25 cents to send a message via the Berichtenbox?
In a country with paid toilets what do you expect lol
There are plenty of people who are willing to work for the government and the pay is pretty decent. But their stack is often Microsoft based and their IT is located in Apeldoorn.
Who in their right mind would want to travel all the way to Apeldoorn.
A good example of internal development in the government is the police. They have internal development teams.
Most people managing stuff running in a datacenter don't live near that datacenter, it really doesn't matter where it's located. Also, the Netherlands is so tiny that crossing half of the country would still fall under "reasonable commute" in many places
Maybe that’s a reasonable commute to the US mind who isn’t used to work/life balance and likes spending unpaid hours in their car losing precious time with their family.
For me, a reasonable commute is a 10 minute bike ride to the office.
I know people that work as contractors for the Dutch government. The government doesn't save money by hiring them through contractors. They cost more through contractors. But contracting allows private companies to act as gatekeepers and pocket some cash for essentially supplying full time employees. It's a form of corruption by well connected private contracting companies.
I think a large part of the reason is that government hiring is rather permanent. It's often prohibitively expensive/hard to get rid of underperforming or superfluous employees. Contracting is a way around that. That allows hiring workers in a temporary (project) budget. For decades, sometimes.
2. The ruling party for over a decade is the VVD, a Republican Party with training wheels, with Tea Party like spinoffs in varying degrees over rabid idiocy. The VVD heavily depend on a small network of big donors and as such are strongly nudged to source the policy advice from those networks. The IT backbone of those government agencies are thus run by big corporate IT shops, which is also politically convenient as you can shrug of responsibility when it turns out there is some light between the theory and the practice of the neoliberal doctrine.
It is just about the only measure. People who claim something is extremely important and then will not take any action or spend any money - they're dishonest people.
Let's see if the Dutch are men of their words. I expect the government to offer to buy this company, or an offering being made for the Dutch investing public to get shares.
The question is rather: Why would a person complain about dying of thirst, but refuse to go to the river to drink, and also refuse to pay for a glass of water. That makes me believe he is dishonest when he's saying he is thirsty.
Or are we pretending that the Dutch people don't have any money between them to make an offer on this company?
The common expression goes: "Put your money where your mouth is"
I want to see if the Dutch will do that or not.
To see the full beauty of regulatory power, you also have to be blind to the long term consequences of decisions.
For example, are the best Dutch entrepreneurs government-aligned to the extent that they will create their startup or business in the Netherlands, knowing that they won't be able to sell shares for their company at full price? If the Dutch were willing to match the American offer, then there would be no long-term issues for them with this blocking action.
The result is that European hi-tech entrepreneurs create their businesses in a friendlier environment, which is usually the USA. And that European entrepreneurs who stay in their homeland have a hard time competing for European talent with pay.
It's easy for a nation state to mandate almost whatever they want when it comes to fixed stuff such as natural resources and agriculture. But when it comes to human talent, they (still) have the option to leave for better pastures. Or just leave business plans on the shelf.
I keep seeing variations of “okay but this will be temporary” or “this is a one off” or “they’ll relent eventually, they have no choice” in response to the EU’s (and to a lesser extent, global) divorce from US tech stacks.
You cannot unring this bell, however, nor can you put the genie back in the bottle, close Pandora’s Box, etc, pick your own metaphor. The US burned through the trust thermocline very suddenly these past few years, snapping the tension that had been brewing over several decades from US hegemony and the abusive diplomacy it created.
Now that the US regime is openly hostile to everyone else and US firms have dropped the pretense of being anything less than a global surveillance state, there’s nothing to go back to. These sorts of rejections and blocks will continue to escalate until a new norm is agreed upon by cooler heads, which I don’t see happening in the current climate.
Make no mistake, power everywhere wants more surveillance capabilities; the EU wants it as much as China or the USA. The difference is that with the leading empire in decline, everyone realizes that owning their own surveillance state is an advantage over outsourcing it to a potential enemy.
Should be simple matter to escalate this up to the President, who will put the squeeze on the Dutch government, and then secure his 10% fee for rescuing the take over deal
The subtitle “Across Europe, there have been increased concerns about the bloc’s reliance on American tech.” is false and really an economic chamber.
The author has no basis for this claim, factually or otherwise .. maybe a small tiny group would love to see this happen, but EU is happy like rest of the world minus China to enjoy the products made by great American software companies.
I didn’t notice. But regardless, a summit doesn't dictate or reflect the desires and opinions of 27 member states and its 450 million citizens and more importantly its companies and business to want to switch to European alternatives.
To give you an example, if India or China or Africa holds a summit on climate change, it doesn’t mean that its citizens want that or even care about it.
Anyway, the idea that such a big geography should move away from the best software factory of the world because it has some political agenda with its current leader is both impossible and overall quite childish and will never come to fruition.
> The figures were almost universal across all categories: 62 percent of those surveyed across the five European countries said they favored or had considered replacing US data storage and payment services, while 59 percent of respondents said they would back a change from American video-conferencing companies like Zoom.
(Technically only five countries in the EU in this survey, but the five most populous countries, and presumably other countries generally agree)
This is a direct result of Trump being in power. Before his regime, we (The Netherlands) trusted USA 1000%, this takeover would not even have been news.
This stance has shifted completely. And you can thank one guy for it.
As a Dutch citizen, I don't understand why we can't self-host an open source identity solution for 20M users with 30K requests an hour. How hard can it be?
If the owner of the stack (Logio or whatever it was called, see upthread) doesn't understand it, the consultants will run wild and soon it will require a hectare-sized datacenter running a zillion containers, and another DC for HA of course.
They make the login-screen. And now for businesses there are like 5 providers of the login screen (that you HAVE to use in order to use govt websites): you have to choose one and pay like 40EUR/y in order to log in.
Calling a login screen vital is, yes, the truth.
Out-sourcing --and creating a market for-- the login screen is, to me, one of the most bizarre thing I've seen the Dutch govt do in recent years.
> Kyndryl said in a statement it was "extremely disappointed" about the decision. "The politicization of this process has overshadowed the clear and important benefits this transaction would have brought to Solvinity's customers and Dutch citizens."
Are these guys so tone-death to the point they even try to gaslight the world? They are trying to take over a nation's ID system. Who in their right mind sees this as anything other than a national security issue?
The concerning thing for the EU should be that this valuable firm had no European capital trying to buy it. The Dutch have protected their sovereignty today while decreasing the incentive for the next entrepreneur to make something on European shores. Probably the best choice but doesn't change the structural problem.
Who knows what other offers they may have had? Perhaps the company is just worth more to a non-EU company because of the leverage controlling vital infrastructure would give them.
> "The politicization of this process has overshadowed the clear and important benefits this transaction would have brought to Solvinity's customers and Dutch citizens."
That is unbelievably rich. It's politicians job to protect the privacy and interests of its citizens. Must be a strange idea for the US these days.
Can someone tell me what actual technical issue do identification providers solve that couldn't be solved with a public key cryptography or even a password and 2FA? The whole sector seems like it was created out of corruption and shortsightedness.
You want an idp who verified that the account belongs to a specific citizen. There needs to be some loop closing between your bsn (akin to a social security number) and user accounts. That in itself is not something you can just handoff to auth0 or that you want different departments to self select and self-host.
Digid is used to submit taxes and for getting benefits from the government.
This is exactly why privacy by architecture matters more than privacy by policy. The Netherlands trusted a policy ("Solvinity can't access the data") but the architecture allowed it anyway.
The only real solution is cryptographic sovereignty systems where even the vendor mathematically cannot access user data, regardless of what US law says. Not we promise we won't look but we literally cannot look.
Building something small in this direction a mesh network where identity is a BIP-39 seed phrase and messages are E2E encrypted at the protocol level,not the application level. The goal is that even I as the developer cannot read user messages. It's still early, but this problem you're describing is exactly why it needs to exist.
[OP] vrganj | 6 hours ago
mcv | 5 hours ago
The entire country has been clamouring for this for weeks, and the government has been completely silent about it. A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option, and there wasn't a lot of confidence that the government would do that.
The whole reason for this is that Solvinity host DigiD, the Dutch e-ID system that handles authentication to all government and many other sensitive systems (healthcare). With the US law that the US government should be able to get access to any data held by a US company, regardless of where it's hosted, this system clearly should be kept out of American hands.
Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies. No idea when they're going to do something about that.
hvb2 | 5 hours ago
Given what we know now, this seems perfectly logical. It's just that we don't know what else is going on behind the scenes.
I'm sure there was some negotiations on how to keep the data separate or something, with the threat of blocking it altogether as a final solution.
But agreed, this is a good outcome
monegator | 5 hours ago
which i'm sure the current administration would honour
There should be grave consequences alone for the fact that the goverment acted against the parliament
hvb2 | 5 hours ago
It would've been the same administration as the one doing the negotiations, so I would assume yes.
> There should be grave consequences alone for the fact that the goverment acted against the parliament
In general I think there's a pretty good understanding between the legislative branch and the executive branch. The Netherlands has always had coalitions. Also, every single government will talk to the other parties.
I'm not sure what country you're referring to but the Netherlands has a properly functioning democracy. The only problem it has is splintering into too many small factions making coalitions super hard
mcv | 4 hours ago
Muromec | 3 hours ago
jorvi | 4 hours ago
Logius is the company that actually owns and manages the DigiD stack, it's just that they hired Solvinity for their expertise. AFAIK Solvinity can't access the data.
I can't find it right now, but on Tweakers there was a long comment by someone on the inside that explained Logius basically had almost no know-how of how the current stack works, and there's lots of bespoke stuff. Basically classic vendor lock-in. The government (rather, Logius) now really wants to transition away from Solvinity, but that will likely be a 5+ year process.
I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized. Would lead to a much better product. A man can dream :)
NoahZuniga | 4 hours ago
shiandow | 4 hours ago
Muromec | 3 hours ago
RobotToaster | 3 hours ago
erikvanoosten | 2 hours ago
mcv | 2 hours ago
I once interviewed for a job at what I think was a civil service branch that developed software for the military. But they were out of budget for this, while the military did have budget, so if I was hired, I'd have to wear a military uniform to the office. A very stylish one, they claimed.
GuinansEyebrows | 2 hours ago
NoahZuniga | an hour ago
mcv | 4 hours ago
Muromec | 3 hours ago
I'm not sure what bespoke stuff they invented to get their sweet vendor lock in eurobucks, but the whole thing is nothing more than an OAuth provider for 19 million people. I guess NFC integration in the app that reads physical ids is on a fancier side, but I suspect on that side it's vendor locked by card vendor and their SDK.
[0] https://zakon.rada.gov.ua/laws/show/z1398-12#Text
Teever | 2 hours ago
sam_lowry_ | 2 hours ago
And they are just good at marketing. Belgium had eIDs earlier never messed up so much as Estonians.
Muromec | 12 minutes ago
Muromec | 20 minutes ago
From what I know about Estonian eID stack, they use traditional PKI to the full extent -- LDAP, PKI, OCSP, all the standard designs from the 90ies and then internally (for use by the government itself) they have a sort of a document exchange system on top of that where everything is done through CMS (PKCS). I believe this is why eIDAS and trust services directive talk about trust lists, qualified certificate authorities and all that.
So you get a physical id card that is a smart card for X509 certificate and then sign, encrypt and do all the stuff you do with keys once you figured out key management. Since the key can't leave the card you need to deal either with a special Estonian keyboard that doubles as a keyreader (in Ukrainian flavor we get a mobile app that can generate a key and get x509 issued remotely, maybe Estonia has that too nowdays or we get a file-based key from a trusted provider, like a bank) or get an actual keyreader or a phone. On the provider side you also have to deal with trust lists, because Estonia and Lithuania don't use the same root of course.
The first gotcha is -- if you have LDAP, CSP and OCSP and can query those, that's a bit of a privacy risk (AFAIK, primary key is based on the date of birth, because reasons). Second gotcha -- key rotation is not practical, so certificates are long lived.
I don't think the stack is bad, but I think it's an overkill for the basic feature of logging into the government website and blessing some bytes with your legal persona. It does help when the user signs a legal document and then tries to walk it back (for example because the document is now an exhibit A in a VAT fraud case, yes real story). I think this particular problem can be solved by non-technical means. More specifically, PKI solves the problem of verifying the identity of the user and then allowing to prove to a third party that it happened.
What is actually needed from the ID stack is allowing a first party in a closed system to match the token presented by a second party to their legal identity. I don't believe cryptographic signing or key derivation is really necessary, as the system that produces the key and the system that verifies the signed artifact are the same entity in most threat models.
I think DigID does the right thing by being a glorified OTP generator with more or less nice UX that solves just that. The actual problem is key provisioning anyways, but once you have done that, it isn't necessary to go full PKI.
To make my point even more ahm pointy, we don't use client X509 to log into github or google. We use passwords, HOTP and fidokeys, because x509 has bad UX and bad security too (in practice)
frevib | 3 hours ago
Solvinity is the hoster. It can fully access the stack.
crote | 3 hours ago
From what I have been able to deduce, Solvinity is contracted for some kind of sysadmin services - so basically Kubernetes babysitting?
hermanzegerman | 2 hours ago
Tbh I like the German one even better because you need your physical Identity Card and can use your phone as the reader
krzyk | an hour ago
tcp_handshaker | 4 hours ago
You are behind the curve. You read here first. Lets revisit this comment in 2 years...
This will be overturned by both Dutch and European courts after the company appeals, and specially after Mark Rutte Daddy calls. The only purpose of this action is for the Dutch government to save face, and its for internal consumption. They already have the internal legal advice stating this, hidden away in some closet. But then they will say: You see, we wanted to do it but a court blocked us.
>>Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies.
The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....
"Microsoft Accused Of Sharing Dutch Officials’ Data with U.S. Government" - https://www.yahoo.com/news/politics/articles/microsoft-accus...
This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks... And they will use as example, the diplomatic service extensive use of Microsoft :-)
So is nothing more than another Polder hypocritical take, by the Dutch government.
j_maffe | 4 hours ago
Mark Rutte, the chief of NATO and ex-PM, that has nothing to do with civilian tech? Can we please leave unfounded conspiracy theories to Reddit?
tcp_handshaker | 4 hours ago
"...Above and beyond the role of chair, the Secretary General has the authority to propose items for discussion and use their good offices in case of disputes between member states....
...In order to facilitate this process, the Secretary General maintains direct contact with Heads of State and Government, and Foreign and Defence Ministers in NATO and partner countries...."
[1] - https://www.nato.int/en/about-us/organization/nato-structure...
And Mark Rutte has been shaping the domestic fiscal debate inside the Netherlands [2]: "...Mark Rutte said the Netherlands must significantly boost defence spending and pointed to Dutch spending on pensions, healthcare and social security, saying only a small fraction of those allocations would strengthen defence..."
[2] - https://nltimes.nl/2024/12/03/nato-leader-rutte-netherlands-...
And on conspiracy theories - Do you trust the Financieele Dagblad?
https://nltimes.nl/2025/11/20/asml-offered-spy-us-breaking-e...
mschuster91 | 4 hours ago
Their sentiment is that Trump intervenes by whining to Mark Rutte, who seems to be the only European Trump is actually willing to listen to, at the expense of course of giving up all his dignity in calling Trump, literally, Daddy [1].
And I would not put it past Trump to do that... I mean, that's what he already did regarding Tiktok.
With Trump nothing is impossible any more, especially if he or someone in his circle stands to make or lose money. And that's the greatest danger in the US turning into a full blown banana republic.
[1] https://www.politico.com/news/2025/06/25/nato-chief-calls-tr...
WJW | 3 hours ago
It seems to me that there is no way that Trump could overturn this decision via Rutte that Trump couldn't accomplish on his own by just threatening the Netherlands directly.
hvb2 | 4 hours ago
It's probably something he would use as 'change' to resolve something unrelated with NATO. Then he can sell how well he's keeping NATO together
tosti | an hour ago
All we get are documents with nearly everything censored except for very benign things. Only time will tell what's going on, but I doubt I'll live the day
mcv | 4 hours ago
How would that argument support a sale to the US? It sounds like the perfect argument against it. Those technical/legal safeguards clearly didn't work for Microsoft either.
tcp_handshaker | 4 hours ago
Muromec | 3 hours ago
There is a broad digital strategy to migrate off from American infra. Will take 10 years, but this stuff has inertia once it starts moving.
Aaargh20318 | 3 hours ago
It’s not ‘politicized’, it’s the gateway to all Dutch government services and as such it is inherently political.
> insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks...
There are no legal safeguards against the CLOUD act. There can be no technical or legal safeguards as long as the physical hardware is owned by a US company.
noirscape | 3 hours ago
Tying the process up in the courts for that period is also a political victory, since by the time it'd be resolved, Solvinity wouldn't have the contract anymore anyways.
cyanydeez | 2 hours ago
edwinjm | 47 minutes ago
applfanboysbgon | 5 hours ago
spwa4 | 5 hours ago
Like in this case. The technology here utterly depends on Google Play Services on Android or App Attest on Apple (or "secure enclave"), and that is in fact essentially the only functionality.
This could have been solved instead switching to a standard (switching to OATH, RFC 4226 and RFC 6238), thus killing the dependency on Google/Apple while still allowing those devices to work smoothly, but also allowing a Linux implementation, allowing anyone . Plenty of European companies provide implementations for this, some with and some without the dependency on Google/Apple attestation.
Vinnl | 5 hours ago
lxgr | 2 hours ago
Only a few EU countries have rolled out NFC-based eID functionality (as only physical ICAO-based ID verification via NFC is a mandatory part of the EU ID card standard); those are the only ones with a viable path forward in the short term.
jeroenhd | 2 hours ago
The app has the benefit of being free, getting a working reader costs 60-90 euros last time I checked and Linux driver support isn't great.
applfanboysbgon | 4 hours ago
Could they do something better, sure. I am still glad to see they did something at all.
microtonal | 4 hours ago
https://www.logius.nl/actueel/qr-code-scanner-digid-app-werk...
(Also works fine on my GrapheneOS phone with only basic integrity, also worked on microG when I tested.)
wolvoleo | 2 hours ago
They had to be dragged kicking and screaming into doing this. Several attempts were made to force them to block the takeover. Not sure what caused their latest turnaround.
mkj | 5 hours ago
cactusplant7374 | 5 hours ago
TacticalCoder | 5 hours ago
I find it okay'ish. At least it's unique. Say, as much as I like Mario Zechner (who doesn't like HNers anymore for whatever reason), naming your product "Pi" is just terribly bad.
Facebook was a good name (hate the company but the name was good). But "Meta" is just dumbfucktarded.
Wait... I've got an idea: I'm going to make a product and name it "Alt". Or "Control".
Really: there are a lot of totally unhelpful name that just confuses everybody, including search engines, humans, and LLMs but I don't think "Solvinity" is that bad.
agmater | 5 hours ago
amelius | 4 hours ago
After Bill and Melinda Gates have their honeymoon, Melinda says, "Now I know why you call it Microsoft."
arrowsmith | 3 hours ago
Where do you live where "apping" is understood?
JSR_FDED | 3 hours ago
Deukhoofd | an hour ago
https://onzetaal.nl/taalloket/appen-whatsappen-vervoeging
mortarion | 5 hours ago
The list of stupid European company names and product names are endless.
twjdeboer | 4 hours ago
Muromec | 3 hours ago
lejalv | 2 hours ago
krior | 2 hours ago
sjamaan | 5 hours ago
fusslo | 5 hours ago
https://en.wikipedia.org/wiki/Kyndryl
> Officially formed in late 2021, Kyndryl was created from the spin-off of IBM's infrastructure services
> Kyndryl operated in 63 countries in November 2021
Cthulhu_ | 3 hours ago
pantulis | 3 hours ago
frevib | 3 hours ago
petcat | 5 hours ago
The Netherlands blocking a US acquisition due to technology control concerns is sure to ruffle some feathers in Washington.
NietTim | 5 hours ago
petcat | 5 hours ago
Epskampie | 4 hours ago
Paradigma11 | 3 hours ago
exceptione | 3 hours ago
midtake | an hour ago
I don't think it's changing after this administration.
wongarsu | 5 hours ago
gpvos | 5 hours ago
midasz | 5 hours ago
SirFatty | 5 hours ago
thisislife2 | 4 hours ago
Deukhoofd | 4 hours ago
WJW | 3 hours ago
Sure, the chance is low. But in the current climate people are nervous and it's best not to risk it. The current government has already embarked on a long-term strategy to bring more of critical software infrastructure back in-country, selling the core identity provider software abroad would go directly against current policy.
hermanzegerman | 2 hours ago
Trump also already sanctioned Justices from the ICC based in Netherlands because he didn't like them.
He's clearly not the guy with impulse control
WJW | 2 hours ago
Still though, that is about 10 percentage points higher than before Trump took office. Better not to hand him too many tools to exert leverage with.
dncornholio | 3 hours ago
arrowsmith | 3 hours ago
Probably a safe assumption, since the Netherlands is a member of the Fourteen Eyes
Aachen | 3 hours ago
Exactly, that gatekeeper role is what's the difference here. Do you give all data to another country and ask them for pieces back as needed (whenever someone wants to use DigiD, the country can block it), or do you host it yourself and only share the parts that are relevant for this other country's investigations?
selectively | 4 hours ago
creaturemachine | 4 hours ago
Muromec | 3 hours ago
kleiba2 | 4 hours ago
danslo | 4 hours ago
kleiba2 | 4 hours ago
danslo | 4 hours ago
conceptme | 4 hours ago
Nevermark | 4 hours ago
> If it's such a vital piece of infrastructure, why is it in Dutch hands at all?
It was the funniest thing I have misread in a while.
Cthulhu_ | 3 hours ago
Muromec | 3 hours ago
>Did you know it costs 25 cents to send a message via the Berichtenbox?
In a country with paid toilets what do you expect lol
Vespasian | 3 hours ago
Maybe the Netherlands are different (country can vary a lot with what is included in a salary) ?
mechazawa | 3 hours ago
Who in their right mind would want to travel all the way to Apeldoorn.
A good example of internal development in the government is the police. They have internal development teams.
edwinjm | 2 hours ago
usrnm | 2 hours ago
Aaargh20318 | 2 hours ago
For me, a reasonable commute is a 10 minute bike ride to the office.
AndyMcConachie | 3 hours ago
vanviegen | 15 minutes ago
exceptione | 3 hours ago
2. The ruling party for over a decade is the VVD, a Republican Party with training wheels, with Tea Party like spinoffs in varying degrees over rabid idiocy. The VVD heavily depend on a small network of big donors and as such are strongly nudged to source the policy advice from those networks. The IT backbone of those government agencies are thus run by big corporate IT shops, which is also politically convenient as you can shrug of responsibility when it turns out there is some light between the theory and the practice of the neoliberal doctrine.
_HMCB_ | 4 hours ago
carlosjobim | 4 hours ago
raziel2p | 3 hours ago
carlosjobim | 3 hours ago
Let's see if the Dutch are men of their words. I expect the government to offer to buy this company, or an offering being made for the Dutch investing public to get shares.
[OP] vrganj | 3 hours ago
carlosjobim | 2 hours ago
Or are we pretending that the Dutch people don't have any money between them to make an offer on this company?
[OP] vrganj | 2 hours ago
Regarding the specific case, they probably have the money. But they don't need it. Such is the beauty of regulatory power, vested in a democracy.
carlosjobim | an hour ago
I want to see if the Dutch will do that or not.
To see the full beauty of regulatory power, you also have to be blind to the long term consequences of decisions.
For example, are the best Dutch entrepreneurs government-aligned to the extent that they will create their startup or business in the Netherlands, knowing that they won't be able to sell shares for their company at full price? If the Dutch were willing to match the American offer, then there would be no long-term issues for them with this blocking action.
The result is that European hi-tech entrepreneurs create their businesses in a friendlier environment, which is usually the USA. And that European entrepreneurs who stay in their homeland have a hard time competing for European talent with pay.
It's easy for a nation state to mandate almost whatever they want when it comes to fixed stuff such as natural resources and agriculture. But when it comes to human talent, they (still) have the option to leave for better pastures. Or just leave business plans on the shelf.
stego-tech | 4 hours ago
You cannot unring this bell, however, nor can you put the genie back in the bottle, close Pandora’s Box, etc, pick your own metaphor. The US burned through the trust thermocline very suddenly these past few years, snapping the tension that had been brewing over several decades from US hegemony and the abusive diplomacy it created.
Now that the US regime is openly hostile to everyone else and US firms have dropped the pretense of being anything less than a global surveillance state, there’s nothing to go back to. These sorts of rejections and blocks will continue to escalate until a new norm is agreed upon by cooler heads, which I don’t see happening in the current climate.
Make no mistake, power everywhere wants more surveillance capabilities; the EU wants it as much as China or the USA. The difference is that with the leading empire in decline, everyone realizes that owning their own surveillance state is an advantage over outsourcing it to a potential enemy.
hunglee2 | 3 hours ago
gyanchawdhary | 3 hours ago
The author has no basis for this claim, factually or otherwise .. maybe a small tiny group would love to see this happen, but EU is happy like rest of the world minus China to enjoy the products made by great American software companies.
Tepix | 3 hours ago
gyanchawdhary | 3 hours ago
To give you an example, if India or China or Africa holds a summit on climate change, it doesn’t mean that its citizens want that or even care about it.
Anyway, the idea that such a big geography should move away from the best software factory of the world because it has some political agenda with its current leader is both impossible and overall quite childish and will never come to fruition.
gbear605 | 46 minutes ago
> The figures were almost universal across all categories: 62 percent of those surveyed across the five European countries said they favored or had considered replacing US data storage and payment services, while 59 percent of respondents said they would back a change from American video-conferencing companies like Zoom.
(Technically only five countries in the EU in this survey, but the five most populous countries, and presumably other countries generally agree)
dncornholio | 3 hours ago
This stance has shifted completely. And you can thank one guy for it.
wildekek | 3 hours ago
dncornholio | 3 hours ago
jabl | 2 hours ago
flossly | 3 hours ago
They make the login-screen. And now for businesses there are like 5 providers of the login screen (that you HAVE to use in order to use govt websites): you have to choose one and pay like 40EUR/y in order to log in.
Calling a login screen vital is, yes, the truth.
Out-sourcing --and creating a market for-- the login screen is, to me, one of the most bizarre thing I've seen the Dutch govt do in recent years.
flossly | 3 hours ago
They contracted the market and now they want to control it as if it's in house.
locknitpicker | 2 hours ago
> Kyndryl said in a statement it was "extremely disappointed" about the decision. "The politicization of this process has overshadowed the clear and important benefits this transaction would have brought to Solvinity's customers and Dutch citizens."
Are these guys so tone-death to the point they even try to gaslight the world? They are trying to take over a nation's ID system. Who in their right mind sees this as anything other than a national security issue?
markvdb | an hour ago
Trust breakdowns are costly, except to the vultures "winning" the negative-sum game. Might want to read about the fall of the Warsaw pact.
benced | 2 hours ago
vanviegen | 9 minutes ago
bilekas | an hour ago
That is unbelievably rich. It's politicians job to protect the privacy and interests of its citizens. Must be a strange idea for the US these days.
ykurtov | 11 minutes ago
iamalizard | an hour ago
jauco | 24 minutes ago
Digid is used to submit taxes and for getting benefits from the government.
madbo1 | 14 minutes ago