Context: DigiD is the Dutch national infrastructure for authenticating to government (and semi-government) services. It's used for anything from doing taxes to checking the status of your pension.
The company that basically runs it for the government is being sold to an American investment company, which brings with it obvious national security risks.
Oh, the joys of public infrastructure privatization...
There's a lesson to be learnt here, extending beyond digital infrastructures.
The Dutch government should have outsourced DigiD hosting to SURF [1] which already had extensive experience with cloud services and is virtually immune to foreign influence.
[1] https://www.surf.nl/
Yes, but our government was deeply neoliberal, pushed for by the VVD party and obsessed with privatisation and markets. This is what caused this mess and many others.
They also adore the US (as an example, Mark Rutte, the current NATO boss, was their foreman and prime minister for a decade), so dependency on the US was never a problem for them until 2025, when Trump turned against his allies.
Are there not already risks that exist from it relying on US run devices?
Obviously (Example: Zivver [1]). But that doesn't mean we have to make it worse. It means we need to tackle those risks.
[1] https://news.ycombinator.com/item?id=46262524
Yes, but I like to think the hacker community is persistent enough that if there were backdoors embedded in US or Chinese made hardware, it would have been found already.
Then again, they never found out about the Crypto AG communications backdoor (https://en.wikipedia.org/wiki/Crypto_AG) until 2018 as far as I know. Or they did know but since it's CIA they allowed it.
A backdoor could be introduced at any time by a software update.
Cutting off updates would leave devices insecure.
Do some devices not have remote disabling as a security feature?
A lot of devices and software store or backup to cloud servers.
Well, it took Juniper only 2 years to find, in 2015, the likely NSA-implanted backdoors in their firewalls. Then the weakened Dual EC DRBG was found.
Now (2023/2025) another two have been found.
Cisco equipment has been intercepted and implanted in the past.
So definitely "the community" can find things, sometimes it just takes ages.
And to add to your Crypto AG, Anom was also a nice example of a sting like this.
The company that runs it for the government, or the company who owns it for the government?
If the government owns the infrastructure, but outsources the day-to-day running to a company that's one thing. But if the infrastructure is owned by the third party then that's a lot harder to deal with.
> If the government owns the infrastructure, but outsources the day-to-day running to a company that's one thing
This is still very problematic. To be honest, even using foreign hardware or proprietary software is problematic. But you should reduce dependence as much as possible, because it is a huge vector: should the foreign government decide to turn on you openly or secretly, it could bring you down before you have a chance to detect what is happening. I believe wars between developed countries will operate at this level (i.e. by targeting foreign dependency chains, whether it be national systems for ID or simply cutting undersea cables).
I agree that it's still problematic. But you can recover from that by hiring your own staff and slowly taking over the running of the system. No doubt there would be issues, but it would be doable.
Recovering from "Your critical national infrastructure is physically owned by someone else" is much trickier.
It is kind of a sticky situation for a country that is debating data sovereignty.
The key issue here, and in many similar cases, is for governments to define what they mean by sovereignty. Because if it means not only ownership but also keeping it out of outsiders' control, then governments will by necessity have to get involved in the data ownership and data sharing arrangements of the companies that run and manage their systems. Trust is eroding quickly.
A lot of Dutch government and government adjacent services run on Microsoft Azure as well. Which is not the same level of concern, but it does mean the US government has access to that data.
Even if they don't have access to the actual data, the US government has the option to order Microsoft to switch these essential government services off. For example, as a means of pressuring the Dutch government into supporting the American annexation of Greenland.
Or even, post-Greenland, to force the Dutch to give Trump the Dutch Caribbean islands off the Venezuelan coast as well (Aruba, Bonaire, Curaçao).
If I were a Dutch member of parliament, I would be insisting this particular vulnerability to extortion be addressed as soon as possible. Of course, the US can still threaten to, at worst, nuke us all to smithereens but let's hope they're not willing to go that far.
Which has happened before and is the reason why the International Criminal Court is moving away from MS365 [0].
This prompted me to try OnlyOffice, and man is that nice. I do like LibreOffice, but 2 things bug me: it just looks old. And second, I have, since the dawn of time (and Sun's Star Office), had issues just telling the software: "This is a Dutch doc, apply Dutch spelling and grammar checks". It has never worked well; even Firefox text fields work better. But with OnlyOffice it seems to work well so far, and also, it will be much, much more recognizable to ex-MS Office users. I hear the interop with MS formats is also better.
[0] https://www.techspot.com/news/110095-international-criminal-...
> the US government has the option to order Microsoft to switch these essential government services off
They can also order MS and Amazon and Google and Apple to switch off services on which most of the economy relies, and which most devices require to function.
But if they do that, the Dutch government has the option to pull ASML and its services (like maintenance, parts) from the US, which will cripple its chip industry. I wouldn't be surprised if there's a remote shutdown built into their devices.
The prime-minister in waiting has said that there will be a cabinet post for digital security, and Parliament has expressed in the same motion that they are worried about dependence on foreign cloud services as well.
Note: legally, the Netherlands can't give Aruba or Curaçao to the US, as in the constitutional framework of the Dutch kingdom they are seen as sovereign entities.
Legality is meaningless unless it's backed by force, as people are finding out all over the place.
I'm aware. I just think the Trump administration would say "Do it anyway".
Bonaire then?
Bonaire is a special municipality of the Netherlands, so I think they could give that away.
Don't they have responsibilities to ensure basic rights for their citizens?
Not sure they can transfer it while the US practices the death penalty or penal slavery.
Now someone needs to convince the German government too. For some reason Merz says one thing but then acts in an orthogonal, US-serving manner. People in Germany have started to notice this too. Something is not working here for Merz - there is a disconnect between what he says and what he does.
Could it not be as simple as aspiration (we want to move to digital sovereignty) versus pragmatism (we need to implement this thing next month)?
I may be too cynical, but when it comes to politicians, the disconnect feels more like the rule than the exception.
It is hard to vote, being buttered up with promises and pretty speeches, just to be disappointed halfway to next election.
No it’s not. It’s made very easy to vote and it has only been made easier and more people have been given the vote. That’s the whole point, so you on the one hand believe you have your say, and on the other hand the expansion of the vote was always for the purpose of drowning out the vote of intelligent, informed, smart, invested, productive people.
For every vote the most informed and well read and intelligent person has, whose family built everything there is in any democracy…every single year of your life there is one additional foreign, alien, hostile person that was just given the right to vote along with the 5 children they will have to your 1.5 to all vote against you.
That’s why the rich don’t vote, they got politicians, institutions, academics, organizations, etc. that’s our vote, we vote millions and billions of times with dollars, while importing millions of people who totally neutralize your vote and say every single time you go through that charade called voting.
Germans forget too easily that theirs is a vassal state without full sovereignty.
Until the German people can investigate and prosecute their own intelligence services, this situation will not change. That the German intelligence services answer to the CIA is a travesty for the German people.
Anyone wondering about Merz' servitude should keep this in mind.
> That the German intelligence services answer to the CIA
Any sources on this? Is it some sort of legal agreement?
"The deal must be blocked if there are no legal guarantees that Dutch data cannot be accessed in the U.S."
This would be a very mild response, given that the Dutch government recently attempted to take control of chipmaker Nexperia [1], where much less was at stake.
Even if guarantees are given, who is going to enforce them against an order coming from the US government?
[1] https://nltimes.nl/tags/nexperia
I think the Nexperia debacle is exactly why it's such a mild response.
They bit off more than they could chew with that one. The Dutch (politicians and bureaucrats both) have been suitably chastened by the unexpected blowback.
I wonder how the data in Danish MitId is managed and stored. The thing is used for everything here, from doing taxes to buying real estate to getting a library card.
Solvinity (now acquired by Kyndryl) owns and runs a lot of the underlying infrastructure of DigiD, but the application itself and the day-to-day operations are handled by an autonomous body of the government (Logius). DigiD is mainly about translating authentication factors into a social security number (BSN) for authentication to other public institutions.
That allows Logius to pretend it's not much of a problem, and Solvinity maintains (in an unusually sharp and on-point interview) that all data is "encrypted" [1], without mentioning who possesses the keys or whether encryption is relevant at all. They go on to say that they consider the scenario of the US shutting down DigiD "very hypothetical", that they will follow Dutch law and that they have a strong supervisory board (as if that would matter).
Logius also operates MijnOverheid, which collates very sensitive information about all citizens from most government agencies and also relies on Solvinity infrastructure.
The infrastructure that Solvinity maintains goes far beyond servers, as they've concocted themselves an unholy procurement mess with their PICARD / LPC solution (Logius Private Cloud). They were advised multiple times over multiple years by the main advisory body on IT of The Netherlands (AcICT) not to do it in this way and KISS, but then did it anyway.
The intent of structuring it in this way was that it would be easier to switch infrastructure providers, but the outcome is the exact opposite: there is now a non-standard "integration layer" that would need to be rebuilt. Which is exactly what AcICT warned about from the beginning.
You can find a diagram of the responsibilities on both the Solvinity and Logius side on the last page of [2] (in Dutch).
The wild thing is that Logius also owns and maintains "Standaard Platform" [3], which is a very neat and standard Kubernetes environment, but they declined to use this for DigiD and MijnOverheid because they didn't deem it secure enough, and instead of securing their Kubernetes deployment, they went on with PICARD / LPC.
Logius is an autonomous body of the Ministry of the Interior (BZK), but they appear to have completely lost control over setting any policy and now mainly walk from crisis to crisis because any opening on their "SAFe train" is years away.
[1] https://www.nrc.nl/nieuws/2025/12/03/baas-van-solvinity-prob...
[2] https://www.adviescollegeicttoetsing.nl/site/binaries/site-c...
[3] https://www.logius.nl/onze-dienstverlening/infrastructuur/st...
Thanks for the detailed explanation. I attempted something similar for Belgium here: http://mikhailian.mova.org/node/297
While federal government in Belgium is less dependent on US clouds, Digital Vlaanderen is pretty much in bed with Microsoft on all levels.
> The infrastructure that Solvinity maintains goes far beyond servers, as they've concocted themselves an unholy procurement mess with their PICARD / LPC solution (Logius Private Cloud)
This is incredible. As you say, why not just k8s?
The US CLOUD Act mandates American companies to provide data to US authorities, even when it is stored abroad.
Whoever gives US Big Tech access to their digital infrastructure is a foreign spy and should be jailed
Waiting for the first government to realize that they can't win the cyber security war because it's too costly, and just switch back to analog ID.
Creating a database of their citizens using a private company has opened up exactly the kind of privacy problems that anyone on here could have expected. Maybe they should just use GDPR to delete the data before it’s exfiltrated?
DigiD is "the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller", and thus falls under paragraph 3(b), which exempts this data from the right to erasure. In much the same way that the IRS won't delete your data if you tell them you're a sovereign citizen.
GDPR isn't a technology, it doesn't work like that. Deleting data would cripple all digital services.
The problem is that they privatized it. But that in turn is caused by the wage structure; if you work for the government, you fall under its collective wage system, and the way it's set up... can't compete with private companies, especially not in IT services. So the government ends up outsourcing most IT projects, with mixed success and costing them a lot. But with this, it also opens them up to risk.
I get the wage thing, but they need to be able to control these things. 51% of nontransferable shares of all companies involved.
> can't compete with private companies, especially not in IT services.
FWIW, SURF [1] (the Dutch university network operator) successfully operates much more complex digital infrastructure. So, going with a fully private infrastructure provider was a choice, not a necessity.
Using SURF would not be without precedent. The Greek government has been successfully using GRNET [2] (the Greek counterpart of SURF) for hosting and developing digital infrastructure.
[1] https://www.surf.nl/
[2] https://grnet.gr/en/government/
LinkedIn asked me for my ID to "verify"; I refused. If it ever becomes mandatory, I'll stop using it altogether.
You should stop using it anyway. LinkedIn is a hunting ground for threat actors [1], and unless your part-time job is producing corposlop on an industrial scale, it amounts to little more than recruiter spam.
[1] https://www.welivesecurity.com/en/social-media/linkedin-hunt...
DigiD is already something dangerous; trading hands is not gonna reduce the danger.
Going back to old school services is doable and safe, as long as governments are interested in the security of their citizens.