A lot of Dutch government and government-adjacent services run on Microsoft Azure as well. Which is not the same level of concern, but it does mean the US government has access to that data.
Now someone needs to convince the German government too. For some reason Merz says one thing but then acts in an orthogonal, US-serving manner. People in Germany have started to notice this too. Something is not working here for Merz - there is a disconnect between what he says and what he does.
"The deal must be blocked if there are no legal guarantees that Dutch data cannot be accessed in the U.S."
This would be a very mild response, given that the Dutch government recently attempted to take control of chipmaker Nexperia [1], where much less was at stake.
Even if guarantees are given, who is going to enforce them against an order coming from the US government?
I wonder how the data in Danish MitId is managed and stored. The thing is used for everything here, from doing taxes to buying real estate to getting a library card.
Waiting for the first government to realize that they can't win cyber security war because it's too costly, and just switch back to analog ID.
Solvinity (now acquired by Kyndryl) owns and runs a lot of the underlying infrastructure of DigiD, but the application itself and the day-to-day operations are handled by an autonomous body of the government (Logius). DigiD is mainly about translating authentication factors into a social security number (BSN) for authentication to other public institutions.
That allows Logius to pretend it's not much of a problem, and Solvinity maintains (in an unusually sharp and on-point interview) that all data is "encrypted" [1], without mentioning who possesses the keys or whether encryption is relevant at all. They go on to say that they consider the scenario of the US shutting down DigiD "very hypothetical", that they will follow Dutch law and that they have a strong supervisory board (as if that would matter).
Logius also operates MijnOverheid, which collates very sensitive information about all citizens from most government agencies and also relies on Solvinity infrastructure.
The infrastructure that Solvinity maintains goes far beyond servers, as they've concocted themselves an unholy procurement mess with their PICARD / LPC solution (Logius Private Cloud). They were advised multiple times over multiple years by the main advisory body on IT of The Netherlands (AcICT) not to do it in this way and KISS, but then did it anyway.
The intent of structuring it in this way was that it would be easier to switch infrastructure providers, but the outcome is the exact opposite: there is now a non-standard "integration layer" that would need to be rebuilt. Which is exactly what AcICT warned about from the beginning.
You can find a diagram of the responsibilities on both the Solvinity and Logius side on the last page of [2] (in Dutch).
The wild thing is that Logius also owns and maintains "Standaard Platform" [3], which is a very neat and standard Kubernetes environment, but they declined to use this for DigiD and MijnOverheid because they didn't deem it secure enough, and instead of securing their Kubernetes deployment, they went on with PICARD / LPC.
Logius is an autonomous body of the Ministry of the Interior (BZK), but they appear to have completely lost control over setting any policy and now mainly walk from crisis to crisis because any opening on their "SAFe train" is years away.
[1] https://www.nrc.nl/nieuws/2025/12/03/baas-van-solvinity-prob...
[2] https://www.adviescollegeicttoetsing.nl/site/binaries/site-c...
[3] https://www.logius.nl/onze-dienstverlening/infrastructuur/st...
The US CLOUD Act mandates American companies to provide data to US authorities, even when stored abroad.
Whoever gives US Big Tech access to their digital infrastructure is a foreign spy and should be jailed.
LinkedIn asked me for my ID to "verify". I refused; if it ever becomes mandatory, I'll stop using it altogether.
Creating a database of their citizens using a private company has opened up exactly the kind of privacy problems that anyone on here could have expected. Maybe they should just use GDPR to delete the data before it’s exfiltrated?
DigiD is already something dangerous, trading hands is not gonna reduce the danger.
Going back to old school services is doable and safe as long as governments are interested in the security of citizens.
Context: DigiD is the Dutch national infrastructure for authenticating to government (and semi-government) services. It's used for anything from doing taxes to checking the status of your pension.
The company that basically runs it for the government is being sold to an American investment company, which brings with it obvious national security risks.