Axel Arnbak


Mr. A.M. Arnbak (Axel)

Researcher

Room: B 1.17

T +31(0)20 - 525 3921

E a.m.arnbak@uva.nl

Axel Arnbak is a cybersecurity and information law researcher at the Institute for Information Law (IViR) and the Berkman Center at Harvard University. His doctoral research concerns communications security governance. In 2013-14, Axel was a resident Research Fellow at the Berkman Center and at the Center for Information Technology Policy at Princeton University. His publications have led to parliamentary debates at the European and Dutch level and are frequently cited in national and international media. For his master's thesis on European and Dutch data retention legislation, Axel won the Internet Scriptieprijs 2009 and the UvA-scriptieprijs 2010. After graduating, Axel joined the then newly re-established digital civil rights movement Bits of Freedom.

Axel is a columnist for Het Financieele Dagblad, blogs at Freedom to Tinker and regularly gives lectures on technology, law and society. His English page contains more information.

Publications

  • Column in Het Financieele Dagblad of 22 April 2015.

    28.04.2015

  • Column in Het Financieele Dagblad of 25 March 2015.

    01.04.2015

  • Column in Het Financieele Dagblad of 25 February 2015.

    01.04.2015

  • Column in Het Financieele Dagblad of 28 January 2015.

    01.04.2015

  • Column in Het Financieele Dagblad of 31 December 2014.

    08.01.2015

  • Today, the vulnerable state of electronic communications security dominates headlines across the globe, while surveillance, money and power increasingly permeate the “cybersecurity” policy arena. With the stakes so high, how should communications security be regulated?
    Deirdre Mulligan (UC Berkeley), Ashkan Soltani (independent, Washington Post), Ian Brown (Oxford) and Michel van Eeten (TU Delft) weighed in on this proposition at an expert panel on my doctoral project at the Amsterdam Information Influx conference.

    09.12.2014

  • Column of 25 November 2014.

    25.11.2014

  • Column, 28 October 2014.

    06.11.2014

  • Draft paper prepared for IViR/Berkman Roundtable - 18 April 2014 - Last update July 28, 2014.

    This descriptive legal analysis maps and evaluates a four-decade legacy of communications security conceptualizations in E.U. law and policy, including four legislative proposals launched in 2013. As the first comprehensive historical analysis of its kind, the paper forwards a range of new scientific contributions at a time when secure electronic communications are of historically unparalleled societal, economic and political relevance. Five communications security policy cycles are identified, and their ‘security’ definitions and scope are described. These cycles are: network and information security, data protection, telecommunications, encryption and cybercrime. An evaluation of the current E.U. ‘security’ conceptualizations illuminates the underlying values at stake and the protection offered in current regulations, and leads to the formulation of six research themes and an agenda for computer science, political theory and legal research. Despite constitutional values at stake such as privacy and communications freedom, and despite a robust computer science literature, the paper observes a deep lack of conceptual clarity and coherence in E.U. security policymaking. It then concludes that the observed conceptual ambiguity has allowed powerful stakeholders to capture, or paint, E.U. network and information security policies in any colour they like.

    14.10.2014

  • Column, 30 September 2014.

    10.10.2014

  • Security Collapse in the HTTPS Market. Mr. A.M. Arnbak, Prof. dr. N.A.N.M. van Eijk, H. Asghari, M. van Eeten

    Communications of the ACM, 2014-10, p. 47-55.

    Also published in: ACM Queue - Security, 2014-8, vol. 12.

    HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents—such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed—have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations—notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale—have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.

    To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become "too big to fail." Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.

    10.10.2014

  • Column, 29 August 2014.

    10.10.2014

  • Interview, 11 August 2014.

    10.10.2014

  • Forthcoming in Michigan Telecommunications & Technology Law Review, May 2015.
    Presented at the Privacy Enhancing Technologies Symposium, July 2014, Amsterdam.

    See also:
    Legal loopholes could allow wider NSA surveillance, researchers say, CBS news, 30 June 2014.
    “Loopholes for Circumventing the Constitution”, the NSA Statement, and Our Response, Freedom to Tinker, 11 July 2014.

    We reveal interdependent legal and technical loopholes that the U.S. intelligence community could use to circumvent constitutional and statutory safeguards for Americans. These loopholes involve the collection of Internet traffic on foreign territory, and leave Americans as unprotected as foreigners under current U.S. surveillance laws. We also describe how modern Internet protocols can be manipulated to deliberately divert Americans' traffic abroad, where traffic can then be collected under a more permissive legal regime (Executive Order 12333) that is overseen solely by the Executive branch of the U.S. government. While the media has reported on some of the techniques we describe, we cannot establish the extent to which these loopholes are exploited in practice.

    An actionable short-term remedy to these loopholes involves updating the antiquated legal definition of "electronic surveillance" in the Foreign Intelligence Surveillance Act (FISA), which has remained largely intact since 1978. In the long term, however, a fundamental reconsideration of established principles in U.S. surveillance law is required, since these loopholes cannot be closed by technology alone. Legal issues that require reconsideration include: the determination of applicable law by the geographical point of collection of network traffic; the lack of general constitutional or statutory protection for network traffic collection before users are "intentionally targeted"; and the fact that constitutional protection under the Fourth Amendment is limited to "U.S. persons" only. The combination of these three principles means that Americans remain highly vulnerable to bulk surveillance when the U.S. intelligence community collects their network traffic abroad.

    08.07.2014

  • 20 May 2014.

    20.05.2014

  • 9 Problems of Government Hacking: Why IT-Systems Deserve Constitutional Protection. Mr. A.M. Arnbak

    20.02.2014

  • ECHR Fast-Tracks Court Case on PRISM and TEMPORA (and VERYANGRYBIRDS?). Mr. A.M. Arnbak

    29.01.2014

  • The Politics of the EU Court Data Retention Opinion: End to Mass Surveillance? Mr. A.M. Arnbak

    13.12.2013

  • Column delivered at the Big Brother Awards 2013, 29 August 2013.

    30.08.2013

  • Opinion piece

    06.08.2013

  • Paper peer-reviewed and presented at WEIS 2013, 3 June 2013.

    Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

    11.07.2013

  • Speech at the E.U. Mission to the U.S. delivered before the JHA/HR/Political Counselors meeting, Washington D.C., 10 June 2013.

    27.06.2013

  • Vaste Commissie Binnenlandse Zaken (Standing Committee on the Interior), 26 June 2013.

    25.06.2013

  • Draft paper presented at Privacy Law Scholars Conference 2013, 6-7 June, Berkeley, United States. See also: Snowden saga reveals gap in protection of European data, Financial Times, 29 July 2013, p. 2. http://www.ivir.nl/publications/arnbak/Snowden_saga_FT.pdf

    11.06.2013

  • This is the English translation of a report that was released in September 2012 in the Netherlands. It was covered extensively in Dutch newspapers, on Radio 1 and in the 8 PM news bulletin of public broadcaster NOS. Politicians across the spectrum reacted to the report, both directly in the media and through parliamentary questions. Meanwhile, the State Secretary of Security and Justice has responded to the parliamentary questions on 15 October 2012. References can be found on the Institute for Information Law website. The report is also available on SSRN: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2181534
    See also:
    Patriot Act can "obtain" data in Europe, researchers say, CBS News, 4 December 2012: http://www.cbsnews.com/8301-205_162-57556674/patriot-act-can-obtain-data-in-europe-researchers-say/
    Im Bann des amerikanischen Schnüffelwahns, Süddeutsche, 10 January 2013: http://www.sueddeutsche.de/digital/datenschutz-in-europa-im-bann-des-amerikanischen-schnueffelwahns-1.1569846

    Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a loss of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. law and on the basis of Dutch law and international co-operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the ability to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments. The Patriot Act of 2001 has started to play a symbolic role in the public debate. It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes. In particular, the FISA Amendments Act provision for access to data of non-U.S. persons outside the U.S., enacted in 2008, deserves attention. The report describes this and other legal powers for the U.S. government to obtain data of non-U.S. persons located outside of the U.S. from cloud providers that fall under its jurisdiction. Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States, and is not dependent on the location where the data are stored, as is often assumed. For non-U.S. persons located outside of the U.S., constitutional protection is not applicable and the statutory safeguards are minimal. In the Netherlands and across the EU, government agencies have legal powers to obtain access to cloud data as well. These provisions can also be used to assist the U.S. government, for instance when it does not have jurisdiction, but they must stay within the constitutional safeguards set by national constitutions, the European Convention on Human Rights and the EU Charter.

    29.11.2012

  • Report commissioned by SURF, September 2012.

    See also:

    Press release by SURF; http://www.surfsites.nl/cloud/nieuws/343-persbericht-rapport-ivir-op-verzoek-van-surf-biedt-inzicht-in-rol-patriot-act-bij-gebruik-cloud-computing/

    Toezicht op gegevens in een cloud is hard nodig (Oversight of data in the cloud is badly needed), NOS Journaal, Saturday 13 October 2012; http://nos.nl/video/429087-toezicht-op-gegevens-in-een-cloud-is-hard-nodig.html

    Cyberaanvallen nieuwe vorm van politieke acties (Cyber attacks a new form of political action), Joris van Hoboken on Radio 1, Saturday 13 October 2012; http://nos.nl/audio/428899-cyberaanvallen-nieuwe-vorm-van-politieke-acties.html

    Response by Jeanine Hennis-Plasschaert, Radio 1, Saturday 13 October 2012; http://nos.nl/audio/428908-vs-heeft-toegang-tot-cloudgegevens.html

    Parliamentary questions by the SP; https://zoek.officielebekendmakingen.nl/kv-tk-2012Z17456.html

    Answer by State Secretary Teeven to the SP's questions; https://zoek.officielebekendmakingen.nl/ah-tk-20122013-535.html

    Onrust patiëntendossier neemt toe (Unrest over patient records grows), NOS website, 30 November 2012; http://nos.nl/artikel/446339-onrust-patientendossier-neemt-toe.html

    VS kan toegang tot EPD krijgen (U.S. can gain access to electronic patient records), NOS Journaal video, 30 November 2012; http://nos.nl/video/446392-vs-kan-toegang-tot-epd-krijgen.html

    'De vraag is of VS medisch geheim Nederland zal respecteren' (The question is whether the U.S. will respect Dutch medical confidentiality), NOS Journaal, 30 November 2012: http://nos.nl/video/446511-de-vraag-is-of-vs-medisch-geheim-nederland-zal-respecteren.html

    Institutions and users are moving to the cloud en masse, and as a result the overview of and control over government access to our data is diminishing. This has important consequences for privacy and for other fundamental interests in the confidentiality of information. Much has been said recently about the Patriot Act, but nobody has a clear view of the U.S. legislation that gives the U.S. the ability to access data in the cloud. This report by the IViR, commissioned by SURFdirect, answers these important questions. The U.S. Constitution and the specific statutes protect foreigners to a lesser degree than Americans. Cloud data of non-Americans abroad can therefore be requested faster and more easily than that of Americans, and without legal safeguards such as transparency about the number of requests and legal protection for the individual. In addition, the public debate is dominated by persistent misconceptions and an excessive focus on the Patriot Act. There is a much larger body of legislation at play. For requests by U.S. authorities, it does not matter where in the world cloud data is stored. Nor does the provider need to be a U.S. cloud provider. If a Dutch cloud provider conducts systematic business in the U.S., U.S. laws and regulations in principle already give U.S. authorities the ability to request data from the Netherlands. For customers of cloud services, such relationships will in practice be hard to discover, and acquisitions in the sector can suddenly change the situation.

    12.09.2012

  • Telecommunications Policy Research Conference, August 2012. See also: 29C3: "Das SSL-System ist grundlegend defekt - und jemand muss es reparieren" (The SSL system is fundamentally broken, and someone has to fix it), Heise Online, 28 December 2012; Onderzoeker zet vraagtekens bij Europese https-regels (Researcher questions European HTTPS rules), Tweakers.net, 29 December 2012.

    Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis, and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It appraises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. In the short term, specific regulatory measures to be considered throughout the value chain include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.

    07.09.2012

  • Case note on Rb. 's-Gravenhage 11 January 2012 (Brein / Ziggo & XS4ALL). Mr. A.M. Arnbak

    AMI, 2012-3, p. 119-131

    15.06.2012

  • Speech delivered on 3 December 2010 at the conference "Taking on the Data Retention Directive", organised by the European Commission. Part of this speech was also published in Privacy & Informatie, 2010-6, p. 305.

    13.12.2011

  • Master's thesis, Information Law

    13.12.2011

More publications