Korte Spinhuissteeg 3
1012 CG Amsterdam
1012 CX Amsterdam
+31 20 525 33 04
+31 20 - 525 30 33
Axel Arnbak is a cybersecurity and
information law researcher at the Institute for
Information Law, University of Amsterdam. He also
conducts a Ph.D. project on
communications security governance. In the academic
year of 2013-2014, Axel will visit the U.S. on
fellowships at the Berkman Center at Harvard University
and CITP at Princeton University.
As of September 2013, Axel has
published on HTTPS/TLS governance, cloud surveillance by
intelligence agencies, communications security
conceptualizations and mandatory blocking of The Pirate
Bay. His publications have spurred several parliamentary
debates on the European and Dutch level; recently on
internet surveillance by intelligence agencies on both
sides of the Atlantic. His work has been covered by a
wide range of (inter)national media outlets, a.o. the
Financial Times, CBS News, RT, the Hindu Times and the
Wall Street Journal.
Axel was awarded the Internet Thesis
Award 2009 and general University of Amsterdam Thesis
Award 2010 for his Master's thesis on the fundamental
rights aspects of the EU Data Retention Directive and
its Dutch implementation.
Upon obtaining his LL.M. in 2009,
Axel became part of the core team that re-founded
Bits of Freedom, the Dutch digital rights
organization. Until mid August 2011, Axel was
responsible for its privacy advocacy and worked on a
full-time basis on both a national and European level
(under the flag of European Digital Rights). He helped
drafting the first net neutrality law in Europe,
stopping mandatory website blocking in The Netherlands
and stopped the Dutch government from storing all
financial information of all its citizens in a national
database for law enforcement purposes.
Axel received his LL.B. degree from
Leiden University (2007), a Competitive Strategy and
Game Theory degree from the London School of Economics
(2009) and chaired the VeerStichting foundation
(2005-2006). He is a member of the supervisory board at
the Stichting Admiraal van Kinsbergenfonds (not
See also his blogposts at
Freedom to Tinker.
(with S. Goldberg)
Loopholes for Circumventing the Constitution:
Warrantless Bulk Surveillance on Americans by Collecting
Network Traffic Abroad, Working Paper, presented at the
Privacy Enhancing Technologies Symposium 2014.
multi-disciplinary paper, we reveal interdependent
legal and technical loopholes that intelligence
agencies of the U.S. government could use to
circumvent constitutional and statutory safeguards
for U.S. persons. We outline known and new
circumvention techniques that can leave the Internet
traffic of Americans as vulnerable to surveillance,
and as unprotected by U.S. law, as the Internet
traffic of foreigners.
Nederland als internetdokter tussen cybergrootmachten:
Faciliteer een veilige en vrije IT-infrastructuur
passend bij onze structurele culturele, economische en
politieke belangen, Het Financieele Dagblad, 20
9 Problems of Government
Hacking: Why IT-Systems Deserve Constitutional
Protection, 20 February 2014.
ECHR Fasy-tracks Court
Case on PRISM and TEMPORA (and VERYANGRYBIRDS?), 29
The Politics of the EU
Court Data Retention Opinion: End to Mass Surveillance?,
13 December 2013.
(met H. Asghari, M.J.G. van Eeten &
N.A.N.M. van Eijk)
Security Economics in the HTTPS Value Chain,
paper peer-reviewed and presented at WEIS 2013, 3 June 2013.
Even though we
increasingly rely on HTTPS to secure Internet
communications, several landmark incidents in recent
years have illustrated that its security is deeply
flawed. We present an extensive multi-disciplinary
analysis that examines how the systemic
vulnerabilities of the HTTPS authentication model
could be addressed. We conceptualize the security
issues from the perspective of the HTTPS value
chain. We then discuss the breaches at several
Certificate Authorities (CAs). Next, we explore the
security incentives of CAs via the empirical
analysis of the market for SSL certificates, based
on the SSL Observatory dataset. This uncovers a
surprising pattern: there is no race to the bottom.
Rather, we find a highly concentrated market with
very large price differences among suppliers and
limited price competition. We explain this pattern
and explore what it tells us about the security
incentives of CAs, including how market leaders seem
to benefit from the status quo. In light of these
findings, we look at regulatory and technical
proposals to address the systemic vulnerabilities in
the HTTPS value chain, in particular the EU
eSignatures proposal that seeks to strictly regulate
PRISM: 'Obscured by Clouds or the Dark Side of the
Moon?: How to Address Governmental Access to Cloud Data
from Abroad, Speech at the E.U. Mission to the U.S.
delivered before the JHA/HR/Political Counselors
meeting, Washington D.C., 10 June 2013.
(with J.V.J. van Hoboken,
N.A.N.M. van Eijk)
Obscured by Clouds or How to Address Governmental Access
to Cloud Data From Abroad, draft paper presented at
Privacy Law Scholars Conference 2013, 6-7 June,
Berkeley, United States.
Snowden saga reveals gaps in protection of European data,
Financial Times, 29 July 2013, p. 2.
(with J.V.J. van Hoboken,
N.A.N.M. van Eijk and
the assistance of N.P.H. Kruijsen,
Cloud Computing in Higher Education and Research
Institutions and the USA Patriot Act, November 2012.
Institutions have started to move
their data and ICT operations into the cloud. It is
becoming clear that this is leading to a decrease of
overview and control over government access to data
for law enforcement and national security purposes.
This report looks at the possibilities for the U.S.
government to obtain access to information in the
cloud from Dutch institutions on the basis of U.S.
law and on the basis of Dutch law and international
co-operation. It concludes that the U.S. legal state
of affairs implies that the transition towards the
cloud has important negative consequences for the
possibility to manage information confidentiality,
information security and the privacy of European end
users in relation to foreign governments.
The Patriot Act from 2001 has started to play a
symbolic role in the public debate. It is one
important element in a larger, complex and dynamic
legal framework for access to data for law
enforcement and national security purposes. In
particular, the FISA Amendments Act provision for
access to data of non-U.S. persons outside the U.S.
enacted in 2008 deserves attention. The report
describes this and other legal powers for the U.S.
government to obtain data of non-U.S. persons
located outside of the U.S. from cloud providers
that fall under its jurisdiction. Such jurisdiction
applies widely, namely to cloud services that
conduct systematic business in the United States and
is not dependent on the location where the data are
stored, as is often assumed. For non-U.S. persons
located outside of the U.S., constitutional
protection is not applicable and the statutory
safeguards are minimal.
In the Netherlands and across the EU, government
agencies have legal powers to obtain access to cloud
data as well. These provisions can also be be used
to assist the U.S. government, when it does not have
jurisdiction for instance, but they must stay within
the constitutional safeguards set by national
constitutions, the European Convention on Human
Rights and the EU Charter.
This is the English translation of a
report that was released in September 2012 in The
Netherlands. It was covered extensively in Dutch
newspapers, on Radio1 and the 8 PM news bulletin of
public broadcaster NOS. Politicians across the spectrum
reacted on the report, both directly in the media and
through Parliamentary questions. Meanwhile, the State
Secretary of Security and Justice has responded to the
Parliamentary questions on 15 October 2012. References
can be found on the Institute for Information Law
website. The report is also available on
(with N.A.N.M. van Eijk)
Certificate Authority Collapse: Regulating Systemic
Vulnerabilities in the HTTPS Value Chain,
Telecommunications Policy Research Conference, August
Recent breaches and
malpractices at several Certificate Authorities (CA’s)
have led to a global collapse of trust in these central
mediators of Hypertext Transfer Protocol Secure (HTTPS)
communications. Given our dependence on secure web
browsing, the security of HTTPS has become a top
priority in telecommunications policy. In June 2012, the
European Commission proposed a new Regulation on
eSignatures. As the HTTPS ecosystem is by and large
unregulated across the world, the proposal presents a
paradigm shift in the governance of HTTPS. This paper
examines if, and if so, how the European regulatory
framework should legitimately address the systemic
vulnerabilities of the HTTPS ecosystem. To this end, the
HTTPS authentication model is conceptualised using
actor-based value chain analysis and the systemic
vulnerabilities of the HTTPs ecosystem are described
through the lens of several landmark breaches. The paper
explores the rationales for regulatory intervention,
discusses the proposed EU eSignatures Regulation and
ultimately develops a conceptual framework for HTTPS
governance. It apprises the incentive structure of the
entire HTTPS authentication value chain, untangles the
concept of information security and connects its
balancing of public and private interests to underlying
values, in particular constitutional rights such as
privacy, communications secrecy and freedom of
expression. On the short term, specific regulatory
measures to be considered throughout the value chain
includes proportional liability provisions, meaningful
security breach notifications and internal security
requirements, but both legitimacy and effectiveness will
depend on the exact wording of the regulatory
provisions. The EU eSignatures proposal falls short on
many of these aspects. In the long term, a robust
technical and policy overhaul is needed to address the
systemic weaknesses of HTTPS, as each CA is a single
point of failure for the security of the entire
Annotatie bij Rb. 's-Gravenhage 11 januari 2012 (Brein /
Ziggo & XS4ALL), AMI, 2012-3, p. 119-131.
What the European Commission owes 500 million Europeans,
speech delivered on 3 December 2010 at the conference "Taking on the Data Retention Directive",
organised by the European Commission.
Part of this
speech is also published in Privacy & Informatie, nr. 6, 2010, p. 305.