Staff

Axel M. Arnbak
PhD-candidate
 
Instituut voor
Informatierecht (IViR)

Visiting address
Korte Spinhuissteeg 3
1012 CG Amsterdam

Postal address
Kloveniersburgwal 48
1012 CX Amsterdam
 
room B2.19

tel: +31 20 525 33 04

fax: +31 20 - 525 30 33




PGP Key 31FBA62B

Twitter:
@axelarnbak

 

 


Curriculum Vitae
Axel Arnbak is a Ph.D. candidate at the Institute for Information Law. His research will focus on the regulatory aspects of cybersecurity.

Obtaining his LL.M. degree from IViR in 2009, he was awarded the internet law oriented Internet Thesis Award 2009 and general University of Amsterdam Thesis Award 2010 for his Master's thesis on the fundamental rights aspects of the EU Data Retention Directive and its Dutch implementation.

Upon graduation, Axel joined Bits of Freedom, the Dutch digital rights organization that had resumed its activities just before. Until mid-August 2011, Axel was responsible for privacy advocacy and worked on both a national and European level.

Axel received his LL.B. degree from Leiden University (2007), interned at law firm Brinkhof (2008), studied Competitive Strategy and Game Theory at the London School of Economics (2009) and chaired the VeerStichting foundation (2005-2006). Along with his full-time affiliation at IViR, he is a member of the supervisory board at the Stichting Admiraal van Kinsbergenfonds (not compensated).


Publications
(with J.V.J. van Hoboken, N.A.N.M. van Eijk and with the assistance of N.P.H. Kruijsen) Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act, November 2012.

Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a decrease of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. law and on the basis of Dutch law and international co-operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments.
The Patriot Act from 2001 has started to play a symbolic role in the public debate. It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes. In particular, the FISA Amendments Act provision for access to data of non-U.S. persons outside the U.S. enacted in 2008 deserves attention. The report describes this and other legal powers for the U.S. government to obtain data of non-U.S. persons located outside of the U.S. from cloud providers that fall under its jurisdiction. Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States and is not dependent on the location where the data are stored, as is often assumed. For non-U.S. persons located outside of the U.S., constitutional protection is not applicable and the statutory safeguards are minimal.
In the Netherlands and across the EU, government agencies have legal powers to obtain access to cloud data as well. These provisions can also be used to assist the U.S. government, when it does not have jurisdiction for instance, but they must stay within the constitutional safeguards set by national constitutions, the European Convention on Human Rights and the EU Charter.

This is the English translation of a report that was released in September 2012 in The Netherlands. It was covered extensively in Dutch newspapers, on Radio1 and the 8 PM news bulletin of public broadcaster NOS. Politicians across the spectrum reacted to the report, both directly in the media and through Parliamentary questions. Meanwhile, the State Secretary of Security and Justice responded to the Parliamentary questions on 15 October 2012. References can be found on the Institute for Information Law website. The report is also available on SSRN.

See also:

  • Patriot Act can "obtain" data in Europe, researchers say, CBS News, 4 December 2012;
  • Im Bann des amerikanischen Schnüffelwahns, Süddeutsche, 10 January 2013.

29.11.2012


(with N.A.N.M. van Eijk) Certificate Authority Collapse: Regulating Systemic Vulnerabilities in the HTTPS Value Chain, Telecommunications Policy Research Conference, August 2012.

Paper also available through SSRN.

Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It appraises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. In the short term, specific regulatory measures to be considered throughout the value chain include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.

See also:

  • 29C3: "Das SSL-System ist grundlegend defekt - und jemand muss es reparieren", Heise Online, 28 December 2012.

07.09.2012


(in Dutch) Annotatie bij Rb. 's-Gravenhage 11 januari 2012 (Brein / Ziggo & XS4ALL), AMI, 2012-3, p. 119-131.

15.06.2012


What the European Commission owes 500 million Europeans, speech delivered on 3 December 2010 at the conference "Taking on the Data Retention Directive", organised by the European Commission.

Part of this speech is also published in Privacy & Informatie, nr. 6, 2010, p. 305.

13.12.2011


Updated 17.01.2013