Nico A.N.M. van Eijk
Institute for Information Law (IViR)

Korte Spinhuissteeg 3
1012 CG Amsterdam
The Netherlands

room B2.05
tel: +31 20 - 525 39 31
fax: +31 20 - 525 30 33

Curriculum Vitae

Nico van Eijk is Professor of Media and Telecommunications Law and Director of the Institute for Information Law (IViR, Faculty of Law, University of Amsterdam). He studied Law at the University of Tilburg and received his doctorate on government interference with broadcasting in 1992 from the University of Amsterdam. He also works as an independent legal adviser. Among other things, he is the Chairman of the Dutch Federation for Media and Communications Law (Vereniging voor Media- en Communicatierecht, VMC), a member of the supervisory board of the Dutch public broadcasting organisation (NPO) and chairman of two committees of The Social and Economic Council of the Netherlands (SER).

(with A.M. Arnbak, H. Asghari & M. van Eeten) Security Collapse in the HTTPS Market, Communications of the ACM, 2014-10, p. 47-55.
Also published in: ACM Queue - Security, 2014-8, vol. 12.

Visual artist Willow Brugh, Axel's colleague at the Berkman Center at Harvard University, has made a mesmerizing vizthink animation as a teaser to the article:

HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents—such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed—have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations—notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale—have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.

To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become "too big to fail." Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.


(with M. van Eeten & M. Mueller) The Internet and the State: A Survey of Key Developments, Raad voor Maatschappelijke Ontwikkeling, Den Haag, 2014, 42 p.

This paper sets out to provide a concise overview of key developments in relation to Internet-based services that may have an impact on public policies and ultimately on the state itself. It is intended to support the Netherlands Council for Societal Development (Raad voor Maatschappelijke Ontwikkeling, RMO) in preparing its advisory report to the Dutch government on how to deal with the impact of the Internet on society and the state.


Mass surveillance: the Dutch state of denial, openDemocracy, 16 May 2014.


The proof of the pudding is in the eating, Internet Policy Review, 10 February 2014.


(with H. Asghari, M.J.G. van Eeten & A.M. Arnbak) Security Economics in the HTTPS Value Chain, paper peer-reviewed and presented at WEIS 2013, 3 June 2013.

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.


(with J.V.J. van Hoboken, A.M. Arnbak) Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad, draft paper presented at Privacy Law Scholars Conference 2013, 6-7 June, Berkeley, United States.

See also: Snowden saga reveals gaps in protection of European data, Financial Times, 29 July 2013, p. 2.


The Diginotar Case: Internet Security is No Abstract Matter, Computers & Law Magazine of SCL, 2013-6, p. 1-2.


Net Neutrality and Audiovisual Services? in: Routledge Handbook of Media Law (eds. M Price, S. Verhulst & L. Morgan), Routledge 2012, p. 523-538.
ISBN 978-0-415-68316-6.


(with J.V.J. van Hoboken, A.M. Arnbak and with the assistance of N.P.H. Kruijsen) Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act, November 2012.

Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a decrease of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. law and on the basis of Dutch law and international co-operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments.
The Patriot Act from 2001 has started to play a symbolic role in the public debate. It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes. In particular, the FISA Amendments Act provision for access to data of non-U.S. persons outside the U.S. enacted in 2008 deserves attention. The report describes this and other legal powers for the U.S. government to obtain data of non-U.S. persons located outside of the U.S. from cloud providers that fall under its jurisdiction. Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States and is not dependent on the location where the data are stored, as is often assumed. For non-U.S. persons located outside of the U.S., constitutional protection is not applicable and the statutory safeguards are minimal.
In the Netherlands and across the EU, government agencies have legal powers to obtain access to cloud data as well. These provisions can also be used to assist the U.S. government, when it does not have jurisdiction for instance, but they must stay within the constitutional safeguards set by national constitutions, the European Convention on Human Rights and the EU Charter.

This is the English translation of a report that was released in September 2012 in The Netherlands. It was covered extensively in Dutch newspapers, on Radio1 and the 8 PM news bulletin of public broadcaster NOS. Politicians across the spectrum reacted to the report, both directly in the media and through Parliamentary questions. Meanwhile, the State Secretary of Security and Justice responded to the Parliamentary questions on 15 October 2012. References can be found on the Institute for Information Law website. The report is also available on SSRN.

See also: Patriot Act can "obtain" data in Europe, researchers say, CBS News, 4 December 2012.


Duties of Care on the Internet?, in: Cyber Safety: an introduction, R. Leukfeldt & W. Stol (ed.), The Hague: Eleven International Publishing 2012, p. 267-279.
ISBN 9789490947750.


(with W. Benedek & J. Liddicoat) Comments relating to freedom of expression and freedom of association with regard to new generic top level domains, Comments submitted to the Governmental Advisory Committee (GAC) of the Internet Corporation for Assigned Names and Numbers, DG-I (2012) 4, 12 October 2012.


(with B. van der Sloot), Must-carry Regulation: A Must or a Burden?, IRIS plus, 2012-5, p. 7-23.

The first must-carry rules date back to 1990, the time when space on analogue broadcasting networks was limited and when supply grew quickly due to the introduction of private broadcasters. To ensure that channels of general interest would still be transmitted, countries introduced rules to regulate the scarcely available cable capacity. The major reason for introducing these must-carry rules was to guarantee access to public service broadcasting and ensure a diverse choice of programmes. The option in the European regulatory framework of reserving distribution capacity for selected channels is characterised by its technology-neutral formulation. A distinctive feature of these European rules is that must-carry obligations can only be imposed if the respective networks are the principal means of receiving radio and television channels for a significant number of end-users of these networks. In a market where users increasingly opt for using one provider for all their communication services, the question is justified whether - apart from technical restrictions - must-carry obligations should be linked to a quantitative criterion. In this article, insight is provided into the choices made by various European countries with respect to regulating must-carry obligations and how the general European framework is applicable to national regulations. A brief comparison is made with the situation in the United States, some conclusions are drawn and thoughts are provided on the future of must-carry obligations in Europe.


(with P. Nooren & A. Leurdijk) Net neutrality and the value chain for video, info, 2012-6, p. 45-58.

Video distribution over the Internet leads to heated net-neutrality related debates between network operators and Over-the-Top application providers. The purpose of this paper is to analyze this debate from a new perspective that takes into account all of the assets that companies try to exploit in the so-called battle for eyeballs in video distribution.


(with A.M. Arnbak) Certificate Authority Collapse: Regulating Systemic Vulnerabilities in the HTTPS Value Chain, Telecommunications Policy Research Conference, August 2012.

Paper also available through SSRN.

Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It appraises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. In the short term, specific regulatory measures to be considered throughout the value chain include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.


(with M. Keste and J. Poort) Valuing commercial radio licences, European Journal of Law and Economics, 2012.

Within the EU regulatory framework, licensees for commercial radio broadcasting may be charged a fee to ensure optimal allocation of scarce resources but not to maximize public revenues. While radio licence renewal occurs in many EU countries, an objective, model-based approach for setting licence fees has not been used so far. In this paper, it is described how such a fee can be determined for the purpose of licence renewal or extension. National and regional Dutch FM licences were valued, taking into account that simulcast broadcasting of digital and analogue radio is obligatory upon extension. Licences are valued using discounted cash flow methodology, whereby the cash flows of an averagely efficient entrant are taken as the benchmark for valuation of each individual licence. Cash flows during the licence period 2011–2017 are forecast based on generalized least squares regressions, using financial variables of Dutch radio stations for the years 2004–2008. Separately, bottom-up cost and investment models are used to calculate analogue and digital distribution costs. This results in a value per licence, based on objective licence characteristics, which can be used to set licence fees if administrative renewal or extension is opted for instead of a new auction or beauty contest.

For students and researchers, access to the article is available at the Springer database, through your own university library.


(with N. Helberger, L. Kool, A. van der Plas and B. van der Sloot) Online tracking: questioning the power of informed consent, info, 2012-5, p. 57-73.

The paper aims to report the main findings of a study for the Dutch Regulatory Authority for the Telecommunications sector OPTA to explore how the new European "cookie rules" in the ePrivacy Directive impact on behavioral advertising practices via the storing and reading of cookies. The paper identifies the main dilemmas with the implementation of the new European rules. The Dutch case provides a valuable reality check also outside The Netherlands. Even before the amendment of the directive, The Netherlands already had an opt-in system in place. From the Dutch experience important lessons can be learned also for other European countries.


(with J. Poort, I. Akker, B. van der Sloot & P. Rutten) Digitally binding: Examining the feasibility of charging a fixed price for e-books, Report commissioned by the Ministry of Education, Culture and Science (OC&W), Amsterdam, March 2012.

Legal price fixing for printed books in the Dutch and Frisian languages was introduced in the Netherlands in 2005. Publishers today are required to fix retail prices for new books and retailers are required to charge the prices set. Fixed prices are valid for an indefinite period, but publishers are permitted to adjust them after a period of six months and to discard the fixed price altogether after a year. The Resale Price Maintenance (Books) Act (Wet op de vaste boekenprijs) seeks to contribute towards a large and varied stock and wide geographic availability of books, as well as towards public participation (purchasing and reading habits). With the emergence of e-books, the question arises as to whether it would be possible and desirable to introduce legally enforced price fixing for digital books too. This study examines the feasibility and enforceability of resale price maintenance (RPM) for e-books and analyses the functionality in terms of the degree to which it contributes to pluralism and the broad availability of supply, the market structure of the book business and the diversity and availability of print books.

Originally published in Dutch as: Digitaal gebonden: Onderzoek naar de functionaliteit van een vaste prijs voor het e-boek.


(with J. Poort) Universal service and disabled people, Telecommunications Policy, 2012-36, p. 85-95.

The EU regulatory framework enacted 25 May 2011 has the objective to provide functionally equal access to telecommunications services for disabled persons. What are the rules, who are the target groups, and what obstacles do they face when using various telecommunication services? And what arrangements do exist in a selected group of six EU Member States to remove these obstacles? Recommendations include the introduction of a more market-oriented approach, independent of specific networks.


Net Neutrality and Audiovisual Services, IRIS Plus, 2011-5, p. 7-19.

This article is part of IRIS Plus 2011-5 "Why Discuss Network Neutrality?".
Article also available in French and German.


(with N. Helberger, L. Kool, A. van der Plas & B. van der Sloot) Online tracking: Questioning the power of informed consent, Paper prepared for ITS, 22nd European Regional ITS Conference Budapest, Hungary (18-21 September 2011).

(with B. van der Sloot) How Television went digital in the Netherlands, Mapping Digital Media: reference series no. 11, September 2011.


File Sharing, note written at the request of the European Parliament's Committee on Legal Affairs, 2011.


About Network Neutrality 1.0, 2.0, 3.0 and 4.0, Computers & Law Magazine, 2011-6.

Nico van Eijk puts network neutrality in context, predicts the future flow of debate on the topic and makes a series of telling observations on network neutrality dilemmas.

This article was translated into Russian for research purposes: О СЕТЕВОМ НЕЙТРАЛИТЕТЕ 1.0, 2.0, 3.0 И 4.0.


(with T.M. van Engers (Leibniz Center for Law), C. Wiersma, C.A. Jasserand and W. Abel) Moving Towards Balance: A study into duties of care on the Internet, WODC / University of Amsterdam, 2010, 125 p.

Commissioned by the WODC (Research and Documentation Centre of the Ministry of Security and Justice), research has been conducted on duties of care on the Internet, more specifically from the perspective of Internet service providers. The situation in four countries - the Netherlands, the UK, Germany and France - was researched. The (self-)regulation with respect to five separate themes (Internet security and safety, child pornography, copyright, identity fraud and the trade in stolen goods through Internet platforms) was identified. In addition to this, a significant number of interviews with stakeholders were conducted.


(with J. Poort and P. Rutten) Legal, Economic and Cultural Aspects of File Sharing, Communications & Strategies, 2010-77, p. 35-54.

This contribution seeks to identify the short and long-term economic and cultural effects of file sharing on music, films and games, while taking into account the legal context and policy developments. The short-term implications examined concern direct costs and benefits to society, whereas the long-term impact concerns changes in the industry's business models as well as in cultural diversity and the accessibility of content. It observes that the proliferation of digital distribution networks combined with the availability of digital technology among consumers has broken the entertainment industries' control over the access to their products. Only part of the decline in music sales can be attributed to file sharing. Despite the losses for the music industry, the increased accessibility of culture renders the overall welfare effects of file sharing robustly positive. As a consequence the entertainment industries, particularly the music industry, have to explore new models to sustain their business.


(with N. Helberger, L. Guibault, E.H. Janssen, C.J. Angelopoulos, J.V.J. van Hoboken, E. Swart, et al.) User-Created-Content: Supporting a participative Information Society, Final Report, Study carried out for the European Commission by IDATE, TNO and IViR, 2008.


Search Engines, the New bottleneck for Content Access, in: B. Preissl, J. Haucap & P. Curwen (eds.), Telecommunication Markets, Drivers and Impediments, London: Springer, 2009, p. 141-157.

The core function of a search engine is to make content and sources of information easily accessible (although the search results themselves may actually include parts of the underlying information). In an environment with unlimited amounts of information available on open platforms such as the internet, the availability or accessibility of content is no longer a major issue. The real question is how to find the information. Search engines are becoming the most important gateway used to find content: research shows that the average user considers them to be the most important intermediary in their search for content. They also believe that search engines are reliable. The high social impact of search engines is now evident. This contribution discusses the functionality of search engines and their underlying business model - which is changing to include the aggregation of content as well as access to it, hence making search engines a new player on the content market. The biased structure of and manipulation by search engines is also explored. The regulatory environment is assessed - at present, search engines largely fall outside the scope of (tele)communications regulation - and possible remedies are proposed.


A Converged Regulatory Model for Search Engines?, Magazine of the Society for Computers and Law, 2009-6, p. 1-3.


(with A. Huygen, N. Helberger et al) Ups and downs. Economic and cultural effects of file sharing on music, film and games (authorised translation), a study by TNO Information and Communication Technology, SEO Economic Research and the Institute for Information Law, commissioned by the Dutch Ministries of Education, Culture and Science, Economic Affairs and Justice, February 2009.


Search Engines, the new bottleneck for content access, Paper presented at the International Telecommunications Society 19th European Regional Conference, 2-5 September 2007, Istanbul, Turkey.


The modernisation of the European Television without Frontiers Directive: unnecessary regulation and the introduction of internet governance, (draft) paper presented at the International Telecommunications Society 19th European Regional Conference, 2-5 September 2007, Istanbul, Turkey.

Critical analysis of the proposed Audiovisual Media Services Directive (AVMS).


(with K. Maniadaki) Institutional Aspects of Internet Governance, in: C. Moeller & A. Amouroux (eds.), Governing the Internet - Freedom and Regulation in the OSCE Region, Vienna: OSCE Representative on Freedom of the Media, 2007, p. 67-87.


Search engines: Seek and ye shall find? The position of search engines in law, IRIS plus (Supplement to IRIS - Legal observations of the European Audiovisual Observatory), 2006-2.


Public Service Broadcasting and State Aid, paper presented at the EPRA-conference (European Platform of Regulatory Authorities), 19-21 October 2005, Budapest.

See also the slides.

Published 10.11.2005

Universal Service, a new look at an old concept: broadband access as a universal service. This paper was presented at the 15th Biennial Conference of the International Telecommunication Society/Berlin, 5-7 September 2004.

Published 14.09.2004

Regulating old values in the Digital Age. Contribution to the OSCE-conference 'Guaranteeing Media Freedom in the Internet', 27/28 August 2004, Amsterdam.

Published 31.08.2004

Study on the use of conditional access systems for reasons other than the protection of remuneration, to examine the legal and the economic implications within the Internal Market and the need of introducing specific legal protection, Report presented to the European Commission by N. Helberger, N.A.N.M. van Eijk & P.B. Hugenholtz.

The study offers an analysis of the use of conditional access systems for other reasons than the protection of remuneration interests. The report also examines the need to provide for additional legal protection by means of a Community initiative, such as a possible extension of the Conditional Access Directive. The report will give a legal and economic analysis of the most important non-remuneration reasons to use conditional access (CA), examine whether services based on conditional access for these reasons are endangered by piracy activities, to what extent existing legislation in the Member States provides for sufficient protection, and what the possible impact of the use of conditional access is on the Internal Market. Furthermore, the study analyses the specific legislation outside the European Union, notably in Australia, Canada, Japan and the US, as well as the relevant international rules at the level of the EC, WIPO and the Council of Europe.

Published 06.08.2001

Broadband Services and Local Loop Unbundling in the Netherlands, IEEE Communications Magazine October 1999, p. 2-5.

The article describes the availability of broadband services in the Netherlands. This particularly concerns broadband services for the consumer/end user such as access to Internet.

Published 26.01.2000

Cable television networks in Europe, in: Santiago Muñoz Machado/Rafael de Lorenzo (eds.), Derecho Europea del audiovisual, actas del congreso organizado por la asociación europea de derecho del audiovisual, Madrid/Sevilla: 1997, p. 1073-1079.

The European Commission adopted in October 1995 a directive to allow the carriage of all liberalised telecommunications services on cable TV networks as from 1 January 1996. By adopting this directive, the European Commission aims to foster competition and new initiatives in the telecommunications field. This article addresses the enforcement and content of the Commission's directive.

Published 08.04.1998

Updated 10.10.2014