Nico van Eijk is
Professor of Media and Telecommunications Law and
Director of the Institute for Information Law (IViR,
Faculty of Law, University of Amsterdam). He studied Law
at the University of Tilburg and received his doctorate
on government interference with broadcasting in 1992
from the University of Amsterdam. He also works as an
independent legal adviser. Among other things, he is the
Chairman of the Dutch Federation for Media and
Communications Law (Vereniging voor Media- en
Communicatierecht, VMC), a member of the supervisory
board of the Dutch public broadcasting organisation (NPO)
and chairman of two committees of The Social and
Economic Council of the Netherlands (SER).
(with A.M. Arnbak,
M. van Eeten)
Security Collapse in the HTTPS Market,
the ACM, 2014-10, p. 47-55.
Also published in:
ACM Queue - Security, 2014-8, vol. 12.
Visual artist Willow Brugh, Axel's colleague at the Berkman
Center at Harvard University, has made a mesmerizing vizthink
animation as a teaser to the article:
HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de
facto standard for secure Web browsing. However, widely reported
security incidents—such as DigiNotar's breach, Apple's
#gotofail, and OpenSSL's Heartbleed—have exposed systemic
security vulnerabilities of HTTPS to a global audience. The
Edward Snowden revelations—notably around operation BULLRUN,
MUSCULAR, and the lesser-known FLYING PIG program to query
certificate metadata on a dragnet scale—have driven the point
home that HTTPS is both a major target of government hacking and
eavesdropping, as well as an effective measure against dragnet
content surveillance when Internet traffic traverses global
networks. HTTPS, in short, is an absolutely critical but
fundamentally flawed cybersecurity technology.
To evaluate both legal and technological solutions to augment the
security of HTTPS, our article argues that an understanding of
the economic incentives of the stakeholders in the HTTPS
ecosystem, most notably the CAs, is essential. It outlines the
systemic vulnerabilities of HTTPS, maps the thriving market for
certificates, and analyzes the suggested regulatory and
technological solutions on both sides of the Atlantic. The
findings show existing yet surprising market patterns and
perverse incentives: not unlike the financial sector, the HTTPS
market is full of information asymmetries and negative
externalities, as a handful of CAs dominate the market and have
become "too big to fail." Unfortunately, proposed E.U.
legislation will reinforce systemic vulnerabilities, and the
proposed technological solutions that mostly originate in the
U.S. are far from being adopted at scale. The systemic
vulnerabilities in this crucial technology are likely to persist
for years to come.
(with M. van Eeten & M.
The Internet and the State: A Survey of Key
Developments, Raad voor Maatschappelijke Ontwikkeling,
Den Haag, 2014, 42 p.
This paper sets out to provide a
concise overview of key developments in relation to
Internet-based services that may have an impact on
public policies and ultimately on the state itself.
It is intended to support the Netherlands Council
for Societal Development (Raad voor
Maatschappelijke Ontwikkeling, RMO) in preparing
its advisory report to the Dutch government on how
to deal with the impact of the Internet on society
and the state.
Mass surveillance: the
Dutch state of denial,
openDemocracy, 16 May 2014.
The proof of the pudding is in the eating,
Internet Policy Review, 10 February 2014.
(with H. Asghari, M.J.G. van Eeten &
Security Economics in the HTTPS Value Chain,
paper peer-reviewed and presented at WEIS 2013, 3 June 2013.
Even though we
increasingly rely on HTTPS to secure Internet
communications, several landmark incidents in recent
years have illustrated that its security is deeply
flawed. We present an extensive multi-disciplinary
analysis that examines how the systemic
vulnerabilities of the HTTPS authentication model
could be addressed. We conceptualize the security
issues from the perspective of the HTTPS value
chain. We then discuss the breaches at several
Certificate Authorities (CAs). Next, we explore the
security incentives of CAs via the empirical
analysis of the market for SSL certificates, based
on the SSL Observatory dataset. This uncovers a
surprising pattern: there is no race to the bottom.
Rather, we find a highly concentrated market with
very large price differences among suppliers and
limited price competition. We explain this pattern
and explore what it tells us about the security
incentives of CAs, including how market leaders seem
to benefit from the status quo. In light of these
findings, we look at regulatory and technical
proposals to address the systemic vulnerabilities in
the HTTPS value chain, in particular the EU
eSignatures proposal that seeks to strictly regulate
(with J.V.J. van Hoboken,
Obscured by Clouds or How to Address Governmental Access
to Cloud Data From Abroad, draft paper presented at
Privacy Law Scholars Conference 2013, 6-7 June,
Berkeley, United States.
Snowden saga reveals gaps in protection of European data,
Financial Times, 29 July 2013, p. 2.
The Diginotar Case: Internet Security is No Abstract
Matter, Computers & Law Magazine of SCL, 2013-6,
Net Neutrality and
Audiovisual Services? in:
Routledge Handbook of Media Law (eds. M Price,
S. Verhulst & L. Morgan), Routledge 2012, p. 523-538.
(with J.V.J. van Hoboken,
A.M. Arnbak and
the assistance of N.P.H. Kruijsen,
Cloud Computing in Higher Education and Research
Institutions and the USA Patriot Act, November 2012.
Institutions have started to move
their data and ICT operations into the cloud. It is
becoming clear that this is leading to a decrease of
overview and control over government access to data
for law enforcement and national security purposes.
This report looks at the possibilities for the U.S.
government to obtain access to information in the
cloud from Dutch institutions on the basis of U.S.
law and on the basis of Dutch law and international
co-operation. It concludes that the U.S. legal state
of affairs implies that the transition towards the
cloud has important negative consequences for the
possibility to manage information confidentiality,
information security and the privacy of European end
users in relation to foreign governments.
The Patriot Act from 2001 has started to play a
symbolic role in the public debate. It is one
important element in a larger, complex and dynamic
legal framework for access to data for law
enforcement and national security purposes. In
particular, the FISA Amendments Act provision for
access to data of non-U.S. persons outside the U.S.
enacted in 2008 deserves attention. The report
describes this and other legal powers for the U.S.
government to obtain data of non-U.S. persons
located outside of the U.S. from cloud providers
that fall under its jurisdiction. Such jurisdiction
applies widely, namely to cloud services that
conduct systematic business in the United States and
is not dependent on the location where the data are
stored, as is often assumed. For non-U.S. persons
located outside of the U.S., constitutional
protection is not applicable and the statutory
safeguards are minimal.
In the Netherlands and across the EU, government
agencies have legal powers to obtain access to cloud
data as well. These provisions can also be used
to assist the U.S. government, when it does not have
jurisdiction for instance, but they must stay within
the constitutional safeguards set by national
constitutions, the European Convention on Human
Rights and the EU Charter.
This is the English translation of a
report that was released in September 2012 in The
Netherlands. It was covered extensively in Dutch
newspapers, on Radio1 and the 8 PM news bulletin of
public broadcaster NOS. Politicians across the spectrum
reacted to the report, both directly in the media and
through Parliamentary questions. Meanwhile, the State
Secretary of Security and Justice has responded to the
Parliamentary questions on 15 October 2012. References
can be found on the Institute for Information Law
website. The report is also available on
Patriot Act can "obtain" data in Europe, researchers say,
CBS News, 4 December 2012.
Duties of Care on the Internet?, in:
Cyber Safety: an
introduction, R. Leukfeldt & W. Stol (ed.), The
Hague: Eleven International Publishing 2012, p. 267-279.
(with W. Benedek & J.
Comments relating to freedom of expression and freedom
of association with regard to new generic top level
domains, Comments submitted to the Governmental Advisory
Committee (GAC) of the Internet Corporation for Assigned
Names and Numbers, DG-I (2012) 4, 12 October 2012.
B. van der Sloot),
Must-carry Regulation: A Must or a Burden?,
IRIS plus, 2012-5, p. 7-23.
must-carry rules date back to 1990, the time when
space on analogue broadcasting networks was limited
and when supply grew quickly due to the introduction
of private broadcasters. To ensure that channels of
general interest would still be transmitted,
countries introduced rules to regulate the scarcely
available cable capacity. The major reason for
introducing these must-carry rules was to guarantee
access to public service broadcasting and ensure a
diverse choice of programmes. The option in the
European regulatory framework of reserving
distribution capacity for selected channels, is
characterised by its technology-neutral formulation.
A distinctive feature of these European rules is
that must-carry obligations can only be imposed if
the respective networks are the principal means of
receiving radio and television channels for a
significant number of end-users of these networks.
In a market where users increasingly opt for using
one provider for all their communication services,
the question is justified if - apart from technical
restrictions - must-carry obligations should be
linked to a quantitative criterion. In this article,
insight is provided into the choices made by various
European countries with respect to regulating
must-carry obligations and how the general European
framework is applicable to national regulations. A
brief comparison is made with the situation in the
United States, some conclusions are drawn and
thoughts are provided on the future of must-carry
obligations in Europe.
(with P. Nooren & A.
Net neutrality and the value chain for video, info,
2012-6, p. 45-58.
over the Internet leads to heated net-neutrality
related debates between network operators and
Over-the-Top application providers. The purpose of
this paper is to analyze this debate from a new
perspective that takes into account all of the
assets that companies try to exploit in the
so-called battle for eyeballs in video distribution.
(with A.M. Arnbak)
Certificate Authority Collapse: Regulating Systemic
Vulnerabilities in the HTTPS Value Chain,
Telecommunications Policy Research Conference, August
Recent breaches and
malpractices at several Certificate Authorities (CAs)
have led to a global collapse of trust in these central
mediators of Hypertext Transfer Protocol Secure (HTTPS)
communications. Given our dependence on secure web
browsing, the security of HTTPS has become a top
priority in telecommunications policy. In June 2012, the
European Commission proposed a new Regulation on
eSignatures. As the HTTPS ecosystem is by and large
unregulated across the world, the proposal presents a
paradigm shift in the governance of HTTPS. This paper
examines if, and if so, how the European regulatory
framework should legitimately address the systemic
vulnerabilities of the HTTPS ecosystem. To this end, the
HTTPS authentication model is conceptualised using
actor-based value chain analysis and the systemic
vulnerabilities of the HTTPS ecosystem are described
through the lens of several landmark breaches. The paper
explores the rationales for regulatory intervention,
discusses the proposed EU eSignatures Regulation and
ultimately develops a conceptual framework for HTTPS
governance. It appraises the incentive structure of the
entire HTTPS authentication value chain, untangles the
concept of information security and connects its
balancing of public and private interests to underlying
values, in particular constitutional rights such as
privacy, communications secrecy and freedom of
expression. In the short term, specific regulatory
measures to be considered throughout the value chain
include proportional liability provisions, meaningful
security breach notifications and internal security
requirements, but both legitimacy and effectiveness will
depend on the exact wording of the regulatory
provisions. The EU eSignatures proposal falls short on
many of these aspects. In the long term, a robust
technical and policy overhaul is needed to address the
systemic weaknesses of HTTPS, as each CA is a single
point of failure for the security of the entire
(with M. Keste and J. Poort) Valuing
commercial radio licences, European Journal of Law and
Within the EU
regulatory framework, licensees for commercial radio
broadcasting may be charged a fee to ensure optimal
allocation of scarce resources but not to maximize
public revenues. While radio licence renewal occurs
in many EU countries, an objective, model-based
approach for setting licence fees has not been used
so far. In this paper, it is described how such a
fee can be determined for the purpose of licence
renewal or extension. National and regional Dutch FM
licences were valued, taking into account that
simulcast broadcasting of digital and analogue radio
is obligatory upon extension. Licences are valued
using discounted cash flow methodology, whereby the
cash flows of an averagely efficient entrant are
taken as the benchmark for valuation of each
individual licence. Cash flows during the licence
period 2011–2017 are forecast based on generalized
least squares regressions, using financial variables
of Dutch radio stations for the years 2004–2008.
Separately, bottom-up cost and investment models are
used to calculate analogue and digital distribution
costs. This results in a value per licence, based on
objective licence characteristics, which can be used
to set licence fees if administrative renewal or
extension is opted for instead of a new auction or
For students and
researchers, access to the article is available at the
Springer database, through your own university
(with N. Helberger, L.
Kool, A. van der Plas and
B. van der Sloot)
Online tracking: questioning the power of informed
consent, info, 2012-5, p. 57-73.
The paper aims to
report the main findings of a study for the Dutch
Regulatory Authority for the Telecommunications
sector OPTA to explore how the new European "cookie
rules" in the ePrivacy Directive impact on
behavioral advertising practices via the storing and
reading of cookies. The paper identifies the main
dilemmas with the implementation of the new European
rules. The Dutch case provides a valuable reality
check also outside The Netherlands. Even before the
amendment of the directive, The Netherlands already
had an opt-in system in place. From the Dutch
experience important lessons can be learned also for
other European countries.
(with J. Poort, I. Akker,
B. van der Sloot & P.
Digitally binding: Examining the feasibility of charging
a fixed price for e-books, Report commissioned by
the Ministry of Education, Culture and Science (OC&W),
Amsterdam, March 2012.
Legal price fixing for printed books
in the Dutch and Frisian languages was introduced in
the Netherlands in 2005. Publishers today are
required to fix retail prices for new books and
retailers are required to charge the prices set.
Fixed prices are valid for an indefinite period, but
publishers are permitted to adjust them after a
period of six months and to discard the fixed price
altogether after a year. The Resale Price
Maintenance (Books) Act (Wet op de vaste
boekenprijs) seeks to contribute towards a large
and varied stock and wide geographic availability of
books, as well as towards public participation
(purchasing and reading habits). With the emergence
of e-books, the question arises as to whether it
would be possible and desirable to introduce legally
enforced price fixing for digital books too. This
study examines the feasibility and enforceability of
resale price maintenance (RPM) for e-books and
analyses the functionality in terms of the degree to
which it contributes to pluralism and the broad
availability of supply, the market structure of the
book business and the diversity and availability of
Originally published in Dutch as:
Digitaal gebonden: Onderzoek naar de functionaliteit van
een vaste prijs voor het e-boek.
(with J. Poort)
Universal service and disabled people,
Telecommunications Policy, 2012-36, p. 85-95.
The EU regulatory
framework enacted 25 May 2011 has the objective to
provide functionally equal access to telecommunications
services for disabled persons. What are the rules, who
are the target groups, and what obstacles do they face
when using various telecommunication services? And what
arrangements do exist in a selected group of six EU
Member States to remove these obstacles? Recommendations
include the introduction of a more market-oriented
approach, independent of specific networks.
Net Neutrality and Audiovisual Services, IRIS
Plus, 2011-5, p. 7-19.
This article is
part of IRIS Plus 2011-5
"Why Discuss Network Neutrality?".
Article also available in
N. Helberger, L.
Kool, A. van der Plas &
B. van der
Online tracking: Questioning the power of informed
Paper prepared for ITS, 22nd European Regional ITS
Conference Budapest, Hungary (18-21 September 2011).
(with B. van der
Television went digital in the Netherlands,
Mapping Digital Media: reference series no. 11,
File Sharing, note written at the request of the
European Parliament's Committee on Legal Affairs, 2011.
About Network Neutrality 1.0, 2.0, 3.0 and 4.0,
Computers & Law Magazine, 2011-6.
Nico van Eijk puts
network neutrality in context, predicts the future
flow of debate on the topic and makes a series of
telling observations on network neutrality dilemmas.
This article was
translated into Russian for research purposes:
О СЕТЕВОМ НЕЙТРАЛИТЕТЕ 1.0, 2.0, 3.0 И 4.0.
(with T.M. van Engers (Leibniz Center for Law), C.
Wiersma, C.A. Jasserand
Moving Towards Balance: A study into duties of care on
the Internet, WODC / University of Amsterdam, 2010, 125
Commissioned by the
WODC (Research and Documentation Centre of the
Ministry of Security and Justice), research has been
conducted on duties of care on the Internet, more
specifically from the perspective of Internet
service providers. The situation in four countries -
the Netherlands, the UK, Germany and France - was
researched. The (self-)regulation with respect to
five separate themes (Internet security and safety,
child pornography, copyright, identity fraud and the
trade in stolen goods through Internet platforms)
was identified. In addition to this, a significant
number of interviews with stakeholders were
(with J. Poort and P.
Legal, Economic and Cultural Aspects of File Sharing,
Communications & Strategies, 2010-77, p. 35-54.
seeks to identify the short and long-term economic
and cultural effects of file sharing on music, films
and games, while taking into account the legal
context and policy developments. The short-term
implications examined concern direct costs and
benefits to society, whereas the long-term impact
concerns changes in the industry's business models
as well as in cultural diversity and the
accessibility of content. It observes that the
proliferation of digital distribution networks
combined with the availability of digital technology
among consumers has broken the entertainment
industries' control over the access to their
products. Only part of the decline in music sales
can be attributed to file sharing. Despite the
losses for the music industry, the increased
accessibility of culture renders the overall welfare
effects of file sharing robustly positive. As a
consequence the entertainment industries,
particularly the music industry, have to explore new
models to sustain their business.
van Hoboken, E. Swart, et al.)
User-Created-Content: Supporting a participative
Information Society, Final Report, Study carried
out for the European Commission by
IDATE, TNO and IViR, 2008.
Engines, the New bottleneck for Content Access, in:
B. Preissl, J. Haucap & P. Curwen (eds.), Telecommunication
Markets, Drivers and Impediments, London: Springer,
2009, p. 141-157.
The core function of
a search engine is to make content and sources of
information easily accessible (although the search
results themselves may actually include parts of the
underlying information). In an environment with
unlimited amounts of information available on open
platforms such as the internet, the availability or
accessibility of content is no longer a major issue.
The real question is how to find the information.
Search engines are becoming the most important gateway
used to find content: research shows that the average
user considers them to be the most important
intermediary in their search for content. They also
believe that search engines are reliable. The high
social impact of search engines is now evident. This
contribution discusses the functionality of search
engines and their underlying business model - which is
changing to include the aggregation of content as well
as access to it, hence making search engines a new
player on the content market. The biased structure of
and manipulation by search engines is also explored.
The regulatory environment is assessed - at present,
search engines largely fall outside the scope of
(tele)communications regulation - and possible
remedies are proposed.
Converged Regulatory Model for Search Engines?, Magazine
of the Society for Computers and Law, 2009-6, p.
A. Huygen, N. Helberger et
and downs. Economic and cultural effects of file sharing
on music, film and games (authorised translation), a
study by TNO Information and Communication Technology,
SEO Economic Research and the Institute for Information
Law, commissioned by the Dutch Ministries of Education,
Culture and Science, Economic Affairs and Justice,
Engines, the new bottleneck for content access,
Paper presented at the International Telecommunications
Society 19th European Regional Conference, 2-5 September
2007, Istanbul, Turkey.
modernisation of the European Television without
Frontiers Directive: unnecessary regulation and the
introduction of internet governance, (draft) paper
presented at the International Telecommunications
Society 19th European Regional Conference, 2-5 September
2007, Istanbul, Turkey.
Critical analysis of
the proposed Audiovisual Media Services Directive
(with K. Maniadaki)
Aspects of Internet Governance, in: C. Moeller &
A. Amouroux (eds.), Governing
the Internet - Freedom and Regulation in the OSCE Region,
Vienna: OSCE Representative on Freedom of the Media,
2007, p. 67-87.
engines: Seek and ye shall find? The position of search
engines in law’, IRIS plus (Supplement to IRIS
- Legal observations of the European Audiovisual
Service Broadcasting and State Aid’, paper
presented at the EPRA-conference (European
Platform of Regulatory Authorities), 19-21 October
See also the
Service, a new look at an old concept: broadband access
as a universal service’. This paper was presented
Biennial Conference of the International
Telecommunication Society/Berlin, 5-7 September 2004
old values in the Digital Age’ Contribution to the
'Guaranteeing Media Freedom in the Internet', 27/28
August 2004, Amsterdam.
on the use of conditional access systems for reasons
other than the protection of remuneration, to examine
the legal and the economic implications within the
Internal Market and the need of introducing specific
legal protection, Report presented to the
European Commission by N.
Helberger, N.A.N.M. van Eijk
& P.B. Hugenholtz.
The study offers an
analysis of the use of conditional access systems for
other reasons than the protection of remuneration
interests. The report also examines the need to
provide for additional legal protection by means of a
Community initiative, such as a possible extension of
the Conditional Access Directive. The report will give
a legal and economic analysis of the most important
non-remuneration reasons to use conditional access
(CA), examine whether services based on conditional
access for these reasons are endangered by piracy
activities, to what extent existing legislation in the
Member States provides for sufficient protection, and
what the possible impact of the use of conditional
access is on the Internal Market. Furthermore, the
study analyses the specific legislation outside the
European Union, notably in Australia, Canada, Japan
and the US, as well as the relevant international
rules at the level of the EC, WIPO and the Council of
Services and Local Loop Unbundling in the Netherlands’,
IEEE Communications Magazine October 1999, p.
The article describes
the availability of broadband services in the
Netherlands. This particularly concerns broadband
services for the consumer/end user such as access to
television networks in Europe’, in: Santiago
Muñoz Machado/Rafael de Lorenzo (eds.), Derecho
Europea del audiovisual, actas del congreso organizado
por la asociación europea de derecho del audiovisual,
Madrid/Sevilla: 1997, p. 1073-1079.
Commission adopted in October 1995 a directive to
allow the carriage of all liberalised
telecommunications services on cable TV networks as
from 1 January 1996. By adopting this directive, the
European Commission aims to foster competition and new
initiatives in the telecommunications field. This
article addresses the enforcement and content of the