Column 23 maart 2018
Column 22 februari 2018
Column 25 januari 2018
Column 30 november 2017
While China’s new cybersecurity law may appear vague, cumbersome and lacking clarity, one thing is clear and that is that international companies with any operations and/or activities in China should quickly assess if and how they are covered by the new legislation.
On 20 June 2017, Axel Arnbak and Frederik Zuiderveen Borgesius spoke at the Dutch Senate (Eerste Kamer) at an Expert Meeting on Privacy. The meeting focused on two bills, 'Computercriminaliteit III' (Computer Crime III, concerning, among other things, hacking by the police) and 'Vastleggen en bewaren kentekengegevens door politie' (on the use of automatic number plate recognition cameras by the police).
Information Law Series, Alphen aan den Rijn: Wolters Kluwer 2016, 296 pp.
Column in Het Financieele Dagblad van 16 juni 2016.
Column in Het Financieele Dagblad van 19 mei 2016.
Column in Het Financieele Dagblad van 21 april 2016.
Column in Het Financieele Dagbladvan 24 maart 2016.
Column in Het Financieele Dagblad van 2 december 2015.
Column in Het Financieele Dagblad van 30 december 2015.
Column in Het Financieele Dagblad van 28 januari 2016.
Column in Het Financieele Dagblad van 25 februari 2016.
Column in Het Financieele Dagblad van 4 november 2015.
This paper discusses the regulation of mass metadata surveillance in Europe through the lens of the landmark judgment in which the Court of Justice of the European Union struck down the Data Retention Directive. The controversial directive obliged telecom and Internet access providers in Europe to retain metadata of all their customers for intelligence and law enforcement purposes, for a period of up to two years. In the ruling, the Court declared the directive in violation of the human rights to privacy and data protection. The Court also confirmed that the mere collection of metadata interferes with the human right to privacy. In addition, the Court developed three new criteria for assessing the level of data security required from a human rights perspective: security measures should take into account the risk of unlawful access to data, and the data’s quantity and sensitivity. While organizations that campaigned against the directive have welcomed the ruling, we warn for the risk of proceduralization of mass surveillance law. The Court did not fully condemn mass surveillance that relies on metadata, but left open the possibility of mass surveillance if policymakers lay down sufficient procedural safeguards. Such proceduralization brings systematic risks for human rights. Government agencies, with ample resources, can design complicated systems of procedural oversight for mass surveillance – and claim that mass surveillance is lawful, even if it affects millions of innocent people.
Column in Het Financieele Dagblad van 7 oktober 2015.
Column in Het Financieele Dagblad van 9 september 2015.
Column in Het Financieele Dagblad van 12 augustus 2015.
Column in Het Financieele Dagblad van 15 juli 2015.
Column in Het Financieele Dagblad van 17 juni 2015.
Column in Het Financieele Dagblad van 20 mei 2015.
Column in Het Financieele Dagblad van 22 april 2015.
Column in Het Financieele Dagblad van 28 januari 2015.
Column in Het Financieele Dagblad van 25 februari 2015.
Column in Het Financieele Dagblad van 25 maart 2015.
Column in Het Financieele Dagblad van 31 december 2014.
Today, the vulnerable state of electronic communications security dominates headlines across the globe, while surveillance, money and power increasingly permeate the ?cybersecurity? policy arena. With the stakes so high, how should communications security be regulated?
Deirdre Mulligan (UC Berkeley), Ashkan Soltani (independent, Washington Post), Ian Brown (Oxford) and Michel van Eeten (TU Delft) weighed in on this proposition at an expert panel on my doctoral project at the Amsterdam Information Influx conference.
Column van 25 november 2014.
Column, 28 oktober 2014.
Draft paper prepared for IViR/Berkman Roundtable - 18 April 2014 - Last update July 28, 2014.
This descriptive legal analysis maps and evaluates a four decade legacy of communications security conceptualizations in E.U. law and policy, including four legislative proposals launched in 2013. As the first comprehensive historical analysis of its kind, the paper forwards a range of new scientific contributions in a time secure electronic communications are of historically unparalleled societal, economic and political relevance. Five communications security policy cycles are identified, and their ‘security’ definitions and scope are described. These cycles are: network and information security, data protection, telecommunications, encryption and cybercrime. An evaluation of the current E.U. ‘security’ conceptualizations illuminates the underlying values at stake, the protection offered in current regulations, the formulation of six research themes and an agenda for computer science, political theory and legal research. Despite constitutional values at stake such as privacy and communications freedom and a robust computer science literature, the paper observes a deep lack of conceptual clarity and coherence in E.U. security policymaking. It then concludes that the observed conceptual ambiguity has allowed powerful stakeholders to capture, or paint E.U. network and information security policies in any colour they like.
Interview, 11 augustus 2014.
Column, 29 augustus 2014.
Also published in: ACM Queue - Security, 2014-8, vol. 12.
HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents—such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed—have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations—notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale—have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outlines the systemic vulnerabilities of HTTPS, maps the thriving market for certificates, and analyzes the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become "too big to fail." Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.
Column, 30 september 2014.
Forthcoming in Michigan Telecommunications & Technology Law Review, May 2015.
Presented at the Privacy Enhancing Technologies Symposium, July 2014, Amsterdam.
Legal loopholes could allow wider NSA surveillance, researchers say, CBS news, 30 June 2014.
“Loopholes for Circumventing the Constitution”, the NSA Statement, and Our Response, Freedom to Tinker, 11 July 2014.
We reveal interdependent legal and technical loopholes that the U.S. intelligence community could use to circumvent constitutional and statutory safeguards for Americans. These loopholes involve the collection of Internet traffic on foreign territory, and leave Americans as unprotected as foreigners by current U.S. surveillance laws. We also describe how modern Internet protocols can be manipulated to deliberately divert American's traffic abroad, where traffic can then be collected under a more permissive legal regime (Executive Order 12333) that is overseen solely by the Executive branch of the U.S. government. While the media has reported on some of the techniques we describe, we cannot establish the extent to which these loopholes are exploited in practice.
An actionable short-term remedy to these loopholes involves updating the antiquated legal definition of "electronic surveillance" in the Foreign Intelligence Surveillance Act (FISA), that has remained largely intact since 1978. On the long term, however, a fundamental reconsideration of established principles in U.S. surveillance law is required, since these loopholes cannot be closed by technology alone. Legal issues that require reconsideration include: the determination of applicable law by the geographical point of collection of network traffic; the lack of general constitutional or statutory protection for network traffic collection before users are "intentionally targeted"; and the fact that constitutional protection under the Fourth Amendment is limited to "U.S. persons" only. The combination of these three principles means that Americans remain highly vulnerable to bulk surveillance when the U.S. intelligence community collects their network traffic abroad.
20 mei 2014.
Blogpost at Freedom to Tinker.
Column uitgesproken op de Big Brother Awards 2013, 29 augustus 2013.
Paper peer-reviewed and presented at WEIS 2013, 3 June 2013.
Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.
Speech at the E.U. Mission to the U.S. delivered before the JHA/HR/Political Counselors meeting, Washington D.C., 10 June 2013.
Vaste Commissie Binnenlandse Zaken, 26 juni 2013.
Draft paper presented at Privacy Law Scholars Conference 2013, 6-7 June, Berkeley, United States. Zie ook: Snowden saga reveals gap in protection of European data, Financial Times, 29 July 2013, p. 2.
This is the English translation of a report that was released in September 2012 in The Netherlands. It was covered extensively in Dutch newspapers, on Radio1 and the 8 PM news bulletin of public broadcaster NOS. Politicians across the spectrum reacted on the report, both directly in the media and through Parliamentary questions. Meanwhile, the State Secretary of Security and Justice has responded to the Parliamentary questions on 15 October 2012.
The report is also available on SSRN.
- Patriot Act can "obtain" data in Europe, researchers say, CBS News, 4 December 2012;
- Im Bann des amerikanischen Schnüffelwahns, Süd Deutsche, 10 January 2013.
Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a decrease of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. law and on the basis of Dutch law and international co-operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments. The Patriot Act from 2001 has started to play a symbolic role in the public debate. It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes. In particular, the FISA Amendments Act provision for access to data of non-U.S. persons outside the U.S. enacted in 2008 deserves attention. The report describes this and other legal powers for the U.S. government to obtain data of non-U.S. persons located outside of the U.S. from cloud providers that fall under its jurisdiction. Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States and is not dependent on the location where the data are stored, as is often assumed. For non-U.S. persons located outside of the U.S., constitutional protection is not applicable and the statutory safeguards are minimal. In the Netherlands and across the EU, government agencies have legal powers to obtain access to cloud data as well. These provisions can also be be used to assist the U.S. government, when it does not have jurisdiction for instance, but they must stay within the constitutional safeguards set by national constitutions, the European Convention on Human Rights and the EU Charter.
Rapport in opdracht van SURF, september 2012.
- Persbericht van SURF;
- Toezicht op gegevens in een cloud is hard nodig, NOS Journaal, zaterdag 13 oktober 2012;
- Cyberaanvallen nieuwe vorm van politieke acties, Joris van Hoboken op Radio 1, zaterdag 13 oktober 2012;
- Reactie van Jeanine Hennis-Plasschaert, Radio 1, zaterdag 13 oktober 2012;
- Kamervragen SP;
- Antwoord Staatssecretaris Teeven op vragen SP;
- Onrust patiëntendossier neemt toe, website NOS, 30 november 2012;
- VS kan toegang tot EPD krijgen, video NOS journaal, 30 november 2012;
- 'De vraag is of VS medisch geheim Nederland zal respecteren', NOS journaal, 30 november 2012.
Instellingen en gebruikers gaan massaal over op de cloud, en daardoor vermindert de controle en het overzicht over de toegang tot onze gegevens door overheden. Dit heeft belangrijke consequenties voor de privacy en andere fundamentele belangen bij de vertrouwelijkheid van informatie. Er is de laatste tijd veel geroepen over de Patriot Act, maar niemand heeft goed zicht op de Amerikaanse wetgeving die de VS de mogelijkheid van toegang geeft tot gegevens in de cloud. Dit rapport van het IViR in opdracht van SURFdirect geeft antwoord op deze belangrijke vragen. De Amerikaanse Grondwet en de specifieke wetten beschermen buitenlanders in mindere mate dan Amerikanen. Cloudgegevens van niet-Amerikanen in het buitenland kunnen daarom sneller en makkelijker worden opgevraagd dan van Amerikanen, en dat zonder juridische waarborgen als transparantie over het aantal opvragingen en rechtsbescherming van het individu. Daarnaast wordt het maatschappelijke debat gedomineerd door hardnekkige misvattingen en een te grote focus op de Patriot Act. Er is sprake van een veel groter geheel aan wetgeving. Voor opvraging door Amerikaanse autoriteiten maakt het niet uit op welke plek in de wereld cloudgegevens zijn opgeslagen. Het hoeft ook geen Amerikaanse cloudprovider te zijn. Als een Nederlandse cloudaanbieder structureel zaken doet in de VS, dan geeft VS wet- en regelgeving in beginsel al de mogelijkheid voor VS autoriteiten om gegevens op te vragen vanuit Nederland. Voor afnemers van clouddiensten zullen zulke relaties in de praktijk moeilijk te achterhalen zijn en door overnames in de sector kan de situatie opeens veranderen.
Telecommunications Policy Research Conference, augustus 2012 Zie ook: 29C3: "Das SSL-System ist grundlegend defekt - und jemand muss es reparieren", Heise Online, 28 december 2012; Onderzoeker zet vraagtekens bij Europese https-regels, Tweakers.net, 29 december 2012.
Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPs ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. On the short term, specific regulatory measures to be considered throughout the value chain includes proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.
Toespraak uitgesproken op 3 december 2010 tijdens de conferentie "Taking on the Data Retention Directive", georganiseerd door de Europese Commissie. Een gedeelte van deze toespraak is ook gepubliceerd in Privacy & Informatie, 2010-6, p. 305.