Arnbak, A., Geursen, W., Yakovleva, S. Kaleidoscopic data-related enforcement in the digital age In: Common Market Law Review, vol. 57, nr. 5, pp. 1461-1494, 2020. @article{Yakovleva2020c,
title = {Kaleidoscopic data-related enforcement in the digital age},
author = {Yakovleva, S. and Geursen, W. and Arnbak, A.},
url = {https://www.ivir.nl/publicaties/download/CMLR_2020.pdf},
year = {2020},
date = {2020-10-01},
journal = {Common Market Law Review},
volume = {57},
number = {5},
pages = {1461-1494},
abstract = {The interplay between competition, consumer and data protection law, when applied to data collection and processing practices, may lead to situations where several competent authorities can, independently, carry out enforcement actions against the same practice, or where an authority competent to carry out enforcement in one area of law can borrow the concepts of another area to advance its own goals. The authors call this “kaleidoscopic enforcement”. Kaleidoscopic enforcement may undermine existing coordination mechanisms within specific areas, and may lead to both the incoherent enforcement of EU rules applicable to data, and to sub-optimal enforcement. An EU level binding inter-disciplinary coordination mechanism between competition, consumer and data protection authorities is needed. Now the Commission has announced ambitious plans to enhance the coherent application of EU law in several areas, it is the perfect time to work towards creating such an enforcement mechanism.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A., Geursen, W.W., Yakovleva, S. Drie mogelijke boetes van mededingings-, consumenten- en persoonsgegevensautoriteiten voor hetzelfde datagebruik In: Tijdschrift Mededingingsrecht in de Praktijk, nr. 2, pp. 30-37, 2020. @article{Yakovleva2020b,
title = {Drie mogelijke boetes van mededingings-, consumenten- en persoonsgegevensautoriteiten voor hetzelfde datagebruik},
author = {Yakovleva, S. and Geursen, W.W. and Arnbak, A.},
url = {https://www.ivir.nl/publicaties/download/MP_2020_164.pdf},
year = {2020},
date = {2020-06-09},
journal = {Tijdschrift Mededingingsrecht in de Praktijk},
number = {2},
pages = {30-37},
abstract = {Door de toename van datagebruik door ondernemingen is er sprake van convergentie tussen het mededingings-, consumenten- en gegevensbeschermingsrecht. Er kan dan parallelle handhaving plaatsvinden ten aanzien van \'{e}\'{e}n en dezelfde handeling door dezelfde onderneming door drie verschillende autoriteiten. Dat noemen wij caleidoscopische handhaving. Dat heeft volgens ons verschillende keerzijden, waaronder het risico op overhandhaving door drie afzonderlijke procedures van drie afzonderlijke autoriteiten en mogelijk drie boetes. Wij onderzoeken in dit artikel waarom het ne-bis-in-idem-beginsel niet van toepassing is en het beginsel van eendaadse samenloop evenmin (net als in de recente Marine Harvest gun-jumping zaak), waardoor proportionaliteit overblijft.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Due to the increase in data use by undertakings, competition law, consumer law and data protection law are converging. Parallel enforcement may then take place against one and the same act by the same undertaking by three different authorities. We call this kaleidoscopic enforcement. In our view this has several downsides, including the risk of over-enforcement through three separate procedures by three separate authorities and possibly three fines. In this article we examine why the ne bis in idem principle does not apply, nor the principle of "eendaadse samenloop" (a single act constituting several offences), as in the recent Marine Harvest gun-jumping case, which leaves proportionality. |
Arnbak, A. Draconische Europese censuurwetten geen oplossing voor onwenselijke informatie online In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018l,
title = {Draconische Europese censuurwetten geen oplossing voor onwenselijke informatie online},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/10/04/53e-fd-column-draconische-europese-censuurwetten-geen-oplossing-voor-onwenselijke-informatie-online/},
year = {2018},
date = {2018-10-04},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Eerste Snowden-uitspraak van Europees Hof helpt tegenstanders Nederlandse sleepwet nauwelijks In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018k,
title = {Eerste Snowden-uitspraak van Europees Hof helpt tegenstanders Nederlandse sleepwet nauwelijks},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/09/21/52e-fd-column-eerste-snowden-uitspraak-van-europees-hof-helpt-tegenstanders-nederlandse-sleepwet-nauwelijks/},
year = {2018},
date = {2018-09-20},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. In China's cyberwereld is niet vrijheid, maar gehoorzaamheid de norm In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018j,
title = {In China's cyberwereld is niet vrijheid, maar gehoorzaamheid de norm},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/09/06/51e-fd-column-in-chinas-cyberwereld-is-niet-vrijheid-maar-gehoorzaamheid-de-norm/},
year = {2018},
date = {2018-09-06},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Intensievere samenwerking met VS sluitstuk doordrukken inlichtingenwet In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018i,
title = {Intensievere samenwerking met VS sluitstuk doordrukken inlichtingenwet},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/07/12/50e-fd-column-intensievere-samenwerking-met-vs-sluitstuk-doordrukken-inlichtingenwet/},
year = {2018},
date = {2018-07-12},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Maatschappelijk belang onderbelicht in nieuwe Europese privacyregels In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018h,
title = {Maatschappelijk belang onderbelicht in nieuwe Europese privacyregels},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/06/18/49e-fd-column-maatschappelijk-belang-onderbelicht-in-nieuwe-europese-privacyregels/},
year = {2018},
date = {2018-06-14},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Nieuwe privacyregels AVG bieden kansen voor innovatieve data-analyse In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018g,
title = {Nieuwe privacyregels AVG bieden kansen voor innovatieve data-analyse},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/05/17/48e-fd-column-nieuwe-privacyregels-avg-bieden-kansen-voor-innovatieve-data-analyse/},
year = {2018},
date = {2018-05-17},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Veranker Europese waarden in technologie van de toekomst In: Het Financieele Dagblad, vol. 2018, 2018. @article{Arnbak2018f,
title = {Veranker Europese waarden in technologie van de toekomst},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/04/23/47e-fd-column-veranker-europese-waarden-in-technologie-van-de-toekomst/},
year = {2018},
date = {2018-04-19},
journal = {Het Financieele Dagblad},
volume = {2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Het kabinet past bescheidenheid bij uitvoering van de inlichtingenwet In: Het Financieele Dagblad, vol. 2018, 2018, (Column 23 maart 2018). @article{Arnbak2018,
title = {Het kabinet past bescheidenheid bij uitvoering van de inlichtingenwet},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/03/25/46e-fd-column-het-kabinet-past-bescheidenheid-bij-uitvoering-van-de-inlichtingenwet/},
year = {2018},
date = {2018-03-26},
journal = {Het Financieele Dagblad},
volume = {2018},
note = {Column 23 maart 2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Geen Spelen of verkiezingen zonder digitale oorlogsvoering In: Het Financieele Dagblad, vol. 2018, 2018, (Column 22 februari 2018). @article{Arnbak2018b,
title = {Geen Spelen of verkiezingen zonder digitale oorlogsvoering},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/03/25/45e-fd-column-geen-spelen-of-verkiezingen-zonder-digitale-oorlogsvoering/},
year = {2018},
date = {2018-03-26},
journal = {Het Financieele Dagblad},
volume = {2018},
note = {Column 22 februari 2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Machtspositie Nederland belangrijke drijfveer controversiële internettap In: Het Financieele Dagblad, vol. 2018, 2018, (Column 25 januari 2018). @article{Arnbak2018c,
title = {Machtspositie Nederland belangrijke drijfveer controversi\"{e}le internettap},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/01/26/44e-fd-column-machtspositie-nederland-belangrijke-drijfveer-voor-controversiele-internettap/},
year = {2018},
date = {2018-03-26},
journal = {Het Financieele Dagblad},
volume = {2018},
note = {Column 25 januari 2018},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Bewuste digitale keuze is voor gebruiker belangrijker dan ooit: Noodzakelijke internationale consensus over digitale innovatie steeds lastiger te realiseren In: Het Financieele Dagblad, vol. 2017, 2018. @article{Arnbak2018d,
title = {Bewuste digitale keuze is voor gebruiker belangrijker dan ooit: Noodzakelijke internationale consensus over digitale innovatie steeds lastiger te realiseren},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2018/01/26/43e-fd-column-bewuste-digitale-keuze-is-voor-gebruiker-belangrijker-dan-ooit/},
year = {2018},
date = {2018-03-26},
journal = {Het Financieele Dagblad},
volume = {2017},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Big Brother Awards verklaren vertrouwensbreuk burger en politiek: Burger zoekt vaker heil bij rechter voor bescherming digitale rechten In: Het Financieele Dagblad, vol. 2017, 2018, (Column 30 november 2017). @article{Arnbak2018e,
title = {Big Brother Awards verklaren vertrouwensbreuk burger en politiek: Burger zoekt vaker heil bij rechter voor bescherming digitale rechten},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2017/11/30/42e-fd-column-big-brother-awards-verklaren-vertrouwensbreuk-burger-en-politiek/},
year = {2018},
date = {2018-03-26},
journal = {Het Financieele Dagblad},
volume = {2017},
note = {Column 30 november 2017},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Referendum 'sleepnetwet' voorbode digitale perikelen Rutte III: D66 zal achterban herhaaldelijk moeten teleurstellen rond digitale dossiers In: Het Financieele Dagblad, vol. 2017, 2017. @article{Arnbak2017b,
title = {Referendum 'sleepnetwet' voorbode digitale perikelen Rutte III: D66 zal achterban herhaaldelijk moeten teleurstellen rond digitale dossiers},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2017/11/02/41e-fd-column-referendum-sleepwet-voorbode-digitale-perikelen-rutte-iii/},
year = {2017},
date = {2017-11-02},
journal = {Het Financieele Dagblad},
volume = {2017},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Ziekenhuizen en energiebedrijven gaan wellicht boeten voor beveiligingsfouten: Nieuwe IT-wet bedoeld om 'potentiële maatschappelijke ontwrichting' te voorkomen In: Het Financieele Dagblad, vol. 2017, 2017. @article{Arnbak2017b,
title = {Ziekenhuizen en energiebedrijven gaan wellicht boeten voor beveiligingsfouten: Nieuwe IT-wet bedoeld om 'potenti\"{e}le maatschappelijke ontwrichting' te voorkomen},
author = {Arnbak, A.},
url = {https://axelarnbak.nl/2017/10/05/40e-fd-column-ziekenhuizen-en-energiebedrijven-gaan-wellicht-boeten-voor-beveiligingsfouten/},
year = {2017},
date = {2017-10-05},
journal = {Het Financieele Dagblad},
volume = {2017},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Digitale anonimiteit is ook bij gebruik van de bitcoin een gevaarlijke illusie: Subtielere consequentie van cryptogeld is versterking machtsconcentratie internetgiganten In: Het Financieele Dagblad, vol. 2017, pp. 11, 2017. @article{Arnbak2017b,
title = {Digitale anonimiteit is ook bij gebruik van de bitcoin een gevaarlijke illusie: Subtielere consequentie van cryptogeld is versterking machtsconcentratie internetgiganten},
author = {Arnbak, A.},
url = {https://www.ivir.nl/publicaties/download/FD_07sep2017.pdf},
year = {2017},
date = {2017-09-07},
journal = {Het Financieele Dagblad},
volume = {2017},
pages = {11},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A., Staden ten Brink, R. van, Veldhoen, D., Wang, J. China's new cybersecurity law - effective as of 1 June 2017 In: Trade Security Journal, vol. 2017, nr. 2, pp. 27-29, 2017. @article{tenBrink2017,
title = {China's new cybersecurity law - effective as of 1 June 2017},
author = {Staden ten Brink, R. van and Wang, J. and Veldhoen, D. and Arnbak, A.},
url = {https://www.ivir.nl/publicaties/download/TSJ_2017_2.pdf},
year = {2017},
date = {2017-07-21},
journal = {Trade Security Journal},
volume = {2017},
number = {2},
pages = {27-29},
abstract = {While China’s new cybersecurity law may appear vague, cumbersome and lacking clarity, one thing is clear and that is that international companies with any operations and/or activities in China should quickly assess if and how they are covered by the new legislation. },
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A., Zuiderveen Borgesius, F. Video of expert meeting at the Dutch Senate on privacy 2017. @online{Arnbak2017,
title = {Video of expert meeting at the Dutch Senate on privacy},
author = {Arnbak, A. and Zuiderveen Borgesius, F.},
url = {https://youtu.be/NQCO33RMYgc},
year = {2017},
date = {2017-06-22},
abstract = {On 20 June 2017, Axel Arnbak and Frederik Zuiderveen Borgesius spoke at the Dutch Senate (Eerste Kamer) at an Expert Meeting on Privacy.
The meeting focused on two bills, 'Computercriminaliteit III' (Computer Crime III, concerning, among other things, hacking by the police) and 'Vastleggen en bewaren kentekengegevens door politie' (on the use of automatic number plate recognition cameras by the police).
},
keywords = {},
pubstate = {published},
tppubtype = {online}
}
|
Arnbak, A. Securing Private Communications: Protecting Private Communications Security in EU Law - Fundamental Rights, Functional Value Chains and Market Incentives 2016. @book{,
title = {Securing Private Communications: Protecting Private Communications Security in EU Law - Fundamental Rights, Functional Value Chains and Market Incentives},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1803},
year = {2016},
date = {2016-07-01},
note = {
Information Law Series, Alphen aan den Rijn: Wolters Kluwer 2016, 296 pp.
ISBN: 9789041167378.
},
keywords = {},
pubstate = {published},
tppubtype = {book}
}
|
Arnbak, A. Chefsache: Bestuurders aansprakelijk na ernstige cyberaanval 2016. @misc{,
title = {Chefsache: Bestuurders aansprakelijk na ernstige cyberaanval},
author = {A.M. Arnbak},
url = {https://axelarnbak.nl/wp-content/uploads/2016/06/FD24.pdf},
year = {2016},
date = {2016-06-17},
note = {
Column in Het Financieele Dagblad van 16 juni 2016.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Nieuw toezicht: Stortvloed aan data schreeuwt om ingrijpen 2016. @misc{,
title = {Nieuw toezicht: Stortvloed aan data schreeuwt om ingrijpen},
author = {A.M. Arnbak},
url = {https://axelarnbak.nl/wp-content/uploads/2016/05/FD23.pdf},
year = {2016},
date = {2016-05-20},
note = {
Column in Het Financieele Dagblad van 19 mei 2016.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Privacy en veiligheid in Europa 2016. @book{,
title = {Privacy en veiligheid in Europa},
author = {A.M. Arnbak},
url = {https://axelarnbak.nl/wp-content/uploads/2016/04/FD22.pdf},
year = {2016},
date = {2016-04-21},
note = {
Column in Het Financieele Dagblad van 21 april 2016.
},
keywords = {},
pubstate = {published},
tppubtype = {book}
}
|
Arnbak, A. Katalysator die privacy volwassen maakt 2016. @misc{,
title = {Katalysator die privacy volwassen maakt},
author = {A.M. Arnbak},
url = {https://axelarnbak.nl/wp-content/uploads/2016/04/FD21.pdf},
year = {2016},
date = {2016-03-24},
note = {
Column in Het Financieele Dagblad van 24 maart 2016.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Zwarte markt: Speltheorie in plaats van recht en ethiek 2016. @misc{,
title = {Zwarte markt: Speltheorie in plaats van recht en ethiek},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2015/12/FD17.pdf},
year = {2016},
date = {2016-03-08},
note = {
Column in Het Financieele Dagblad van 2 december 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Blockchain: Recht en cultuur bepalen succes fintech 2016. @misc{,
title = {Blockchain: Recht en cultuur bepalen succes fintech},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2015/12/fd18.pdf},
year = {2016},
date = {2016-03-08},
note = {
Column in Het Financieele Dagblad van 30 december 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Datamining: Tussen technologie en democratie bij verkiezingen 2016. @misc{,
title = {Datamining: Tussen technologie en democratie bij verkiezingen},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2016/02/fd19.pdf},
year = {2016},
date = {2016-03-08},
note = {
Column in Het Financieele Dagblad van 28 januari 2016.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. FBI vs Apple: Gevecht om de macht woedt in digitale wereld 2016. @misc{,
title = {FBI vs Apple: Gevecht om de macht woedt in digitale wereld},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2016/02/fd20.pdf},
year = {2016},
date = {2016-03-08},
note = {
Column in Het Financieele Dagblad van 25 februari 2016.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Safe Harbor 2.0 gedoemd te mislukken 2015. @misc{,
title = {Safe Harbor 2.0 gedoemd te mislukken},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/2015/11/05/16e-column-financieele-dagblad-privacy-week-safe-harbor-2-0-gedoemd-te-mislukken/},
year = {2015},
date = {2015-11-05},
note = {
Column in Het Financieele Dagblad van 4 november 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A., Zuiderveen Borgesius, F. New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case In: 2015. @article{,
title = {New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case},
author = {F.J. Zuiderveen Borgesius and A.M. Arnbak},
url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2678860},
year = {2015},
date = {2015-10-27},
abstract = {
This paper discusses the regulation of mass metadata surveillance in Europe through the lens of the landmark judgment in which the Court of Justice of the European Union struck down the Data Retention Directive. The controversial directive obliged telecom and Internet access providers in Europe to retain metadata of all their customers for intelligence and law enforcement purposes, for a period of up to two years. In the ruling, the Court declared the directive in violation of the human rights to privacy and data protection. The Court also confirmed that the mere collection of metadata interferes with the human right to privacy. In addition, the Court developed three new criteria for assessing the level of data security required from a human rights perspective: security measures should take into account the risk of unlawful access to data, and the data’s quantity and sensitivity. While organizations that campaigned against the directive have welcomed the ruling, we warn for the risk of proceduralization of mass surveillance law. The Court did not fully condemn mass surveillance that relies on metadata, but left open the possibility of mass surveillance if policymakers lay down sufficient procedural safeguards. Such proceduralization brings systematic risks for human rights. Government agencies, with ample resources, can design complicated systems of procedural oversight for mass surveillance - and claim that mass surveillance is lawful, even if it affects millions of innocent people.
},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Datatransport - Hof EU nog steeds niet volwassen 2015. @misc{,
title = {Datatransport - Hof EU nog steeds niet volwassen},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/2015/10/07/15e-column-financieele-dagblad-datatransport-hof-eu-nog-steeds-niet-volwassen/},
year = {2015},
date = {2015-10-09},
note = {
Column in Het Financieele Dagblad van 7 oktober 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Afluisterwet is juridische gatenkaas 2015. @misc{,
title = {Afluisterwet is juridische gatenkaas},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2015/09/FD14.pdf},
year = {2015},
date = {2015-09-10},
note = {
Column in Het Financieele Dagblad van 9 september 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Maak de makers van software aansprakelijk 2015. @misc{,
title = {Maak de makers van software aansprakelijk},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2015/08/FD13.pdf},
year = {2015},
date = {2015-08-20},
note = {
Column in Het Financieele Dagblad van 12 augustus 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Europa gaat te traag met beleid voor versleuteling 2015. @misc{,
title = {Europa gaat te traag met beleid voor versleuteling},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1588.pdf},
year = {2015},
date = {2015-07-16},
note = {
Column in Het Financieele Dagblad van 15 juli 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Lobby in Europa zorgt voor absurd internetbeleid 2015. @misc{,
title = {Lobby in Europa zorgt voor absurd internetbeleid},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/wp-content/uploads/2015/06/fd11.pdf},
year = {2015},
date = {2015-06-18},
note = {
Column in Het Financieele Dagblad van 17 juni 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Software is ook bij bitcoin altijd politiek 2015. @misc{,
title = {Software is ook bij bitcoin altijd politiek},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/2015/05/20/10e-column-financieele-dagblad-machtsstrijd-software-is-ook-bij-bitcoin-altijd-politiek/},
year = {2015},
date = {2015-06-05},
note = {
Column in Het Financieele Dagblad van 20 mei 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Internet der dingen zwaar beveiligen 2015. @misc{,
title = {Internet der dingen zwaar beveiligen},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/2015/04/24/9e-column-financieele-dagblad-levensgevaarlijk-internet-der-dingen-zwaar-beveiligen/},
year = {2015},
date = {2015-04-28},
note = {
Column in Het Financieele Dagblad van 22 april 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Emotie domineert verstand na aanslagen in Parijs 2015. @misc{,
title = {Emotie domineert verstand na aanslagen in Parijs},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1529.pdf},
year = {2015},
date = {2015-04-01},
note = {
Column in Het Financieele Dagblad van 28 januari 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Neem heft in eigen hand na hack Gemalto 2015. @misc{,
title = {Neem heft in eigen hand na hack Gemalto},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1530.pdf},
year = {2015},
date = {2015-04-01},
note = {
Column in Het Financieele Dagblad van 25 februari 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Nederlandse polder als model voor regulering internet 2015. @misc{,
title = {Nederlandse polder als model voor regulering internet},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1531.pdf},
year = {2015},
date = {2015-04-01},
note = {
Column in Het Financieele Dagblad van 25 maart 2015.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Wat eeuwen van spam ons leren over cybersecurity 2015. @misc{,
title = {Wat eeuwen van spam ons leren over cybersecurity},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1480.pdf},
year = {2015},
date = {2015-01-08},
note = {
Column in Het Financieele Dagblad van 31 december 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Expert Panel Report: A New Governance Model for Communications Security? 2014. @techreport{,
title = {Expert Panel Report: A New Governance Model for Communications Security?},
author = {A.M. Arnbak},
url = {https://freedom-to-tinker.com/blog/axel/expert-panel-report-a-new-governance-model-for-communications-security/},
year = {2014},
date = {2014-12-09},
abstract = {
Today, the vulnerable state of electronic communications security dominates headlines across the globe, while surveillance, money and power increasingly permeate the “cybersecurity” policy arena. With the stakes so high, how should communications security be regulated?
Deirdre Mulligan (UC Berkeley), Ashkan Soltani (independent, Washington Post), Ian Brown (Oxford) and Michel van Eeten (TU Delft) weighed in on this proposition at an expert panel on my doctoral project at the Amsterdam Information Influx conference.
},
keywords = {},
pubstate = {published},
tppubtype = {techreport}
}
|
Arnbak, A. De unieke sleutel tot onze digitale informatie 2014. @periodical{,
title = {De unieke sleutel tot onze digitale informatie},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1442.pdf},
year = {2014},
date = {2014-11-25},
journal = {Financieel Dagblad},
note = {
Column van 25 november 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {periodical}
}
|
Arnbak, A. Deltaplan voor online privacy & beveiliging In: Het Financieele Dagblad, 2014. @article{,
title = {Deltaplan voor online privacy \& beveiliging},
author = {A.M. Arnbak},
url = {https://www.axelarnbak.nl/2014/11/04/derde-column-in-financieele-dagblad-deltaplan-online-privacy-en-beveiliging/},
year = {2014},
date = {2014-11-06},
journal = {Het Financieele Dagblad},
note = {
Column, 28 oktober 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Any Colour You Like: the History (and Future?) of E.U. Communications Security Policy 14.10.2014, (Draft paper prepared for IViR/Berkman Roundtable - 18 April 2014 - Last update July 28, 2014). @misc{,
title = {Any Colour You Like: the History (and Future?) of E.U. Communications Security Policy},
author = {Arnbak, A.},
url = {http://www.ivir.nl/publicaties/download/1421.pdf},
year = {2014},
date = {2014-10-14},
abstract = {
This descriptive legal analysis maps and evaluates a four decade legacy of communications security conceptualizations in E.U. law and policy, including four legislative proposals launched in 2013. As the first comprehensive historical analysis of its kind, the paper forwards a range of new scientific contributions in a time secure electronic communications are of historically unparalleled societal, economic and political relevance. Five communications security policy cycles are identified, and their ‘security’ definitions and scope are described. These cycles are: network and information security, data protection, telecommunications, encryption and cybercrime. An evaluation of the current E.U. ‘security’ conceptualizations illuminates the underlying values at stake, the protection offered in current regulations, the formulation of six research themes and an agenda for computer science, political theory and legal research. Despite constitutional values at stake such as privacy and communications freedom and a robust computer science literature, the paper observes a deep lack of conceptual clarity and coherence in E.U. security policymaking. It then concludes that the observed conceptual ambiguity has allowed powerful stakeholders to capture, or paint E.U. network and information security policies in any colour they like.
},
note = {
Draft paper prepared for IViR/Berkman Roundtable - 18 April 2014 - Last update July 28, 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|
Arnbak, A. Twijfels over cyberdiefstal Russische bende 2014. @misc{,
title = {Twijfels over cyberdiefstal Russische bende},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/FD_12082014.pdf},
year = {2014},
date = {2014-10-10},
journal = {Het Financieele Dagblad},
note = {
Interview, 11 August 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Cybersecurity dekmantel voor digitale boterberg 2014. @misc{,
title = {Cybersecurity dekmantel voor digitale boterberg},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/FD_29082014.pdf},
year = {2014},
date = {2014-10-10},
journal = {Het Financieele Dagblad},
note = {
Column, 29 August 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Stortvloed regels moet beveiliging internet verbeteren 2014. @misc{,
title = {Stortvloed regels moet beveiliging internet verbeteren},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/FD_30092014.pdf},
year = {2014},
date = {2014-10-10},
journal = {Het Financieele Dagblad},
note = {
Column, 30 September 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A., Asghari, H., Eeten, M.J.G. van, van Eijk, N. Security Collapse in the HTTPS Market In: Communications of the ACM, vol. 57, nr. 10, pp. 47-55, 2014, (
Also published in: ACM Queue - Security (http://dl.acm.org/citation.cfm?id=2673311&CFID=582181517&CFTOKEN=51677975), 2014-8, vol. 12.
). @article{,
title = {Security Collapse in the HTTPS Market},
author = {Asghari, H. and Eeten, M.J.G. van and Arnbak, A. and van Eijk, N.},
url = {http://www.ivir.nl/publicaties/download/CACM_2014_10.pdf},
year = {2014},
date = {2014-10-10},
journal = {Communications of the ACM},
volume = {57},
number = {10},
pages = {47-55},
abstract = {
HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents\textemdashsuch as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed\textemdashhave exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations\textemdashnotably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale\textemdashhave driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become "too big to fail." Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.
},
note = {
Also published in: ACM Queue - Security (http://dl.acm.org/citation.cfm?id=2673311\&CFID=582181517\&CFTOKEN=51677975), 2014-8, vol. 12.
},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad In: pp. 1-24, 2014. @article{,
title = {Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/1375.pdf},
year = {2014},
date = {2014-07-08},
pages = {1-24},
abstract = {
We reveal interdependent legal and technical loopholes that the U.S. intelligence community could use to circumvent constitutional and statutory safeguards for Americans. These loopholes involve the collection of Internet traffic on foreign territory, and leave Americans as unprotected as foreigners by current U.S. surveillance laws. We also describe how modern Internet protocols can be manipulated to deliberately divert Americans' traffic abroad, where traffic can then be collected under a more permissive legal regime (Executive Order 12333) that is overseen solely by the Executive branch of the U.S. government. While the media has reported on some of the techniques we describe, we cannot establish the extent to which these loopholes are exploited in practice.
An actionable short-term remedy to these loopholes involves updating the antiquated legal definition of "electronic surveillance" in the Foreign Intelligence Surveillance Act (FISA), that has remained largely intact since 1978. On the long term, however, a fundamental reconsideration of established principles in U.S. surveillance law is required, since these loopholes cannot be closed by technology alone. Legal issues that require reconsideration include: the determination of applicable law by the geographical point of collection of network traffic; the lack of general constitutional or statutory protection for network traffic collection before users are "intentionally targeted"; and the fact that constitutional protection under the Fourth Amendment is limited to "U.S. persons" only. The combination of these three principles means that Americans remain highly vulnerable to bulk surveillance when the U.S. intelligence community collects their network traffic abroad.
},
note = {
Forthcoming in Michigan Telecommunications \& Technology Law Review, May 2015.
Presented at the Privacy Enhancing Technologies Symposium, July 2014, Amsterdam.
See also:
Legal loopholes could allow wider NSA surveillance, researchers say, CBS news, 30 June 2014.
“Loopholes for Circumventing the Constitution”, the NSA Statement, and Our Response, Freedom to Tinker, 11 July 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. Nederland als internetdokter tussen cybergrootmachten: Faciliteer een veilige en vrije IT-infrastructuur passend bij onze structurele culturele, economische en politieke belangen 2014. @periodical{,
title = {Nederland als internetdokter tussen cybergrootmachten: Faciliteer een veilige en vrije IT-infrastructuur passend bij onze structurele culturele, economische en politieke belangen},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/FD_20052014.pdf},
year = {2014},
date = {2014-05-20},
journal = {Het Financieele Dagblad},
note = {
20 May 2014.
},
keywords = {},
pubstate = {published},
tppubtype = {periodical}
}
|
Arnbak, A. 9 Problems of Government Hacking: Why IT-Systems Deserve Constitutional Protection In: 2014. @article{,
title = {9 Problems of Government Hacking: Why IT-Systems Deserve Constitutional Protection},
author = {A.M. Arnbak},
url = {https://freedom-to-tinker.com/blog/axel/9-problems-of-governments-hacking-why-it-systems-deserve-constitutional-protection/},
year = {2014},
date = {2014-02-20},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A. ECHR Fast-Tracks Court Case on PRISM and TEMPORA (and VERYANGRYBIRDS?) 2014. @misc{,
title = {ECHR Fast-Tracks Court Case on PRISM and TEMPORA (and VERYANGRYBIRDS?)},
author = {A.M. Arnbak},
url = {https://freedom-to-tinker.com/blog/axel/echr-fast-tracks-court-case-on-prism-and-tempora-and-very-angry-birds/},
year = {2014},
date = {2014-01-29},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. The Politics of the EU Court Data Retention Opinion: End to Mass Surveillance? 2013. @misc{,
title = {The Politics of the EU Court Data Retention Opinion: End to Mass Surveillance?},
author = {A.M. Arnbak},
url = {https://freedom-to-tinker.com/blog/axel/the-politics-of-the-eu-court-data-retention-opinion-end-to-mass-surveillance/},
year = {2013},
date = {2013-12-13},
note = {
Blogpost at Freedom to Tinker.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Het maatschappelijke debat na PRISM - vijftig open vragen over privacy 2013. @misc{,
title = {Het maatschappelijke debat na PRISM - vijftig open vragen over privacy},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/BBA2013.pdf},
year = {2013},
date = {2013-08-30},
note = {
Column delivered at the Big Brother Awards 2013, 29 August 2013.
},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A., van Hoboken, J. De wind van Snowden in de Amerikaanse informatieparaplu In: Mediaforum, nr. 7/8, pp. 173, 2013. @article{,
title = {De wind van Snowden in de Amerikaanse informatieparaplu},
author = {A.M. Arnbak and J.V.J. van Hoboken},
url = {http://www.ivir.nl/publicaties/download/981.pdf},
year = {2013},
date = {2013-08-06},
journal = {Mediaforum},
number = {7/8},
pages = {173},
note = {Opinion},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Arnbak, A., Asghari, H., Eeten, M.J.G. van, van Eijk, N. Security Economics in the HTTPS Value Chain 11.07.2013, (
Paper peer-reviewed and presented at WEIS 2013, 3 June 2013.
). @misc{,
title = {Security Economics in the HTTPS Value Chain},
author = {Asghari, H. and Eeten, M.J.G. van and Arnbak, A. and van Eijk, N.},
url = {http://www.ivir.nl/publicaties/download/paper_WEIS_2013.pdf},
year = {2013},
date = {2013-07-11},
pages = {1-35},
abstract = {
Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.
},
note = {
Paper peer-reviewed and presented at WEIS 2013, 3 June 2013.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|
Arnbak, A. PRISM: Obscured by Clouds or the Dark Side of the Moon?: How to Address Governmental Access to Cloud Data from Abroad 27.06.2013. @misc{,
title = {PRISM: Obscured by Clouds or the Dark Side of the Moon?: How to Address Governmental Access to Cloud Data from Abroad},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/979.pdf},
year = {2013},
date = {2013-06-27},
note = {
Speech at the E.U. Mission to the U.S. delivered before the JHA/HR/Political Counselors meeting, Washington D.C., 10 June 2013.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|
Arnbak, A., van Hoboken, J. Gespreksnotitie RTG 'praktijken, gevolgen en wettelijke kaders inzake het aftappen van persoonsgegevens' 25.06.2013. @misc{,
title = {Gespreksnotitie RTG 'praktijken, gevolgen en wettelijke kaders inzake het aftappen van persoonsgegevens'},
author = {A.M. Arnbak and J.V.J. van Hoboken},
url = {http://www.ivir.nl/publicaties/download/978.pdf},
year = {2013},
date = {2013-06-25},
note = {
Standing Committee on the Interior (Vaste Commissie Binnenlandse Zaken), 26 June 2013.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|
Arnbak, A., van Eijk, N., van Hoboken, J. Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad 11.06.2013. @misc{,
title = {Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad},
author = {J.V.J. van Hoboken and A.M. Arnbak and N.A.N.M. van Eijk},
url = {http://www.ivir.nl/publicaties/download/obscured_by_clouds.pdf},
year = {2013},
date = {2013-06-11},
note = {
Draft paper presented at Privacy Law Scholars Conference 2013, 6-7 June, Berkeley, United States. See also: Snowden saga reveals gap in protection of European data, Financial Times, 29 July 2013, p. 2.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|
Arnbak, A., van Eijk, N., van Hoboken, J. Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act 2012. @techreport{,
title = {Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act},
author = {J.V.J. van Hoboken and A.M. Arnbak and N.A.N.M. van Eijk},
url = {http://www.ivir.nl/publicaties/download/Cloud_Computing_Patriot_Act_2012.pdf},
year = {2012},
date = {2012-11-29},
abstract = {
Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a decrease of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. law and on the basis of Dutch law and international co-operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments. The Patriot Act from 2001 has started to play a symbolic role in the public debate. It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes. In particular, the FISA Amendments Act provision for access to data of non-U.S. persons outside the U.S. enacted in 2008 deserves attention. The report describes this and other legal powers for the U.S. government to obtain data of non-U.S. persons located outside of the U.S. from cloud providers that fall under its jurisdiction. Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States and is not dependent on the location where the data are stored, as is often assumed. For non-U.S. persons located outside of the U.S., constitutional protection is not applicable and the statutory safeguards are minimal. In the Netherlands and across the EU, government agencies have legal powers to obtain access to cloud data as well. These provisions can also be used to assist the U.S. government, when it does not have jurisdiction for instance, but they must stay within the constitutional safeguards set by national constitutions, the European Convention on Human Rights and the EU Charter.
},
note = {
This is the English translation of a report that was released in September 2012 in The Netherlands. It was covered extensively in Dutch newspapers, on Radio1 and the 8 PM news bulletin of public broadcaster NOS. Politicians across the spectrum reacted on the report, both directly in the media and through Parliamentary questions. Meanwhile, the State Secretary of Security and Justice has responded to the Parliamentary questions on 15 October 2012.
The report is also available on SSRN.
See also:
- Patriot Act can "obtain" data in Europe, researchers say, CBS News, 4 December 2012;
- Im Bann des amerikanischen Schn\"{u}ffelwahns, S\"{u}d Deutsche, 10 January 2013.
},
keywords = {},
pubstate = {published},
tppubtype = {techreport}
}
|
Arnbak, A., van Eijk, N., van Hoboken, J. Cloud diensten in hoger onderwijs en onderzoek en de USA Patriot Act 2012. @techreport{,
title = {Cloud diensten in hoger onderwijs en onderzoek en de USA Patriot Act},
author = {J.V.J. van Hoboken and N.A.N.M. van Eijk and A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/Clouddiensten_in_HO_en_USA_Patriot_Act.pdf},
year = {2012},
date = {2012-09-12},
abstract = {
Institutions and users are moving to the cloud en masse, and as a result control and oversight over government access to our data is diminishing. This has important consequences for privacy and other fundamental interests in the confidentiality of information. There has been much talk about the Patriot Act lately, but no one has a clear view of the U.S. legislation that gives the U.S. the possibility of access to data in the cloud. This report by IViR, commissioned by SURFdirect, answers these important questions. The U.S. Constitution and the specific statutes protect foreigners to a lesser degree than Americans. Cloud data of non-Americans abroad can therefore be requested more quickly and easily than that of Americans, and without legal safeguards such as transparency about the number of requests and legal protection of the individual. In addition, the public debate is dominated by persistent misconceptions and too great a focus on the Patriot Act. There is a much larger body of legislation at play. For requests by U.S. authorities, it does not matter where in the world cloud data are stored. Nor does the provider have to be a U.S. cloud provider. If a Dutch cloud provider structurally does business in the U.S., then U.S. laws and regulations in principle already give U.S. authorities the possibility to request data from the Netherlands. For customers of cloud services, such relationships will be difficult to trace in practice, and acquisitions in the sector can suddenly change the situation.
},
note = {
Report commissioned by SURF, September 2012.
See also:
- Press release from SURF;
- Toezicht op gegevens in een cloud is hard nodig, NOS Journaal, Saturday 13 October 2012;
- Cyberaanvallen nieuwe vorm van politieke acties, Joris van Hoboken on Radio 1, Saturday 13 October 2012;
- Response from Jeanine Hennis-Plasschaert, Radio 1, Saturday 13 October 2012;
- Parliamentary questions by the SP;
- Answer by State Secretary Teeven to the SP's questions;
- Onrust patiëntendossier neemt toe, NOS website, 30 November 2012;
- VS kan toegang tot EPD krijgen, video NOS Journaal, 30 November 2012;
- 'De vraag is of VS medisch geheim Nederland zal respecteren', NOS Journaal, 30 November 2012.
},
keywords = {},
pubstate = {published},
tppubtype = {techreport}
}
|
Arnbak, A., van Eijk, N. Certificate Authority Collapse: Regulating Systemic Vulnerabilities in the HTTPS Value Chain 07.09.2012. @misc{,
title = {Certificate Authority Collapse: Regulating Systemic Vulnerabilities in the HTTPS Value Chain},
author = {A.M. Arnbak and N.A.N.M. van Eijk},
url = {http://www.ivir.nl/publicaties/download/paper_TPRC_2012.pdf},
year = {2012},
date = {2012-09-07},
abstract = {
Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. On the short term, specific regulatory measures to be considered throughout the value chain include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.
},
note = {
Telecommunications Policy Research Conference, August 2012. See also: 29C3: "Das SSL-System ist grundlegend defekt - und jemand muss es reparieren", Heise Online, 28 December 2012; Onderzoeker zet vraagtekens bij Europese https-regels, Tweakers.net, 29 December 2012.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|
Arnbak, A. Annotatie bij Rb. 's-Gravenhage 11 januari 2012 (Brein / Ziggo & XS4ALL) 2012. @misc{,
title = {Annotatie bij Rb. 's-Gravenhage 11 januari 2012 (Brein / Ziggo \& XS4ALL)},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/AMI_2012_3.pdf},
year = {2012},
date = {2012-06-15},
journal = {AMI},
number = {3},
pages = {119-131},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
|
Arnbak, A. Alles onder controle? Een kritische blik op de door de dataretentierichtlijn in het leven geroepen driehoeksverhouding tussen de Wet Bewaarplicht Telecommunicatiegegevens, de strafvorderlijke toegangs 2011. @techreport{,
title = {Alles onder controle? Een kritische blik op de door de dataretentierichtlijn in het leven geroepen driehoeksverhouding tussen de Wet Bewaarplicht Telecommunicatiegegevens, de strafvorderlijke toegangs},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/973.pdf},
year = {2011},
date = {2011-12-13},
note = {
Master's thesis, Information Law
},
keywords = {},
pubstate = {published},
tppubtype = {techreport}
}
|
Arnbak, A. What the European Commission owes 500 million Europeans 13.12.2011. @misc{,
title = {What the European Commission owes 500 million Europeans},
author = {A.M. Arnbak},
url = {http://www.ivir.nl/publicaties/download/974.pdf},
year = {2011},
date = {2011-12-13},
note = {
Speech delivered on 3 December 2010 at the conference "Taking on the Data Retention Directive", organised by the European Commission. Part of this speech was also published in Privacy \& Informatie, 2010-6, p. 305.
},
keywords = {},
pubstate = {published},
tppubtype = {presentation}
}
|