Dutch Government Backs Strong Encryption, Condemns Backdoors

blottsie writes: The Netherlands government issued a strong statement on Monday against weakening encryption for the purposes of law enforcement and intelligence agencies. The move comes as governments in the United Kingdom and China act to legally require companies to give them access to wide swaths of encrypted Internet traffic. U.S. lawmakers are also considering introducing similar legislation.

Non-FVEY status has its benefits

It's nice to see a modern, developed nation that actually believes in freedom.

Re:Non-FVEY status has its benefits

Meh, the current Dutch governments is one of the most shitty, corrupt and voter hating governments we had in our history, getting the vote with lies and then continuing with their own agenda. The current biggest party in the polls has more than the coalition combined, which has shriveled to a small minority, which is the only reason they didn't resign yet. This government passes law after law to make more spying on their citizens possible, and if it isn't allowed by law, they do it anyway. I wouldn't read too much in this except industrial protection. The text describes two things the government wants: a) it wants strong secure communications for businesses and citizens (*cough*), and b) it wants to be able to break encryption to be able to spy on pedophiles and terrorists. It concludes it cannot achieve b) without violating a), hence only a) is possible now. I suspect this is not to protect our rights but to protect big corps such as Shell (I name Shell as an example because various of our politicians have a Shell background and it is one of the most powerful companies on earth, being spied on by various countries) and for PR for IT. In the meantime our own little version of NSA will be using any exploit and other possibility to continue to invade our privacy. My guess they took some lessons from the Patriot Act, which made security a joke as they for example could go to Apple or MicroSoft and ask for their full cooperation and then Apple or MS couldn't say a thing. This was all very bad for business, and now these companies claim to secure and protect our communications, which is much better PR. I doubt the NSA's possibilities have really dwindled. Don't trust the Dutch government. They cooperate with the US/NSA and made the Netherlands a testbed for their technology.

Re:Non-FVEY status has its benefits

Exactly what they want you to think, as they install their backdoors

Re:Non-FVEY status has its benefits

[Errol+backfiring]

It's nice to see a modern, developed nation that actually believes in freedom.

I sincerely wished that were true. This is the very same government, hell, even the same minister, that gave the police the right to hack into any computer they are interested in. They probably know enough ways to break into their subjects' systems that they are not harmed by encryption anyway.

Re:Non-FVEY status has its benefits

[jblues]

Your government is bank-rolled by Shell? Lucky bastards. We got [citation] ExxonMobil in Australia, although Shell have been backers in the past. Come to think of it though, our mob would have a tough time the Netherlands, as they completely have it in for windmills

Re:Non-FVEY status has its benefits

[cryptogranny]

Any link about the subject?

What authority?

[sanf780]

Dutch legislation is not really relevant, I would say. If most software is coming from the US, including OS from Microsoft, Apple and Google, how are you supposed to enforce adequate encription if the US mandates weaker versions? Is it going to be the GNU/Linux on the Dutch Desktop during 2016?

Re:What authority?

At least GNU/Linux will still be legal here. Otherwise you have a good point of course.

Re:What authority?

[maligor]

Dutch legislation is not really relevant, I would say. If most software is coming from the US, including OS from Microsoft, Apple and Google, how are you supposed to enforce adequate encription if the US mandates weaker versions? Is it going to be the GNU/Linux on the Dutch Desktop during 2016?

Netherlands has a population of 17M, so assuming you sell a copy to a quarter the popluation, it's 4M copies. Quite frankly out of their population they'll have enough software engineers to make their own security if necessary.

Re:What authority?

Dutch legislation is not really relevant, I would say. If most software is coming from the US, including OS from Microsoft, Apple and Google, how are you supposed to enforce adequate encription if the US mandates weaker versions? Is it going to be the GNU/Linux on the Dutch Desktop during 2016?

What does standalone software have to do with the encryption of data across networks throughout the world (aka the Internet)? This is good news for the world as it means one region of the world won't allow snooping in people's encrypted data. At least if the data reaches a server in the Netherlands, we won't have to worry if their gov will wanna see what is in there (assuming they are being truthful).

Re:What authority?

[bytesex]

AES and SHA-3 were (partly) conceived in Belgium. Legislation is one thing - inventing the technology is something else.

Yeah I know Belgium and the Netherlands are not the same country. I live in one of them. I was trying to make a point.

Re:What authority?

or corporations in a last ditch effort to retain some semblance of customer credibility will relocate to the Netherlands to avoid us regulations... much like the rich do to avoid taxes...

what is the US going to do, put the Netherlands under economic sanctions?

on top of that, its not like any company will be held liable to any state under the current round of trade agreements (where corporations can sue governments for loss of profits) so in effect while you may be correct in the irrelevance of the dutch legislation i would also posit that US legislation is just as irrelevant as the politicians give everything away to their corporate minders.

Re:What authority?

Quite frankly out of their population they'll have enough software engineers to make their own security if necessary.

Will it have blackjack and hookers?

Re:What authority?

First of all, deciding not to murder people is good even if someone else decides to murder people. Maybe this harsh analogy teaches you not to dismiss so easily when people do the right thing. Secondly, the Netherlands host a big Internet exchange, AMS-IX, in Amsterdam. An official decision by the Netherlands in favor of strong encryption thus affects one of the big Internet hubs in Europe. Encryption can be weakened not just by design but also by implementation, so this is good. This decision also makes the Netherlands a prime choice for conferences on cryptography. Cryptographers are already uneasy about traveling to the USA, and the Netherlands are a good choice geographically and now policy-wise as well.

Re:What authority?

Internationalization of a software package includes much more than just translation of the user interface. In the future, encryption will become relevant, again. But this time it's all reverse! ;)

Re:What authority?

It's a moral victory. Now it's a legitimate question and not a forgone conclusion that governments respect the citizens' right to encrypt.

Re:What authority?

[Opportunist]

In this day and age? It's trivial to move your company to Atlantis if you find it. If the Netherlands offer the best conditions and the least legal bullshit, you'd be surprised how quickly companies move away from Ireland...

Re:What authority?

[Holi]

I don't know about blackjack, but it's Dutch so it would most likely have hookers.

Re:What authority?

[Teun]

Dutch legislation is ruling inside The Netherlands, a small country but an important international junction with a respectable tradition re. international law.

The Netherlands hosts one of the largest internet exchanges and as such it's laws have an international aspect.

Now the next thing I would like our government to do is to start an investigation into the spyware introduced (and back ported from) Windows 10.

Re:What authority?

Yeah I know Belgium and the Netherlands are not the same country.

I live in the U.S., so I had no idea. Also, what do Belgium and the Netherlands have to do with Dutchistan?

Re:What authority?

[Altrag]

That's not terribly relevant since the laws would apply individually in the countries you're selling the product, not the country your head office is in: If they sell it in the US, it has to follow US law (at least the US version does.. its very common for items sold in different countries to not be completely identical. A very visible example is packaging of basically anything in Canada where you're required by law to have everything printed in both English and French.. and of course Americans would throw a shit fit if they saw French on things so companies that sell cross-border have to design two completely separate packages.)

Web services are another story though. If the service operates entirely out of Atlantis but does something US law prohibits.. what can the US do about that? They can try to block US citizens from accessing that service but that will draw out the anti-censorship and the slippery slope crowds pretty damned quickly.

Of course things get even muddier as the web service grows. They'll start wanting to work with content distribution networks (CDNs) to get their data flowing faster. But now the question arises, does a partially cached website sitting on a third party's CDN server in the US constitute the service "operating" in the US and thus bound to US law? Are the US citizens accessing it also bound by Atlantis law since anything dynamic still has to be piped from the main servers? Does it get treated like international waters where damned near anything is fair game?

Of course the US is going to want to impose US law (hell they like doing that even when there's no question of being out of their jurisdiction.) And Atlantis is going to want to retain their sovereignty (especially the web service in question who doesn't want to have to deal with two entirely different legal frameworks even if they only coincidentally based in Atlantis and not actively trying to skirt US law.)

Ideally the citizens accessing the web service would be the place where the law is imposed but of course there's no practical way to do that. Identifying them is an invasion of privacy to begin with (PRISM&friends notwithstanding) but even if you could get away with that, by the time the web service is big enough to be news there's too many users to start punishing them individually short of taking an RIAA-style tactic of harassing 12 year old girls to "make an example" -- which of course the internet takes as just another example of how big of a dick you can be and doesn't really accomplish anything.

Re: What authority?

[ControlFreal]

Dutch is the demonym for those from the Netherlands, and the adjective for things from there. Dutch is also the language spoken there, as well as in the northern part of Belgium (Flanders).

Re: What authority?

Stupid sexy Flanders.

Re: What authority?

As long as your Intel chip and your Asus motherboard and your Linksys router doesn't have a backdoor, you are fine woth Linux >.

Re: What authority?

You don't have to be an idiot just because you live in the US...

Re: What authority?

interested to know what world you live in where most s/w is written in the US. I expect India, China and Eastern Europe are a lot higher. Yes, the s/w companies might call the USA home and a certain amount of s/w may be integrated in the US but it's not written there. I wish I had facts to back this up but ask yourself how often you speak to an American when you contact support for s/w.

Re:What authority?

Even microsoft/apple users can install open stuff. Libreoffice is one option - a no-backdoor encryption suite is another. Cops can show me a warrant when they need to look at my computer.

Re: What authority?

[KGIII]

Yes, but it helps.

Re:What authority?

[RockDoctor]

I don't know about blackjack, but it's Dutch so it would most likely have hookers.

Most (not all, but most) hookers in the Netherlands are not Dutch. At least, of the samples I've sampled.

Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.

... of a soul-less original.

Re:What authority?

[Holi]

.. of a soul-less original.

Hey, I am not a ginger!

Well then

[liqu1d]

Are you accepting new residents?

Re:Well then

[vikingpower]

We are. For an American or European, there is no problem at all in coming to the Netherlands and living there. What with you being a techie, you'll have a job in twice no time. Nearly the entire population, nowadays, speaks Dutch. Disclaimer: I am of Dutch nationality, although I live in Austria, another EU state (one that does not even make strong encryption a subject of public discussion, but simply and tacitly assumes that strong encryption should be had by all who wish to use it, period).

Re:Well then

[avandesande]

I think you meant to say "Nearly the entire population, nowadays, speaks English"

Re: Well then

[liqu1d]

Their meaning was clear and easily forgiven since their English is vastly superior to my Dutch :D.

Re:Well then

Techies who are looking for great employment in The Netherlands should probably check out the area in and around Eindhoven. Techie students looking for a great technical university can check out TU Delft.

Re:Well then

[PopeRatzo]

For an American or European, there is no problem at all in coming to the Netherlands and living there.

That's for sure. Last time I was in Amsterdam, I met a really nice girl who taught me what backdoors were for. She was just standing in a doorway and was just super friendly. It would have been one of the greatest nights of my life, but I must have lost my wallet somewhere. I remember thinking that she had really strong hands for a girl.

Re: Well then

[liqu1d]

I hate to ask but did your IDS pick up any backdoor entry? Hope you checked you're firewall tables afterwards assuming you weren't correctly locked down initially.

Re:Well then

We are. For an American or European, there is no problem at all in coming to the Netherlands and living there. What with you being a techie, you'll have a job in twice no time. Nearly the entire population, nowadays, speaks Dutch.

I think you meant to say "Nearly the entire population, nowadays, speaks English"

I think it's reasonable to say that nearly the entire population of Holland speaks Dutch.

Re:Well then

[Opportunist]

Is that the girl that told you it's no problem to have a small cock, while you thought that it would still be better if she had none?

Re:Well then

[Teun]

In Austria they are so worried about every one's privacy that the use of a dash cam can cost you a fine of around €8,500.

Although the Austrians lifted the ban on Google Street view Google has lost the appetite to enable it. (As in Germany)

Re:Well then

[KingOfBLASH]

As an American who lived in the Netherlands for 7 years (first Maastricht and then Amsterdam) I can tell you it's not that easy to find a job. Dutch immigration laws are a pain, and thanks to the PVV and Gert Wilders they're basically trying to prevent more migrants coming and kick the ones already there out. (My source? My visa was revoked and I was politely asked to leave the country after my visa was revoked for being laid off).

What this ends up meaning is if you're EU you'll have no problems (because you can just move there, because it's EU) but if you're non-EU forget about it. (Actually it's just very difficult). And even if you have very hard to find skills you'll be punished for being a foreigner. They'll pay you less (because you pay less taxes) and gouge you for housing prices.

Still, despite the drawbacks it was worth it. If you get a chance, take it.

Re:Well then

[FrozenGeek]

Nice sig.

Re:Well then

My friends neighbor moved to Amsterdam for the free healthcare, not that he needed any help due to rich parents, but US doctors would not prescribe him any more medication. I helped my friend clean out his apartment before his parents got there and holy crap, this guy had more drugs (of every kind) than a pharmacy.

Re:Well then

Health care is not free in The Netherlands. It's not expensive though -- health insurance with complete coverage is around €1000 with a one-time €380 deductible and it is pretty good (probably top ten in the world).

Re:Well then

(Former) American living in Belgium here. It's about the same for both us and the Netherlands.

If married to an EU citizen, you just show up. You'll get a permanent residency permit automatically, which gives you access to welfare, health care and almost free education (I took a year of French classes, then went to a local Uni for a masters). After five years (three if employed and paying taxes) you get citizenship. The standard for marriage is very low: if you don't have a legal certificate, you simply have to prove that you've been living together for six months (ie, with bills in both your names) or have a child together. It does not matter if you're gay.

If not married to an EU citizen, you're basically welcome if you can contribute to the economy. You can show up on a tourist visa, which allows you to stay up to three months at a time, up to six months per year. Use that time to apply for a temporary residency permit and get a job. You get access to basic welfare and health care immediately, although you can loose the temporary residency permit if you can't stay gainfully employed. Once you've been paying taxes for a while you'll get a permanent residency permit (I forget how long, three years I think), with which the other social systems open up. You can become a citizen after five years of paying taxes.

There is only one question on the citizenship test, which is delivered in the language of your choice: "Do you support the Universal Declaration of Human Rights?". I am guessing you know the correct answer already. You don't have to give up your former citizenship.

In the bigger European countries (like Germany, France, UK) it is harder, but once you are a citizen of Belgium or the Netherlands you can go live anywhere in the EU as long as you can hold a job in that country (you have to be an economic actor of some sort to be covered by the EU freedom of movement).

Life here is good: although we have fewer formal civil liberty protections compared to the US* in practice you are much freer here. Don't bother other people and pay your taxes and you can do whatever you want. Like to smoke pot? no problem. Want to have a crazy religion? no problem. Nudist? no problem. Gay? nobody cares. Want to start a business? You are not wagering your home or your children's future on it.

If Trump gets elected, I foresee a wave of American immigration :).

* For example, in Belgium you must carry ID at all times and show it to the police when requested. In the US, I had police ask me for ID every few months (traffic stops, "loittering" while walking home from work...). You can legally refuse, but I think we all know how that works out. In a decade here, they've only asked it of me once, and I had actually been caught committing a misdemeanor (threw a cigarette butt on the ground), so fair enough. Heck, I've only ever seen somebody get pulled over two or three times, the police don't patrol the roads here.

Re:Well then

That is exactly the opposite of my experience as an American in Europe. I don't know your situation, but it sounds like you were living on an expat visa. While I am not accusing you of being in this situation, I see lots of Americans come here on these temporary work arrangements and expect to be treated the same as locals while maintaining the option simply go back to the States if things get hard here. They pay lower taxes, yet expect the locals treat them the same as a local. It does not work that way.

If you want the locals to take care of you, then you need to show that you are willing to take care of locals. If you are prepared to integrate and pay your taxes, then you don't have problems... at least I didn't. This means applying for residency (eventually citizenship) instead of living on a reduced-tax arrangement visa. You should be able to communicate in the local language after a year or so; it sends a strong signal to the immigration officials about your intentions (and will help you get another job if you get laid off).

Another note, your characterization of EU vs non-EU is wrong. Freedom of movement in the EU applies only to economic actors; if you're unemployed and living on the dole you are no longer an economic actor and you'll be sent home after three months... unless you've applied for permanent residency and been paying the local taxes (just like non-EU).

Re:Well then

[johanw]

However, the TU (Technical University) Eindhoven is at least as good as Delft. Each one has its specialties, aerospace engineering can only be done in Delft but for nuclear fusion technology Eindhoven is the place to be).

Re:Well then

[KingOfBLASH]

A few things to note:

a) Not an American in Europe: an American in the Netherlands. Visa programs are set by countries themselves so the experience in Ireland won't be the same as an expat in the Netherlands. There are certainly some countries that are more welcoming

In the Netherlands you can't just come over unless you're on an expat visa. And "Integrating" requires five years of continuous employment. The problem being if you get laid off (as I was) and blind sided you basically get shipped home.

And getting citizenship may mean renouncing your US citizenship. Again depends on the country, some will let you have two citizenships (although not all will)

b) There is a HUGE difference between current climate in Europe for immigration and five to ten years ago. Many new restrictions were added after the economic crisis. Even more restrictions were added when all the syrian refugees started showing up. With such a large influx of migrants (and rampant xenophobia in some countries) many governments are making the bar for a non-refugee much higher.

Probably a representative government

Probably because they have a voted in a more representative government instead of the USA/UK version of democracy where you get presented with a list of rich people you can choose from.

Re:Probably a representative government

The stupid intelligence agencies could not stop the Paris attacks and they were planned and carried out via unencrypted voice calls on smartphones. The US did not stop the California terrorists despite having access to petabytes to the petabytes of unencrypted metadata and even plain text data via Twitter and Facebook APIs.

Re:Probably a representative government

[wyHunter]

Unless, of course, the European parliament overrules the Dutch one and they get broken code.

Re:Probably a representative government

The intelligence agencies don't want to stop terror attacks. Each time one occurs, these agencies are given more power and funding. Preventing terrorism is counter to their interests; history shows they're far more likely to be instigating it instead.

Re:Probably a representative government

Well, yes, but that means there are over 20 parties to choose from when there are elections, instead of just two.

It's nice because you don't have to go for the lesser of two evils, you can actually pick a party that is more or less in line with your views. Parties will need to compromise and form coalitions in parliament in order to create a majority.

It's not so nice in that it's really difficult to pick the right party to vote on.

Re:Probably a representative government

I rather have a difficult choice, than only two choices that do not represent me at all.

Most government leaders: Ignorant about technology

[Futurepower(R)]

Most government leaders are EXTREMELY ignorant about technology, but they know technology is important, so they pretend they know things.

If encryption is outlawed, it will just be hidden. There will be large images with messages in the grey areas, for example.

At a minimum

... against weakening encryption for the purposes of law enforcement and intelligence agencies.

At a minimum, '5 eyes' countries will lay down the law when the time comes. In the meantime, how much of the data cloud, or the world's information is in the Netherlands?

Netherlands government: Sensible, not corrupt.

[Futurepower(R)]

"... how much of the data cloud, or the world's information is in the Netherlands?"

After encryption is outlawed everywhere else, all of it.

Re:Netherlands government: Sensible, not corrupt.

Actually quite a lot since it has on of the largest, if not largest, internet exchange points: https://en.wikipedia.org/wiki/List_of_Internet_exchange_points_by_size

Re:Netherlands government: Sensible, not corrupt.

They will also become the most hacked country on the planet, beating even the US.

Re:Netherlands government: Sensible, not corrupt.

Of course, nobody will be able to get it in our out, so it still won't matter. It's like they will house 100% of nothing. But, hey, 100% is a lot, right?

Re:Netherlands government: Sensible, not corrupt.

> After encryption is outlawed everywhere else, all of it.

In order to "protect" your data, we have new data residency requirements so that you must keep data on our citizens in our country.

Otherwise other people might run off with it!

Re:Netherlands government: Sensible, not corrupt.

[Mister+Liberty]

Almost the perfect honeypot.

Almost. You'll be hard pressed to find another government having their limp fist up the US' 'backdoor' as deep as the current government of The Netherlands.
If this luring game works, they get to get to suck dick as well, that's my take on this.

Be sensible: Secure Data and the Cloud are two mutually exclusive concepts.

Re:Netherlands government: Sensible, not corrupt.

Where's all the big ones? Must be the United States of NSA owns all that isn't on the list.

Re:Netherlands government: Sensible, not corrupt.

[Opportunist]

Why should that be the case? I'd rather think that hackers would go for the low hanging fruit, i.e. for countries that have a lot of data and outlawed strong crypto.

Re:Netherlands government: Sensible, not corrupt.

What do you mean, the big ones? You're looking at them: DE-CIX and AMS-IX are the biggest internet exchanges in the world. If you expected US exchanges to be bigger, then take note that the internet is much more hierarchical and oriented towards private peerings and backbone carriers in the USA than towards "public" internet exchanges as it is in Europe. With the half-hearted denials of BND spying for the NSA at DE-CIX, and following this decision to support strong encryption in the Netherlands, expect AMS-IX to overtake DE-CIX.

Re:Netherlands government: Sensible, not corrupt.

TransIP is a Dutch cloud provider, offers free 1 TB storage (called "STACK") with data stored in The Netherlands

Re:Netherlands government: Sensible, not corrupt.

Do you really think the Dutch don't spy even more than the Germans? The Dutch government has a long history of large-scale illegal espionage and illegal transfers of illicitly obtained data to foreign governments (i.e., mostly the US and the UK, probably Germany and France too). I wouldn't trust any national government with my data at this point if I actually had the choice.

Re:Netherlands government: Sensible, not corrupt.

I didn't say they don't and I don't think they don't, but with allowing strong backdoor-less cryptography now the official policy, the network operators can at least do anything technically possible to keep the spies out. Whether they actually do that is a different matter.

Lawful intercept

All the endorsement of encryption is worth nothing ing until the lawful intercept laws are of the books.

Re:Lawful intercept

[Coren22]

You mean like no longer using warrants to tap a phone?

FYI, lawful intercept is when a police officer puts a tap on a phone after getting a warrant for the phone line and person to be captured.

https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...

Re:Most government leaders: Ignorant about technol

How come steganography wasn't used to circumvent strong cryptography bans in the early 1990's?

Just another way to keep us isolated

So, imagine a situation like this:

Netherlands REQUIRES strong encryption on all internet services
US REQUIRES weak encryption on all internet services

Now, no one in the US can use the internet to talk to anyone in the Netherlands.

*** FACEPALM ***

Re:Just another way to keep us isolated

[Opportunist]

Set up a relay somewhere that reencrypts everything.

Security? What security?

Too little too late

[zmooc]

This "letter from the government" comes only weeks after they passed a law legalizing hacking by the police. It means nothing.

Also, this letter is available only in MS Word format and LibreOffice refuses to open it. The Dutch government is a bunch of clueless computer illiterate idiots.

Re:Too little too late

[Futurepower(R)]

"... letter is available only in MS Word format and LibreOffice refuses to open it."

The .DocX letter opens in Wordpad, with a message saying some of the information may not be viewable. See the text below.

"The Dutch government is a bunch of clueless computer illiterate idiots."

Probably Microsoft made another new file format so that new documents cannot be opened by old versions of Microsoft software, or other software. Microsoft is then able to sell everyone new versions. Not everyone can know all the methods of abuse by software makers.

_______________

Aan de Voorzitter van de Tweede Kamer
der Staten-Generaal
Postbus 20018
2500 EA DEN HAAG

Datum 4 januari 2016
Onderwerp Kabinetsstandpunt encryptie
Ministerie van Veiligheid en Justitie

Turfmarkt 147
2511 DPDen Haag
Postbus 16950
2500 BZDen Haag
www.nctv.nl

Ons kenmerk
708641

Kabinetsstandpunt Encryptie
Hierbij sturen wij u het kabinetsstandpunt toe over encryptie. Hiermee wordt tegemoet gekomen aan de gedane toezeggingen tijdens het AO Telecomraad van 10 juni 2015 (TK 2014-2015, 21501-33, nr. 552) en AO JBZ-Raad van 7 oktober 2015.

Inleiding
Encryptie, ook wel versleuteling, is in toenemende mate eenvoudig te verkrijgen en gebruiken en maakt daarmee steeds vaker onderdeel uit van het reguliere dataverkeer. Door de overheid, bedrijven en burgers wordt encryptie steeds meer toegepast om de vertrouwelijkheid en integriteit van hun communicatie en opgeslagen data te beschermen. Dat is belangrijk voor het vertrouwen van mensen in digitale producten en diensten en voor de Nederlandse economie in het licht van de zich snel ontwikkelende digitale maatschappij. Tegelijkertijd vormt encryptie een belemmering voor het verkrijgen van informatie die noodzakelijk is voor opsporings-, inlichtingen- en veiligheidsdiensten wanneer kwaadwillenden (zoals criminelen en terroristen) hiervan gebruikmaken. De recente aanslagen in Parijs, waarbij mogelijk gebruik is gemaakt van versleuteling van de communicatie door de terroristen, leiden tot de gerechtvaardigde vraag wat er nodig is om opsporings-, inlichtingen- en veiligheidsdiensten goed zicht te bieden en laten houden op aanslagplanning.

De in de vorige alinea beschreven tweeledigheid was eveneens te horen in het publieke debat van de afgelopen maanden over de dilemmaâ(TM)s rondom het gebruik van encryptie. Ook uw Kamer heeft over dit onderwerp gesproken. Tijdens het AO Telecomraad is gevraagd wat het Kabinet gaat doen aan het stimuleren van sterke encryptie. Daarnaast is vanuit de Tweede Kamer gevraagd om te komen met een kabinetsstandpunt rond encryptie.

Hierna wordt ingegaan op het belang van encryptie voor de systeem- en informatiebeveiliging van de overheid en bedrijven, en voor de grondwettelijke bescherming van de persoonlijke levenssfeer en het communicatiegeheim. Daarnaast wordt het belang van opsporing van ernstige misdrijven en bescherming van de nationale veiligheid geschetst. Tot slot wordt na weging van de belangen gekomen tot een conclusie.

De Nederlandse situatie kan hierbij niet los worden gezien van de internationale context. Sterke encryptiesoftware is in toenemende mate wereldwijd beschikbaar of al geïntegreerd in producten of diensten. Gelet op de brede beschikbaarheid en toepassing van geavanceerde encryptietechnieken en het grensoverschrijdende karakter van het dataverkeer is het handelingsperspectief op nationaal niveau beperkt.

Belang van encryptie voor de overheid, bedrijven en burgers
Cryptografie speelt een sleutelrol in de technische beveiliging in het digitale domein. Veel cybersecuritymaatregelen in organisaties leunen sterk op de toepassing van encryptie. De veilige opslag van wachtwoorden, het beschermen van laptops tegen verlies of diefstal en het veilig bewaren van backups zijn moeilijker zonder het gebruik van encryptie. Het afschermen van gegevens die verstuurd worden via

Re:Too little too late

Sorry, I'm just not interested in joining the Dutch branch of GNAA (GNAN?) today.

Re:Too little too late

[pieterbos]

Because for most readers that's in the wrong language and far too long, a summary:

Encryption nowadays is everywhere and getting more easy to obtain/use. It's important for businesses, and for people who want to keep their private life private. It is getting more and more impossible to break encryption. This is a problem for national security and intellegence services. However, there's no foreseeable way of putting in backdoors without compromising security. Cooperation with industry partners is required for intelligence/security tasks. The cabinet (meaning the ministers) sees the importance of encryption for security/safety onn the internet, for privacy of civilians and confidential communication for the government and businesses. Therefore it considers it undesirable to take limiting measures regarding the development, availability and use of encryption within the Netherlands. Internationally, The Netherlands will promote these views and conclusions.

Then there's mention of a budget amendment that recently has been accepted. It means the state will donate 500.000 euro to open encryption projects, like openssl, libressl, etc. They say they're actually going to do that.

Re:Too little too late

[Teun]

Yes it is a strange format they used, certainly not the .odl they are supposed to use.
I opened it in TextMaker from freeoffice(.com)

B.t.w, I do not see any conflict between legalising police hacking and encouraging strong encryption.

Re: Too little too late

Te lang; niet gelezen.

Re:Too little too late

Huh? I have LibreOffice on my (Kubuntu) Linux system, and it opens the document without any problem...

Guess you do not have an up-to-date version or something?

Re:Too little too late

I presume they'd be clever enough to turn it into GONAD? Probably a bit like: Gay Old Niggers Association of Dutchmen. I don't have the copypasta handy or I'd waste the time making that - just for you Mr. Anon C. Oward. Alas, I'm also too lazy to go dig it out of Google/Pastebin.

Hmm... AC or no AC? Meh... AC it is.

Will last until ISIS attacks

[jfdavis668]

Then they will be tracking everything trying to root them out.

The Oldest Problem With Government Oversight

[kjhambrick]

Who watches the watchers ?

Re:The Oldest Problem With Government Oversight

[Opportunist]

I dunno. Coast guard?

#Team_Netherlands

[Dutchmaan]

Every day I read about another reason on why I'm proud to be Dutch....

Re:#Team_Netherlands

Yeah, whatever. Count your blessings again, with NL state being one of the most prolific eavesdroppers and phone tappers (pro rata ofcourse) in the world.
For an intelligence agency meta data is way more interesting than the actual email blob.
So your encrypted IPhone, or your https sessions, no one cares. By the time they've zoomed in on you, they don't need your iphone anymore. They got everything they need through other means (safe harbour anyone?).

I'm proud, but not for being Dutch :-p

Re:#Team_Netherlands

Can I be dutch too?

Re:#Team_Netherlands

[Opportunist]

A year ago we were all Charlie, why not be Dutch for a change?

Re:Most government leaders: Ignorant about technol

[MtHuurne]

The USA had a strong crypto export ban in the early 90's. There were no laws against using strong encryption, only about shipping crypto implementations. In practice, it meant that people in Europe had to download Netscape from a site outside the USA.

Re:Most government leaders: Ignorant about technol

Whose to say that it wasn't?

Enigma

[little1973]

Just create a software version of Enigma (https://en.wikipedia.org/wiki/Enigma_machine) with eg. 20 wheels. Also, create a matrix which contains how the wheels should turn. You can create thousands of wheel turning patters. Voila, unbreakable encryption without using a sufficiently long one time pad.

Of course, the initial configuration has to be sent somehow (eg. via courier or other conventional ways which 3-letter agencies seem to forget) and the encoding/decoding machine should never be connected to the internet.

Re:Enigma

Both RFC 2549 and RFC 1149 describe a relatively good way to distribute either one time pads, enigma matrices or wheel configurations. If you prefer delivery of your one time pad data over IPv6 securely, you can also use RFC 6214. With modern SD cards you can post one time pads worth exchange of up to 32GB of secure communications per carrier. Additional advantage of RFC 2549, 1149 and 6214 in case latency doesn't matter is that they are also fit for relatively transportation of the actual message too. But if latency matters you can transfer the one time pad over carriers described by RFC 2549, 1149 and 6214 and then do secure comms with good latency over conventional techniques securely.

Re:Enigma

[ewibble]

First thousands of keys (if you are being literal) is quite small for a computer so a brute force attack would succeed really quickly.
Apart from that, is how do you transfer your encryption key so it can't be intercepted?

The reason a 1 time pad is considered perfect encryption is
1. you are guaranteed by some magical process that no one gets your key.
2. without knowing the key all messages of the same length are equally likely.

Here it says it already been cracked, and even if it wasn't it would take only 3 weeks by brute force for a desktop,
https://www.quora.com/How-long...
They would not have to brute force it or use a desktop, and brute force is very distributive.

Note you cannot brute force a 1 time pad because of point 2.

Re:Enigma

[The-Ixian]

I think we can simplify things a little bit here and just use RFC 1149.

RFC 2549 and RFC 6214 do not add anything new to the technology and just add to the complexity.

Re:Enigma

[little1973]

Obviously, you do not understand how enigma works. With 20 wheels you have an 26^20 initial configuration and defining thousands of wheel turning patters makes the attacker's work much-much harder.

And actually, cracking the original enigma should takes just a few seconds on today's desktop computers.

Enigma basically replaces each letter with a different one according to the wheel settings. With 20 wheels the initial configuration contains 20 characters plus the number of the wheel turning pattern. This is far stronger than a simple one-time pad with 20 characters (aka 20*5 bits = 100 bits).

Also, a wheel can contain the whole ASCII table in which case the initial configuration is 255^20.

Re:Enigma

My understanding is that a one-time pad *must* be at least as long as the plaintext, otherwise it's just a symmetric key -- an AES-128 key is simply 32 cryptographically random bytes known by both sides. Worse, if you ever reuse that key to XOR encrypt multiple blocks of plaintext without any additional scrambling or IV (such as provided by more sophisticated chained ciphers), it becomes very easy for someone to recover the key. Hence the "one-time" part.

Enigma's rotors are a mechanical version of a stream cipher, which makes it more difficult (but not impossible) to derive the key by making the "shift" operation much more expensive to reverse since it changes after every letter.

Enigma basically replaces each letter with a different one according to the wheel settings.

IIRC, one of the flaws in Enigma that made it easier to crack than the nominal bit length was that letters were never replaced with the same letter -- which helped eliminate a number of combinations.

Re:Enigma

[thinkwaitfast]

how do you transfer your encryption key so it can't be intercepted?

Post office

Re:Enigma

Amateur cryptography bullet list:
  - reference Enigma or something else that sounds cool - check.
  - only talk about the size of the keyspace when talking about breaking the encryption - check
  - hand-wave the hard part (key exchange) - check
  - call it 'unbreakable' - check
  - come up with something less secure than existing algorithms - check

Two things you should do:
  - Read this: https://www.schneier.com/crypt...
  - Use AES instead of your own algorithm

Re:Enigma

[amorsen]

Why would you use a fairly lousy symmetric encryption algorithm when AES is freely available? The rest of your post works just as well with AES as it does with Enigma, and AES not have Enigmas flaws.

Re:Most government leaders: Ignorant about technol

[coofercat]

I complained to my MP (in the UK, where our PM has publicly stated he'd like back doors all over the place) and got a response which essentially said "we invest in strong encryption, we don't advocate weakening encryption at all. However, we do want tech companies to give us access to data when we ask for it".

In other words - it's all about double-speak. To turn this into slashdot friendly words: "we come in peace. shoot to kill".

Strong statements are all well and good, but until they also legislate to say (to tech companies) "it's okay to store data in encrypted form that you don't have the keys for", they're not really any different from the other countries of the western world that are keen to snoop on our every move. They're less in-bed with the Americans than we Brits are, so hopefully not quite as pervasive as we are, but apart from scale and efficiency, not that far different.

odd

Considering the Netherlands has the most wiretaps per capita of any country in the world this seems rather odd.

Re:Most government leaders: Ignorant about technol

[kheldan]

They don't want to outlaw encryption, they just want to render it so weak that your average 15 year old script kiddie can break into the so-called 'backdoor' they want written into it, so for all intents and purposes it'll be rendered useless. It'll end up the equivalent of having a $5 padlock on an exposed $2 mild-steel hasp securing the front door to your house: It'll keep out the lazy burglars (or the ones too weak to just kick the door in), but any burglar with any skill at all will go right around it like it wasn't there. The tech sector keeps telling apparently clueless politicians this and they keep either not understanding or just plain ignoring it because it doesn't fit into their agenda; I'm leaning hard towards the latter.

..and, of course, as you say: if they succeed in destroying any usefulness of encryption, criminal-types will just find other ways to hide or obfuscate what they're doing, just like always. It's like word filters on discussion forums; determined people will just find ways to say 'fuck', 'shit', 'cock', etc., without actually using the words, and they'll change up what they're doing to keep ahead of the wordfilters faster than the wordfilters can be updated. It's a negative-sum game in either case but they don't seem to understand that -- or just don't care, or worse, they're really wanting to spy on honest citizens more than anything else.

In other words...

Dutch government makes a strongly worded statement with the hopes that someone will notice that they exist, and jump to the inaccurate conclusion that they are somewhat relevant.

When this story hit ./, all three Dutch government employees celebrated with high fives and a few seconds of hearty laughter.

Where did we go wrong?

[AndyKron]

I approve of the Netherlands government. Whatever happened to the United States? Where did we go wrong? Why do European countries get better, and we get closer to North Korea?

Re:Where did we go wrong?

[wyHunter]

Where did we go wrong? I'll give you two words: Baby Boomers. Being JUST younger than they are I've watched with horror all the things that they've done all my life.

translaters broken?

[hansbogert]

As a dutch native, I can say that the wording was typically weasel wording. Especially the part where the minister, who only a few months ago was openly complaining about encryption, now says in the conclusion part of the official document: > Derhalve is het kabinet van mening dat het op dit moment niet wenselijk is om beperkende wettelijke maatregelen te nemen ten aanzien van de ontwikkeling, de beschikbaarheid en het gebruik van encryptie binnen Nederland. Translation: Therefore, the government believes that it is _currently_ not appropriate to take restrictive legal measures against the development, availability and use of encryption within the Netherlands. The translation was done by Google, and seems to be very adequate, please zoom in on the wording "currently". If that's the conclusion, I wouldn't call it "strong" wording at all, which Slashdot says the minister used. Building in backdoors isn't time related, or currently not a good idea -- it's inherently bad, not just today.

Re:translaters broken?

I agree. This letter contains a lot of arguments for this decision. They are quite clear:

- Strong encryption is readily available on the internet.
- They have trouble cracking it
- Dutch companies complained that it would harm their international appeal
- They can't get US companies to cooperate

They also list reasons for why encryption is a problem, it's sadly familiar:
- pedophiles
- terrorism
- the Paris attacks

So they tried but couldn't get it done. Now they will wait for other countries (=USA) to make a move and then fall in line.

Re:translaters broken?

[Teun]

Currently is correct in about every sense, even those 4000 y/o piramids in Egypt are just current until ISIS declares them symbols of idolatry.
Besides, once your stuff is properly encrypted no change in (the wording of) law is going to magically unencrypt it.

Re: translaters broken?

No, but they can magically force you to decrypt your stuff or go to prison. Think it through, they won't give up and ultimately they will prevail. It's a matter of power: for all the fancy talks about democracy, governments and their agencies have power, while the populace is helpless.

Re: translaters broken?

[Teun]

That's what Cameron is trying to do in the UK and with the absence of UK privacy law he makes a chance to get it.
This is one reason he wants to limit the influence of EU law ('Brussels') on his islands, EU law is much more privacy minded than his ilk likes.

Most western-style democracies make it impossible to retroactively change law, a change it would only be applicable to new cases (of encryption).

Democracy is only as strong as the legal concepts and traditions it is based upon (Trias Politica) which leaves me quite happy to live in The Netherlands.

Re:Most government leaders: Ignorant about technol

[Kjella]

This is one of those case where you're almost obligated to lie as a politician, or at least use weasel words. If you strongly support unbreakable backdoors, you get the police, intelligence services and such saying you're crippling their work against terrorism and crime, that you're naive and irresponsible. If you strongly support backdoors, you get all kinds of civil rights groups and others saying you're an authoritrian, totalitarian creep that is making the terrorists win by taking our freedoms away. And that you can't stop open source encryption, so you're just playing security theater and not being in touch with reality.

What you get is a muddy gray answer saying we're working on a way to let you eat your cake and have it too, please don't stop voting for us either way. Another example is gun control, there's no magic bullet to tell terrorists and school shooters from ordinary people. But if you hear a politican talk, they'll take away the guns from the "bad guys" and not the "good guys" all the same. Or that don't want the war on drugs with hard enforcement nor legalization and free weed, but some vague better treatment of addiction rather than punishment that is trying to score the vote of both the concerned teen mom and recreational drug users alike.

Here's the thing I've noticed after talking to quite a few people about politics, many have much clearer reasons why they're voting against someone than for someone. One burning issue where you really, really can't accept voting for that guy. So politicians tend to avoid making those kind of statements, trying to push the kind of politics that'll make you vote for them and doing damage control by being so bland as possible on the rest. After all this is a race against other politicians, it's not like they need a strong position on everything. What's important are the few issues they manage to make stick, the babble is quickly forgotten.

summary:

summary: We don't have a clue how to weaken encryption and therefore decided to make not weakening encryption our goal, so we we could pad each other on the back for reaching this wonderful goal without actually doing shit.

But, But, But!

We must destroy encryption, in order to save our citizens!

What is wrong with the Dutch? We really must have a meeting and get them back on message! /SpyAgencies

But ...

[PPH]

... they are still OK with half back doors.

Bravo

[Curate]

Bravo to The Netherlands for taking this stand. I mean that sincerely. They will face an uphill battle however.

Re:Most government leaders: Ignorant about technol

[myowntrueself]

I complained to my MP (in the UK, where our PM has publicly stated he'd like back doors all over the place) and got a response which essentially said "we invest in strong encryption, we don't advocate weakening encryption at all. However, we do want tech companies to give us access to data when we ask for it".

In other words - it's all about double-speak

I'm not sure. Were I running a tech company I would interpret the above as meaning that we should turn over the data. The encrypted data.

Statewide encryption protocol

[niff]

After somebody pointed out the problems with rot13 encryption, the Dutch settled for double rot13 (rot26) encryption.

Re:Statewide encryption protocol

[jiriw]

Then another someone pointed out even rot26 was now considered too easy to crack because of the increased processing power of commonly available computing technology. So they modernized the rot encryption algorithm. The new shiny they jokingly named 'Rotn encryption', because hackers would have a rotten time hacking this one:

rot(n), n = 26*iv + salt

with iv being prime for added security. The salt was considered optional and only used when using the algorithm for hashing super secret passwords.

A later government statement said they also had considered adding pepper but that would have made computation of the algorithm too expensive, for pepper being an imported spice and all. Since their preferred importer, the VOC, lost their market monopoly some centuries ago, they were not sure if the added use would give their secret formula 'oomph' worth the money. This is of course a very Dutch way to look at such matters. They are firm believers that an increase in expense should only be allowed when it adds even greater value to the product.

Smart6

Nice6

Cowards

The Dutch only condemn the backdoors that they did not pay for!

Ha Ha

Some quick notes

[rocqua]

I read through the actual document, and there are a few interesting points not mentioned in the article.

Firstly, the minister perpetuates the rumor of encryption being relevant in the paris attacks: "De recente aanslagen in Parijs, waarbij mogelijk gebruik is gemaakt van versleuteling van de communicatie door de terroristen" which translates to: "the recent attacks in Paris, where encryption was possibly used in the terrorists communications".

Secondly, the minister hints at following the recent American idea of asking IT companies to voluntarily use encryption in such a way that the government can still acess communications: His statement translates to: "In carrying out their duties, security agencies are partially dependent on cooperation with suppliers of IT products and services. Given this dependence, consultation with these suppliers is needed regarding effective provisioning of data in the case of use by mallicious parties, considering everyone's role and responsibilites as well as the legal frameworks." (5th paragraph 4th page)

Re:Some quick notes

Firstly, the minister perpetuates the rumor of encryption being relevant in the paris attacks: "De recente aanslagen in Parijs, waarbij mogelijk gebruik is gemaakt van versleuteling van de communicatie door de terroristen" which translates to: "the recent attacks in Paris, where encryption was possibly used in the terrorists communications".

Die mensen gebruikten helemaal geen enkele vorm van encryptie

Translation:
Those people didn't use any form of encryption.

They know it and that's why they used the word possibly as in "where encryption was possibly used... "

Re:Some quick notes

[Bob+the+Super+Hamste]

Well several weeks before (maybe a month or two) previous to the Paris attacks one of the big wigs from the CIA, or FBI said it would take a large attack where encryption was used in the planning to basically get the ball rolling on stopping people from having strong encryption. Then the Paris attacks happen and the big point that gets pushed in the media is the line about encryption so that wasn't a big surprise.

At least we know who to blame...

At least I know who to sue if my identity gets stolen, or are we meant to hope that only benevolent hactivists find the backdoors?

Re:Most government leaders: Ignorant about technol

[KGIII]

This is one of those case where you're almost obligated to lie as a politician, or at least use weasel words.

In 2016 (this year, actually - wow), I'll be running for the Senate in the State of Maine. Maine's a pretty small place with very little power and, if elected, I'll be a Senator from a district that is pretty well off the beaten path - even by Maine's standards. In other words, I'll be completely powerless.

Which means I get to say that I am 100% against back doors in encryption, software of any kind (without owner's consent), and don't actually care that it makes the police have to work more diligently. The rights of the innocent outweigh the risks of the accused. It the police want data they can get a warrant. If they data is encrypted they can use all the tech they want to use to decrypt that data, and only that data, after having taken it as evidence by lawful means.

So yeah, I'm not actually gonna be entrusted with anything important but at least I get to keep my dignity.

Reason #483

[weweedmaniii]

I knew there was another reason I moved the Netherlands other than all the other reasons, they still understand the concept of privacy & more practically they will not be in power forever and exempt from the tyranny of the government overreach er I mean "freedom"....

One critical assumption

It makes the assumption that the Dutch government will actually obey the laws that apply to them, I've been busy with freedom of information requests to the Dutch government to find out about scandalous decision making at local government level. A wide ranging request was send in and received the results. A large pile of material but absolutely nothing regarding the decision making in question. The minutes of every meeting on the subject was refused and as I said there's nothing about national security in the request. They simply refuse to comply! What do you do? If the Dutch government can so easily break the law on quite small (But important to us) issues they won't give a flying fuck about anything they consider important.