
Dutch government says no to backdoors, grants $540k to OpenSSL - janvdberg
http://www.theregister.co.uk/2016/01/04/dutch_government_says_no_to_backdoors/
======
jacquesm
As much as I like this I'm sad to say that we _also_ have numerous violations
of the law with respect to privacy by many branches of the Dutch government.
Journalists have had their phones tapped, the schools and health care
providers are asking for ever more absolutely private information about
parents from both the parents _and_ their children (this is of course 'for the
children' so never mind the violations), fingerprints of non-felons are still
collected with impunity, dragnet style information collection is on the order
of the day, there are no means of transport that are not under continuous
surveillance outside of going on foot and by bicycle (and even there the
little snitch in your pocket will tell big daddy where you are) and so on.

It's sad that we _seem_ to be able to make the right decisions from time to
time but at the same time we are actually making the wrong decisions most of
the time. Here's to hoping things will eventually get better, I shudder to
think of the kind of catastrophe that would swing the pendulum back the other
way and turn the tide.

~~~
speleding
I agree with most of your points, but why do you think "finger print
collection of non-felons" is a problem? There are well-documented examples of
that database being used to catch bad guys, and I have not heard of any abuses
of that database. So I would think this is one example where a small privacy
incursion is offset by a proven gain in security.

I would go as far as saying that collection of fingerprints and DNA profiles
should be expanded. I have enough trust in Dutch democracy to change it back
again if it turns out not to improve security after all. (As someone who has
lived in other countries, I would not say the same of any democracy).

~~~
megablast
Are you being serious? Do you understand what we are fighting for here?

What if one day, it becomes illegal to be gay? Or have sex with someone out of
wedlock?

Then all this data could be used against someone.

------
breakingcups
This is a refreshing voice to hear in the media. I really appreciate the
nuance that the Dutch government has displayed here, aligning itself with what
most people in this audience would consider common sense.

Are there other governments that have spoken out in support of encryption like
this? I'm sure there must be, but (casually following the news) I haven't seen
any.

------
jlgaddis
If I'm thinking of the same thing (and I believe I am), the vote actually
happened a month or so ago.

The original proposal was to give 500k euro to OpenSSL but what actually was
approved was to spread that out amongst OpenSSL, PolarSSL (which, I think,
comes from .nl), and LibreSSL, in a manner that was not yet determined.

Personally, I'd prefer to see the majority of it go to the guys working on
LibreSSL simply because I think it would have the most impact there. I
somewhat expect most of it to go to OpenSSL, however, if for no other reason than
it being the most widely used of the three.

~~~
praseodym
Yes, the proposal was changed to spend the 500k EUR on open source encryption
projects in general, to quote: "OpenSSL, LibreSSL, PolarSSL, etc." - no
particular distribution of the money has been decided on as far as I can see.

Source:
[http://www.tweedekamer.nl/kamerstukken/amendementen/detail?i...](http://www.tweedekamer.nl/kamerstukken/amendementen/detail?id=2015Z23825&did=2015D48058)

------
omarforgotpwd
The danger of critical infrastructure being attacked digitally is already far
greater than the risk of say, a bomb attack. Weakening our digital defenses to
spy on terrorists is like throwing your laptop in the pool because you're
afraid someone might light it on fire.

~~~
rsync
"The danger of critical infrastructure being attacked digitally is already far
greater than the risk of say, a bomb attack."

This is not true. However, it is important to keep in mind that _were it ever
true_ it would be because of blatant negligence on the part of human actors.

It is neither obvious nor inevitable that a nuclear plant will ever be
attacked digitally _because a nuclear plant need not be networked - even
internally_.

It is neither obvious nor inevitable that a hydro dam will ever be attacked
digitally _because a hydro dam need not be networked - even internally_.

With an open mind and some creativity this could be true even for things like
air traffic control and the power grid. They don't need Internet access. They
might not even need IP.

If any of these things are fragile to digital attacks it is because they were
_gratuitously made fragile_.

~~~
Lawtonfogle
One only needs to look at the recent issue with hacking cars to see that it is
quite possible. A single bomb, short of a nuke, would do far less damage than
a virus attacking certain vehicles. The real issue is the effort needed to
acquire the bomb/build the virus. Bombs seem to still have a far lower startup
cost, so while you may get less bang for your dollar, they are more popular.

Is it popularity or damage/$ that determines what is more dangerous?

------
timonv
This statement was made early December. And I think it does deserve some
nuance:

Minister Steur (Security and Justice) this Monday said, representing the
second chamber, that "laws that prohibit encryption are not desirable _at this
time_". That doesn't retract their early statement, but I think it's an
important nuance. Arguably, it might also just be political play to get some
douchebag rightwing parties over the line. (Dutch source
[http://tweakers.net/nieuws/107104/kabinet-beperking-van-encr...](http://tweakers.net/nieuws/107104/kabinet-beperking-van-encryptie-is-op-dit-moment-niet-wenselijk.html))

Similarly, in December, a law was passed that allows authorities to hack
'criminals' without a warrant. In many countries, (liberty) activists are
criminals too.

That said, I still appreciate where things are going. Privacy is a very tough
political climate and I think it's solid that we (the Dutch) take this
standpoint. Baby steps.

~~~
dkural
Someone disagreeing with your policy does not make them a douche. This is
the beginning of illiberal politics: if you are not with me, I will denigrate
your person and declare you an enemy. The left wing of Europe was running at
full speed towards Stalin / the USSR for most of the second half of the 20th
century. It's easier to name-call than to govern.

~~~
borispavlovic
You're doing exactly the thing that you're accusing others of -- labeling. Just
because you disagree with left parties' policies you're labeling them as
running towards Stalin and the USSR, which is also not very logical since
Stalin died in 1952.

~~~
dkural
TL;DR version: I use it as an example to illustrate why it's bad to
generalize.

More: I don't disagree with left parties' policies - I am a Democrat, and would
most likely vote for left-wing parties in most of Europe (or whoever is less
xenophobic). I am against tyranny on the left or on the right. I don't like
people who support the denigration / dehumanization / oppression of those who
they disagree with and marginalize an entire group of people. I can cite you
dozens of statements made by the likes of Jean-Paul Sartre, Arthur Scargill,
Jan Myrdal, Doris Lessing, Andre Gide, Bertolt Brecht, and other lesser known
political leaders and intellectuals in Western Europe (that is, the part not
invaded by Soviets thanks to US intervention), that are supportive of Stalin /
supportive of the USSR. I am stating a fact, not using slurs.

I am also critical of the right (or anyone, really) that supports
dictatorial/oppressive governments in Latin America and the Middle East. I am
pro individual freedom, liberty, and dignity. I am against people being
enslaved either by their own state, or by an exploitative economy through the
invisible chains of debt.

------
nomercy400
Dutch here. The argumentation is remarkably good. The privacy like you have
with letters and phone calls is part of our constitution, and also part of
European guidelines. The rules to violate this privacy, only in certain cases,
are already part of the law (e.g. wiretaps under suspicion). ISPs have to
cooperate where possible.

That the Dutch intelligence services are now hampered by end-to-end encryption
making the ISPs have no way to cooperate any more, is basically the problem of
the intelligence services to solve, and not a legal problem. Hence, encryption
stays in place.

~~~
rambambam
How much privacy with phone calls is there, when The Netherlands are known for
having the most phone taps in the world? The formal privacy looks pretty
strong indeed, government needs a warrant, etc., but at the end of the day
they can do whatever they want.

~~~
Maarten88
From what I hear, police here can also freely access and query all phone
metadata, without the need for a warrant.

------
Freak_NL
I tried to open the (Dutch) DOCX that contains the official position paper of
our government, but LibreOffice refuses to open it:

    
    
      File format error found at 
      SAXParseException: '[word/document.xml line 2]: unknown error', Stream 'word/document.xml', Line 2, Column 30060(row,col).
    

[http://www.tweedekamer.nl/kamerstukken/brieven_regering/deta...](http://www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id=2016Z00009&did=2016D00015)

Great. Usually OOXML Word files at least _open_ in LibreOffice, but this one
seems to have some unsolvable weirdness. I don't get why they don't offer a
PDF download — it, at least, _is_ an open format that can be reliably opened
on any OS. Or offer a plain text version, or simply post the paper on their
website in HTML.

~~~
oever
Please complain to them [1]. They are required to publish that document as
ODF, not DOCX. Alternatively PDF or HTML could be used. Using DOCX in Dutch
government is against the standard [2], which is ODF 1.2.

[1] [http://www.tweedekamer.nl/contact/contact#webform-client-for...](http://www.tweedekamer.nl/contact/contact#webform-client-form-2)
[2] [https://lijsten.forumstandaardisatie.nl/open-standaard/odf12](https://lijsten.forumstandaardisatie.nl/open-standaard/odf12)

~~~
Freak_NL
Done. The helpdesk representative actually mailed me the PDF version, and said
that a PDF version should be forthcoming:

 _Almost all parliamentary documents can be found as PDF. It seems the recent
ones are first published as doc._

Apparently new documents can be posted as DOCX only (strange).

You are right to point out the open standard guidelines, but unfortunately,
they are marked as _comply or explain_. This means that they are not mandatory
if you have a valid reason not to be able to comply with them. In this case,
the reason is probably "our civil servants are used to Microsoft's defaults",
which is — as much as I disagree with this policy — probably enough to get
away with it.

------
teekert
It's nice, meanwhile "we" now have a law being debated by government (not sure
it will pass) that allows the government to hack individuals if they are
suspect, this may even happen via people the suspect may know. It even
includes being allowed to install spyware on a webcam.

But I guess it is good to leave encryption strong, forget about mass
surveillance and focus energy on individuals actually suspected of a crime.

The cynic in me thinks the reasoning was: "We need a European Google", "We see
that Europeans distrust American companies because of NSA economic spying in
the past", "Let's make the Netherlands more attractive for large European
companies"... no idealism involved.

Edit: Updated original post: This new law ("Wet Computercriminaliteit 3") has
not been passed yet!

~~~
SCHiM
If there is a reasonable suspicion I don't see the problem with giving law
enforcement the legal ability to hack their targets. This is something very
different from drag-net surveillance and should not be tainted with the same
stigma. It's not like the government actually _needs_ or wants to maintain
giant botnets of all the targets they've hacked.

~~~
belorn
Withholding known security vulnerabilities from the public in order to be
later used for hacking is immoral and dangerous.

Imagine if the police had prior knowledge of a vulnerability in the computer
system of a car, but did not act to protect the public. A few years later a
criminal figures out the same vulnerability and causes a major car crash on a
motorway and murders several people. I would expect the police officer to be
found liable under breach of duty, same as if they witnessed a crime and
refused to act.

Under the same logic, if companies have a legal responsibility to protect their
customers and provide safe products, and police officers have a professional
responsibility to report crimes, then the police should be forced to act if
they have confirmed information about a security vulnerability.

~~~
cornedor
> if companies have a legal responsibility to protect their customers and
> provide safe products

Since 1 January there is also a law in the Netherlands that requires companies
to report any data leaks.

[https://www.government.nl/latest/news/2015/07/10/obligation-...](https://www.government.nl/latest/news/2015/07/10/obligation-to-report-data-leaks-and-cbp-power-to-impose-fines-in-effect-from-1-january-2016)

~~~
rogeryu
A data leak is not the same as a security vulnerability. The data leaks refer
to organisations having customer data which is hacked. They have to report
this. This doesn't cover finding a leak in Flash.

------
neuromute
Credit where credit is due. This is exactly the right approach. If only other
governments would follow suit.

~~~
peteretep
The EU has a remarkable track record on implementing the best of its
constituent governments' policies on human rights and privacy, so there's hope
there.

------
timwaagh
'Although the Dutch position is nuanced and firm, the government also has the
luxury of not having real impact on the real world' noted.

~~~
Arnt
Some people desire simplicity, and will think it into existence if necessary.
I expect the author of those words didn't, for example, think about the
Netherlands being a net contributor to the EU, he just knew it's a small
country.

In the EU, net contributors seem to have something awfully close to an
effective veto regarding minor issues, so this is good news.

~~~
wobbleblob
> In the EU, net contributors seem to have something awfully close to an
> effective veto regarding minor issues,

Do you have a source for this? I never got this impression. Some countries
have proportionally large influence due to their size, namely France and
Germany. Some others due to the high quality diplomats and politicians they
send to Europe, such as Belgium and Italy.

Some countries actively sabotage their own influence in the EU, by showing
nothing but hostility and obstruction (UK), or by using the EU as a kind of
retirement plan for politicians and diplomats that failed domestically
(Netherlands). Always echoing the German point of view should not be seen as
"an effective veto", it is essentially an attempt to stay in favor with their
formerly close, powerful friend to the east, who has been getting less and
less interested over the years, as his attention shifts towards the East.

~~~
Arnt
I read SZ (sz.de), which has separate articles about major issues and the
occasional summary of minor things, e.g. when parliament is dissolved. "Other
topics this year included: ..." Those other topics, the ones that don't merit
separate articles, are the ones I have in mind.

------
rdl
I hope we don't get someone in a few years "uncovering secret information that
OpenSSL is funded by a foreign government".

~~~
wila
They are funding it in public, no secret on that part.

Hopefully they won't fund secret backdoors though :)

~~~
rdl
I mostly meant the parallels with Tor (which is also openly government funded).

------
ksec
So to OpenSSL and not to LibreSSL?

~~~
icebraining
Apparently, money will go to OpenSSL, LibreSSL and PolarSSL.
[http://www.theregister.co.uk/2015/12/09/netherlands_votes_to...](http://www.theregister.co.uk/2015/12/09/netherlands_votes_to_spend_on_encryption/)

------
rplnt
Wasn't OpenSSL quite vulnerable and not recommended for use a few years back,
and people were phasing it out? Or am I mistaking this for something else?

~~~
DiabloD3
You're a bit mistaken. A lot of FOSS political warrghble happened, but OpenSSL
still remains the most audited and used SSL library out there.

Yes, it may have bugs. Yes, the NSA may have tampered with the standards
themselves (that everyone else must also implement, else risk compatibility
issues in some areas).

But there are no drop-in alternatives that aren't based on the same codebase,
and almost no one is using any alternatives: NSS (Mozilla's framework) is
rarely used outside of Firefox, GnuTLS is rarely used, I've never heard of
anyone using PolarSSL outside of very specific embedded projects, and LibreSSL
(an OpenSSL fork) is being adopted only as a license-related political
response, and BoringSSL is Google's response to the entire thing (their own
OpenSSL fork that they control, to just ignore the entire political bullshit).

~~~
jlgaddis
FWIW, LibreSSL replaced OpenSSL in OpenBSD 5.6 -- over a year ago.

~~~
DiabloD3
OpenBSD started the LibreSSL project, so, naturally, they would adopt it. OSX
has also adopted it for purely license politics reasons, El Capitan shipped
with it:

    $ /usr/bin/ssh -V
    OpenSSH_6.9p1, LibreSSL 2.1.8

~~~
jlgaddis
> _"... license-related political reasons ..."_

> _"... license politics reasons ..."_

I'm not sure exactly what you mean by this?

I mentioned OpenBSD replacing OpenSSL with it simply because the "official"
OpenSSH is now developed against it.

I'm not sure if LibreSSL is being used for the portable version yet but
if/when that happens, I expect people will begin to "trust" it more, leading
to more projects potentially deciding to also replace OpenSSL with LibreSSL
(i.e. for valid technical reasons, not for "political" ones).

~~~
DiabloD3
Until the announcement in August 2015, OpenSSL was dual licensed ASL1 + SSLeay
License (and by dual licensed, OpenSSL means both apply, instead of choose
one), the terms of which make it GPL incompatible, and also has questionable
patent issues (a problem for commercial software).

The announcement was that they are moving to Apache License 2.0, thus solving
both issues. However, this move has not happened yet.

------
Cyph0n
This is how it's done, if you truly want a more secure world, that is.

------
dmichulke
Any government that imposes less taxes (all else being equal) and has thereby
managed to entice its population to spend an equivalent or higher amount of
time or money on the project did a better job.

Unfortunately their deeds will be unsung.

------
theandrewbailey
Damn. This really encourages me to start donating to open source projects.

------
chei0aiV
Don't worry, they can still get your stuff; the new Dutch cybercrime law
allows the likes of Fox-IT to hack your laptop/ISP and grab your data from
there.

~~~
cpach
Of course they can. But isn’t it better to target specific computers instead
of doing dragnet surveillance on all Internet traffic?

~~~
chei0aiV
Sure, but not without a warrant.

------
known
I'd install [http://wiki.debian.org/iptables](http://wiki.debian.org/iptables)

------
rand1012
Does it not bother anyone else that OpenSSL doesn't support HTTPS on their
website?

------
mhixson
Is an English translation of the original position paper available somewhere?

~~~
lucb1e
FWIW, when news first broke I posted a translation of a news article:
[https://news.ycombinator.com/item?id=10698743](https://news.ycombinator.com/item?id=10698743)

------
meshko
You can read the headline in a hilariously ironic way.

------
tomp
This reminds me of the time when NSA offered an encryption algorithm to the
public...

~~~
stephenr
I haven't read the article but isn't this the Dutch government just giving
money to an existing open source project, to use as they see fit to
improve/maintain the existing library?

Seems ultimately the opposite of what you're talking about.

~~~
tomp
Sure, but you never know what (non-public) conditions are attached to the
money...

