jeroenhd|1 month ago
Context: DigiD is the Dutch national infrastructure for authenticating to government (and semi-government) services. It's used for anything from doing taxes to checking the status of your pension.
The company that basically runs it for the government is being sold to an American investment company, which brings with it obvious national security risks.
Oh, the joys of public infrastructure privatization...

m000|1 month ago
There's a lesson to be learnt here, extending beyond digital infrastructures.
The Dutch government should have outsourced DigiD hosting to SURF [1] which already had extensive experience with cloud services and is virtually immune to foreign influence.
[1] https://www.surf.nl/

graemep|1 month ago
The company that runs it for the government, or the company who owns it for the government?

AndrewDucker|1 month ago
If the government owns the infrastructure, but outsources the day-to-day running to a company, that's one thing. But if the infrastructure is owned by the third party then that's a lot harder to deal with.

debarshri|1 month ago
A lot of Dutch government and government-adjacent services run on Microsoft Azure as well. Which is not the same level of concern, but it does mean the US government has access to that data.

awesan|1 month ago
Even if they don't have access to the actual data, the US government has the option to order Microsoft to switch these essential government services off. For example, as a means of pressuring the Dutch government into supporting the American annexation of Greenland.

michh|1 month ago
Or even, post-Greenland, to force the Dutch to give Trump the Dutch Caribbean islands off the Venezuelan coast as well (Aruba, Bonaire, Curaçao).
If I were a Dutch member of parliament, I would be insisting this particular vulnerability to extortion be addressed as soon as possible. Of course, the US can still threaten to, at worst, nuke us all to smithereens, but let's hope they're not willing to go that far.

shevy-java|1 month ago
Now someone needs to convince the German government too. For some reason Merz says one thing but then acts in an orthogonal, US-serving manner. People in Germany have started to notice this too. Something is not working here for Merz - there is a disconnect between what he says and what he does.

Angostura|1 month ago
Germans forget too easily that theirs is a vassal state without full sovereignty.

TheChaplain|1 month ago
It is hard to vote, being buttered up with promises and pretty speeches, just to be disappointed halfway to the next election.

aa-jv|1 month ago
Until the German people can investigate and prosecute their own intelligence services, this situation will not change. That the German intelligence services answer to the CIA is a travesty for the German people.
Anyone wondering about Merz' servitude should keep this in mind.

m000|1 month ago
"The deal must be blocked if there are no legal guarantees that Dutch data cannot be accessed in the U.S."
This would be a very mild response, given that the Dutch government recently attempted to take control of chipmaker Nexperia [1], where much less was at stake.
Even if guarantees are given, who is going to enforce them against an order coming from the US government?
[1] https://nltimes.nl/tags/nexperia

kyboren|1 month ago
I think the Nexperia debacle is exactly why it's such a mild response.
They bit off more than they could chew with that one. The Dutch (politicians and bureaucrats both) have been suitably chastened by the unexpected blowback.

WhereIsTheTruth|1 month ago
Whoever gives US Big Tech access to their digital infrastructure is a foreign spy and should be jailed.

heikkilevanto|1 month ago
I wonder how the data in Danish MitID is managed and stored. The thing is used for everything here, from doing taxes to buying real estate to getting a library card.

Confiks|1 month ago
Solvinity (now acquired by Kyndryl) owns and runs a lot of the underlying infrastructure of DigiD, but the application itself and the day-to-day operations are handled by an autonomous body of the government (Logius). DigiD is mainly about translating authentication factors into a social security number (BSN) for authentication to other public institutions.
That allows Logius to pretend it's not much of a problem, and Solvinity maintains (in an unusually sharp and on-point interview) that all data is "encrypted" [1], without mentioning who possesses the keys or whether encryption is relevant at all. They go on to say that they consider the scenario of the US shutting down DigiD "very hypothetical", that they will follow Dutch law and that they have a strong supervisory board (as if that would matter).
Logius also operates MijnOverheid, which collates very sensitive information about all citizens from most government agencies and also relies on Solvinity infrastructure.
The infrastructure that Solvinity maintains goes far beyond servers, as they've concocted themselves an unholy procurement mess with their PICARD / LPC solution (Logius Private Cloud). They were advised multiple times over multiple years by the main advisory body on IT of The Netherlands (AcICT) not to do it in this way and KISS, but then did it anyway.
The intent of structuring it in this way was that it would be easier to switch infrastructure providers, but the outcome is the exact opposite: there is now a non-standard "integration layer" that would need to be rebuilt. Which is exactly what AcICT warned about from the beginning.
You can find a diagram of the responsibilities on both the Solvinity and Logius side on the last page of [2] (in Dutch).
The wild thing is that Logius also owns and maintains "Standaard Platform" [3], which is a very neat and standard Kubernetes environment, but they declined to use this for DigiD and MijnOverheid because they didn't deem it secure enough, and instead of securing their Kubernetes deployment, they went on with PICARD / LPC.
Logius is an autonomous body of the Ministry of the Interior (BZK), but they appear to have completely lost control over setting any policy and now mainly walk from crisis to crisis because any opening on their "SAFe train" is years away.
[1] https://www.nrc.nl/nieuws/2025/12/03/baas-van-solvinity-prob...
[2] https://www.adviescollegeicttoetsing.nl/site/binaries/site-c...
[3] https://www.logius.nl/onze-dienstverlening/infrastructuur/st...

sam_lowry_|1 month ago
While the federal government in Belgium is less dependent on US clouds, Digital Vlaanderen is pretty much in bed with Microsoft on all levels.

philipallstar|1 month ago
This is incredible. As you say, why not just k8s?

zgignuew|1 month ago
> The infrastructure that Solvinity maintains goes far beyond servers, as they've concocted themselves an unholy procurement mess with their PICARD / LPC solution (Logius Private Cloud)

unknown|1 month ago
[deleted]

dev1ycan|1 month ago

tucnak|1 month ago
You should stop using it anyway. LinkedIn is a hunting ground for threat actors [1], and unless your part-time job is producing corposlop on an industrial scale it amounts to little more than recruiter spam.
[1] https://www.welivesecurity.com/en/social-media/linkedin-hunt...

clickety_clack|1 month ago
Creating a database of their citizens using a private company has opened up exactly the kind of privacy problems that anyone on here could have expected. Maybe they should just use GDPR to delete the data before it's exfiltrated?

bux93|1 month ago
DigiD is "the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller", and thus falls under paragraph 3(b), which exempts this data from the Right to erasure. In much the same way that the IRS won't delete your data if you tell them you're a sovereign citizen.
GDPR isn't a technology, it doesn't work like that. Deleting data would cripple all digital services.

Cthulhu_|1 month ago
The problem is that they privatized it. But that in turn is caused by the wage structure; if you work for the government, you fall under its collective wage system, and the way it's set up... can't compete with private companies, especially not in IT services. So the government ends up outsourcing most IT projects, with mixed success and costing them a lot. But with this, it also opens them up to risk.
I get the wage thing, but they need to be able to control these things. 51% of nontransferable shares of all companies involved.

fithisux|1 month ago
Going back to old-school services is doable and safe as long as governments are interested in the security of citizens.