Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact
People need encryption to be safe and secure, says ministry
The Dutch government has formally opposed the introduction of backdoors in encryption products.
A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands."
The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.
"By introducing a technical input into an encryption product that would give the authorities access would also make encrypted files vulnerable to criminals, terrorists and foreign intelligence services," the paper noted. "This could have undesirable consequences for the security of information communicated and stored, and the integrity of ICT systems, which are increasingly of importance for the functioning of the society."
The formal position comes just months after the Dutch government approved a €500,000 ($540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library.
The paper itself is a balanced read, although it is notable that more time is spent on highlighting the benefits of encryption and there is little of the fear-mongering that has marked out efforts to introduce backdoors into the United States and United Kingdom.
Encryption, it states, is "important for the confidence of people in digital products and services and for the Dutch economy in light of the rapidly evolving digital society."
It notes however that the "same encryption is a barrier to obtaining information necessary for investigation, intelligence and security services when attackers (including criminals and terrorists) are involved."
We'll always have Paris
The Paris attacks were the spark for the paper after public debate led to the House of Representatives formally asking for an official government position on encryption.
The paper references this fact, noting: "The recent attacks in Paris, where possible use was made of encryption by the terrorists, lead to the justified question: what is needed for investigation, and for intelligence and security services to provide good visibility into attack planning?"
Before getting to that point, however, the paper notes that encryption is crucially important in the modern era. "The secure storage of passwords, to protect against loss or theft of laptops and secure storage of backups have been difficult without the use of encryption," it notes.
It also highlights internet banking, government communication with citizens including tax returns, the security of diplomatic and military communications, confidential business information, cloud computing, journalism, privacy and freedom of expression.
"Encryption ensures the confidentiality and integrity of communications and allows people to better protect themselves against espionage and cyber crime," it notes. "These are fundamental rights and freedoms; security and economic interests stand to benefit."
However, it also notes that the same technology introduces "obstacles" in legitimate and important investigations into issues such as child abuse images, countering cyber attacks, tracking possible terrorist attacks and dealing with serious criminals.
It notes that while all citizens have a right to privacy of their communications, that these rights "are not absolute, which means that restrictions are permitted, provided they meet the requirements of the Constitution and the European Court of Human Rights."
But the ability to impinge those rights must be "proportional to the infringement," the paper concludes, and given the widespread nature and importance of encryption in the modern digital world, it cannot support a legally mandated backdoor.
Although the Dutch position is nuanced and firm, the government also has the luxury of not having real impact on the real world. As the paper notes, "the Dutch situation cannot be seen in isolation from the international context. Strong encryption software is increasingly available worldwide or already integrated into products or services."
Or in other words, there is nothing Holland can do about Google, Microsoft, Facebook or any of the other countless products used by its citizens to communicate online.
The UK government appears to be taking a firm line in the opposite direction, asking in legislation to be allowed access to all citizens' data. But the most important debate rests in the United States, where the majority of the products and services used online stem from.
The encryption debate in the US became particularly heated toward the end of last year, with politicians and law enforcement again pushing for access to encrypted communications after having backed down a few months earlier in the face of an intransigent tech sector. As 2015 was closing, Apple CEO Tim Cook again reiterated his line that he will not make the company's products crackable.
As things stand, the tech sector is refusing to provide a backdoor (although Google has been noticeably quiet on the issue), and politicians have instead put their faith into a vague formulation of the country's "best minds" coming up with a new, as yet unspecified solution.
This "magical thinking" is also present in the Dutch government's position, when it gives itself a get-out clause for future events.
"Given the importance of the investigation and prosecution of criminal offenses and the interests involved in national security ... we are required to look for new solutions." ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Let's Encrypt
- Palo Alto Networks
- Trusted Platform Module
- Zero trust