Hacker News

It is a bit more complex tham that.

Logius is the company that actually owns and manages the DigiD stack, it's just that they hired Solvinity for their expertise. AFAIK Solvinity can't access the data.

I can't find it right now, but on Tweakers there was a long comment by someone on the inside that explained Logius basically had almost no know-how of how the current stack works, and there's lots of bespoke stuff. Basically classic vendor lock-in. The government (rather, Logius) now really wants to transition away from Solvinity, but that will likely be a 5+ year process.

I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized. Would lead to a much better product. A man can dream :)

*for months

> A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option,

Given what we know now, this seems perfectly logical. It's just that we don't know what else is going on behind the scenes.

I'm sure there was some negotiations on how to keep the data separate or something, with the threat of blocking it altogether as a final solution.

But agreed, this is a good outcome

lets be frank, these are changes caused by the downgrading of the American administration to a subscription services behind a paywall that requires DLC, root based encryption bypasses and a Clippy popup that instead of trying to be helpful is indistinguishable from a mafia racket.

>> Finally!

You are behind the curve. You read here first. Lets revisit this comment in 2 years...

This will be overturned by both Dutch and European courts after the company appeals, and specially after Mark Rutte Daddy calls. The only purpose of this action is for the Dutch government to save face, and its for internal consumption. They already have the internal legal advice stating this, hidden away in some closet. But then they will say: You see, we wanted to do it but a court blocked us.

>>Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies.

The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....

"Microsoft Accused Of Sharing Dutch Officials’ Data with U.S. Government" - https://www.yahoo.com/news/politics/articles/microsoft-accus...

This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks... And they will use as example, the diplomatic service extensive use of Microsoft :-)

So is nothing more than another Polder hypocritical take, by the Dutch government.

I wish more news outlets actually stated so - Kyndryl was formerly IBM, has 73.000 employees worldwide. When this news first broke, nobody had ever heard of it so it sounded like some small random hosting company, but it's huge.

Nobody gets fired from hiring Kyndryl.

30k requests and hour? A 5 euro VPS can handle this easily.

DigiD itself is government-owned, but its infrastructure is managed by Solvinity (a private company). Not really different from the US gov running half its stack on AWS.

Because too few IT capable people are willing to work under the government's pay scales; in most cases going private / corporate earns more. So most Dutch IT projects end up with private companies, which also means that, in the case of DigID and the secure / official messaging platform, the hosting party can charge exorbitant rates. Did you know it costs 25 cents to send a message via the Berichtenbox? So when the government does its annual "it's time to fill in your taxes" message, they have to pay millions. Assuming they don't get a bulk deal, anyway.

Apologies in advance for wasting anyone's time with a light hearted tangent. But as I scrolled past your comment I read:

> If it's such a vital piece of infrastructure, why is it in Dutch hands at all?

It was the funniest thing I have misread in a while.

because privatisation

This is not some sort of company making unique tech, it's a company handling some of the most the vital infrastructure for our government, you can imagine the privacy concerns. Completely different case

In 2013, the same deal would likely have gone through. US-Dutch relations looked very different in 2013 under Obama than they look now under second-term Trump. Any reciprocity today based on things Obama did back then falls flat because we all know Trump opposes nearly everything Obama ever did

At the same time they're allowing the tax office to migrate completely from a self hosted solution to office 365 do there's that.

They had to be dragged kicking and screaming into doing this. Several attempts were made to force them to block the takeover. Not sure what caused their latest turnaround.

All governments are "doing something". It just isn't at all effective and mostly because they're unwilling to invest even marginal amounts.

Like in this case. The technology here utterly depends on Google Play Services on Android or App Attest on Apple (or "secure enclave"), and that is in fact essentially the only functionality.

This could have been solved instead switching to a standard (switching to OATH, RFC 4226 and RFC 6238), thus killing the dependency on Google/Apple while still allowing those devices to work smoothly, but also allowing a Linux implementation, allowing anyone . Plenty of European companies provide implementations for this, some with and some without the dependency on Google/Apple attestation.

It's not only about the data, it's about the risk that the US would basically turn off things like tax collection and doctors' visits in the Netherlands as part of (say) a first strike on Greenland.

Sure, the chance is low. But in the current climate people are nervous and it's best not to risk it. The current government has already embarked on a long-term strategy to bring more of critical software infrastructure back in-country, selling the core identity provider software abroad would go directly against current policy.

The issue was less privacy concerns, and more "hey lets not hand over one of the most critical pieces of infrastructure to a potentially hostile state". DigID is the user authentication platform for basically every government site in The Netherlands. A foreign government could use sanctions to pressure Dutch individuals to comply by limiting access to it.

> (hopefully, presumably, with your government acting as the gatekeeper)

Exactly, that gatekeeper role is what's the difference here. Do you give all data to another country and ask them for pieces back as needed (whenever someone wants to use DigiD, the country can block it), or do you host it yourself and only share the parts that are relevant for this other country's investigations?

> if Netherland has some information-sharing agreements with … Fourteen Eyes

Probably a safe assumption, since the Netherlands is a member of the Fourteen Eyes

It's not about privacy, it's about control.

Solvinity = Solvent Divinity

We're terrible at company and brand naming here in Europe. Just look at the "Wero" payment solution (formerly/currently iDeal). Like, who the hell came up with that stupid name?

The list of stupid European company names and product names are endless.

> Solvinity is a pretty terrible company name.

I find it okay'ish. At least it's unique. Say, as much as I like Mario Zechner (who doesn't like HNers anymore for whatever reason), naming your product "Pi" is just terribly bad.

Facebook was a good name (hate the company but the name was good). But "Meta" is just dumbfucktarded.

Wait... I've got an idea: I'm going to make a product and name it "Alt". Or "Control".

Really: there are a lot of totally unhelpful name that just confuses everybody, including search engines, humans, and LLMs but I don't think "Solvinity" is that bad.

Oh, and if you out-source it, then I do not thing you should have a say in whom the contract. Either keep it in house, or out-source.

They contracted the market and now they want to control it as if it's in house.

maybe how much money you are willing to spend isn't a perfect measure of how important something is?

By that we mean, send a whitehouse crony over to throw a temper tantrum on Dutch soil.

As per the Dutch language saying: "Trust comes on foot, but leaves on horseback."

Trust breakdowns are costly, except to the vultures "winning" the negative-sum game. Might want to read about the fall of the Warsaw pact.

Two thirds of Europeans want this - https://www.techpolicy.press/almost-two-thirds-of-europeans-...

> The figures were almost universal across all categories: 62 percent of those surveyed across the five European countries said they favored or had considered replacing US data storage and payment services, while 59 percent of respondents said they would back a change from American video-conferencing companies like Zoom.

(Technically only five countries in the EU in this survey, but the five most populous countries, and presumably other countries generally agree)

Are you serious? You did notice that there was even a EU digital sovereignty summit recently?