ES version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
60% Positive
Analyzed from 7319 words in the discussion.
Trending Topics
#government#dutch#company#data#more#should#solvinity#digid#netherlands#country
Discussion (232 Comments)Read Original on HackerNews
The entire country has been clamouring for this for weeks, and the government has been completely silent about it. A couple of weeks ago, the entire parliament (with only a single party dissenting) voted for a motion to end the contract with Solvinity, but the government extended it anyway, leaving blocking the takeover as the only option, and there wasn't a lot of confidence that the government would do that.
The whole reason for this is that Solvinity host DigiD, the Dutch e-ID system that handles authentication to all government and many other sensitive systems (healthcare). With the US law that the US government should be able to get access to any data held by a US company, regardless of where it's hosted, this system clearly should be kept out of American hands.
Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies. No idea when they're going to do something about that.
Logius is the company that actually owns and manages the DigiD stack, it's just that they hired Solvinity for their expertise. AFAIK Solvinity can't access the data.
I can't find it right now, but on Tweakers there was a long comment by someone on the inside that explained Logius basically had almost no know-how of how the current stack works, and there's lots of bespoke stuff. Basically classic vendor lock-in. The government (rather, Logius) now really wants to transition away from Solvinity, but that will likely be a 5+ year process.
I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized. Would lead to a much better product. A man can dream :)
Argentina's ministry of education did something like this with university software. The one used by students to sign up and by teachers to track grades, etc. There's a single open source modularised, customisable system made country-wide, and public universities customise it to their needs.
Before this initiative, every university was implementing their own software from scratch. In many cases, different faculties (e.g.: Engineering, Natural Sciences, Humanities, etc) each had their own software development teams developing their own independent software stack.
For what it's worth, this seems roughly equivalent to Moodle, which is open-source (GPL) and used globally, apparently especially popular in some of western Europe, the US, etc. [1] School systems can and do of course customise it as needed.
[1] https://stats.moodle.org/
Solvinity is the hoster. It can fully access the stack.
From what I have been able to deduce, Solvinity is contracted for some kind of sysadmin services - so basically Kubernetes babysitting?
That's nothing. The Dutch tax authority has spent the last 5 years deliberating a migration from on-prem IBM Notes to M365.
A few years ago I had the mispleasure of working for the island government of Bonaire, and they kinda run the same systems as they do in the mainland, being a sort of municipality.
Since all gemeentes in the Netherlands are basically independently run but have to communicate with each other for DigiD but also the GBA (ID system) and loads of other stuff, they invented a standard. It's a SOAP based monstrosity called StUF, and you better spell it like that.
I can't find much about StUF in English, but there is this about the succesor where they lament on how engrained StUF still is.
https://www.conduction.nl/commonground/
It wouldn't surprise me that migration to common ground is what they are refering too. StUF knowledge is not widespread due to the level of vendor lock in. There's not many vendors and outside GovIT nobody cares about StUF.
I'm not sure what bespoke stuff they invented to get their sweet vendor lock in eurobucks, but the whole thing is nothing more than an OAuth provider for 19 million people. I guess NFC integration in the app that reads physical ids is on a fancier side, but I suspect on that side it's vendor locked by card vendor and their SDK.
[0] https://zakon.rada.gov.ua/laws/show/z1398-12#Text
Tbh I like the German one even better because you need your physical Identity Card and can use your phone as the reader
I understand that this particular path doesn't allow them to access further sensitive data, but it does give these corporations the power to block any individual for accessing the DigiD app.
You don't need the app for most functionality, but for a few healthcare related tasks, it's the only option, with no fallback.
My healthcare provider changed their online thing this year and that new thing required highest assurance level. I think they changed it back because you can only tap with the Dutch id card (not the residence permit or other country's ids).
Given what we know now, this seems perfectly logical. It's just that we don't know what else is going on behind the scenes.
I'm sure there was some negotiations on how to keep the data separate or something, with the threat of blocking it altogether as a final solution.
But agreed, this is a good outcome
which i'm sure the current administration would honour
There should be grave consequences alone for the fact that the goverment acted against the parliament
It would've been the same administration as the one doing the negotiations, so I would assume yes.
> There should be grave consequences alone for the fact that the goverment acted against the parliament
In general I think there's a pretty good understanding between the legislative branch and the executive branch. The Netherlands has always had coalitions. Also, every single government will talk to the other parties.
I'm not sure what country you're referring to but the Netherlands has a properly functioning democracy. The only problem it has is splintering into too many small factions making coalitions super hard
Er, what law is this, exactly?
the example case on wikipedia entails a US citizen storing data with Microsoft, a US company, data that Microsoft offshored from the US. So in that case, the US Courts and politicians seem on pretty firm ground to consider that data to be "obtainable" by court order; it wouldn't make sense for American vendors to to create a privacy "double Dutch sandwich" as is done with corporate income tax loopholes. Letting the law go that far would not be a threat to "Europe".
Now if Europeans were committing crimes in the US without being in the US themselves (let's say organized crime trafficking to the US or operating phone scams) that raises more interesting questions about jurisdictions, but that discussion is only productive with good knowledge of what US-European cooperation is already in place or considered "within the pale" due to shared mutual concerns
According to wikpedia, "the CLOUD Act asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in."
It could "scare" Europeans to read that, but an important keyword is "requested by a warrant": to be scared by it, you'd need to know that US Courts are issuing warrants for Europeans who are not committing crimes in the US, which I doubt. Europeans committing crimes I already touched on.
wikipedia continues, It also provides an alternative and expedited route to MLATs through "executive agreements"; the executive branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens.[8][9] The first such agreement was with the United Kingdom.[10] There is a FAQ appended to the white paper published by the U.S. Department of Justice.
This aspect of the CLOUD act should not specifically scare Europeans, they should rather be scared of their own governments cooperating in such schemes. For Europeans to want the US not to have the CLOUD act to protect them from their own governments is rational, but not something that can be discussed, it would melt European brains to say anything positive about the US.
wikipedia goes into more interesting areas for US/Euro conflict (for example, who would be covered by the GDPR for the information that the CLOUD act covers) which is interesting but I'm less equipped to discuss that than the preceding. here is the link you can chase down if you want https://en.wikipedia.org/wiki/CLOUD_Act#International_reacti... https://en.wikipedia.org/wiki/CLOUD_Act#International_reacti...
You are behind the curve. You read here first. Lets revisit this comment in 2 years...
This will be overturned by both Dutch and European courts after the company appeals, and specially after Mark Rutte Daddy calls. The only purpose of this action is for the Dutch government to save face, and its for internal consumption. They already have the internal legal advice stating this, hidden away in some closet. But then they will say: You see, we wanted to do it but a court blocked us.
>>Of course there's still plenty of sensitive data in the hands of Microsoft, Amazon and other US companies.
The WHOLE Dutch diplomatic and broader civil service, including the Ministry of Foreign Affairs, runs extensively on Microsoft infrastructure for its daily operations, cloud services, and email. And they leak....
"Microsoft Accused Of Sharing Dutch Officials’ Data with U.S. Government" - https://www.yahoo.com/news/politics/articles/microsoft-accus...
This will also be the core legal argument by the appealing company. They will argue that the decision was politicized, insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks... And they will use as example, the diplomatic service extensive use of Microsoft :-)
So is nothing more than another Polder hypocritical take, by the Dutch government.
It’s not ‘politicized’, it’s the gateway to all Dutch government services and as such it is inherently political.
> insufficiently reasoned, or disproportionate because binding technical/legal safeguards would have solved the risks...
There are no legal safeguards against the CLOUD act. There can be no technical or legal safeguards as long as the physical hardware is owned by a US company.
There is a broad digital strategy to migrate off from American infra. Will take 10 years, but this stuff has inertia once it starts moving.
Tying the process up in the courts for that period is also a political victory, since by the time it'd be resolved, Solvinity wouldn't have the contract anymore anyways.
How would that argument support a sale to the US? It sounds like the perfect argument against it. Those technical/legal safeguards clearly didn't work for Microsoft either.
Mark Rutte, the chief of NATO and ex-PM, that has nothing to do with civilian tech? Can we please leave unfounded conspiracy theories to Reddit?
Not sure exactly who he represents but his actions as NATO secretary have been genuinely a bit concerning for me, he seems determined to start a war with Russia
"...Above and beyond the role of chair, the Secretary General has the authority to propose items for discussion and use their good offices in case of disputes between member states....
...In order to facilitate this process, the Secretary General maintains direct contact with Heads of State and Government, and Foreign and Defence Ministers in NATO and partner countries...."
[1] - https://www.nato.int/en/about-us/organization/nato-structure...
And Mark Rutte has been shaping the domestic fiscal debate inside the Netherlands [2]: "...Mark Rutte said the Netherlands must significantly boost defence spending and pointed to Dutch spending on pensions, healthcare and social security, saying only a small fraction of those allocations would strengthen defence..."
[2] - https://nltimes.nl/2024/12/03/nato-leader-rutte-netherlands-...
And on conspiracy theories - Do you trust the Financieele Dagblad?
https://nltimes.nl/2025/11/20/asml-offered-spy-us-breaking-e...
All we get are documents with nearly everything censored except for very benign things. Only time will tell what's going on, but I doubt I'll live the day
It's probably something he would use as 'change' to resolve something unrelated with NATO. Then he can sell how well he's keeping NATO together
Their sentiment is that Trump intervenes by whining to Mark Rutte, who seems to be the only European Trump is actually willing to listen to, at the expense of course of giving up all his dignity in calling Trump, literally, Daddy [1].
And I would not put it past Trump to do that... I mean, that's what he already did regarding Tiktok.
With Trump nothing is impossible any more, especially if he or someone in his circle stands to make or lose money. And that's the greatest danger in the US turning into a full blown banana republic.
[1] https://www.politico.com/news/2025/06/25/nato-chief-calls-tr...
That is unbelievably rich. It's politicians job to protect the privacy and interests of its citizens. Must be a strange idea for the US these days.
So...they outsource to Logius, who then hires Solvinity to give two for-profit corps access to your information? Why are the blocking the acquisition entirely and not... ya know, hosting their own infrastructure?
Because they're not a tech company and they're aware of that so they place bidding contractors to specialists in the field who offer a proposal and bid. This is nothing new.
https://openwallet.foundation/staff/
Governments need it to be solved by a team (either within the government or a vendor company) because it is the non-tech things that are missing from the open source solution: high availability / redundancy, hosting, backups, business continuity, audits, someone to grill when there is a leak.
The people who work in government and banks aren’t incompetent. They are just like you and I but they work within a highly rigid system because if their system isn’t rigid, societies fall. People don’t think rationally during bank runs or when nobody in a country can access public services for weeks at a time. This is the core hazard of Mr. Robot.
>high availability
oh yeah, oh noes.
All but one of these is a tech problem though.
So we are back to a single “something you know” factor as identity?
There’s a reason your idea doesn’t exist.
...OR, we host our data in our own countries with companies incorporated in our countries. (Sovereign cloud)
https://en.wikipedia.org/wiki/Kyndryl
> Officially formed in late 2021, Kyndryl was created from the spin-off of IBM's infrastructure services
> Kyndryl operated in 63 countries in November 2021
Who in their right mind would want to travel all the way to Apeldoorn.
A good example of internal development in the government is the police. They have internal development teams.
This puts a huge filters out who's willing to work for them.
>Did you know it costs 25 cents to send a message via the Berichtenbox?
In a country with paid toilets what do you expect lol
Maybe the Netherlands are different (country can vary a lot with what is included in a salary) ?
2. The ruling party for over a decade is the VVD, a Republican Party with training wheels, with Tea Party like spinoffs in varying degrees over rabid idiocy. The VVD heavily depend on a small network of big donors and as such are strongly nudged to source the policy advice from those networks. The IT backbone of those government agencies are thus run by big corporate IT shops, which is also politically convenient as you can shrug of responsibility when it turns out there is some light between the theory and the practice of the neoliberal doctrine.
> If it's such a vital piece of infrastructure, why is it in Dutch hands at all?
It was the funniest thing I have misread in a while.
The Netherlands blocking a US acquisition due to technology control concerns is sure to ruffle some feathers in Washington.
I don't think it's changing after this administration.
> In 1997, ASML began studying a shift to using extreme ultraviolet. Two years later, it joined a consortium, which included Intel and two other U.S. chipmakers, in order to exploit fundamental research conducted by the US Department of Energy. Because the Cooperative Research and Development Agreement (CRADA) it operates under is funded by the US government, licensing must be approved by Congress.
Not just heavily benefitted. The entire wafer-making technology is the result of US government funding and research. There's a reason why Cymer continues to operate independently in San Diego instead of by ASML in Europe. That was mandated by the acquisition agreement. The R&D and manufacture of the EUV light sources had to remain in California. ASML in the Netherlands is just the final assembler of the machines.
ASML brought Cymer in house because it couldn't make the tech they needed and they needed to dump resources and engineers on the project of a supplier to make what they needed actually happen. Cymber could only accomplish 10W EUV lights, while ASML needed 250W sources, so they bought the company to actually execute on what they needed. And there were other sources that ASML could have flipped to.
They literally bought it because it failed to do what they needed. Somehow loads of Americans, in that fun American exceptionalism way, want to rewrite the world where really ASML is just some magical US tech in a trench coat, because everything somehow owes its existence to Americans.
>especially with the current US government
The US government has forced every American company to cease work with any judge or employee of the ICC, all in defence of America's boss Israel. This alone should see every American company ousted from every foreign nation. The idea of giving an American domiciled firm control over domestic infrastructure tech is insane (like, treasonous level), and anyone pushing this needs to be fully investigated. Similarly, the fact that the UK keeps implementing garbage from Palantir is clear evidence that the country is utterly busted and needs a massive civil service overhaul.
This is all quite aside from the various tantrums, grotesque levels of corruption, and openly threatening allies.
I'm sure it will "ruffle some features", but it turns out the US blew its load already. Absolutely no one cares what that idiocracy's cabal of pedos, halfwits and self-dealing criminals throw a tantrum about anymore. At this point the US should be punted from NATO, every base closed, and everyone should just nuke up.
They had to be dragged kicking and screaming into doing this. Several attempts were made to force them to block the takeover. Not sure what caused their latest turnaround.
Like in this case. The technology here utterly depends on Google Play Services on Android or App Attest on Apple (or "secure enclave"), and that is in fact essentially the only functionality.
This could have been solved instead switching to a standard (switching to OATH, RFC 4226 and RFC 6238), thus killing the dependency on Google/Apple while still allowing those devices to work smoothly, but also allowing a Linux implementation, allowing anyone . Plenty of European companies provide implementations for this, some with and some without the dependency on Google/Apple attestation.
Could they do something better, sure. I am still glad to see they did something at all.
Only a few EU countries have rolled out NFC-based eID functionality (as only physical ICAO-based ID verification via NFC is a mandatory part of the EU ID card standard); those are the only ones with a viable path forward in the short term.
The app has the benefit of being free, getting a working reader costs 60-90 euros last time I checked and Linux driver support isn't great.
https://www.logius.nl/actueel/qr-code-scanner-digid-app-werk...
(Also works fine on my GrapheneOS phone with only basic integrity, also worked on microG when I tested.)
Sure, the chance is low. But in the current climate people are nervous and it's best not to risk it. The current government has already embarked on a long-term strategy to bring more of critical software infrastructure back in-country, selling the core identity provider software abroad would go directly against current policy.
Trump also already sanctioned Justices from the ICC based in Netherlands because he didn't like them.
He's clearly not the guy with impulse control
Still though, that is about 10 percentage points higher than before Trump took office. Better not to hand him too many tools to exert leverage with.
Private companies ought to have the freedom to do business with whomever they like, but for essential public services, better to assume essential public infrastructure simply must not be offshored at all.
Probably a safe assumption, since the Netherlands is a member of the Fourteen Eyes
Exactly, that gatekeeper role is what's the difference here. Do you give all data to another country and ask them for pieces back as needed (whenever someone wants to use DigiD, the country can block it), or do you host it yourself and only share the parts that are relevant for this other country's investigations?
I say, blocking foreign takeover of vital companies would actually incentivize me as an entrepreneur to choose the EU, and I say that as a startup founder in Europe. Because it levels the playing field for founders who believe in sovereignty: now I don’t have to worry about competitors selling out to foreign capital doing better than me due to that.
The structural problem is that we are destroying trading relationships built with Europe over generations.
Yes, it would be better for America and for the EU if America acted normal but I would not advise anyone to plan hoping on that.
You cannot unring this bell, however, nor can you put the genie back in the bottle, close Pandora’s Box, etc, pick your own metaphor. The US burned through the trust thermocline very suddenly these past few years, snapping the tension that had been brewing over several decades from US hegemony and the abusive diplomacy it created.
Now that the US regime is openly hostile to everyone else and US firms have dropped the pretense of being anything less than a global surveillance state, there’s nothing to go back to. These sorts of rejections and blocks will continue to escalate until a new norm is agreed upon by cooler heads, which I don’t see happening in the current climate.
Make no mistake, power everywhere wants more surveillance capabilities; the EU wants it as much as China or the USA. The difference is that with the leading empire in decline, everyone realizes that owning their own surveillance state is an advantage over outsourcing it to a potential enemy.
The list of stupid European company names and product names are endless.
I find it okay'ish. At least it's unique. Say, as much as I like Mario Zechner (who doesn't like HNers anymore for whatever reason), naming your product "Pi" is just terribly bad.
Facebook was a good name (hate the company but the name was good). But "Meta" is just dumbfucktarded.
Wait... I've got an idea: I'm going to make a product and name it "Alt". Or "Control".
Really: there are a lot of totally unhelpful name that just confuses everybody, including search engines, humans, and LLMs but I don't think "Solvinity" is that bad.
After Bill and Melinda Gates have their honeymoon, Melinda says, "Now I know why you call it Microsoft."
Where do you live where "apping" is understood?
Beside the point, this is drawing clearer picture of US control: losing. Us is seen as a threat and coercion making practices start with owning data using that as control.
Some American companies have tried to establish convoluted workarounds in Europe to get around this, but as far as I’m aware it hasn’t been tested in court yet.
But to get there you first need to have access to the government API giving you information about a person with certain tax number (name, DOB, address) so you can send them a letter with the code, for which you likely need to be inside their security perimeter. Then you have to actually send the code and have the app generate the key. Then sure, you can expose oauth2 provider and authenticate user with an HOTP you enrolled after they entered the binding key from mail. That's about the whole thing if you don't count bells and whistles.
Bells and whistles include:
- talking to the physical id card so you can mark the key as high trust;
- keeping the session open so second login during 15 minutes would be confirmed with one tap in the app;
- backup authentication method with sms-otp;
- all the nasty stuff that happens with fraud and blocking access but you can't just block the customer and tell them to go somewhere else;
- antidebugging and obfuscation nonsence in mobile apps because CyBErsEcUritTy (second level scam);
- fancy paper to print one time codes that come by mail (not sure DigID does this, but banks do)
Digid is used to submit taxes and for getting benefits from the government.
They make the login-screen. And now for businesses there are like 5 providers of the login screen (that you HAVE to use in order to use govt websites): you have to choose one and pay like 40EUR/y in order to log in.
Calling a login screen vital is, yes, the truth.
Out-sourcing --and creating a market for-- the login screen is, to me, one of the most bizarre thing I've seen the Dutch govt do in recent years.
They contracted the market and now they want to control it as if it's in house.
This stance has shifted completely. And you can thank one guy for it.
Let's see if the Dutch are men of their words. I expect the government to offer to buy this company, or an offering being made for the Dutch investing public to get shares.
> Kyndryl said in a statement it was "extremely disappointed" about the decision. "The politicization of this process has overshadowed the clear and important benefits this transaction would have brought to Solvinity's customers and Dutch citizens."
Are these guys so tone-death to the point they even try to gaslight the world? They are trying to take over a nation's ID system. Who in their right mind sees this as anything other than a national security issue?
Trust breakdowns are costly, except to the vultures "winning" the negative-sum game. Might want to read about the fall of the Warsaw pact.
So it took your horse? Better stop trust from ever coming then.
The author has no basis for this claim, factually or otherwise .. maybe a small tiny group would love to see this happen, but EU is happy like rest of the world minus China to enjoy the products made by great American software companies.
> The figures were almost universal across all categories: 62 percent of those surveyed across the five European countries said they favored or had considered replacing US data storage and payment services, while 59 percent of respondents said they would back a change from American video-conferencing companies like Zoom.
(Technically only five countries in the EU in this survey, but the five most populous countries, and presumably other countries generally agree)
the poll may be telling us as much about the priorities and assumptions of the people asking the question as it does about public opinion… in fact, the need to run a poll on this specific question arguably says more about the agenda behind it than the resuglt itself ..
This page includes a video of our Prime Minister, in English. You should listen to what he says. The time of depending on America's security umbrella is over.
To give you an example, if India or China or Africa holds a summit on climate change, it doesn’t mean that its citizens want that or even care about it.
Anyway, the idea that such a big geography should move away from the best software factory of the world because it has some political agenda with its current leader is both impossible and overall quite childish and will never come to fruition.