The Netherlands rethinks its US tech addiction

BRUSSELS — An identity tool that underpins the digital lives of Dutch people and has partly fallen into American hands is prompting the country to reconsider its reliance on U.S. technology.

In the Netherlands, almost every citizen regularly uses the online identification tool DigiD to book a doctor’s appointment, buy a house or access online public services.

With a Dutch supplier of the tool in the process of being acquired by a U.S. technology company, that’s prompting concerns that the Netherlands is giving away critical technology at a moment of heightened sensitivity around the country’s wholesale use of American services.

As Dutch lawmakers in the parliament’s digital affairs committee met Tuesday to debate the issue, they received a petition signed by 140,000 people calling on the government to block the acquisition.

“If the Dutch government does something that [U.S. President Donald] Trump doesn’t like, he can shut down our government with one push of a button,” the petition reads. “That’s a big danger.” 

The debate over DigiD has put the spotlight on a topic that has been simmering for a while. 

With the Netherlands a long-time proponent of the transatlantic relationship, Dutch society is built on U.S. technology and IT services — as is the country’s government. That’s now seen as a glaring security issue as Trump fires off threats toward Europe. 

Two-thirds of the domain names of Dutch governments, schools and other critical companies rely on at least one U.S. cloud provider, research by the Dutch public broadcaster showed Sunday, with Microsoft the frontrunner. 

“We are the most Microsoft-loving country of the whole world,” said Bert Hubert, a Dutch cybersecurity expert and former intelligence watchdog. “The Dutch government uses more Microsoft than the U.S. government.”

Omnipresent

Questions over DigiD’s relationship with U.S. technology started in early November. 

U.S. cloud provider Kyndryl, a recent spin-off of the well-known U.S. tech company IBM, announced at the time that it would acquire Dutch cloud provider Solvinity. That company doesn’t own the online identification tool DigiD but provides the platform on which it runs. 

To Dutch people, DigiD is ubiquitous in their lives. “Every time you want to rent a house in the Netherlands, make an appointment with the doctor or do something in the hospital, you have to go through DigiD,” Hubert said. 

Potential U.S. control over such an omnipresent tool triggered fierce pushback. 

Last year the International Criminal Court, based in The Hague, ditched Microsoft as a service provider amid concerns about U.S. sanctions targeting the court. | Erik S. Lesser/EPA

Putting vital digital infrastructure in American hands “raises Dutch vulnerability for outages, manipulation or even blackmail,” a group of experts, among them Hubert, said in a letter their lawyers sent mid-January to the ministry service in charge of scrutinising acquisitions.  

The acquisition could also endanger the security of Dutch people’s sensitive personal data, lawmakers and experts argue.

“The risk is that it falls under the U.S. Cloud Act, which says that it doesn’t matter if data is hosted on EU soil, but if the service is done by a U.S. company, then the [U.S.] government can ask for that data,” said Barbara Kathmann, lawmaker of the GreenLeft-Labour party and expert in digital affairs. 

The Dutch Economy Ministry is now looking into the deal and whether it raises national security concerns, a ministry representative said in the Dutch parliament last week.

Kyndryl said in a statement that it “always lived up to relevant Dutch and European requirements for the security of customers’ data and will continue to comply with existing obligations of Solvinity to its customers.”

Cautionary tale

The Solvinity acquisition has put the spotlight on a topic that has been simmering for a while. 

Last year the International Criminal Court, based in The Hague, ditched Microsoft as a service provider amid concerns about U.S. sanctions targeting the court. 

The ICC case and the Solvinity acquisition should serve as a cautionary tale for Europe to start mapping its reliance on the U.S. and nurturing European alternatives, said Sarah El Boujdaini, a lawmaker for the centrist D66 — the party of the incoming prime minister Rob Jetten.

“We need to have a wider look at where our most vulnerable dependencies are, where we need to take back control, and where we need to procure more from European companies,” said El Boujdaini. 

That should include a particular focus on government services and services that people access continually, several interviewees said.

“Traditional government services should not be outsourced to other countries, especially not countries that are willing and have shown to be capable of weaponizing those dependencies,” said Dutch liberal European Parliament lawmaker Bart Groothuis. 

“Of course [the government] should make use of the services of ICT providers,” said Hubert, “but what you should not do is give a part of your society that you depend on 24 hours a day to a company that can be acquired.”