The Dutch government makes use of American cloud services to store data, such as Amazon’s AWS, for example. It also turns out that 75% of government institutions have outsourced their email services to Microsoft or Google.
Privacy has always been a topic of concern in this context. Recently, Minister of Economic Affairs Dirk Beljaarts suggested that encryption could prevent the U.S. government from accessing this Dutch data.
This suggestion, however, immediately raises several questions among security experts. How feasible is this idea? What practical challenges might arise? Some key considerations include:
1. Which encryption algorithm will be used? The U.S. NSA has previously asked companies, like Juniper, to weaken encryption so that the NSA could monitor communications. Side-channel attacks and weakened encryption are therefore serious risks to take into account. A non-American algorithm might be preferred in this case.
2. The encryption would need to be end-to-end to prevent data from leaking during transit. This also raises the question of whether it is safe to use American software, such as Windows. After all, this software could, in theory, leak data after decryption, as could any American-made hardware.
Even equipment from other countries isn’t free of risks. For example, the U.S. NSA once listened in on Dutch police communications by exploiting a vulnerability in SE 660 Crypto mobile phones, made by ASCOM in Switzerland.
3. Governments have been working on quantum computers for some time. These will be extremely powerful, and it is expected that current encryption methods may eventually no longer be secure. This is known as the ‘Harvest now, decrypt later’ principle. With this in mind, how can the Netherlands ensure that today’s encrypted data remains secure in the future?
4. There are also political challenges. The Dutch government has previously stated it is not a fan of encryption, as it could hinder law enforcement efforts. A ban on encryption has even been discussed in the past. How can this be reconciled with the idea of using encryption to comply with the government’s own privacy regulations?
It is a complex challenge, and the only solution seems to be to store data solely in Europe. This would require a European cloud provider that can compete with American alternatives. However, such a provider doesn’t (yet) exist. While French provider OVHcloud and Germany’s T-Systems may be contenders, the downside is that they still use American hardware and software, meaning the data theoretically cannot be considered 100% secure.