Dutch gov't pulls report on dangers of American cloud service after criticism

The Ministry of Justice and Security removed a report on the risks of Amazon’s “European Sovereign Cloud” service shortly after publishing it. This followed critics saying that the report underestimates the service’s dangers and illustrates the government’s tunnel vision regarding American big tech, the Volkskrant reports.

The European Sovereign Cloud is a service offered by American tech giant Amazon Web Services in response to Europe’s desire for greater digital independence from the United States. The service is specifically delivered in data centers on European soil with European employees.

Tech experts have been skeptical of this new service since its launch, arguing that it doesn’t matter where the data center is located or who works there. As long as the customer deals with an American parent company, the United States government can access its data, and the president can suspend services through sanctions legislation.

The Ministry of Justice and Security’s Strategic Supplier Management (SLM) department, which negotiates contracts with Amazon, Google, and Microsoft on behalf of the government, asked lawyers from the American law firm Greenberg Traurig to study the European Sovereign Cloud and analyze its risks. The lawyers concluded that it is possible for the U.S. government to gain access to data or suspend services through law and informal pressure, but they considered it unlikely to happen.

An employee of the SLM department wrote a post on LinkedIn, summarizing the conclusions of the report. He said it was highly unlikely that the U.S. would gain access to Dutch government data, and that “the likelihood that U.S. sanctions will lead to suspension of services is also low.” He said no definitive judgment can be made yet, but the product “potentially” aligns with the Dutch vision of digital sovereignty.

Following this post, tech expert and activist Bert Hubert posted a blog on his website criticizing the research. According to him, the report underestimates the risk governments face by using Amszon’s new cloud service. Nitesh Bharosa, professor of government technology at Delft University of Technology, also raised concerns about governments not having any access to the technology involved in the service. “The technology is delivered as a black box. To ensure the security of government data, you want to check at the source code level for backdoors.”

Three days after publication, the Ministry deleted the report from the open.overheid.nl website, and the LinkedIn post was removed. A week later, on February 26, the Ministry republished the research with a memo stressing that this is not a technical, but a legal investigation. The report is also “not a policy recommendation or compliance assessment,” and “no risk assessment” is made based on the report, the Ministry said.

In the Netherlands and Europe, there has been a growing push for government and essential services to move away from American big tech. Tech experts recently told the Dutch parliament that Dutch and European providers can provide most of the services that American companies do.

Critics think that the Ministry of Justice’s SLM department has created a kind of tunnel vision in the government, where it can’t see beyond American big tech. GroenLinks-PvdA MP Barbara Kathmann, the chair of the Standing Committee on Digital Affairs, told the Volkskrant that she often hears the SLM referred to as “the Dutch Ministry of Microsoft.” According to her, European companies have given up on the Dutch government. This report again shows the government’s “blindness to the lobby of big tech,” she said.

The Ministry of Justice and Security told the Volkskrant that the SLM does look beyond products from Microsoft, Google, and Amazon. Investigations are also underway into the cloud services of the German StackIt and the French OVHCloud, a spokesperson said.