This project originated from a M.Sc. student project on security in the Dutch EPD system by Niels Sijm, a student of the SNE master's program at the University of Amsterdam, conducted under my supervision. Here is some information about me. The project was based on the then-current AORTA specification. Here is his report.
After the project ended, I continued to study the AORTA specification to find answers to some still-open questions. As part of this, Nictiz, the organization responsible for designing the EPD, has been kind enough to provide me with information in those cases where it was hard to establish precisely how the system worked. Based on this work, I wrote a technical report describing the system and evaluating its security architecture.
In December 2009, I sent Nictiz a first draft of my report, in January the final version. In January 2010, I gave a brief talk about security in the EPD at the 3d International Conference on Computers, Privacy, and Data Protection (CPDP 2010) in Brussels. This conference did not provide printed proceedings.
On February 18, 2010, I sent a letter to the Dutch senate describing my findings in Dutch. The minister responsible for the EPD, minister Klink, has also been informed. The CBP (College Bescherming Persoonsgegevens, the Dutch data protection authority) have also received a copy of the paper and a transcript of the letter to the senate. Based on my findings, I have contributed to a meeting in the senate on March 22, 2010. (here is an addendum)
On March 26, 2010 NRC placed an article about my work. The report and the results were released to the general public by means of a press release next. This was picked up by a number of newspapers the next day.
The press release (in Dutch) can be found here.
The report will be submitted to a scientific security conference in the near future.
Back to the main EPD page.