This story in 1 minute

What’s the news?

With the sale of Amsterdam-based data security company Zivver, sensitive information about European citizens is now in the hands of Kiteworks.
The CEO of the American tech company is a former cyber specialist from an elite unit of the Israeli army, as are several other members of its top management.
Various institutions in Europe and the U.K. – from hospitals to courts and immigration services – use Zivver to send confidential documents. While Zivver says these documents are encrypted, an investigation by Follow the Money shows that the company is able to read their contents.

Why does this matter?

Cybersecurity and intelligence experts told Follow the Money that the takeover should either have been prevented or properly assessed in advance.
Zivver processes information that could be extremely valuable to third parties, such as criminals or foreign intelligence services.
That information is now subject to invasive U.S. law, and overseen by a company with well-documented links to Israeli intelligence.

How was this investigated?

Follow the Money investigated the acquisition of Zivver and the management of Kiteworks, and spoke to experts in intelligence services and cyber security.

This article is part of an ongoing series: The EU Files.
When the American data security company Kiteworks bought out its Dutch industry peer Zivver in June, CEO Jonathan Yaron described it as “a proud moment for all of us”. The purchase was “a significant milestone in Kiteworks’ continued mission to safeguard sensitive data across all communication channels”, he added in a LinkedIn post.

But what Yaron did not mention was that this acquisition – coming at a politically charged moment between the U.S. and the EU – put highly sensitive, personal data belonging to European and British citizens directly into American hands. Zivver is used by institutions including hospitals, health insurers, government services and immigration authorities in countries including the Netherlands, Germany, Belgium and the U.K.

Neither did Yaron mention that much of Kiteworks’ top management – himself included – are former members of an elite Israeli Defence Force unit that specialised in eavesdropping and breaking encrypted communications.
In addition to this, an investigation by Follow the Money shows that data processed by Zivver is less secure than the service leads its customers to believe. Research found that emails and documents sent by Zivver can be read by the company itself. This was later confirmed by Zivver to Follow the Money.

Zivver maintained, however, that it does not have access to the encryption keys used by customers, and therefore cannot hand over data to U.S. authorities. This is despite independent researchers confirming that the data was – for a brief period – accessible to the company. If U.S. officials wanted access to such communication, Zivver would be legally obligated to provide it.

Cybersecurity experts now point to serious security concerns, and ask why this sale seems to have gone through without scrutiny from European authorities.

“All of the red flags should have been raised during this acquisition,” said intelligence expert Hugo Vijver, a former long-term officer in AIVD, the Dutch security service.

Classified documents

Amsterdam-based Zivver – which was founded in 2015 by Wouter Klinkhamer and Rick Goud – provides systems for the encrypted exchange of information via email, chat and video, among other means.

Dutch courts, for example, work with Zivver to send classified documents, and solicitors use the service to send confidential information to the courts. Other government agencies in the Netherlands – including the immigration service – also use Zivver. So do vital infrastructure operators such as the Port of Rotterdam and The Hague Airport.
In the U.K., a number of NHS hospitals and local councils use the company. In Belgium and Germany it is used in major hospitals. The information that Zivver secures for its customers is therefore confidential and sensitive by nature.

When approached by Follow the Money, a number of governmental agencies said the company’s Dutch origins were a big factor in their decision to use Zivver. Additionally, the fact that the data transferred via Zivver was stored on servers in Europe also played a role in their decisions.

Now that Zivver has been acquired by a company in the United States, that data is subject to far-reaching American laws. This means that the U.S. government can request access to this information if it wishes, regardless of where the data is stored.

The Trump effect

These laws are not new, but they have become even more draconian since U.S. President Donald Trump's return to office, according to experts.

Bert Hubert, a former regulator of the Dutch intelligence services, warned: “America is deteriorating so rapidly, both legally and democratically, that it would be very naive to hand over your courts and hospitals to their services.”

“Trump recently called on Big Tech to ignore European legislation. And that is what they are going to do. We have no control over it,” he added.