• Pascal's Chatbot Q&As
  • Posts
  • GPT-4o about Zivver. This acquisition has effectively placed highly sensitive Dutch communications under the potential reach of both U.S. extraterritorial law and Israeli intelligence interests.

GPT-4o about Zivver. This acquisition has effectively placed highly sensitive Dutch communications under the potential reach of both U.S. extraterritorial law and Israeli intelligence interests.

Forensic analysis revealed that Zivver messages are, under certain conditions, processed in unencrypted form on Zivver’s servers, contrary to its public claims of "zero access encryption".

Author

Pascal Hetzscholdt
September 14, 2025

Essay: A Strategic Blunder in Digital Sovereignty — Dutch Confidential Data in Foreign Hands

by ChatGPT-4o

The recent Follow the Money exposé titled "Strategic blunder: confidential data of Dutch people in the hands of Americans" provides a deeply troubling look into the consequences of the acquisition of Zivver, a Dutch secure communications platform, by the US-Israeli cybersecurity company Kiteworks. What initially appears to be a routine tech-sector acquisition is in fact a geopolitical and data sovereignty wake-up call — one with severe implications for Dutch citizens, institutions, and the broader European digital infrastructure.

Summary of Key Events

Zivver, founded in Amsterdam in 2015, has provided encrypted communication services for government bodies, courts, hospitals, and other sensitive sectors in the Netherlands, Belgium, and Germany. Many public institutions adopted Zivver specifically because it operated under EU data protection laws and hosted data in Europe — reassuring clients of independence from US or other foreign surveillance regimes.

However, in mid-2025, Zivver was quietly acquired by Kiteworks, an American cybersecurity firm whose executive team is deeply embedded with veterans of Israel's elite cyber-intelligence unit, Unit 8200 — a group notorious for global eavesdropping, encryption breaking, and cyber-ops including the infamous Stuxnet attack. This acquisition, occurring without regulatory review under Dutch investment screening laws (Vifo), has effectively placed highly sensitive Dutch communications under the potential reach of both U.S. extraterritorial law (e.g., the CLOUD Act) and Israeli intelligence interests.

Most critically, forensic analysis revealed that Zivver messages are, under certain conditions, processed in unencrypted form (“flat text”) on Zivver’s servers, contrary to its public claims of “zero access encryption.” This creates a technical possibility for interception, analysis, or coercive handover of sensitive data — even if no abuse has yet been documented.

Surprising, Controversial, and Valuable Findings

Surprising

  • Despite Zivver’s assurances of end-to-end encryption and customer-only access keys, researchers found that emails and attachments are readable (unencrypted) on Zivver servers under certain workflows, such as webmail use or exchanges with non-Zivver recipients.

  • The lack of screening by Dutch authorities under the Vifo Act is shocking, especially given Zivver’s extensive government and healthcare clientele. Regulators claim Zivver didn’t meet the technical definition of “vital infrastructure,” raising questions about outdated classification systems.

🚨 Controversial

  • The depth of integration between Kiteworks' leadership and Unit 8200 is alarming. Several executives, including the CEO and M&A director, are ex-IDF officers with extensive cyber-intelligence credentials.

  • Israel’s long-term strategy to dominate communications infrastructure is discussed openly. Experts suggest the Zivver acquisition may serve Israeli geopolitical interests more than commercial ones.

  • A former Dutch intelligence supervisor starkly warns: “If you want to share something secret: consider a typewriter.” This is more than hyperbole—it reflects growing fears of systemic vulnerability in Europe’s digital sovereignty.

💡 Valuable

  • The report emphasizes a rarely addressed but critical risk vector: Western democracies may over-focus on Chinese surveillance while underestimating allied countries like Israel, whose intelligence reach and legal frameworks differ starkly from EU privacy norms.

  • The journalists shed light on the opaque ‘zero access’ marketing claims made by encryption providers, urging regulators and users alike to demand technical verification and independent audits.

Recommendations

🧍‍♂️ For Citizens

  • Demand transparency: When using digital services provided by healthcare, legal, or governmental institutions, citizens should ask where and how their data is stored and encrypted — and by whom.

  • Use alternative secure channels for truly sensitive personal data where possible (e.g., in-person, paper-based, or certified local solutions).

  • Support civil society efforts that promote digital rights, privacy protections, and transparency in state tech procurement.

🏢 For Businesses and Public Institutions

  • Reassess vendor risk: Institutions must broaden their risk assessment frameworks beyond technical checklists to include ownership structures, geopolitical affiliations, and data jurisdiction issues.

  • Mandate independent audits of any encryption or zero-access claim and integrate these audits into procurement and compliance regimes.

  • Prioritize EU-based providers or consortia committed to operating under the GDPR and avoiding entanglement with foreign intelligence regimes.

🏛️ For Regulators and Policymakers

  • Update the definition of “vital infrastructure” to include secure communications services, especially those used by courts, hospitals, and law enforcement agencies.

  • Enforce mandatory pre-acquisition reviews for any foreign takeovers of companies handling sensitive citizen data, regardless of size or market share.

  • Create a pan-European certification and audit framework for end-to-end encryption providers, including mandatory disclosure of any foreign ownership, intelligence affiliations, and actual encryption implementation.

Conclusion

The Zivver-Kiteworks case reveals a structural failure in the Dutch and, by extension, European regulatory frameworks — a failure to anticipate how data, sovereignty, and security intersect in today’s hyperconnected world. In a time of rising geopolitical instability and eroding trust between even traditional allies, the strategic blunder is not merely that foreign firms acquired a security-sensitive company. It is that Europe failed to recognize data infrastructure as a matter of national security.

This is a call to action — not just to protect citizen data, but to redefine digital independence in the 21st century.

Grok: In summary, Europe's dependency on Palantir for enforcement, intelligence, and analytics is significant but not without controversy.

·

2 FEB

Asking AI services: Tell me everything you know about Palantir Gotham, Europa and explain just how dependent Europe is on Palantir for its enforcement and intelligence work and analytics.

·

2 FEB

It's probably not the best basis for the US either. A LOT more disciplines, experts and scientists of many more fields are required. A tech heavy think-tank(er) is likely going to topple. But Karp does display a lot of masculinity though, with his strong talk! 🦾 🤖 💪 Clip: