Fnoord a day ago

> Is there any factual basis to this claim

Please feel free to translate and read the Dutch version of this article. On the bottom, several security researchers found vulnerabilities in Zivver [1]

[1] https://www.ftm.nl/artikelen/vertrouwelijke-zaken-te-grabbel...

ishi a day ago | parent [-]

So Zivver created a product with security vulnerabilities, Kitenet bought Zivver (probably for their customer base), and it's all some sort of conspiracy to steal personal data?

Fnoord a day ago | parent | next [-]

We merely bought the honeypot, Your Honor! We didn't know what we were buying!

Perfect cover story /slowclap

Secret services use companies as cover all the time. Nothing new there.

The conspiracy is that it is a dragnet for the data, and given the data is first sent in plaintext to Zivver (see the Dutch FTM article I already linked), it isn't far-fetched.

Looking at the current geopolitical situation, it also isn't far-fetched. It even fits in the Israeli secret services' M.O.

Actually, anyone who uses Zivver can find these vulnerabilities. I was worried about this, and reported it to my former employer (while still employed), but alas I did not have a PoC and they had a lot of other security-related incidents so this was low priority. Also, this was at a time when the company was still privately owned by the Dutch founders. My hypothesis is that someone working for such an organization passed it to the Israeli secret service, who then got motivated to buy this honeypot.

The Chinese do something similar: release some piece of technology, never provide any meaningful updates to the product, and voila, it is insecure as hell (yet 'we didn't know' provides plausible deniability). I saw this first-hand with the KRACK vulnerability.

Also... Kiteworks [1] is the name of the company. Not sure why you keep calling it Kitenet.

[1] https://en.wikipedia.org/wiki/Kiteworks

chiefalchemist a day ago | parent | prev | next [-]

To be fair, it’s not a conspiracy if it actually happens. It’s surprising how often this type of reasoning is still so common.

dlubarov a day ago | parent [-]

What are you saying actually happened? It sounds like the concern is that in a certain context, messages are cloud hosted instead of client-side e2e encrypted? Did anyone even claim otherwise?

How is this different from suggesting Netflix was all a secret plot by Stanford to spy on Europeans' TV binging?

Fnoord a day ago | parent [-]

Two anonymous security researchers working at the Dutch government found the data is sent in plaintext [1]. One independent security researcher was able to verify their claim.

This should be a concern if the company is owned by Dutch people, but more so if it is owned by a company with questionable jurisdiction. Which unfortunately the USA and Israel are these days.

[1] https://www.ftm.nl/artikelen/vertrouwelijke-zaken-te-grabbel...

dlubarov a day ago | parent [-]

Did they ever claim otherwise? They say "Zivver scans the content of every email" prominently on the front page. The flow seems to be TLS to Zivver first, scanning, then encryption.

If all it takes to convince us that a communication product was created as a front for spying operations is not having a strict e2e design like Signal's, then do you think virtually all of them are fronts for spying operations?

Fnoord 16 hours ago | parent [-]

Listen, I am Dutch. I am loyal to the Dutch government, Dutch society, and therein lie my interests. This is also my potential bias.

> Did they ever claim otherwise? They say "Zivver scans the content of every email" prominently on the front page. The flow seems to be TLS to Zivver first, scanning, then encryption.

I worked at a government organization which used Zivver. This was around 2018. It was assumed to be E2E encrypted. I wrote about the issue in my security audit, but it had low priority for a myriad of reasons (they had worse issues at the time). Zivver is more akin to the Lavabit situation.

Proton's OpenPGP.js is slightly more secure than this implementation (it encrypts client-side), but because Proton can decide (and be forced) to serve a different OpenPGP.js, it suffers from a similar issue.

> If all it takes to convince us that a communication product was created as a front for spying operations is not having a strict e2e design like Signal's, then do you think virtually all of them are fronts for spying operations?

I never wrote it was created as a front. I don't believe anyone asserted that. The company was founded by a couple of Dutch people in 2015, it was a Dutch company. So they fell under Dutch jurisdiction. I honestly haven't looked them up.

Fast forward to June 2025 and this company got acquired by an American company where the higher echelons are ex-Israeli spies. This could be a front, I don't know. I very much question whether this sale should've been ACK'ed by the Dutch government. Because due to the CLOUD Act, the data now falls under American jurisdiction. Around the time of the acquisition though, the Dutch government fell. Responsible up to then was Dirk Beljaarts. Around that time (June 2025), Vincent Karremans took his place. Fast forward a couple of months later, we had the Nexperia crisis, where Karremans intervened. The fallout from a stopped acquisition due to national security is lower than the Nexperia fallout though.

I copied the title of the article verbatim. The Dutch article has a different title, and is IMO of better quality. The title of that article calls it a strategic blunder. I very much agree with that, but not because the top of Kiteworks is Israeli and ex-Unit 8200. That is just a cherry on top, worst-case scenario a red herring. No, because of the current geopolitical situation with regards to Trump and the CLOUD Act. Can you blame them for trying, given the situation and stakes? The acquisition occurred at the perfect time.

The TL;DR is not that an American or Israeli entity supposedly succeeded. It is that the Dutch government failed. And while Zivver is heavily in use in the Netherlands, it is also used within the EU. So we failed to serve the best interests of the EU here as well.

dlubarov 14 hours ago | parent [-]

Thanks for the added context, that sounds reasonable to have wanted the product to continue under Dutch ownership.

> I never wrote it was created as a front. I don't believe anyone asserted that.

There seem to be vague insinuations of a conspiracy floating around, rather than an explicit conspiracy theory, so I may have mischaracterized it. But for example, you mentioned elsewhere that "Mossad's way of operating is aggressive". Could you clarify what you're insinuating, if anything?

Fnoord 12 hours ago | parent [-]

Hmm, from EU PoV, given many other EU countries rely on it, I believe NL is a reasonable host, but other EU countries could be as well.

I'm no expert on that subject, just following Hubert's assessment that it falls in their M.O. (already linked), following Modderkolk's recent assessment on how Mossad operates [1]. Look at all the flak I get in this thread while I just went with the HN rule of using the title 1:1. Problem is all these sources are in my native language. And finally, yes, my suspicion is on high alert ever since the Maccabi riots in Amsterdam [2], to which Modderkolk also refers.

And yes, I am well aware every Israeli adult is ex-military [3]. If it were up to me, we'd restart this practice here in NL.

[1] https://podcasts.apple.com/nl/podcast/hoe-de-mossad-overal-t...

[2] https://en.wikipedia.org/wiki/November_2024_Amsterdam_riots

[3] https://news.ycombinator.com/item?id=46036671

SilverElfin a day ago | parent | prev [-]

There’s really nothing concrete in this “article”. It’s basically vague insinuations and conjecture and conspiracy theory, all in support of putting out content with something nefarious implied about all Israelis. In other words, it’s propaganda.