All governments, including Canada, must preserve the privacy of their own citizens. In terms of national risk, it is a very bad proposition for citizen identification to depend on a third country, for any reason whatsoever.
Currently, the Netherlands has an online petition to prevent the sale of DigiD, the authentication system used to grant access to many government portals. A U.S. technology firm is seeking to purchase one of the companies involved.
As a result, the Dutch Parliament has requested that the government halt the sale of Solvinity, one of the companies behind the national digital ID system DigiD, to the U.S.-based multinational Kyndryl. The petition claims that this sale represents a national security risk.
Solvinity is a managed cloud and IT services provider focused on secure infrastructure for mission-critical workloads, including government systems, but it is not a hyperscale cloud provider like Azure or AWS.
Solvinity
Petition (original language: Dutch)
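- Bescherm DigiD, data en staatsveiligheid: stop de Amerikaanse overname Solvinity (Protect DigiD, data and state security: stop the American takeover of Solvinity)
- Stop de overname van onze DigiD-partner; onze digitale identiteit niet als handelswaar (Stop the takeover of our DigiD partner; our digital identity is not a commodity)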
Canadian perspective
From a Canadian perspective, the principle that a government portal authentication system must be controlled 100% by the government behind it is the ideal solution. Under no circumstances should a country such as the United States have any of the following:
- Cloud service of any kind
This means the company can legally be compelled to provide access to other entities of that country, specifically through court orders. Even where such access is not automatic between two countries, the USA is known to overreach when it wants to obtain it.
- Any backup copies, for any reason whatsoever, even if encrypted.
- Any control over the authentication code itself
Such code can be modified at any time by the supplier. Even if the code is fully legitimate today, there is no guarantee that the entity will not later install backdoors, collect data from unauthorized systems, or otherwise abuse the trust of the country.
In IT security, this would be phrased in a more concise, technical manner:
- No mixed jurisdiction at the trust anchor
- No foreign legal reach over authentication infrastructure
- No foreign-controlled update channels
- No dependency on opaque vendor security claims
Does this apply to Canada?
Canada is in a weak position regarding the sovereignty of its population's information. Facebook, Google, and many other U.S. companies regularly store or process data outside of Canada.
If not the database, then the software
Even for Canadian portals (government, banks, and likely medical access), Canada and its provinces rely heavily on software from U.S. suppliers such as Microsoft (known for user surveillance), Google (self‑explanatory), Adobe (problematic history), and Cloudflare (serious concerns). All of these companies can change their code in ways that could compromise Canadian users if they wished. Depending on them is a terrible idea.
Given the current relationship with the United States, Canada should ensure that:
- All databases used to authenticate Canadians should be hosted on Canadian servers, including those used indirectly through platforms such as Facebook, Google, or Amazon.
Regarding government, banks, and medical databases:
- These systems must run on infrastructure owned either by the Canadian government or by companies under 100% Canadian control.
No Azure. No Adobe Cloud. No AWS.
- All government agencies — from the federal level to the smallest municipality — as well as all Canadian banks and medical databases should participate in a nationwide authentication system in which it is illegal for any part of the process to rely on foreign servers or foreign‑controlled software development. (Yes, Canada will need Canadian programmers to achieve this.)
- Data brokers, such as credit bureaus, must also be placed under 100% Canadian ownership and control.
