The NTR Supervisory Board will immediately cease cooperation with the agency investigating the internal work culture at the broadcaster. The investigation was conducted by CAOP, a knowledge center in the field of labor affairs, among others, and has now been discontinued. During the investigation, multiple shortcomings were found that affected the privacy of employees.

“The developments in July were not conducive to trust in CAOP. After yesterday’s new error, that trust has disappeared,” the NTR supervisory board wrote to staff. “As a supervisory board and a client, we are also responsible for this situation and this is difficult for us.” The board will now consider what form the investigation will take.

The investigation into NTR stems from the report of the Van Rijn Commission, which investigated abusive behaviour in public broadcasting on behalf of the NPO. This included mention of NTR when it came to the working environment. Staff pointed out the lack of a clear policy for staff and leadership. The NTR Supervisory Board then decided to conduct its own investigation by the CAOP. Media Director Willemijn Francissen then resigned to make way for the investigation.

But the research didn’t go well. NTR had to stop an employee survey on social safety in the workplace twice. The digital security of the survey turned out to be insufficient, meaning that the promised anonymity could not be guaranteed. NTR employees discovered that it was also possible for managers to view the answers of colleagues who had partially completed the survey. An employee could also complete the survey for another colleague who had not yet participated. NTR then reported the data breach to the Dutch Data Protection Authority.

The investigation was stopped and the security situation will be improved. Things went wrong again. Employees should only be able to complete the new survey after verification, using a unique login code. But this week it emerged that employees could also answer the survey without this code. Then the investigation was stopped again.

CAOP uses Crowdtech software. These parties also conducted the Van Rijn Commission’s nonprofit research.

According to CAOP, the data breach may have been caused by “human error.” An important box was not checked, according to the organization. “While making mistakes is painful, this is painful for the investigating agency.”

News hour The information from reporters about the data breach and the CAOP Foundation has been provided to several software experts. According to Eric Paul, an assistant professor of digital security at Radboud University, there is a bug in Crowdtech’s software. “Surveys should never be accessible to other participants, regardless of what options you have selected or left unchecked.”

Leaving the customer, in this case the CAOP, to tick the right box is irresponsible, says Herbert Bos, professor of computer systems security at Vrije Universiteit. “You don’t say with a car: you have to press these buttons before you get on the road, otherwise the brakes won’t work. There’s no scenario where you want to drive on the road without brakes.”

According to Marco Sprott, professor of advanced data science at Leiden University, it is “very likely” that other similar studies conducted using Crowdtech software also have these security risks. “The fact that someone can change the URL is not something you want and is technically unnecessary. I am almost certain that insect He was also present at the Van Rijn investigation. He has just come out now.”

Crowdtech does not want to respond substantively to the criticism, but refers to the CAOP. The CAOP does not want to answer technical questions about Crowdtech’s program. The organization states that Crowdtech is accredited, but does not want to address specific questions about the underlying research methodology.

According to CAOP spokeswoman Patricia De Broeckaert, the NTR data breach is an isolated incident. “First it was human error, and the second time it was an unfortunate connection. It has nothing to do with the security of the software.” She says that security firm Fox-IT examined the questionnaire and software after the first NTR investigation and found them to be secure. So the NTR case “has nothing to do with the security of Van Rijn’s research or any other research.”

The nonprofit states that it has not currently received any indications or reports from (former) employees or from CAOP that this was also the case at that time. “We will inquire with CAOP as to whether this is also the case during this investigation.”