The unbearable lightness of the French authorities in matters of digital sovereignty

©SAUL LOEB / AFP

Atlantico: National Security Agency (NSA) it may soon have the power to force US institutions and other companies to spy on their consumers for their own benefit. To what extent could such a change of law affect even France? Could our companies, being linked to various US companies, be affected?

Pierre Beyssac: French companies are concerned, in fact, and have been for some time. This is a result of FISA, the Foreign Intelligence Surveillance Act, which allows the US government to spy on foreign clients for US companies, including outside US soil. We must also mention the Cloud Act, which allows the US government to demand from Microsoft, Google and other companies of this type access to the data of non-US companies that use their services. This also works to gain access to data stored on European soil. In short, then, our societies are already concerned with the potential problems of espionage by the NSA. The novelty stems from the fact that there is now talk of extending this way of working to all companies, as well as to all American residents.

Does this mean that our businesses are not protected at all? The situation is divided into several aspects. Three, actually: the terms of sale aspect, the legal aspect and the technical aspect. In the first case, American law prevails. Warranties given by terms of sale are worthless if they conflict with the law: secret services such as the US justice system will be able to invoke the latter to access the data in question even if it is against the terms of sale. We must also consider the legal (or even strictly illegal) dimensions that have sometimes allowed the Secret Service to increase the number of wiretapping, both on American soil and abroad, as Edward Snowden has shown. It is in the nature of secret services to circumvent the law for reasons of counter-terrorism or economic intelligence.

It is very difficult, as it stands, to say which French companies are of particular interest to the NSA. Airbus has been the subject of espionage in the past and, broadly speaking, all of our major groups are potentially at risk. In all cases, it must be understood that data stored on the US service is likely to be intercepted, intercepted, used. Therefore, it is up to the users of these services to know the sensitivity of the data they store there. Especially since the NSA is a powerful organization, capable of using sophisticated means to recover this information… with or without the cooperation of the companies in question or the chosen host. Without it, it is always more difficult, but not impossible.

What does this situation say about the way France and its authorities ensure our digital sovereignty?

Let’s start by remembering that most of the big French groups are unaware of the situation. They tend to underestimate the sensitivity and usefulness of their information and therefore do not hesitate to choose a simple solution consisting of using American services instead of French ones. They are often considered more efficient and offer interesting features that these large groups will not have to develop in-house. Many of our companies feel that they do not need to develop IT resources, as long as American companies offer them. At the same time, our data is stored on American (or Chinese, the same logic also applies) servers, which is not without problems. This provides an angle of access to the NSA as well as other relevant intelligence services; not forgetting the American competitors.

CAC 40 companies, as well as some of our management, are well aware of the problem. They sought to obtain sovereign guarantees from the French state… so much so that this is a topic that Bruno Le Maire addressed a few years ago. At that time he spoke of the “Sovereign Cloud”. In fact, it was little more than an American cloud, but it was re-marketed using a legal agreement that was supposed to protect our business. Unfortunately, this is a rather symbolic protection, which does not offer real technical shields and which above all allows French companies to absolve themselves of any responsibility in case of problems. An opportunity, therefore, to continue using the American system while claiming that it has taken the necessary measures. Therefore, we can legitimately talk about the ease with regard to the management of our digital sovereignty, and the CNIL has already made it clear, on the occasion of various files on these issues, that it is not satisfied with our political choices, although it could not say much. However, it must be emphasized that things are moving in the right direction, as evidenced by the Law on SREN, whose provisions on the issue of sovereignty are relatively positive.

What measures should be taken to limit any risk to our sovereignty?

It is necessary to carry out a revaluation of public procurement from French companies. It is a complex project as buyers, public or not, prefer to talk to players of their own size and therefore do not like to deal with SMEs. Their particularly long payment terms lead to discussions with the SME complex, as well as those related to the conclusion of contracts. This is where we have to work, if we want to decide on a real solution: we have to help the small French players to appear, trade, make offers and sell their offers to local players. We must, fundamentally, create the conditions necessary for the growth of our digital players so that they ultimately become comparable to their foreign competitors.