MP Philippe Latombe protests

The MoDem MP questions the validity of the offer announced for 2024. According to him, the technical and legal terms of the project are unclear when it comes to protecting customers against extraterritorial laws.

This is not Philippe Latombe’s first outing against the American clouds. The MoDem MP has already taken a stand against the practice of free credits from US suppliers. “It’s the first shot of heroin. Via free credits, it’s so simple to use their proprietary solutions and so inexpensive that young shoots tend to favor them at the risk of then being subservient to these players,” he explained to the JDN last February (read the article “In the cloud, the trap of free credits”). This time, Philippe Latombe is tackling S3NS head-on, the trusted cloud project unveiled on June 30, 2022 by Google and Thales.

The deputy tabled a question on the subject for the government on Wednesday in the National Assembly. Objective: to obtain a reaction from Bruno Le Maire or Jean-Noël Barrot. He also sent a letter to Guillaume Poupard, director of the National Information Systems Security Agency (Anssi), as well as to Marie-Laure Denis, president of the National Commission for IT and Freedoms (Cnil). A letter, published in its entirety below, in which Philippe Latombe details his argument.

“From a legal point of view, are we sure that a joint Thales-Google entity will make it possible to escape extraterritorial laws, and in particular the Cloud Act?” asks the deputy in the letter. “There is indeed the risk of an undervaluation of the reality of the sharing of shares between Google and Thales. If Google has de facto control of S3NS, in particular by playing on the number of votes, this will be subject to the Cloud Act.” A regulation which, let us remember, allows the USA to access data hosted by any American actor, regardless of their location, on simple request from the federal supervisory authorities.

Google will be present in the capital of the new company up to 24%. “This is the maximum level defined by Anssi’s SecNumCloud qualification in its latest version published in March 2022”, notes Alexandra Iteanu, lawyer at the Paris bar specializing in digital rights and personal data. A label that S3NS will have to obtain in order to be qualified by Anssi as a trusted cloud. “This qualification also involves data centers established in Europe as well as a company (in charge of the cloud offer, editor’s note) of European law”, adds Alexandra Iteanu. Conditions that S3NS aims to fulfill.

A structure deemed unclear

Another question put on the table by Philippe Latombe: the real ability of Thales to access the source code of the Google platform. “If Google owns the source code and does not provide access to it, does it not de facto control the data passing through its technology? Which, according to the Cloud Act, makes this data dependent on this legislation. The Cnil must answer this question,” insists Philippe Latombe. In this scenario, the Cloud Act would conflict with the SecNumCloud framework, which specifies, in black and white, that the cloud provider must not have “the practical competence to obtain the data operated through the service”. Finally, Philippe Latombe wonders about the protection against backdoors which could allow federal services to benefit from “diverted access to hosted information”.

The MoDem MP asks Anssi and Cnil to carry out an in-depth analysis of the legal and technical capacity of S3NS to protect its customers against the Cloud Act.

Do we have a choice?

For Alexandra Iteanu, Google and Thales obviously have every interest in responding transparently to these questions. “American cloud providers capture more than 70% of the market,” recalls the lawyer. “The key point is whether we want to continue to idly hand over our data to companies beyond the reach of our legal system, or whether the right alternative is to sign partnerships with them to hold them accountable and control them legally, and ultimately achieve a cloud that will be in line with our values and our rights.”
