Another slap in the face for the French government and its highly controversial “Cloud of Trust” strategy. Is it enough to have a head office in France or in Europe and to cut all capital ties to the United States to be protected against the Cloud Act, even when selling an offer built on American technologies? No, concludes a study carried out by the European office of the American law firm Greenberg Traurig LLP on behalf of the Ministry of Justice and Security of the Netherlands, made public on July 26.
The Dutch government wanted to know whether the Cloud Act, the extraterritorial legislation passed in 2018 that lets US authorities compel providers under US jurisdiction to hand over data regardless of where it is stored, in the name of protecting the United States, applies only to the European subsidiaries of American entities, as is often claimed, or whether it also reaches 100% European companies, that is, companies whose head office is located in the European Union.
The Cloud Act applies to companies that sell American software
The answer from the American firm Greenberg Traurig LLP (which can hardly be accused of serving a pro-European agenda) is very clear: “European entities may be within the scope of the Cloud Act, even though [they are] located outside the United States,” the document states on its very first page.
The lawyers point out, however, that European companies can minimise this risk by erecting a “Chinese wall” against the United States, in particular by employing no American staff and having no American customers. Either of these could serve as a Trojan horse through which a demand under the Cloud Act is served.
But according to the authors of the study, even this anti-Cloud Act shield is not enough if the entity uses American technologies. “The Cloud Act can reach data through contractors and hardware and software vendors to/from cloud providers,” the report says.
Yet this is precisely how Bleu, a joint venture between Orange and Capgemini, and S3ns, owned by Thales, operate. Bleu will license the cloud software of Microsoft Azure (in particular the Office 365 suite), while S3ns will offer that of Google Cloud. Both offers present themselves as sovereign: they claim to be out of reach of the American Cloud Act because the service will be hosted in datacenters located in France and sold by a company under French law with no capital link to the United States.
These precautions, together with other security measures, are sufficient for most businesses. But perhaps not for Bleu and S3ns, because Microsoft and Google are, for them, software suppliers whose services they market. Contacted by La Tribune, the firm Greenberg Traurig LLP confirmed that, in its view, selling American software is enough for a company, even a French one, to fall under the Cloud Act.
This reasoning seems logical: in the digital economy, data hosting is merely a commodity. The value lies in the software infrastructure that powers the clouds and in the software that processes the data. To justify applying the Cloud Act to a foreign entity such as Bleu or S3ns, the United States must show that it has “sufficient contact with the United States”, and for many legal experts, marketing American technologies under license gives them reason enough.
A “Chinese wall” is theoretically possible but extremely complicated and expensive
Since the French government has neither commissioned nor published an in-depth study of the real impact of the Cloud Act on the future “trusted cloud” offers, the conclusions of the Greenberg Traurig report should be taken with a grain of salt.
La Tribune therefore asked other lawyers specialising in digital law to analyse the impact of the Cloud Act on the trusted cloud offers. “The only possible way for Bleu and S3ns is to partition the offer in such a way that no person under American jurisdiction can possibly have access to it,” explains Olivier Iteanu, a lawyer specialising in digital law. “This means no American customer and, above all, no American employee in the structure, otherwise the Cloud Act applies,” he warns.
The lawyer recalls the genesis of the Cloud Act, which followed the Snowden scandal of 2013 that revealed to the world the extent of the mass surveillance carried out by the American intelligence services in the name of national sovereignty. “The United States needed to legalise mass surveillance practices, so that the companies and people who cooperate with them would not be exposed to legal action after the fact. So they gave the Cloud Act a very broad scope of action. It is misleading to say that it only applies to American companies abroad and not to domestic companies.”
Sonia Cissé, a lawyer specialising in technology law at Linklaters, says she “shares the analysis of the firm Greenberg Traurig” that “trusted cloud offerings may be subject to the Cloud Act”. She also insists on the need to put up a “Great Wall of China” to protect against possible American incursions as far as possible.
“In addition to preventing any American, including for technical support or data backups, from accessing the platform, a general partitioning of the data must be put in place. This requires a combination of very heavy, complex and very expensive measures: a technical and organisational Chinese wall, covering the management of the structures as well as human resources and communication between entities, which must be set up and monitored constantly,” she explains, while pointing out the “many grey areas” that remain in the organisation of Bleu and S3ns.
Backdoors and the FISA law, the other major risks for the “Cloud of Trust” offers
If the government, Bleu and S3ns have been rather cavalier in declaring, even before the trusted cloud offers exist, that they will be qualified by Anssi (which is not guaranteed) and immune to the Cloud Act, without any in-depth legal analysis, what about the two other elephants in the room, also carefully ignored: the heightened risk of backdoors (spying code inserted into the software) and that of another American extraterritorial law, FISA.
FISA, the Foreign Intelligence Surveillance Act, targets non-US persons located outside the United States. This law allows the US intelligence agencies to require cloud providers to install permanent devices capable of scanning all the data they handle outside the United States. This monitoring can be done with deep packet inspection (DPI) hardware, or invisibly at the level of the cloud’s software infrastructure, that is, through the technology vendors. Yet Bleu and S3ns do not necessarily have access to the source code of Microsoft’s and Google’s software, which is those companies’ most valuable trade secret. And even if they had access to it, they would still have to find the backdoor demanded by the intelligence services.
These backdoors can also be illegal ones, inserted without any legal basis. This is another major risk, for operators holding important data, in using foreign services: Microsoft’s and Google’s software is well known to the American intelligence services, and it is easier for them to penetrate American software they know than another solution that enjoys the highest level of security.