MoDem MP Philippe Latombe sent two letters on July 4, one to the National Agency for the Security of Information Systems (Anssi) and the other to the National Commission for Computing and Liberties (Cnil), about the “S3NS” offer from Thales and Google Cloud. L’Usine Digitale had access to the content of these letters.
Misuse of terms
He considers that the partners’ use of the term “trusted cloud” is likely to “mislead buyers about the exclusive nature of this offer with regard to the ‘trusted cloud label’”. This label is part of the “Cloud at the center” doctrine presented last year by the government, which provides for the possibility of “hybrid offers” being compatible with “the trusted cloud”, a security label that includes compliance with the SecNumCloud reference framework. Anssi is responsible for awarding this coveted label, against a strict evaluation grid.
The MP criticizes the companies for playing on punctuation: “The Cloud. Of confidence. For France”. “What might appear at first glance as a simple awkwardness or a lack of inspiration is understood more as an attempt to smoke out, especially when you push the reading a little further”, he wrote in his letter to Anssi.
Some kind of false advertising?
He also regrets that the communication around the offer rests on a hypothetical element, namely obtaining the “SecNumCloud” label before the second half of 2024. “A food manufacturer has no right to say that he is organic if he is not: ‘buy my pasta now because it will be organic tomorrow’. No!”, he declares. Contacted by L’Usine Digitale, Thales defended itself by arguing that there was “no ambiguity”. “S3NS will provide (from 2024) an offer targeting the SecNumCloud label for a trusted cloud (…) This offer is built specifically with the aim of obtaining this label”, the company added.
Philippe Latombe raises several questions to which he expects answers from the Cnil and Anssi: “are we sure that a joint Thales-Google entity will make it possible to escape extraterritorial laws, and in particular the Cloud Act?”, “what guarantees are given by Thales on its real ability to audit the source code that will be provided by Google?” and “what protection against backdoors to prevent US services from gaining access to hosted data?”.
S3NS will not host classified data
Regarding backdoors, Thales told us that “S3NS does not aim to host classified data (e.g. Secret, formerly ‘Confidential Defense’), for which the appropriate solutions must meet other requirements”. Furthermore, “a set of security measures, compliant with SecNumCloud requirements and complementary to each other, has been defined – including physical and logical isolation of data, encryption, update control, source code auditing, supervision by probes and a Thales Security Operations Center (SOC) qualified by Anssi, etc.”, the company details. Again, only Anssi is able to decide whether these measures are sufficient to protect the data hosted by S3NS.
The MP also asks the Cnil to take into account all the consequences of the invalidation of the Privacy Shield, the text that allowed the transfer of data to the United States. The Court of Justice of the European Union ruled that US law does not comply with the requirements of the General Data Protection Regulation (GDPR). At the heart of the dispute was the ability of the American authorities to access the data of European citizens when it is hosted by an American cloud provider, even outside the United States.
After Google Analytics, hybrid offers?
In this regard, “I want to know if hybrid cloud offers are GDPR compliant or not”, says the MP, citing a recent Cnil decision finding that Google Analytics was not, because of the risks of data transfers across the Atlantic. “In my opinion, I think the same legal reasoning could apply to the cloud”, he judges.
The same problem applies to the “Blue” offer from Orange, Microsoft and Capgemini, which should also be certified “SecNumCloud” in 2024, according to the partners. The terms used would nevertheless be less problematic. “They didn’t go to the edge of the limits”, says the MP. “There, Thales and Google did what Americans do the most, which is to go to the end of the end of the end of what they thought they could legally do.”
The government faced with its responsibilities
In addition to the two letters, the MP asked the government a question (being transcribed) to which L’Usine Digitale has access. He questions Jean-Noël Barrot, newly appointed Minister Delegate in charge of the Digital Transition and Telecommunications, about the S3NS offer, with questions similar to those put to the Cnil and Anssi. In particular, he wishes to “know, with regard to the ‘cloud at the center’ doctrine announced more than a year ago, how the government plans to approach this file and the legitimate questions it raises in terms of data protection”. Barely arrived in government, Jean-Noël Barrot – unknown to the tech sector – therefore has his work cut out for him. Will he do better than his predecessor Cédric O?