Bleu, S3ns: why reliable cloud offerings will certainly be subject to the Cloud Law

Another slap in the face for the French government and its highly controversial "trusted cloud" strategy. Is it enough to have a headquarters in France or Europe and to cut all capital ties with the United States in order to shield oneself from the Cloud Act, even while selling an offering built on American technologies? No, concludes a study carried out by the European office of the American law firm Greenberg Traurig LLP on behalf of the Dutch Ministry of Justice and Security, made public on July 26.

The Dutch government wanted to know whether the Cloud Act, the extraterritorial legislation passed in 2018 that allows US authorities to compel providers under US jurisdiction to hand over data regardless of where it is stored, applies only to US entities present in Europe, as is often said, or whether it can also reach 100% European companies, that is, companies whose headquarters are located in the European Union.

The Cloud Act may apply to companies that sell US software

The answer from the American firm Greenberg Traurig LLP (which can hardly be accused of serving a pro-European agenda) is very clear: "European entities may fall within the scope of the Cloud Act, even if [they] are located outside of the United States," the document states on its first page.

The lawyers point out, however, that European companies can reduce this risk by erecting a "Chinese wall" between themselves and the United States, in particular by employing no Americans and having no American clients. Such ties can serve as the footholds that justify action under the Cloud Act.

But according to the study's authors, even this anti-Cloud Act shield is insufficient if the entity uses US technologies. "The Cloud Act can access data via hardware and software contractors/providers, to/from cloud providers," says the report.

Yet this is precisely how Bleu, a joint venture between Orange and Capgemini, and Thales-owned S3ns will operate. Bleu will license Microsoft Azure's cloud software offerings (particularly the Office 365 suite), while S3ns will license Google Cloud's. Both offerings are presented as sovereign: their backers state that they will be impervious to the American Cloud Act because the service will be hosted in data centers located in France and marketed by a company governed by French law with no capital ties to the United States.

These precautions, along with other security measures, are sufficient for most businesses. But probably not for Bleu and S3ns, because for them Microsoft and Google are software providers whose services they market. Contacted by La Tribune, Greenberg Traurig LLP also confirms that, in its view, selling American software is enough to fall under the Cloud Act, even if the company is French.

This reasoning seems logical: in the digital economy, data hosting is merely a commodity. The value lies in the software infrastructure that powers the clouds and in the software that processes the data. To justify applying the Cloud Act to a foreign entity such as Bleu or S3ns, the United States must show that the entity has "sufficient contacts with the United States", and for many jurists the commercialization of licensed American technologies provides reason enough.

A "Chinese wall" that is possible in theory but extremely complex and expensive

Given that the French government has neither commissioned nor made public an in-depth study of the real impact of the Cloud Act on future "trusted cloud" offerings, the conclusions of the Greenberg Traurig report should be taken with a grain of salt.

For this reason, La Tribune asked other attorneys specializing in digital law to analyze the impact of the Cloud Act on trusted cloud offerings. "The only possible way forward for Bleu and S3ns is to partition the offering so that no person under US jurisdiction can have any access to it," explains Olivier Iteanu, a lawyer specializing in digital law. "This means there can be no American customers and, above all, not a single American employee in the structure; otherwise the Cloud Act applies," he warns.

The lawyer recalls the genesis of the Cloud Act, which followed the Snowden revelations of 2013 that exposed to the world the scope of the mass surveillance operated by US intelligence services in the name of national security. "The United States needed to legalize its mass surveillance practices so that the companies and people who cooperate with them would not face legal action after the fact. So they gave the Cloud Act a very broad scope of action. It is misleading to say that it only applies to US companies abroad and not to local companies."

Sonia Cisse, partner in technology law at Linklaters, says she "shares the analysis of the firm Greenberg Traurig" in that "trusted cloud offerings may be subject to the Cloud Act". She also insists on the need to erect a "Chinese wall" to protect against possible American intrusions as far as possible.

"In addition to preventing any American, even for technical support or data backup, from accessing the platform, full data segregation will need to be implemented. This requires a combination of very heavy, complex and extremely expensive measures: a technical and organizational Chinese wall, involving the very governance of the structures as well as human resources and communication between entities, which will have to be put in place and constantly monitored," she details, while pointing out the "many gray areas" that remain regarding the organization of Bleu and S3ns.

Backdoors and FISA: the other major risks of "trusted cloud" offerings

If the government, Bleu and S3ns have been rather cavalier in asserting, even before the trusted cloud offerings exist, that they will be certified by ANSSI (which is not guaranteed) and immune from the Cloud Act without any in-depth legal analysis, what about the other two elephants in the room, also masterfully ignored: the heightened risk of backdoors (spyware inserted into the code) and that of another US extraterritorial law, FISA?

First, FISA (the Foreign Intelligence Surveillance Act), whose surveillance provisions target non-US persons located outside the United States. This law allows US intelligence agencies to require cloud providers to install permanent devices capable of scanning all the data they handle outside the United States. This monitoring can be carried out with deep packet inspection (DPI) hardware, or invisibly at the level of the cloud's software infrastructure, that is, through the technology providers themselves. Yet Bleu and S3ns are not expected to have access to the source code of Microsoft's and Google's software, which is those companies' most precious trade secret. And even if they did, they would still have to find the backdoor imposed by the intelligence services.

These backdoors can also be illegal ones. This is the other major risk, for the data of operators of vital importance, of using foreign services. Microsoft's and Google's software is well known to US intelligence services, and it is certainly easier for them to break into US software they know than into another solution that benefits from the highest levels of security.

Trusted Cloud: "We will offer the highest level of protection against the Cloud Act" (Marc Darmon, Thales)