Trusted cloud projects are multiplying and often raise questions. This time it is S3ns, the future cloud between Thales and Google, which alerts MP Philippe Latombe who accuses the project of launching misleading and premature communication.
On the day of the appointment of Jean-Noël Barrot as Minister Delegate for the Digital Transition and Telecommunications, MP Philippe Latombe sent two letters that tease the S3ns project, the future cloud of trust between Thales and Google which should arrive in 2024 according to information from La Tribune.
If S3ns is not the only project of its kind to be built at this very moment, it is the one that would raise the most questions for the MoDem deputy. Indeed, communication around Bleu, the Orange/Capgemini project powered by Microsoft technology, would be less problematic.
The first of the two letters is addressed to the Commission Nationale Informatique et Libertés (CNIL) while the second was intended for the National Agency for the Security of Information Systems (Anssi) so that these two institutions look carefully at the project S3ns.
The objective according to La Tribune would be for them to observe the legal structure of the company as well as its ability to really protect the data of so-called operators of vital importance, who could subscribe to offers from this trusted cloud and who are already invited to take offers from Google before being transferred to S3ns when the service becomes available in 2024.
With these various elements and the misleading communication, Phillipe Latombe believes that the CNIL should also self-seize to rule on the legality of the device with regard to the GDPR and asks Anssi to assess the qualification of trusted cloud given the use of Google technologies.
Is the cloud helped by Americans compatible with the GDPR?
Philippe Latombe wonders above all about the legality of the device with regard to the GDPR:
Are Google Cloud and Microsoft Azure GDPR compatible, even wrapped up in a joint venture under French law? The cloud is the bedrock of the digital economy but no one seems to be asking this crucial question. Since the EU believes that US extraterritorial laws violate GDPR, should life-saving operators be required to use US cloud technologies to house their most sensitive data? Can the French players – Thales with S3ns, Orange and Capgemini with Bleu – really protect this data when in theory they will not have the capacity to audit the source code themselves? We have to stop hiding our faces.
In addition, for the moment, the offers offered by Google and which can then be transferred to S3ns, are not completely free of privacy issues. Google has had servers in France for a few weeks but in third-party datacenters, and they still remain subject to the cloud act. The United States authorities can therefore have access to the data on these servers, which can pose a problem for hosting sensitive data on these so-called trusted clouds.
And there is no guarantee that backdoors will not be installed on the software in question so that the United States can have discreet access. Especially since Thales but also Orange and Capgemini will only have a few hours to check a source code which may have taken months to be developed by Google or Microsoft before putting it online for its French customers.
Concerning the communication around the various projects, Philippe Latombe regrets that transitional offers are already sold, while implying that they would be validated Cloud of confidence gold for the moment this is not always the case. The label will only be awarded when the final service is available.