France is working hard to avoid becoming a digital colony of the US or China. Last month, both the French National Assembly and the French Army Ministry declared that their digital devices would stop using Google as their default search engines. Instead, they will use Qwant, a French and German search engine that prides itself for not tracking its users.
“We have to set the example,” said Florian Bachelier, one of MPs chairing the Assembly’s cybersecurity and digital sovereignty task-force, which was launched in April 2018 to help protect French companies and state agencies from cyberattacks and from the growing dependency on foreign companies. “Security and digital sovereignty are at stake here, which is anything but an issue only for geeks,” Bachelier added.
These days, hearing French politicians taking a bellicose stance on technology is becoming increasingly frequent. Just days before the Qwant decision, France’s secretary of state for digital affairs, Mounir Mahjoubi, had thundered against the United States’ Cloud Act, a new law that would allow the US to access data stored on American companies’ clouds wherever they are located in the world. He said France was already preparing a response with other European states to “weigh in” on the issue.
Although relatively novel, the concept of “digital sovereignty” can be roughly summarised as a country’s push to regain control over their own and their citizens’ data. On the military side, it includes the ability for a state to develop cybersecurity offensive and defensive capabilities without relying on foreign-made technology; on the economic side, it encompasses issues spanning from taxation of big tech to the creation of homegrown startups.
In France, this all started with Edward Snowden. In 2013, when the American whistleblower revealed that the NSA was spying on foreign leaders and had important capability to access data stored on private companies’ clouds, it was a wake up call for French politicians. A senate report that same year fretted that France and the European Union were becoming “digital colonies”, a term that since then has been used by French government officials and analysts to alert about the threat posed by the US and China, on issues of economic, political and technological sovereignty. Recent scandals, including the Cambridge Analytica-Facebook imbroglio, further shook French politicians and public opinion.
“With Cambridge Analytica, politicians realised that digital sovereignty was a significant political issue,” says Julien Nocetti, researcher at the French Institute for International Relations (IFRI). A survey following the scandal showed two thirds of French people did not trust social networks and worried about how their data were being used.
French president Emmanuel Macron has been particularly vocal about reclaiming France’s independence from foreign technology companies – especially on matters of data protection – showing opposition to domineering American and Chinese companies and their government’s policies on digital issues. Most recently, at the Internet Governance Forum, Macron called for stronger rules to preserve citizens’ privacy, safety, and access to the internet.
“If we don’t regulate the internet, the risk is to upset the fundamentals of democracy,” said Macron on November 12. “If we don’t regulate [companies’] relations to data, the rights our citizens have on their own data, their access and sharing – what is the point of democratically elected government?”
To fight the battle over its digital sovereignty, France has first of all turned to regulation. Already in 2008, to protect its own data and concerning its critical national infrastructures, France established a defensive agency, ANSSI. A few years after its creation, ANSSI’s work led to a cybersecurity law on “sensitive national actors”, which was implemented in 2013 and later served as a model for the 2016 European Network and Information Security (NIS) directive. With this law, France established stricter cybersecurity standards for firms and state agencies that are critical to the functioning of the country.
“We made the choice in France to impose cybersecurity on the most critical entities, in order to buy time and better work with them,” says Guillaume Poupard, ANSSI’s director. “We were the first in the world to do it because the French context works well with regulations, it’s a tool at our disposal which is politically more acceptable than in other countries.”
That does not mean that it all worked smoothly: in 2016, the DGSI, one of France’s intelligence agencies, was criticised for using software by American firm Palantir – famously a contractor of the NSA – to handle some of its data. Following that controversy, ANSSI started working with other ministries and French private firms to build an alternative software to Palantir, and develop alternative strategies for clouds – which are often hosted on servers outside of the European Union – to be able to keep data within the European Union and analyse them without fear they could be accessed by foreign companies or states. A French alternative to Palantir, ARTEMIS, has been in the works since 2017, and is expected to have a first version by the end of 2019.
“We need to master some technologies to master our sovereignty,” says Poupard. “We need to develop solutions to be able to handle data at the European level and to not have to depend on other countries.”
But for Poupard, focusing solely on French digital sovereignty would miss the mark. Coordination and cooperation of all European countries could lead to stronger and more efficient solutions, especially given the interdependence of the European Union’s member states. “The good scale, for technological and economic purposes is the European scale,” he says. “We clearly need a strong Europe, and not solely a strong France, or Germany or England.”
France cooperates with European states in multilateral institutions but has also established stronger partnerships through bilateral agreements with Germany and the United Kingdom. According to Poupard, the relation with the UK is strong enough to withstand Brexit.
In 2016, a French official from ANSSI was elected to chair of the executive and management board of ENISA, the European agency in charge of network and information security. The French agency stated the election “underlined France’s commitment to the strengthening of Europe’s cybersecurity”.
While cooperation on cybersecurity might be underway, analysts are more skeptical about France’s progress on other issues related to digital sovereignty, such as protection of national data on extraterritorial clouds, regulation and taxation of American and Chinese technology giants, and economic support and development of digital companies.
“The French discourse today positions itself more or less at the forefront of the European strategy to acquire more digital autonomy. But beyond the communication, little is currently being developed,” says Nocetti. “For example, regarding [US tech giants Google, Apple, Facebook, and Amazon] , France tends to use doublespeak; its public discourse, is critical but in practice, it accommodates [these firms].”
Bernard Benhamou, a former government official and analyst at the Institute for Digital Sovereignty, laments the lack of an digital industrial policy to support the development of the future big players, despite the government’s rhetoric.
“We need to think about digital sovereignty not in a defensive way like it’s often done but by inventing the companies of tomorrow,” he says. “Europe and France are reacting to the situation. Instead, we need to develop industrial and economic policies to create the next tech giants.”
For him, Europe and France need to create alternatives to American and Chinese tech titans, support budding startups that often relocate or get bought by American investors but also invest in growing technologies like artificial intelligence. The issue is the next battlefield for sovereignty since data is critical to its development. China and the US have already understood what’s at stake.
This article was originally published by WIRED UK
