a technological… and political choice – L’Express

“When we woke up this morning, we already had 10 times more new users than yesterday.” On the other end of the line, Thomas Baignères still struggles to believe it. The government has suddenly made his application, Olvid, the means of communication for its ministers and their teams. According to a circular dated November 22, but revealed Wednesday November 29 by Le Point, they now have until December 8 to install this ultra-secure messaging app, and to stop chatting at work on apps such as WhatsApp, Telegram, Messenger, or Signal. A massive advertisement for the start-up, created in 2018, which until now claimed only 100,000 users. The Minister Delegate in charge of Digital, Jean-Noël Barrot, already a user for more than a year, promoted it in person on X: “It is French, certified, encrypted, does not collect any personal data […]. In December, the entire government will use Olvid, the most secure instant messaging in the world.” Meanwhile Matignon took the liberty, in passing, in its circular, of castigating its competitors for “flaws [that] do not ensure the security of conversations and information shared through them.”

The government is logically continuing to secure its communication channels. Other recommended applications include Tchap, designed and managed by the French administration. And its criticisms of messaging apps hit the mark, particularly with regard to Telegram, “a nightmare in terms of security”, says Thomas Baignères, who also holds a doctorate in cryptography. He criticizes the absence, in certain conversations, of “end-to-end encryption” (the technology that keeps exchanges confidential). He is not the first to be upset; cybersecurity companies like Kaspersky have also raised the problem. A first hypocrisy, however: it was the politicians themselves who popularized its use, echoing the fallacious marketing the application adopted to seduce them. Telegram subsequently specialized in massive conversation groups, very popular with small terrorist groups and Russian disinformation actors. It remains a privileged channel of exchange between politicians and journalists.

WhatsApp and Messenger are not exempt from criticism either. Although the former operates with a solid encryption system, its code is not open source (unlike Olvid's, for example), which prevents independent researchers and observers from knowing how the application really works. “A whole section of its security features are not activated by default,” adds cybersecurity specialist Olivier Blazy, professor at the Ecole Polytechnique. Marketed by Meta, these apps are also based on the exploitation of users’ personal data. Disqualifying for professional and sensitive use.

The Signal case

The criticisms, however, are more unfair when it comes to Signal. Since 2014, the non-profit company has been offering this messaging system, recognized in the industry as very secure. Endorsed by former NSA contractor Edward Snowden himself, and creator of a rigorous security protocol, “Signal has been widely analyzed and put to the test by the academic world”, comments Olivier Blazy, who has personally studied the security of the app. The European Commission recommends it. The president of Signal, Meredith Whittaker, a great defender of privacy on the Internet, took issue this Thursday on X with the wording chosen by Matignon, which evoked “security flaws” in order to denigrate existing applications. “This claim is not supported by any evidence and is dangerously misleading, especially coming from a government […]. If you want to use a French product, go for it! But don’t spread false information.”

Signal is mainly criticized for its very classic architecture: like all other messaging services, its servers host a centralized contact directory, where the telephone numbers of all users are stored. These are personal data as defined by the GDPR, the European data protection regulation. Olvid obviously has servers too, but only cryptographic keys pass through them, “linked to nothing, neither account, nor first name, last name or telephone number”, says Thomas Baignères. “On the Internet, a whole bunch of intermediate infrastructures over which we do not always have control can be compromised.” This choice of extreme caution has proven fruitful, since Olvid is the only application certified by ANSSI, the French cybersecurity watchdog. A guarantee of quality put forward by the government in recent days.

But Olivier Blazy points out that the certification process is voluntary, and is only valid for the version submitted to this test (Olvid's already dates from 2020). And that a centralized directory of users – certainly involving an element of risk – has its usefulness. “It’s always better for the government to know who is on the system, especially when you want to promote transparency,” he explains. A directory allows the app to suggest contacts, helping it to become more viral. Without a telephone number or synchronization of friends lists, you have to send manual invitations on Olvid, via a QR code in particular, in order to initiate a conversation with someone. Olvid, for its part, offers private directories – hosted directly within companies – in a paid version. Not very convenient, unlike the mass-market compromise found by Signal, which is completely free. “Olvid and Signal, in certain use cases, each have their advantages and disadvantages,” says Olivier Blazy. A draw?

Darmanin against encryption

Olvid readily admits it: its system, like Signal or WhatsApp, is not infallible against one of the biggest threats weighing on politicians: spyware, Pegasus being the best known example. “Anyone who assures you that they protect you 100% is a charlatan,” warns Thomas Baignères. The government makes no secret of it: Olvid has one big advantage above all, that of being French. “I encourage the French to choose French Tech solutions: it is the best way to guarantee our sovereignty,” Minister Jean-Noël Barrot also posted on X. This is perhaps what explains the executive's enthusiasm for security and, in particular, end-to-end encryption. With, once again, a touch of hypocrisy.

Was it not the Minister of the Interior, Gérald Darmanin, who called in April to “break” the encryption of applications used by the ultra-left, or, in October, expressed the wish to obtain “backdoors” in encrypted applications for anti-terrorism purposes? “If I am elected, France will launch a major initiative this summer aimed at large Internet groups, so that they accept a procedure for the legal requisition of their encrypted services in the fight against terrorism,” Emmanuel Macron had also declared during his first presidential campaign, in 2017. “It is not technically possible. Nothing will ever be done”, says Thomas Baignères dismissively. But countries have tried it, such as the United Kingdom, which recently introduced in its major digital security law, the Online Safety Bill, a breach in encryption by forcing messaging services to detect illicit messages. And even if this provision will ultimately not be applied, the message sent to the rest of the world is not very reassuring.

France now has a golden opportunity with Olvid to clarify its position. The European Parliament’s Civil Liberties Committee is currently examining a regulation that could call encryption into question in the name of “child protection on the Internet”. A “chat control” (message control) project denounced by many online rights organizations. But, for now, it must be said, not so loudly by the government itself.
