In June 2013, the revelations of Edward Snowden confirmed the public's suspicions of widespread surveillance networks. Many questions about the true extent of this surveillance remain.
In France, in an atmosphere charged by terrorist threats and attacks, an intelligence bill that opens the door to massive and widespread surveillance of individuals and businesses is being passed by the National Assembly on April 13, 2015. It can become effective as soon as the end of this year, possibly before the end.
The French government's intent may be to support existing practices, and make them legal and acceptable. If that's the case, then it has followed the recommendations of the Digital Liberties Commission of the National Assembly to "(... ) set up a consistent global legal regime, protecting fundamental freedoms for intelligence activities. " According to the Commission, this regime must strike a fair balance between the need for public safety and the right to respect for private life, correspondence, and personal data. The commission challenged several provisions of the law, however.
Among the provisions of the law challenged by the Commission, the "black box" is one that has us most alarmed.
This automatic data analysis device, the installation of which would be mandatory for service providers, is designed to automatically collect data on suspicious activities. The details and scope of such automatic detection and collection are very blurry, and the lack of clarity has survived into the final law.
The mandated surveillance is similar to mass spying by the NSA, intercepting a large portion of Internet traffic looking for "suspicious" behavior according to an algorithm, obviously confidential and therefore a source of much fear. The potential for misuse is high, and the consequences important.
Gandi has always shown its commitment to respect for data privacy, net neutrality, and the right to freedom of expression online. We do this through support of advocacy organizations like the EFF and others, who help ensure that the rights of Internet users are protected.
Our speaking out on this bill is part of this historical tradition, and comes from our desire to inform as many people as possible, so everyone can form their own opinions.
We encourage you to visit the site of sous-surveillance.fr, to speak out about the bill, and let the parliamentarians know your opinions.
It's not over until it's over
Following our publication of a joint press release with the some of the main French hosting companies, we were invited to a meeting on Wednesday, April 15 at the Ministry of the Interior, attended by Minister of the Interior Bernard Cazeneuve, Minister of the Economy, Industry and Digital Affairs Emmanuel Macron, and Minister of State Axelle Lemaire.
We want to let you, our customers, know what we learned at this meeting about the separation of powers, the protection of personal data, and how this law will apply these principles. First, we want to emphasize that this law applies only to data centers based in the country of France. If you choose to host your data on Gandi's systems in our Luxembourg data center, or our US data center, this law will not apply to that data (though other laws will, and in the case of the US, this may also be of concern).
The law itself was presented to us as largely complete, and subject matter experts like ourselves were not consulted beforehand. Our ability to influence it was therefore limited to offering amendments on its application, and in doing so we focused on ways that ensure that Gandi will remain the architect of our network and its servers.
We are working on an infographic showing the various information exchanges, as provided to date in the text of the law. We will publish it here when it is ready.
We have secured the following amendments:
1. We will ensure, as we already do for any request from the authorities, strict respect for the scope defined by the CNCTR (a new National Intelligence Commission): "Operators have the option, as indicated in section L.861-3 of the domestic security law, to determine for themselves whether content will be excluded from this data processing." See the amendment (in French).
2. This will not be a comprehensive, global monitoring system but specific and ad hoc measures, the implementation of which is limited to a well-defined technical scope. The collection devices, classified "Secret Defense", can only be put into operation within the strict framework of the War on Terror.
3. Gandi will be able to ensure that content data are excluded from automated data collection processes. Any request to transmit specific content hosted by Gandi or to identify a specific customer will be subject to common law practices already in place.
4. The emergency procedure ("panic button") is no longer applicable to the data collection aspect of the law, ensuring the consultation of the CNCTR before any implementation of any surveillance measures.
We have always safe-guarded the privacy of our clients' personal data. Now more than ever, we will remain vigilant and continue to keep you informed of developments in this area.
We want to be very clear: we do not agree with the spirit of this law. We hope the way it's applied is one we are able to live with, in a country where the majority of the population simply does not seem to care. Otherwise, it would be with great sadness and total seriousness that we would be forced to take whatever actions we deem necessary, whether that be through legal recourse or through the migration of our resources and infrastructure elsewhere.
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."- Benjamin Franklin