The “Black Box” project proposed by the French government goes, in some respects, further than what the US was criticized for with the Patriot Act. This measure, which allows all the traffic of a hosting provider or an Internet service provider to be tapped at any moment in order to look for potential terrorists, seems relatively futile, very poorly targeted and economically counter-productive.

Indeed, the goal seems futile because the targeted people already know how to use anonymous networks such as Tor and VPNs to encrypt their connections and make them terminate somewhere else. They also already use encryption algorithms (such as PGP), many of which are considered secure to this day, which will mean interpreting an unreadable numeric soup rather than useful information.

Moreover, the recent attacks were perpetrated by individuals who were already known to the Ministry of the Interior; until now, the latter has not needed to listen to the whole Internet to identify them.

It seems completely useless to try to identify already known individuals, who communicate in encrypted form, by analyzing terabytes of data every day looking for a signal which probably won’t be there, or at least will be drowned in the immensity of information. All the more so since, the law being public, any use of networks for attack purposes will happen somewhere else, in another country or through another network and, there again, in encrypted form.

On the other hand, the constraints imposed on hosting providers seem excessive, given that they violate international security standards such as PCI/DSS or ISO 2700x, which do not allow the inclusion of external equipment that is not controlled by the hosting provider. This law will thus make French hosting providers lose most of their certifications and force them to open their networks to third parties, which are often not well secured. It hardly seems necessary to point out that numerous state sites have already been compromised, which will create even more danger for hosting providers and their clients: risks that the hosting providers will not control.

Besides, and this is the most serious point, clients will simply have their websites hosted elsewhere, in a country at our borders that respects communications and private life. That was already the effect of the Patriot Act at the time, even though its scope was smaller. No doubt it will destroy a part of our economy, one of the rare ones still growing, which seems disproportionate, especially to get no result in the end.

All the more so as the law does not seem to set a perimeter for this systematic tapping. Even if we host no forums, no exchange places, no VoIP and no blogs, this device will still be imposed. It seems useless, since the wanted people would not be able to use any service offered by this type of hosting provider, and yet the latter will have to install the black box… Conversely, the use of Skype and other exchange networks not controlled by these devices seems common among the people targeted by these measures, and these means of communication are hosted abroad (and, there again, encrypted).

Many questions remain that will be dealt with by jurists and parliamentarians whose specialty does not necessarily seem related to the architecture of communication networks. There remains, for instance, the definition of the boundaries of this tapping. Will the VPNs with our clients also have to be tapped, each with a separate black box? Or will we have to join all these VPNs together in the same place, which would pose a colossal security risk, just to save some money and have only one black box to deploy? Is IP telephony affected? Are our telephone conversations also targeted?

Finally, what guarantees will be given against the abuse of this power? And why not let judges, as is the case today, arbitrate the legitimacy of a tap and order it if needed, as the law already allows? Why would it be the jurists’, Parliamentarians’ and Senators’ responsibility to decide who, when and how? What will guarantee that the political authority in place at a given time will not use it as a weapon against its opponents?

Mr. Prime Minister, Ladies and Gentlemen the Congressmen and Senators, we cannot emphasize enough that all this, beyond being useless in terms of results, seems to be a very bad direction to move in, both for the confidentiality to which no one will ever be entitled again and for the fact that it will kill a part of our economy, one of the only ones still growing.

We thus join other French hosting providers to solemnly ask you to reconsider the project.

Read our other articles about the subject:
– Why the « Intelligence Bill » or « Black Box » project is technically unrealistic
– “Intelligence Bill” or “Black Box” project: another view of the tapping

Philippe Humeau
Philippe co-founded NBS System in 1999. After a focus on cybersecurity, which he never gave up, he discovered a passion for e-commerce from 2008 on. Pentester, CTO, CCO then CEO, Philippe’s multifaceted profile led him to become OT Group’s Marketing and Strategy Director.