Digital sovereignty: recurring attacks on European free software

Picture: Pixabay / CC0

The “Annales des Mines” published this September the number 23 of their series “Digital issues”, entitled “Digital sovereignty: ten years of debates, what next?». Online (PDF of 145 pages), this issue has about twenty authors, whose contributions are arranged in three parts: “The multiple observations of a deficient digital sovereignty”, “The strong links of digital sovereignty” and “Avenues and levers of action”. Dense readings to ponder, in which I point out more particularly a contribution directly related to the themes of this blog: in the first part, Jean-Paul Smets, among others founder of the free software publisher Nexedi, wrote a text, “Digital confidence or autonomy, we must choose” (p. 30 to 38 of the PDF).

“Unfavorable market conditions for free software”

This article is to be read in detail, but to give an idea, here is its summary and some passages:

“Trusted digital technology, the exorbitant role of the National Information Systems security Agency and European regulatory inflation create unfavorable market conditions for many European digital technologies and free software. Together, they are accelerating the adoption in France of American cloud technologies that are not immune to unauthorized access by a third state. They increase the risk of a general outage by promoting centralized cloud offerings that are not very resilient. In terms of cyber risk management, the notion of “transparency” offers an alternative to “trust” to strengthen European industrial autonomy in digital technology on a resilient technological basis immune to unauthorized access by a third state.»

Taking up the criticisms of the French cloud strategy that he has already expressed, Jean-Paul Smets emphasizes that two years after its announcement by Bruno Le Maire in May 2021, “our data hosted on American clouds are not protected, whether at large health operators such as Doctolib which suffers sensitive data leaks or with the Health Data Hub which continues its activity in violation of the General Data Protection Regulation (GDPR)”.

“The key mechanism for excluding public contracts from European technological offers is the “SecNumCloud” qualification issued by the National Information Systems Security Agency (ANSSI). (…) What this qualification favors is above all the centralization of infrastructures and the formalization of procedures: centralization of risk management, supplier approval procedures, background check procedure for candidates for employment, access control procedure for physical facilities, etc. The major French digital companies excel in this field, just like their international counterparts.

This prejudice of the ANSSI is also explained by the omission of the fabric of extremely competitive European SMEs in the field of software and whose main customers are for export. The Grenoble company VATES, publisher of the XCP-NG infrastructure software, offers a French equivalent of VMware, the American proprietary software used in almost all the qualified “SecNumCloud” clouds to date. VATES generates 95% of its turnover from exports. The scikit-learn project, hosted by the INRIA Foundation, is the leader in learning tools, one of the most widely used branches of artificial intelligence. He has among his financers Microsoft, Fujitsu and the Boston Consulting Group.

Together, European SMEs are able to offer competitive, pioneering and complete cloud offerings, from IaaS to PaaS, industrial edge computing and virtualized 5G.”

“SMEs and individual authors mainly”

However, emphasizes Jean-Paul Smets, “Free software, by involving many developers in the creation of a shared work, is one of the most successful forms of industrial development. Free software is created and published in Europe mainly by SMEs and by individual authors, more rarely by non-profit organizations. Their security is based on social mechanisms of shared trust based on mutual recognition between peers and not on bureaucratic audit procedures.»

“This is not the first recent attack on European free solutions,” notes the author, who quotes: “In 2021, the General Directorate of Companies launched a European rapprochement process with a view to constituting important projects of common European interest (PIIEC) endowed with large subsidies. However, it favored the major French integrators and omitted many European providers of cloud infrastructure software. The projects finally validated, led by Google’s partner integrators, favored Google’s free software rather than those of European publishers of equivalent free software. (…)

On January 24, 2023, the interdepartmental Digital directorate (DINUM) organized a meeting to promote proprietary cloud solutions for development teams. However, there is a competitive European offer of free cloud, the promotion of which to administrations is explicitly part of the missions of DINUM in accordance with the law of October 7, 2016 for a digital Republic.»

“Transparency makes the market more fluid”

The article also exposes the case of the Cyber Resilience Act (CRA) proposed in 2022 by the European Commission, currently under development, of which many French and European actors have pointed out the risks that it would pose to the rights holders of free software. “The only escape for the right holder is to sell his software assets to a free software foundation, most often an American one. For the others, the European Commission estimates in its impact study that this regulation will involve a minimum of € 25,000 in administrative costs per software and a 30% increase in development costs, a level far too high to promote the growth of the ecosystem of free software publishers, which the Commission nevertheless recognizes the need to achieve digital independence.»

His conclusion: “While trust produces darkness on the market, transparency fluidizes the market by avoiding the phenomena of concentration, agreement or non-customs barriers. While trust favors American technologies, transparency accelerates the adoption of European digital technology suppliers whose export success remains the best demonstration of their competitive advantages and whose existence is essential to our autonomy.»