Olvid, the secure messaging chosen by the government, already under fire

In order to guarantee France’s digital sovereignty, was the government wrong to promote the French instant messaging solution Olvid? The question arises after the publication of two articles, on December 8, by the online media The Informed, then on December 13 by The chained Duck.

In a circular dated November 22, Matignon asked members of the government and ministerial cabinets to ” deploy [cette application] in replacement of any other » by December 8, “in order to ensure the security of conversations and shared information [sur ce type de plates-formes] ». More popular solutions were targeted, such as Signal or WhatsApp.

Enough to give visibility to this messaging created in 2019 and until now relatively confidential. Especially since a week later, the Secretary of State for Digital, Jean-Noël Barrot, provided after-sales service on X, describing Olvid as “the most secure instant messaging in the world”.

The American AWS cloud

But the argument is partially undermined by the two investigations published in recent days in the press. “Olvid, a French solution with American sauce”, headlined this Wednesday The chained Duck, emphasizing that the application uses the services of the American cloud provider AWS to host its services, which are therefore subject to American extraterritorial laws. A fact that was not hidden. Mention of this can be found in the documentation on the site of Olvid. But this technological choice could have raised eyebrows in an executive who constantly says he wants to favor French or European hosting solutions.

On the occasion of updating the “doctrine for using cloud computing [cloud] by the state “, of May 31, the government thus decreed that the data “of a particular sensitivity” should be “immune from any extra-community regulation”and hosted “by solutions with the SecNumPlus qualification delivered by Anssi [Agence nationale de la sécurité des systèmes d’information] » – which is not the case for AWS. However, in her November circular, the Prime Minister exempted Olvid from this obligation, arguing that the data passing through AWS servers “are end-to-end encrypted” et “deleted as soon as a message is delivered”.

Thomas Baignères, the director of the company and one of its four founders, continues to defend the quality of the service offered by Olvid. Messaging differs from its competitors in that it also secures the confidentiality of the message, encrypted from end to end, but adds an additional layer of authentication of the interlocutors. Thus Olvid does not use a centralized directory – which could suffer a security breach – but offers unique authentication keys to each of its users. The company itself does not have the personal data of its users since they do not need to leave their telephone number or email address to register.

You have 35% of this article left to read. The rest is reserved for subscribers.