Prime Minister of France Élisabeth Borne signed a circular last week requesting all government employees to uninstall foreign communication apps such as Signal, WhatsApp, and Telegram by December 8, 2023, in favor of a French messaging app named 'Olvid.'
The guideline addressed to ministers, secretaries of state, chiefs of staff, and cabinet members proposes that they instead install and use the Olvid app made by a French company.
BleepingComputer discussed the development with French journalists, who clarified that this isn't a ban on using foreign messaging apps but rather a recommendation to switch to locally developed software.
Olvid supports end-to-end encrypted messages, uses a decentralized infrastructure, and doesn't require a phone number or any other personal data for registration. Hence, it is seen as a more trustworthy option that includes all the key features of its more renowned and widely used competitors.
"The main consumer instant messaging applications occupy a growing place in our daily communications. However, these digital tools are not devoid of security vulnerabilities and therefore do not ensure the security of conversations and information shared through them," reads the PM's address, according to excerpts published by Le Point.
"To counter the threats that arise from using these applications, the French company Olvid has developed instant messaging which guarantees the protection of its users' data thanks to a decentralized directory and end-to-end message encryption while maintaining the same functionalities as current applications."
Meredith Whittaker, President of Signal, took to Twitter to challenge the vague claims about security vulnerabilities in the app, labeling them unfounded and misleading.
Security comparisons between Olvid and other messaging apps may be rendered moot due to Olvid's unique distinction of having ANSSI (France's national cybersecurity agency) "first-level security certification."
This certification involves a thorough examination of the app's source code by the state's experts, and none of the other mainstream apps mentioned in this post have undergone the stringent evaluation process.
This by itself elevates Olvid's security credentials beyond typical industry benchmarks and practically makes it a sound choice for use in the highest ranks of the French government.
In addition to ANSSI's approval, Olvid has also had the design of its custom cryptographic protocols independently validated by cryptography professor Michel Abdalla.
Finally, Olvid's symmetric cryptography is already quantum-resistant, while the project provides guarantees of its readiness to implement similar strength for its public-key cryptography as soon as NIST's public-key algorithms selection process is finalized.
The exact reason behind the decision to suggest the use of Olvid within the French government remains unknown, and as French journalist Emile Marzolf told BleepingComputer, not everyone agrees with the PM's instruction.
Marzolf revealed that during his conversation with the French Digital Department, they expressed dissatisfaction with the directive, finding the promotion of Olvid excessive while also conveying that Signal is an acceptable platform to them.
Previously, in March 2023, the French government followed the example of many other Western countries to ban the use of the TikTok app on state officials' devices over fears of espionage.
Comments
h_b_s - 7 months ago
Nationalistic "not invented here" rhetoric couched in the usual, though admittedly upgraded, disingenuous arguments.
The problem with Signal isn't that it's not secure, it's that the servers and the development team won't play ball with notoriously nosy governments wanting to eavesdrop on users. Signal is open source which means anyone can verify both the implementation and the cryptographic algorithms it uses. They just have no wish, nor funding, to go to every certification group on the planet and kindly ask for a certification that actually can hinder future security patching. (IE: once an implementation is certified, ONLY that implementation is certified, anything changed must be RE-certified).
French citizens should be very cautious here, and check what links there are between their PM's office and the company that owns Olvid, and push to have every single line of code that company deploys both for client and server audited in the same way Signal can be - by other parties than the government agency that passed it for ANSSI. After all, if it's really as secure as claimed, the PM and the company should come through with flying colors, right, along with being able to verify the source code released is the same code that's being deployed to clients and servers without any shenanigans.
KeiFeR123 - 7 months ago
I'd like to echo my agreement with HBS here. I would avoid the application that your government is telling you to use. This is probably because they struck a deal with Olvid so it will be easier for them to snoop over their own citizens.
Jaybee02 - 7 months ago
I disagree personally, I think it's good that government business is conducted on a known and vetted platform and that the government is conducting management of what platforms are used to conduct its business.
There is nothing in this mandate that affects private French citizens conducting their private business and it's absolutely not necessary for Signal to have government customers.
IMO such mandates may also encourage people to not use government supplied devices for private tasks, which if I was a French taxpayer, I'd just as happily not pay for.
ThomasMann - 7 months ago
Experience has shown, that a government, that does want to spy on anything the people do or say or think, never existed and never will exist...
Remember... governments spend their money, or rather: spend OUR money, on the most disgusting criminally perverted instruments like Palantir.
The idea, that "our" governments in Europe would do anything different than the Chinese, the Russian or the American governments is a preposterous joke.
If you trust a government or its words.... you need to see a doctor.
ZeroYourHero - 7 months ago
I wonder if all of these "free" and "open source" apps are really not safe because of pushy governments with lots of money in their pockets to give to quiet developers. For example, Signal. Search for "Can Signal servers be compiled?". The answer that I see is many dead-end threads. "Try this" or "Try that" with no follow-ups. If there's a backdoor on the clients it would be in the Signal servers.
h_b_s - 7 months ago
Prove it.
Jaybee02 - 7 months ago
https://github.com/signalapp
You can compile your own client, your own server, and adjust the code in your privately compiled client to only use your private server.
End-to-end encryption means that the encryption happens on clients prior to transmission and the server only sees encrypted data. You can look into the initial key exchanges to see whether you think that process is secure enough, though I'd presume open source projects are probably safer than closed source in that respect.