France is Building Its Own Encrypted Messaging Service To Ease Fears That Foreign Entities Could Spy on Private Conversations

The French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, the digital ministry said on Monday. From a report: None of the world's major encrypted messaging apps, including Facebook's WhatsApp and Telegram -- a favorite of President Emmanuel Macron -- are based in France, raising the risk of data breaches at servers outside the country.

About 20 officials and top civil servants are testing the new app which a state-employed developer has designed, a ministry spokeswoman said, with the aim that its use will become mandatory for the whole government by the summer. "We need to find a way to have an encrypted messaging service that is not encrypted by the United States or Russia," the spokeswoman said. "You start thinking about the potential breaches that could happen, as we saw with Facebook, so we should take the lead."

Reinventing the wheel

[grasshoppa]

Why not just audit https://xmpp.org/ [xmpp.org] and call it good?

Re:Reinventing the wheel

[CaptSlaq]

Per TFA, that sounds like what they may have done:

The French government’s encrypted app has been developed on the basis of free-to-use code found on the Internet and could be eventually made available to all citizens, the spokeswoman said. She declined to give the names of either the codes or the messaging service.

Re:

[nine-times]

Yeah, that's the great thing about FOSS, is you don't need to reinvent the wheel. Just take the wheel someone else invented, and make the changes you want.

Still, when they talk about setting up a service, I'm guessing they're not just talking about the software. You can't just audit the code and "call it good". You have to figure out how to deploy it, e.g. what servers are going to run it, and how are you going to make sure the service is resilient and secure.

Re: Reinventing the wheel

[ArmoredDragon]

Meh. We've already seen this movie before. The plot always goes like this in every one of its sequels:

A French president finishes reading an old newspaper from his minitel emulator, and begins resenting out loud about how most of the world doesn't pay enough attention to France anymore. He observes his people always paying attention to and patronizing the latest technology trend coming out of America, who he wants to be better than.

"I've got it!" he mutters in French to himself, "I'll make a better one, and

Re:

[nine-times]

It didn't sound to me like a crazy plot to restore French pride. They're not saying, "We'll reinvent telecommunications!"

It sounds more like the French government saying, "Maybe it's not a good idea for our government communications to be going through services operated in other countries, subject to the laws of other countries, and at the mercy of those countries' intelligence agencies."

Given that there are secure open-source alternatives, it seems like common sense to me.

Re:

[rtb61]

Lets guess the country they will pretend not trust whilst they are actually targeting another country, they definitely do not trust. Weirdness going on at the moment, heads of government operating without the required approval of their legislative bodies against the law (likely because they are being extorted). Everyone is going to go to trust no one mode and this is just the first sign. After software comes locally produced and audited communications hardware, reality is the US has proven time and time aga

Re:

[Maritz]

You sure know how to take an inch and turn it into a light-year, don't ya.

vague

[pD-brane]

code found on the Internet

That sounds very vague.

Just use established, audited tech like PGP and OMEMO, and be upfront about it!

Re:

[dos1]

It's a matter of the client, not the protocol. Conversations, one of the best Android XMPP clients, encrypts by default now.

Conversations rocks

[Kludge]

Conversations, an XMPP client, now has OMEMO encryption built in. You can also use OpenPGP with it.
And it works many different hosting providers. I recently changed the XMPP host for my domain from one provider to another. France could just make certain that they have an XMPP service provider, and bam, they are done. Don't reinvent the wheel.

Re:

[Narcocide]

The primary problem with XMPP adoption as far as I can tell is simply that nobody working on it understands how it works or what it's for, and nobody working on developer's documentation for it does either.

Re:

[angel'o'sphere]

Beccause that is a protocol and neither a service (server) nor an app/application.

Re:

[tomhath]

What's stopping the french government to eavesdrop on the communications used on this app?

Same thing that would stop other governments from eavesdropping - essentially nothing. The encryption will be cracked.

Re:

[Locke2005]

Any encryption can be brute-forced. The only question is, does it take seconds or centuries do it?

Re:

[Locke2005]

We'll have much, much faster computers 100 years from now... given the current rate of technology progression, anything encrypted today will _eventually_ be easily decrypted, although most things won't be worth the expense.

Re:

[angel'o'sphere]

Or several lifetimes of the universe ...

(actually you are "kind of wrong" anyway ... if you don't even have a clue how it was encrypted "brute forcing" takes another dimension)

Re:

[angel'o'sphere]

It is most likely an RSA or DH end to end encryption, so: it can't be craccked with todays math and technology.

Re:

[tomhath]

That's what the Germans said about their Enigma machine. Japanese thought their code was pretty good too.

Re: Think about this....

[c6gunner]

That's what the Germans said about their Enigma machine.

Nonsense. They believed it was reasonably secure, but they knew it had some weaknesses and that the resultant messages could eventually be decrypted given enough manpower dedicated to the task. Which is why they kept making newer, more complex versions of it. Nobody believed that it would take "several lifetimes of the universe" to brute force an enigma message; they were just betting on it taking long enough for the encoded information to be stale and useless.

Even with the weaknesses inherent in the sys

Re:Think about this....

[ctilsie242]

On the other hand, if a government creates a F/OSS app that has been vetted, isn't this a boon for pretty much anyone in the world? The German government is why GNU's Privacy Guard is still being updated, and France already funds VeraCrypt.

Re:

[pnutjam]

I hear they are using matrix and a custom Riot client.

Re:

[GameboyRMH]

LOL no they're going to hold the encryption keys, which just keeps everyone except the French government eavesdropping on the communications. Until the keys are leaked that is.

Re:

[jellomizer]

Not much, but EU in general found the sweet spot to tamper free speech, so there is less dirty laundry being shown.
This has its good and bad. But France being a smaller country (compared to the US, Russia and China) has more to lose from bad PR

Re:

[AHuxley]

This keeps French people safe from the NSA, GCHQ, 5 eyes, Germans.
The crypto will keep both competing nations and support French security forces.

Re:

[giggleloop]

Whereas were it done by a US government contractor, it'd be late, not work as intended and be around 4x over budget.

Re:France

[Oswald McWeany]

They seemed to build their end of the Channel Tunnel in the same length of time as it took the British to do their half. In the mean time you can't get a f---ing tunnel everyone knows needs building that goes 1/20th of the distance in the US because of politics, and it'll cost 10x as much if it ever gets built. So I'd say the French are fine actually with their 30 hour weeks - it seems fewer hours = more productive. Who knew?

I don't know about 30hours vs 40hour workweeks- but there have been studies that show increasing work hours per week does have diminishing returns up until a point where adding more hours does actually result in lower overall productivity.

There have also been studies that show that taking a lot of vacation actually increases productivity over the year than forcing people to go to work 50 weeks a year and only have 2 weeks vacation. America's stingy vacation policy actually negatively impacts productivity. If you want your workers to be more productive over a year- give them 6 weeks off not 2.

Re:

[sconeu]

Chunnel goes under water. No rich people there to say "NIMBY".

Meanwhile, Los Angeles really Really REALLY needs a rail tunnel under the Santa Monica Mountains from the San Fernando Valley to the Westside, but that would go under all the rich people's houses.

Re:

[ShanghaiBill]

So I'd say the French are fine actually with their 30 hour weeks - it seems fewer hours = more productive. Who knew?

Except the French are less productive [wikipedia.org]

Re:

[JackieBrown]

If you work 66% of the hours that a US worker works and gain 10-15% productivity, you are still in the negative.

I do agree that eventually you get demising returns but that involves working much more than 40 hours a week (depending on the job, of course.)

Re:

[phayes]

Sure, as long as what you're calling "enjoying their lives" means watching their kids cycle from unemployment to unpaid trainee to bogus training programs.

Unemployment in France is sky high in the under 25 population and tends to be persistent meaning that those who are affected stay unemployed and through public assistance go on with their lives to have kids that will grow up never seeing their parents ever hold a regular job. One hopes Macron will at least make make progress on solving this after the disa

Re:

[ShanghaiBill]

And yet, they enjoy their life while you're stuck wasting your limited time doing meaningless work.

No. The French are not happier [wikipedia.org].

If you are unemployed, you are not happier because your neighbor works shorter hours.

Unemployment rate in America: 4.1%
Unemployment rate in France: 9.2%

Re:

[godrik]

Ranking 6th in the world in productivity per hour is not bad at all.
In particular, that is much higher than japan, and south korea which are both first world country who work a lot more.

Re:

[angel'o'sphere]

Except your link is not about prosuctivity ...

Re:

[ausekilis]

I expect it to be called "White Flag". Thanks folks, I'll be here all week.

Re:

[ecbpro]

No, it's a white eagle on a white background!

Do top government officials use commercial apps?

[iampiti]

Color me surprised. I supposed that, at least developed countries, would have specialised services for their important personnel to comunicate through.

minitel

[bugs2squash]

Minitel [wikipedia.org] goes secure huh...

This is as it should be

[alispguru]

Anybody - a government, a group, an individual - who wants secure encrypted communications they trust can get them.

If you're just careful, you can download code from trusted sources, spin it up, and run your own servers.

If you're paranoid and have more resources, you can audit the code before using it.

if you're REALLY paranoid, you can go to the theory papers and write your own code.

Governments and law enforcement agencies have to stop dreaming about systems that are secure against everyone except them - that horse left the barn in the 1990's, never to return.

What?

[cascadingstylesheet]

Why are government officials using services like these for "secure" messages anyway? Seriously? Government officials who do this insane thing now are going to be trusted to use some French home brew thing instead? Surely there must be rules they are breaking now by doing this?

Re:

[AHuxley]

Better than trusting the US big brand NSA PRISM networks.

Plus ça change

[Blue Stone]

As if the French security services aren't dogy as all fuck.
Anything they build, their SS will want a sneaky way into.

Re: Reminds me...

[Brockmire]

Having worked with a company that bought a Sequins SDK for a small chunk of change, they pretty much damaged all of our opinions of French companies. What they claimed and what they delivered was vastly different. Support was hot garbage. We've dealt with Poland, Germany, India, China, and Mexico, and everyone was wondering what the fuck is wrong with the French. They're just fucking clueless and arrogant.