Digital vassals? French Government 'exposes citizens' data to US'
30 comments
·July 20, 2025Saline9515
moritzwarhier
Sounds like Germany, and it's not just public services.
I used to work part-time in 1st level IT support in a local hospital when I was younger.
The main "theme" of my superior's work subjects there (2009-2016) was the migration from XP to 7. You heard that right.
And apart from the usual Office- and AD-Lock-In, the most problematic workstations of course were always ones with very specialized software. Virtualization and terminal services were in use, but the whole selling point of Windows was mostly put ad absurdum already, because they needed Windows licenses for dedicated machines running e.g. specialized MRT software, but those weren't even part of the main network anyway. They needed arcane syncing procedures anyway and Windows provided no value whatsoever on these devices. Same for the patient monitoring systems on ICU beds. These were using some "embedded" Windows and were rarely working in a stable way at all, nor way they connected to the networks running AD or the CIS.
CAD and stuff in the office divisions was similar, but with less integration needs (apart from network printing)
What I'm trying to say is: like in many offices, any slight change made users hostile, updates cost obscene amounts of work and money, and Windows didn't provide much more value compared to SAMBA. That is dated experience, I know.
But MS has not shown to be a trustworthy company in any of my work experience so far.
It was impossible to create working solutions without MS, yes, but the reasons for that never seemed to be grounded in actual value provided by an MS-centric software and networking structure.
It was just the one available commercial solution with enough adoption, and MS has been milking their target markets with these strategies for a very long time.
Making themselves "indispensable", even in machines where their software was used to run a terminal server, basically.
Hell, in my town, 3 years ago, they started to replace subway train LED signals with crappy Windows-CE-based software.
The effects are still noticeable... the whole infrastructure is still 80% worse compared to 10 years ago.
You recognize the useless Windows licenses by the occasional Desktop (seriously, google "cologne KVB windows trashcan"....), 90deg-tilted display, and of course 20% of the signage is out of operation on average now.
mananaysiempre
The French state is one thing, the Polytéchnique is another. My impression is the old-school network administrators at French universities are fiercely protective of their de facto right to make technical decisions regarding equipment and software. So this part surprises me.
dataflow
When you say first meeting, is the implication that they were lying about even trying?
crinkly
This is fairly normal. I’ve seen it in every corporate job I’ve had.
Most people seemed to have a retirement clock running and wanted to avoid doing anything they don’t give a crap about until then.
Giving a crap about your job is an outlier.
buckle8017
He outright said their goal was to lie about trying.
stef25
This addiction to Microsoft is everywhere and it's terrible for everyone involved. So many small orgs and NGOs paying through the nose for what can be done for free with Google Docs & Sheets.
sam_lowry_
NGOs pay little compared to businesses, AFAIR.
gunalx
^foss alternatives like onlyoffice, nextcloud...
mr_mitm
Relying on yet another American mega corp instead of Microsoft doesn't seem very wise.
mananaysiempre
Time[1] and time[2] again, the CJEU has ruled that the US stance of noncitizens having no standing on privacy issues is incompatible with EU law. Time[3] and time[4] again, the European Commission has negotiated a functionally identical agreement codified in executive orders and declared it “adequate” until the court could decide otherwise. Not even the Congress explicitly giving[5] the US government powers to compel (among others) EU subsidiaries of US multinationals, regardless of what EU law says, has changed the equation. Now there’s been a presidential election in the US that many in the EU are unhappy about. *Shocked Pikachu*
> [French MP Philippe] Latombe criticised the US-EU Data Privacy Framework (DPF) deal, saying it no longer served EU interests due to the US president’s “impulsive” nature.
Am I wrong to say that there’s something profoundly rotten in that statement with regards to the rule of law?
[1] https://en.wikipedia.org/wiki/Max_Schrems#Schrems_I
[2] https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II
[3] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield
[4] https://en.wikipedia.org/wiki/EU%E2%80%93US_Data_Privacy_Fra...
sunaookami
All you need to know is that the EU Commission sues their own data protection commissioner because he ruled that the usage of MS365 in the Commission is illegal. So the EU Commission happily works together with Microsoft: https://www.heise.de/en/news/Microsoft-365-EU-Commission-tak...
kergonath
> Am I wrong to say that there’s something profoundly rotten in that statement with regards to the rule of law?
Why do you think that? The agreement was negotiated under certain conditions, it’s not really surprising that a change in circumstances would make it unfit for purpose.
hulitu
> Am I wrong to say that there’s something profoundly rotten in that statement with regards to the rule of law?
No. The laws are applied as long as they serve the rulling elite. See GDPR for examples. Or the copyright law for examples at the other end of the pond.
phtrivier
It's interesting that there at least starts to be two opposing camp in the executive (some people in French government start to push for more sovereignty, some EU governments too, some MEPs, etc...)
Of course the rest of the administrations are not there yet, there are contracts to abide to, habits, etc... But there is the start of a general recognition that overdependence on the US is a liability at some level.
Also, it would incredibly more feasible to move IT infrastructure back and have some reign on data, then it would be to recover from our overdependence on China in terms of... Well, in terms of everything physical.
Which means that the first milestone would be to host pour data on "sovereign" data centers... Using East-Asian made hardware.
One thing at a time, I guess ?
afarah1
I don't see enough talk about reducing the amount of data collected in the first place. Even if it's kept within one jurisdiction, it can still be the target of a breach by a local criminal, a foreign spy, or a new government agency... Cameras on every street, cellular antenas on every car, biometrics for everything... It may vary from country to country, but an expansion on citizen data collection (in one area or another) seems commonplace across most governments, and usually with zero opposition in "the real world". And unlike products or platforms that you can chose to not use, there's hardly any escape from those.
ColinWright
Seen here:
https://www-senat-fr.translate.goog/compte-rendu-commissions...
================================================================
Quoting the translation:
Mr. Dany Wattebled , rapporteur . - Mr. Carniaux, as Director of Public and Legal Affairs, you represent Microsoft France before public decision-makers. Can you guarantee before our committee, under oath, that the data of French citizens entrusted to Microsoft via UGAP will never be transmitted, following an injunction from the American government, without the explicit agreement of the French authorities?
Mr. Anton Carniaux . - No, I cannot guarantee that, but, again, it has never happened before.
================================================================
Original:
M. Dany Wattebled, rapporteur. - Monsieur Carniaux, en tant que directeur des affaires publiques et juridiques, vous représentez Microsoft France auprès des décideurs publics. Pouvez-vous garantir devant notre commission, sous serment, que les données des citoyens français confiées à Microsoft via l'Ugap ne seront jamais transmises, à la suite d'une injonction du gouvernement américain, sans l'accord explicite des autorités françaises ?
M. Anton Carniaux. - Non, je ne peux pas le garantir, mais, encore une fois, cela ne s'est encore jamais produit.
================================================================
Thread on Mastodon:
Disposal8433
> Mr. Anton Carniaux . - No, I cannot guarantee that
He's smart, he doesn't want to go to jail. But all the governments and current and/or past administrations are guilty of pretended to be retarded since we all knew for the past 30 years that Microsoft was not to be trusted.
hollowonepl
I many time heard here in Europe not to trust Chinese appliances as these devices do listen to us… is #USA any different?
moffkalast
I think given the NSA's capacity they'll find a way to listen to us regardless which devices we use. But we're certainly going out of our way to make it easy for them.
isodev
I think we need a lot more accessible disclosure on the subject for the public. Even beyond government services, products exposing one to the US should come with a big fat warning.
motohagiography
these seem like solved problems. in canada, many govt depts have procurement rules that state all data must be hosted nationally by a custodian subject to national or even provincial law, and this has been standard for decades. the firm I work for also doesn't use google or microsoft clouds for similar reasons.
the deeper problem is governments are not technology builders and cannot produce tech products because they have no unique ability to deliver anything anyone subject to them actually wants.
SpicyLemonZest
There's simply no option for digital sovereignty other than cultivating a strong domestic software industry. As the source details, much of this exposure is being done with full understanding of the risks and costs.
The article also refers to some report claiming that European solutions are "wrongly judged to be too costly or inefficient". I'd be interested to read it if anyone has a translation. Even for something as basic as word processing software, every case I've seen so for the alternatives quickly lands on "you have to accept rough edges because that's the cost of data sovereignty" - much easier for a hobbyist or politician to say than an IT director charged with making sure your organization runs well.
Saline9515
The French state is working on a google-docs open source alternative: https://docs.numerique.gouv.fr/home/
ajb
The sad part is, both the EU and the UK (which has the same issue) have the capacity to do this as we have enough software engineers. But most software companies end up being bought out by US ones at some point.
stef25
This site has a heavy pro Russian bias, see for example https://brusselssignal.eu/2025/07/europe-still-has-the-power...
Turns out it was founded by an American, who was arrested on suspicion of bias-motivated crimes, second-degree assault and harassment after attacking a reporter in the USA but currently living in Hungary and running some media org there, with ties to the right wing Fidesz party. And he is on paper as being the founded of brusselssignal.eu
His organization received a big loan from an undisclosed source to set up the Brussels organisation and it seems to made up of or advised by a rag tag of European right wing politicians.
The whole thing stinks of Russian meddling in Europe.
Sources https://www.szabadeuropa.hu/a/szazhetvennegy-millios-kolcson...
https://www.companyweb.be/company/0793608171/free-pub/231068...
https://edition.cnn.com/2024/12/28/us/patrick-thomas-egan-ac...
phtrivier
Good catch. The OP article is mostly transcript from a Senate hearing, so the bias is limited.
rdm_blackhole
It's always the same issue.
If you want to move away from <insert US tech giant>, you either need to embrace Linux and open source software which requires the state's employees to learn a new "stack" of applications which means they need to be given appropriate training or you need to have you home grown solutions that are as easy to use as their US counterparts and were developed within the EU by the EU's member countries with the EU's values embedded in them.
The first solution is not going to happen, as Linux is still relatively unknown all things considered and I don't see the French government employees learning how to use this OS and/or the applications running on it by themselves.
Secondly in times of budget cuts like in France currently, the government is not about to rip all the Microsoft products off and replace them with something that would take years to transition to and cost a fortune to implement.
So that leaves the homegrown solution. Unfortunately the work to move off of Microsoft et al should have started 10 years ago but it hasn't. Europe has completely dropped the ball on tech and now it's coming back to bit it in the ass.
The Draghi report from last year was supposed to kick things into gear but we will be lucky to see anything coming through within the next 5 years and by this stage the US tech giants will have entrenched themselves even more in the EU.
I am sorry to say but this is a failure that will resonate for the many decades to come.
luckylion
I doubt that the average employee could tell Linux and Windows apart if you applied a Window-style skin to Linux.
But at least in Germany, I've seen Windows being written into agreements between state governments and trade unions representing clerks and employees. Good luck changing those without a negotiation running 3 years.
ronin-red
[dead]
Having worked for the French state and wrestled a few times with its IT services, I can tell you that the reason for choosing Microsoft isn't cost, or "efficiency".
It's that they only know Microsoft, they don't want to learn something else, and if there's a problem, it's Microsoft's fault, no theirs, so they don't have to deal with their own incompetence.
If you want an anecdote, we were working with SAS, a statistical software which required costly licences (more than a million € for a few dozens of workers). I suggested to switch to R or Python to the top director, who agreed.
First meeting with the service in charge, the chief opens with "ok, we are asked to change, but the goal here is to show that we tried, and found that it's not possible."
I resigned a few months after, as everything was in the same vein.