
When the law becomes a political cyber-weapon

Economic warfare through law and standards is spreading to the digital economy and cyberspace. The United States, which wants to preserve the Gafam monopoly in order to better control data, has taken the lead, but Europe and France have now woken up.

Do you know Vade? This Lille-based nugget, founded in 2019, secures more than one billion e-mail messages. This record makes it the European leader and number two in the world in its field, and makes it a target for American competition. At least that’s what its managers think, given the legal storm that hit it three years after its successful launch in the United States. In 2017, its main Californian competitor, Proofpoint, filed a complaint against it for breach of trade secrets and infringement. Its case is based on the fact that the French technical director of one of its subsidiaries was hired by the French startup. The Lille-based company, which denies everything, was ordered to pay 13.5 million dollars to the plaintiff in 2021. The bill is high for the startup, and the legal battle is not over. Its leaders maintain that the company is not in danger and that it continues to grow at an unchanged rate. This opinion is shared by the French government, via the French Tech network, and by two renowned Parisian investment funds, Tikehau Ace Capital and Auriga Partners. Together, in the spring, they injected 28 million euros of equity into the company, sending a clear message to the market: France supports its nugget.

In the eyes of European experts, Vade’s judicial adventure has all the hallmarks of a very patriotic American justice system. As soon as the case was referred to it, the court promptly investigated it (even though the substance of the case was rather trivial) and handed down a sentence without any nuance, combined with disproportionate penalties. This was enough to discourage the loser from the market, if not to eliminate it. After the instrumentalization of the law by the United States, as illustrated by the Alstom affair or the sentencing of major French banks to fines of several billion dollars for complicity in corruption, economic warfare through law, or “lawfare” as it is called, is back in the news, this time targeting the digital economy and cyberspace. What is its purpose? To allow the United States to control data, the black gold of the 21st century, and to preserve the advantage it has gained from its policy of supporting the emergence of the Gafam companies, which have a monopoly position in a large part of the world.

According to the Synergy Research Group, a specialized American marketing analysis firm, the main American cloud providers – Amazon Web Services, Microsoft, Google Cloud – would corner 69% of the European market. However, since the adoption of the Cloud Act in 2018, it is known that the American justice system can force a “US Person” to hand over all its digital data – including when they are subsidiaries with their own legal entity abroad, such as Microsoft France, for example, confirms Aude Géry, a PhD in public law and researcher at the French Institute of Geopolitics at Paris VIII University. The Cloud Act is in itself, the expert adds, legally irreproachable: it is the legitimate political response of the federal government to the refusal of an American company, Microsoft, to communicate data stored on a server in Ireland concerning an American drug trafficker to the Justice Department, in the context of an investigation carried out on American territory. On the other hand, she admits, doubts arise when authorities misuse or question a legal concept – in this case, that of a U.S. subsidiary – to use the law for political purposes. “What is reprehensible is not the strategic use of the law for a specific purpose, but the use that leads to the distortion or even devaluation of the rule. With its draft regulation on artificial intelligence published in 2021, the European Union is also introducing de facto extraterritoriality: any product wanting to enter its market will have to comply with it. It could be accused of this, but it is its most legitimate right.

Legal and business practitioners partly refute this legal analysis. It is “the story of the tree that hides the forest”, argues Maxime Molkhou, founder of the law firm Nemrod Associés, which specializes in sovereignty issues and cyberspace law; “The doctrine and the American legal corpus have continued to strengthen in the service of a global war of influence”. Historically, he reminds us, lawfare was first “judicial”. As early as 1977, the Foreign Corrupt Practices Act (FCPA) allowed the American justice system to seize data in the context of corruption cases. In 1986, the Stored Communications Act (SCA) obliged American Internet Service Providers (ISPs) to communicate data stored on their servers to the Justice Department; the Cloud Act came to fill these gaps. In the meantime, lawfare has been extended to government agencies. The Foreign Intelligence Surveillance Act (FISA) of 1978 was the first “blank check signed to intelligence agencies”, summarizes the lawyer, who was trained in the United States and worked for ten years in the service of large Anglo-Saxon firms. This text legalizes physical and digital network surveillance procedures to capture all data. Then came the adoption of the Patriot Act in 2001. Although it has been amended several times, the scope of this text is still unparalleled in democracies.

After a moment of naivety, Europe has finally become aware of its backwardness, and is no longer being left behind. Its turnaround is evidenced by the adoption of the GDPR in 2016. Offending companies face fines of up to 10% of their global turnover. “The power balance is changing,” experts confirm. This is demonstrated by the complaint filed in March in Brussels by the French host OVH Cloud and others against Microsoft for abuse of dominant position: with its Office software suite, competitors’ services are more expensive and operate in degraded mode, their lawyers argue. This procedure directly echoes the two new European directives that will govern the digital economy of the Old Continent from 2023: the Digital Markets Act (DMA), which aims to abolish models that neutralize the emergence of any competition, and the Digital Services Act (DSA), which will force the digital giants to comply with the legislation applicable offline. Experts unanimously agree that this legal arsenal will make the domestic market more difficult to penetrate for the Anglo-Saxon giants, who are already openly complaining about it.

The French authorities have also decided to abandon a form of naivety. Recently, they have reformed the laws applicable to dual-use goods and tightened the rules on foreign investment in strategic sectors. This year, they reopened the Itar file, the extraterritorial American regulation officially intended to combat arms trafficking, which in reality Washington uses as a weapon to control exports of military equipment competing with its own industry. In response, Paris passed the 1968 blocking law, which prohibits foreign authorities from accessing the sensitive information of the companies concerned. But this anti-interference measure remained a dead letter because of the imbalance of power. Thanks to the latest amendments, a company under pressure from the American administration can place itself under the protection of the Strategic Information and Economic Security Service (SISSE), of the Ministry of Economy and Finance, which will then respond to it. The relevance of this measure will be judged by experience.

It is clear that the battle of law in the service of political objectives is moving to the field of standards and norms. The latest example is the new certification that the US Department of Defense will progressively require from all its suppliers: the Cybersecurity Maturity Model Certification (the “CMMC”). This new standard emerged in the wake of the SolarWinds affair, named after the software services company referenced by the major sensitive administrations in the United States, which had been contaminated by a Russian spy virus. The CMMC is a legitimate way to guarantee the American defense against a cyber risk linked to its supply chain, but it also gives it the opportunity to access the information systems of its suppliers… To avoid this risk, French experts from the Direction générale de l’Armement (DGA) suggest that the French government negotiate, within the framework of an interstate agreement, an equivalent procedure applicable to its own nationals. The next debates around standards could soon concern post-quantum encryption, the future holy grail in terms of protection of sensitive digital data.
