French Messaging App Olvid Replaces WhatsApp in Government phones

In a note dated November 22, Prime Minister Elisabeth Borne instructed government members to install the French messaging app Olvid. She also requested them to uninstall all other messaging apps not audited by ANSSI (National Agency for the Security of Information Systems) by December 8 at the latest. Is this a wake-up call for the government on cybersecurity issues?

As the digital world is constantly evolving, so are cyberattacks, making security and privacy of communications increasingly urgent. In this context, the French government recently chose to adopt Olvid, a secure French messaging application.

Security and Privacy

The importance of security in messaging applications cannot be underestimated. A security breach can lead to the disclosure of private information, with disastrous consequences for individuals and organizations, especially if the targeted individuals are government members.

The French government has made a strong choice by prohibiting traditional messaging applications like WhatsApp or Telegram for government members in favor of Olvid. This made-in-France messaging application is presented as the "safest instant messaging app in the world" by the Minister Delegate for Digital, Jean-Noël Barrot.

X by Jean-Noël Barrot - It is French, certified by @ANSSI_FR, encrypted, does not collect any personal data. My team and I have been using it since July 2022. In December, the entire government will use @olvid_io, the safest instant messaging app in the world.

Compelling arguments support this application. It was developed in 2019 by two cryptography PhDs, professionals well-placed to understand the security challenges of communication tools.

Security

The application offers end-to-end encrypted messaging. The exchange between users is encrypted using a key that is then destroyed. It is therefore impossible for a third party to decipher it.

Collection of Personal Data

No personal data is required: unlike other messaging applications, Olvid does not require a phone number or email address during registration.

Olvid requires a first name and offers a few optional fields (Last Name, Position, Company)

No centralized directory of users

It is impossible to find users of the application using one's contact list. Users are therefore required to verify the identity of their contacts themselves with a QR code displayed on each user's screen.

IP Addresses of Users

Regarding IP addresses, the application indicates that it "uses" them for its operation without "consulting, collecting, or retaining" them. This can be confusing because an IP address is personal data according to Article 4 of the GDPR (General Data Protection Regulation). The use of personal data consequently involves the processing of personal data.

Certification by ANSSI (National Agency for the Security of Information Systems)

This is the most significant point: Olvid is the only messaging application with a First Level Security Certification (CSPN) issued by ANSSI in 2020. This certification, also called the "ANSSI security visa," attests that a product has successfully undergone a security evaluation.

Controversies

Despite reassuring information about the security level of the application, uncertainties persist. Indeed, while this application has been presented as a 100% French invention, it nevertheless uses AWS (Amazon Cloud Services) cloud.

This information sparked controversy due to the risks of access to data by US authorities under the Cloud Act, a US law adopted in 2018. It forces US companies, regardless of their location, to disclose all electronic data of their users to the US government in the context of a judicial investigation.

Olvid creates no centralized directory of its users, does not collect their IP addresses (identifiers of connected devices) or their connection data, and everything is end-to-end encrypted with the highest-level security encryption algorithms.
Thomas Baignères, CEO of Olvid - AFP

According to the company, these risks are minimal since the personal data of users is not collected, and there is no contact data in the application.

In response to these concerns, a solution for Olvid would be to move its server to France or another country that offers stronger security and confidentiality guarantees.

In the end, the future of Olvid will depend on its ability to address these challenges and maintain the trust of its users. With the right balance between security, privacy and ease of use, Olvid has the potential to become a major player in the field of secure messaging applications. Meanwhile, the application still has a long way to go, with currently 100,000 users compared to 2 billion for WhatsApp.