posted by janrinok on Wednesday September 03 2025, @05:44PM

French provider seizes on Redmond's admission that US law could override local protections:

European cloud provider OVHcloud has long warned about the risks of relying on foreign tech giants for critical infrastructure – especially when it comes to data sovereignty.

Those warnings seemed to gain fresh credibility in June, when Microsoft admitted it could not guarantee that customer data would remain protected from US government access requests.

"They finally told the truth!" says OVHcloud Chief Legal Officer Solange Viegas Dos Reis. "It's not a surprise," she shrugs, "we already knew that." However, "this reply from Microsoft brought kind of a shock for customers, because they suddenly discover that what they have been taught for a while. 'Oh guys, don't worry, it will not apply to you. Don't worry.' It's false! Because, indeed, the data can be communicated."

Anton Carniaux, director of public and legal affairs at Microsoft France, made the admission during a hearing [source in French] in the country. In answer to whether he could guarantee that data on French citizens could not be transmitted to the US government without the explicit agreement of the French authorities, Carniaux replied: "No, I can't guarantee it," but added that the scenario had "never happened before."

[...] The sovereignty problem, however, is difficult to solve. Almost every vendor and commentator appears to have a different idea of what it means. "One of the issues we have is that, as there is no legal definition of sovereignty, everyone has their own idea of what sovereignty is," Viegas Dos Reis says. "It's becoming quite a marketing concept for some."

She states that there are three key concepts: data sovereignty, technical sovereignty, and operational sovereignty.

Data sovereignty is the simplest to define. It involves compliance with the laws where the data resides, rather than the laws of other countries. It also covers the freedom of choice regarding where that data is stored. Additionally, it involves ethics, such as not training LLMs on the data. Finally, it involves keeping the data secure.

"Technical sovereignty," says Viegas Dos Reis, "is about being able, through ensuring interoperability, you can move your data from one provider to another." Data might be being stored with one cloud provider, but processed by another.

"So interoperability, reversibility, it's about the control of the infrastructure – datacenters, of course – but telecommunications network as well. It's about the control of the choice of the provider you have with the supply chain you have.

"So you control your supply chain, and that means that you control the risk. When you have a risk in one part of the supply chain, you must be able to change it to adapt."

And finally, there is operational sovereignty. Who will have access to the data? It is not difficult to imagine support personnel looking at screens of data in another country to diagnose an issue and inadvertently blow a hole in the most carefully made sovereignty plans.

[...] Concerns about the dominance of cloud hyperscalers are not new. However, worries about competition in the era of AI and fears surrounding the unpredictability of the US regime have led many customers – not just in Europe – to take a long, hard look at their dependencies.

"The sovereignty pitch starts rising in a lot of countries," says Viegas Dos Reis, "because there is this fear of, 'OK, if I'm not digitally sovereign, I expose myself as a country, as a company, and as an individual as well. I expose myself to pressure from a third party.'"

[...] That said, Viegas Dos Reis acknowledges that a migration from the hyperscalers would be "a very long and complex project." After all, it can be costly to leave a hyperscaler, and the services of one provider are not necessarily matched by another.

That said, Viegas Dos Reis notes that a slow migration does appear to be underway, where companies are considering which workloads need to be where. Some can stay in the public cloud. Some might be on-premises. Others might opt for a European cloud provider.

"Each company should have a clear strategy on the management of its data and of its dependencies, and each company should map the data, map the needs," says Viegas Dos Reis.

"And depending on this mapping, they will say, 'OK, with this kind of data, no problem. I can put it in a cloud that is not immune to a territorial regulation, but another kind of data. Oh, my God, if this data falls into the hands of a foreign government or a competitor, I will have big, big problems.'"


Related Stories

The Path to a Sovereign Tech Stack is Via a Commodified Tech Stack

Associate professor David Eaves writes about the essential role of the commodification of services in digital sovereignty. The questions to ask on the way to digital sovereignty are not as much about owning the stack but about the ability to move workloads. In other words, open standards for protocols, file formats, and more are the prerequisites. The same applies to the software supply chain. However, as we recently discussed here, PHK recently pointed out that Free and Open Source reference implementations would be of great benefit. Associate professor Eaves writes:

There is growing and valid concern among policymakers about tech sovereignty and cloud infrastructure. A handful of American hyperscalers — AWS, Microsoft Azure, Google Cloud — control the digital substrate on which modern economies run. This concentration is compounded by a US government increasingly willing to wield its digital industries as leverage. As French President Emmanuel Macron quipped: "There is no such thing as happy vassalage."

While some countries appear ready to concede market dominance in exchange for improved trade relations, others are exploring massive investments in public sector alternatives to the hyperscalers, advocating that billions, and possibly many many billions, be spent on sovereign stack plans, and/or positioning local telecoms as alternatives to the hyperscalers.

Ironically, both strategies may increase dependency, limit government agency and increase economic and geopolitical risks — the very problems sovereignty seeks to solve. As Mike Bracken and I wrote earlier this year: "Domination by a local champion, free to extract rents, may be a path to greater autonomy, but it is unlikely to lead to increased competitiveness or greater global influence."

Any realistic path to increased agency will be expensive and take years. To be sustainable, it must focus on commoditizing existing solutions through interoperability and de facto standards that will broaden the market (and enable effective) national champions. This should be our north star and direction of travel. The metric for success should focus on making it as simple as possible to move data and applications across suppliers. Critically, this cannot be achieved by regulation alone, it will also require deft procurement and a willingness to accept de facto as opposed to ideal standards. The good news is governments have done this before. However, to succeed, it will require building the capacity to become market shapers and not market takers — thinking like electricity grids and railway gauges, not digital empires.

The essential role of commodities has been widely known and acknowledged for decades. We are in this situation because key companies and/or monopolies saw that long ago and were allowed to fight so hard all this time against ICT remaining as commodities. Sadly, the discussion about commodification probably peaked in the years just after the infamous Halloween Documents, particularly the first one. Eric S Raymond, author of The Cathedral and the Bazaar and early FOSS developer, published these leaked documents which covered potential strategies relating to M$'s fight against free and open source software and, in particular, against Linux back in 1998. In retrospect these documents have turned out to be blueprints, used against FOSS and open standards by other companies as well.

Previously:
(2026) Sorry, Eh
(2026) Poul-Henning Kamp's Feedback to the EU on Digital Sovereignty
(2026) A Post-American, Enshittification-Resistant Internet
(2025) This German State Decides to Save €15 Million Each Year By Kicking Out Microsoft for Open Source
(2025) Why People Keep Flocking to Linux in 2025 (and It's Not Just to Escape Windows)
(2025) Microsoft Can't Guarantee Data Sovereignty – OVHcloud Says 'We Told You So'
(2014) US Offering Cash For Pro-TAFTA/TTIP Propaganda


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Informative) by JoeMerchant on Wednesday September 03 2025, @06:07PM (11 children)

    by JoeMerchant (3937) on Wednesday September 03 2025, @06:07PM (#1416015)

    It would seem to me that the only real answer is for a service provider to keep the data themselves. Even if they are "not a data storage expert" they could more easily become one than peel back all the layers of regulation and false assurances.

    I am reminded of the "shared well agreement" that applies to our property and our neighbor. If we were to pay the lawyers enough to spell out all the potential eventualities and the proper resolution thereof to the satisfaction of both parties... we could more cheaply, quickly, and easily just provision a new borehole, submersible pump and underground services thereto for both properties. Lawyers and legal resolution of disputes are simply that cost-inefficient.

    --
    🌻🌻🌻🌻 [google.com]
    • (Score: 4, Insightful) by aafcac on Wednesday September 03 2025, @09:10PM (8 children)

      by aafcac (17646) on Wednesday September 03 2025, @09:10PM (#1416032)

      I think the issue is that unless the data is kept strictly within the borders by a company that's also located within those borders that it's going to be inherently problematic to ensure that the data doesn't get leaked across borders in response to a subpoena or other legal proceedings. Very few corporate execs are going to be willing to risk prison time over data that's allegedly in a different jurisdiction and a bunch of people aren't going to say no to pressure to leak the information across borders anyways.

      Anybody that cares about this sort of stuff should be using a more localized provider that provides their own stuff, or at least is within a jurisdiction that they're comfortable with.

      • (Score: 4, Interesting) by Whoever on Wednesday September 03 2025, @10:02PM (7 children)

        by Whoever (4524) on Wednesday September 03 2025, @10:02PM (#1416044) Journal

        It's not just location of the data.

        Imagine that you work for Amazon or Microsoft and you have a customer whose data is stored in their home country, which is in the EU. However, you have the authority within Microsoft or Amazon to access that data. Are you going to refuse a subpoena or a court order issued by a court in the USA to provide some part of that data to US law enforcement? Can you afford the lawyers to keep you out of jail from accusations of contempt of court?

        • (Score: 3, Informative) by Whoever on Wednesday September 03 2025, @10:05PM

          by Whoever (4524) on Wednesday September 03 2025, @10:05PM (#1416045) Journal

          Reading more carefully, I see that you are saying the same as I. My comment is redundant.

        • (Score: 2) by JoeMerchant on Thursday September 04 2025, @12:24AM (5 children)

          by JoeMerchant (3937) on Thursday September 04 2025, @12:24AM (#1416053)

          If I were the EU vs Amazon, I would demand that Amazon store "sensitive EU data" with EU providers who only provide access to the data owners (via secure cryptographic keys.) Amazon (or any company that can be pressured by foreign governments) should not have any kind of access to sensitive data.

          I would also be very specific about what kind of data merits that kind of security, and it shouldn't be much.

          --
          🌻🌻🌻🌻 [google.com]
          • (Score: 5, Insightful) by aafcac on Thursday September 04 2025, @12:38AM (4 children)

            by aafcac (17646) on Thursday September 04 2025, @12:38AM (#1416058)

            Which likely wouldn't be good enough as there'd probably be an NSL style demand to compromise that in ways that can't easily be verified.

            • (Score: 5, Insightful) by JoeMerchant on Thursday September 04 2025, @02:20AM (3 children)

              by JoeMerchant (3937) on Thursday September 04 2025, @02:20AM (#1416067)

              Which is why anyone with truly "sensitive data" should be storing it themselves, not entrusting it to third+ parties.

              --
              🌻🌻🌻🌻 [google.com]
              • (Score: 3, Interesting) by canopic jug on Thursday September 04 2025, @11:06AM

                by canopic jug (3949) on Thursday September 04 2025, @11:06AM (#1416104) Journal

                Which is why anyone with truly "sensitive data" should be storing it themselves, not entrusting it to third+ parties.

                Things have changed a lot since the 1990s. Back then you could not even rent out online services, even databases, to any company at any price. It was seen as too much of a breach of confidentiality. Companies simply refused back then to allow that level of surveillance and would, in the case of databases, host CD ROM jukeboxes full of data in house instead.

                Now, if you read the licenses from a legal perspective and skip any technical analysis of the services or software, most communications and documents are available to M$ or its designated representatives. That's on top of illicit access provided by the scores of bug doors revealed monthly. With that being the case most government or business protestations about secrecy are merely theatrics.

                --
                Money is not free speech. Elections should not be auctions.
              • (Score: 2) by aafcac on Thursday September 04 2025, @03:14PM (1 child)

                by aafcac (17646) on Thursday September 04 2025, @03:14PM (#1416126)

                No arguments there, but as a practical matter, normal people don't have much of a choice in the matter as there's practically nothing that you can do without sending sensitive data to somebody else. Arguably, the worst of it is email and just general system backups.

                • (Score: 2) by JoeMerchant on Thursday September 04 2025, @09:50PM

                  by JoeMerchant (3937) on Thursday September 04 2025, @09:50PM (#1416173)

                  >there's practically nothing that you can do without sending sensitive data to somebody else

                  There's a fairly significant difference between data at rest and data in transit...

                  As for e-mail, it wasn't so long ago that all e-mail storage was on the local devices, only on the server long enough to deliver it. If you want more secure e-mail you run your own server. Let's not get into the dismal state of PGP deployment.

                  --
                  🌻🌻🌻🌻 [google.com]
    • (Score: 3, Insightful) by DannyB on Wednesday September 03 2025, @09:22PM (1 child)

      by DannyB (5839) Subscriber Badge on Wednesday September 03 2025, @09:22PM (#1416035) Journal

      It would seem to me that the only real answer is for a service provider to keep the data themselves.

      I don't think that is a solution. It is not dissolved in water.

      Consider service provider X in country Y using Microsoft technology in their data center.

      The US government could send Microsoft a secret warrant for data on X's servers in country Y, along with a gag order to keep Microsoft quiet about this.

      Microsoft may well have the technical capability to obtain that data and exfiltrate it.

      --
      Infinity is clearly an even number since the next higher number is odd.
      • (Score: 3, Interesting) by JoeMerchant on Thursday September 04 2025, @12:26AM

        by JoeMerchant (3937) on Thursday September 04 2025, @12:26AM (#1416054)

        See above about sensitive data secured by cryptographic keys that only the data owner knows.

        Of course, we're still writing down passwords on sticky notes, then taking pictures of those sticky notes and sharing them in "private" Facebook friends' groups, so... there's a long way to go before actual data security practice starts happening.

        --
        🌻🌻🌻🌻 [google.com]
  • (Score: -1, Offtopic) by Anonymous Coward on Wednesday September 03 2025, @06:11PM

    by Anonymous Coward on Wednesday September 03 2025, @06:11PM (#1416017)

    We are all subjects of the monarch, right? The majority, or collective being the monarch, that is

  • (Score: 2) by Frosty Piss on Wednesday September 03 2025, @08:20PM (15 children)

    by Frosty Piss (4971) on Wednesday September 03 2025, @08:20PM (#1416027)

    This will almost certainly degenerate into a Microsoft Hatefest, but the truth is that they are presenting a truth that applies very broadly. The countries - mostly in the EU - are not really being realistic about the issue in the modern world of the internet and computing in general. If your data is so precious to you - and certainly certain levels of personal data reach this level - the obvious solution is to not entrust it to multinational corporations that maintain centralized data farms. The EU will find things a little tough if they simply ban everything.

    • (Score: 2) by aafcac on Wednesday September 03 2025, @09:13PM (6 children)

      by aafcac (17646) on Wednesday September 03 2025, @09:13PM (#1416033)

      They are, I think the issue was that they weren't honest about it from the start. The EU has limited ability to do anything about MS, and if MS decided to just stop having anything at all in the EU, there's not a whole lot that the EU would be able to do about it. The EU isn't China, there's only so much they can do in terms of blocking stuff that's located outside of the EU that's still internet accessible from within. I know they like to talk a good game about things like the right to be forgotten, but as a practical matter things like that aren't particularly enforceable outside the EU. And the same goes for basically every other jurisdiction.

      • (Score: 2) by HiThere on Thursday September 04 2025, @01:25AM (5 children)

        by HiThere (866) on Thursday September 04 2025, @01:25AM (#1416061) Journal

        I haven't found anything for which I don't have an alternative to Microsoft, except games.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 2) by aafcac on Thursday September 04 2025, @02:07AM

          by aafcac (17646) on Thursday September 04 2025, @02:07AM (#1416064)

          I've got an image database program that doesn't have an acceptable alternative on Linux, and the software to use with my libredrive has been Windows only, although there is a Linux version in development.

          That being said, most of the remaining software is games, although I've been pretty impressed with how much progress Valve has made with Steam.

        • (Score: 3, Interesting) by JoeMerchant on Thursday September 04 2025, @02:22AM (1 child)

          by JoeMerchant (3937) on Thursday September 04 2025, @02:22AM (#1416068)

          What's the ProE or Autodesk Inventor equivalent in Linux? I already use OpenSCAD, and Blender, they're cute and good for their intended purposes, but they are nothing like the "professional" CAD tools.

          I use GIMP, and it's good enough in my opinion to substitute for Adobe Photoshop. I pity the Photoshop users who need such features as GIMP doesn't have.

          --
          🌻🌻🌻🌻 [google.com]
          • (Score: 2) by HiThere on Thursday September 04 2025, @02:50AM

            by HiThere (866) on Thursday September 04 2025, @02:50AM (#1416070) Journal

            Well, I don't do much art. For such as I do, I normally use Inkscape, with Gimp supplying any pixelated images I need. But there are lots of programs I haven't even looked at.

            --
            Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 3, Funny) by jelizondo on Thursday September 04 2025, @03:33AM (1 child)

          by jelizondo (653) Subscriber Badge on Thursday September 04 2025, @03:33AM (#1416072) Journal

          You forgot the botched Tuesday Patch™, which you can only get from Microsoft!

          It might lock up your computer, delete your files or force you to do a clean installation, you never know and you can't opt out either!

          So much fun!

          • (Score: 3, Interesting) by aafcac on Thursday September 04 2025, @05:18PM

            by aafcac (17646) on Thursday September 04 2025, @05:18PM (#1416143)

            I remember recently having a coworker with an update that automatically started on his windows machine. In the time that it took for that one machine to update, I was able to update my laptop and then remotely update my raspberry pi and Linux desktop. IIRC, I don't think I was even doing them concurrently and it took like 10 minutes faster. In his case, I don't think anything weird even happened, that was just the normal slow updates for Windows.

            For my Windows VMs, I use wsus offline update to get all the updates I need for my Windows VMs and download them on Linux. I'll then mount the created ISO into the VM and do the update that way. It's particularly nice if I ever need to do a reinstall as I'll have all that ready to update without having to connect to the net. I can also hold onto those updates and wait a few days whether MS thinks it's wise or not.

    • (Score: 4, Insightful) by DannyB on Wednesday September 03 2025, @09:31PM

      by DannyB (5839) Subscriber Badge on Wednesday September 03 2025, @09:31PM (#1416036) Journal

      The EU needs to wean themselves off of Microsoft and use and contribute to open source technologies.

      A group of nations doing this might really boost open source use.

      --
      Infinity is clearly an even number since the next higher number is odd.
    • (Score: 5, Insightful) by stormreaver on Wednesday September 03 2025, @10:18PM (1 child)

      by stormreaver (5101) on Wednesday September 03 2025, @10:18PM (#1416048)

      This will almost certainly degenerate into a Microsoft Hatefest....

      And why shouldn't it? Microsoft has been sleazy for decades, and hasn't gotten anything even remotely close to the amount of hate it deserves.

      • (Score: 1, Insightful) by Anonymous Coward on Thursday September 04 2025, @09:25AM

        by Anonymous Coward on Thursday September 04 2025, @09:25AM (#1416090)

        Because the same stuff would apply to Amazon or any other service.

        If you're a resident in Country A and have control over data in Country B. If Country A comes to you with court orders and/or guns and ask you for the data in Country B, you hand over the data to Country B or you go to prison.

        So how many people would refuse and go to prison? Imagine if they put you in prison then they go ask your colleague and your colleague gives them the data (after noticing you are in prison or are "missing").

    • (Score: 0) by Anonymous Coward on Wednesday September 03 2025, @10:20PM (2 children)

      by Anonymous Coward on Wednesday September 03 2025, @10:20PM (#1416050)

      The EU will find things a little tough if they simply ban everything.

      Ban? You reckon that only MS or Amazon have the "magic" to build clouds?

      • (Score: 2) by HiThere on Thursday September 04 2025, @01:28AM

        by HiThere (866) on Thursday September 04 2025, @01:28AM (#1416062) Journal

        Network effects are significant. But for me, avoiding Microsoft was worth the effort.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Thursday September 04 2025, @10:45AM

        by Anonymous Coward on Thursday September 04 2025, @10:45AM (#1416101)

        You think only MS or Amazon are susceptible to stuff like the NSL etc?

        The EU has to build more of their own stuff so they can issue their own NSLs etc to their own cloud providers etc.
    • (Score: 4, Insightful) by PiMuNu on Thursday September 04 2025, @06:29AM (1 child)

      by PiMuNu (3823) on Thursday September 04 2025, @06:29AM (#1416077)

      Just to disagree with your title, it may be perceived as an EU problem today, but I imagine tomorrow the data farms will be pushed to places where energy and labour is cheap. There is a strong correlation between cheap labour (and low energy costs) and authoritarian legislative frameworks, and that impacts USians and other developed nations as well.

      • (Score: 0) by Anonymous Coward on Thursday September 04 2025, @10:51AM

        by Anonymous Coward on Thursday September 04 2025, @10:51AM (#1416102)

        Sure, but odds are most people in the US are in greater danger from their US government than the Malaysian/Vietnamese/Thai government.

        If you work in the DoD or similar then of course you should stick to US-only stuff since you're already deep in it...
