← Back to context

Comment by throwawayffffas

9 hours ago

> Carniaux did say that the situation had never arisen.

That's what he would say if the company was under a gag order in the US. So I would take anything they say with a mountain of salt.

10 comments

throwawayffffas

Reply
alwayseasy  7 hours ago

Specifically here, he is under oath in France so an American gag order wouldn't protect him from the French justice system.

This make it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys to Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.

This is exactly the system the US Congress accused TikTok of having set up.

  • hyghjiyhu  7 hours ago

    If the data center is operated by a "trusted subsidiary" as the article mentions and everyone in key roles is a French citizen with no connection to the US then there is no one to give a gag order.

    In practice the US HQ could mandate a security update that secretly uploads all data to the US but that's a whole other can of worms that I don't think anyone is ready to open.

    • dathinab  6 hours ago

      the data center which runs software written and controlled by the US companies and likely has a 24/7 software related support team which is distributed across the world....

      in a modern cloud dater center you don't need someone physically plugging a USB stick in a server, you just need a back door in a cloud software stack many times the size then any modern operating system which often even involves custom firmware for very low level components and where the attacker has the capabilities to convince your CPU vendor to help them...

      1 reply →

    • fsckboy  2 hours ago

      >In practice the US HQ could mandate a security update that secretly uploads all data to the US but that's a whole other can of worms that I don't think anyone is ready to open.

      incredibly ambiguous/unsatisfying sentence. if this french hearing is concerned about french data security, then asking a question about your "in practice" is exactly a can of worms the french would like to open.

  • throwawayffffas  1 hour ago

    > This make it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys to Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.

    It's also possible that US employees had access to French servers without anyone in France knowing.

  • jacquesm  4 hours ago

    Less likely doesn't say much though. He may have simply weighed the chances of the French government ever finding out that he lied.

    > It could be possible Microsoft France has a "rogue" employee system where a key person only obeys to Microsoft US orders rather than his French boss and French law.

    I would think that is not just a possibility, but a certainty.

  • MengerSponge  6 hours ago

    > This is exactly the system the US Congress accused TikTok of having set up.

    "Every accusation is a confession" remains undefeated

  • dathinab  6 hours ago

    Until this happened MS was still going around trying to convince lawyers to use their Cloud and telling them that there is no issue.

    Including certain contractual "standard"(1) agreements which would make some of their higher management _personally_ liable for undue data access even under Cloud act from the US!!!

    (1) As in standard agreements for providers which store lawyer data, including highly sensitive details about ongoing cases etc.

    So you can't really trust MS anymore at all, even if personal liability (e.g. lying under oath) is at stack. And the max ceiling for the penalties for lying under oath seem less then what you can run into in the previous mentioned case...

    You also have to look a bit closer at what it even means if "the french MS CEO swears they are complying" it means he doesn't know about non compliance and did tell his employees to comply and hired someone to verify it etc.

    But the US doesn't need the French CEO to know, they just need to gain access to the French/EU server through US employees, which given that most of the infra software is written in the US and international admin teams for 24/7 support is really not that hard...

    And even if you want to sue the French CEO after a breach/he (hypothetically) lied he would just say he didn't because he also was lied too leading to an endless goose chase and "upsi" by now the French CEO somehow is living in the US.

    And that is if you ever learn about it happening, but thanks to the US having pretty bad gag orders/secret court stuff the chance for that is very low.

    So from my POV it looks like MS has knowingly and systematically lying and deceiving customer, including such with highly sensitive data, and EU governments about how "safe" the data is even if it lead to personal legal liabilities of management.

    And I mind to remember that AWS was giving similar guarantees they most most likely can't hold, but I'm not fully sure. Idk. about Google.

    Oh and if you hope that the whole Sovereign Cloud things will help, it wont. It's a huge mage pretend theater moving millions over millions into the hands of US cloud providers while not providing a realistic solutions to the problem it is supposed to solve and neglecting local competition which actually could make a difference, smh.

    • impossiblefork  6 hours ago

      The max penalty for things like this is actually life inprisonment though. If you, to aid a foreign power without authorization gather certain types of information, it's espionage.

      There wouldn't be any lawsuit. If you do this kind of things you get arrested, get a trial and then you are in prison forever.