The Illusion of Sovereignty: The Olvid Case and the CLOUD Act Trap

Why using American cloud infrastructure compromises the security of a sovereign messaging app, despite end-to-end encryption.

Arpokrat Security Team Privacy Advocates & Developers

The announcement sounded like a true “cry of independence” in the corridors of Paris: the Prime Minister ordered the government to abandon WhatsApp and Signal in favor of Olvid, a messaging app presented as “native.” The stated goal was clear: protect state secrets from the long reach of foreign intelligence agencies.

However, a bitter irony quickly emerged: Olvid’s core — its server infrastructure — beats within Amazon Web Services (AWS), an American giant.

For the general public, this seems like a simple technical hosting issue. But for architects of sovereign cybersecurity and those tracking data geopolitics, it is a primary political vulnerability.

Extraterritoriality and Conflict of Sovereignties

By relying on Amazon’s infrastructure, Olvid automatically enters the orbit of the US CLOUD Act.

The legal analysis of this case reveals a scenario of jurisdictional insecurity that simply adopting a national “app” does not resolve. The tipping point lies in the concept of “control” versus “localization.”

The CLOUD Act radically changed the legal paradigm by stipulating that the physical location of the server does not matter. The service provider’s (here, AWS) obligation to cooperate stems solely from its jurisdictional tie to the US. Thus, Washington can demand data from companies under its jurisdiction, even when that data is physically stored on European soil.

Legally, this creates a frontal conflict with the General Data Protection Regulation (GDPR). The Court of Justice of the European Union (through the famous Schrems I and II rulings) has already established that US surveillance laws do not offer a level of protection equivalent to Europe’s, as they are not limited to what is “strictly necessary.”

Digital sovereignty is not an attribute of software, but a property of the integrity of the chain of custody.

The Spectre of FISA and the False Promise of Encryption

Worse still, this dependence on American infrastructure places this data under the shadow of the Foreign Intelligence Surveillance Act (FISA), which authorizes electronic surveillance for “foreign intelligence” purposes targeting individuals located outside the US.

Faced with these threats, Olvid asserts that its end-to-end encryption constitutes a sufficient shield. From a privacy engineering perspective, this defense is dangerously partial.

The recent rejection of backdoors by the French National Assembly shows legislative resistance to vulnerability by design. Yet, even if the content of a message is encrypted, AWS’s centralized infrastructure exposes metadata. Knowing who is talking to whom, when, how often, and from where is often much more valuable to foreign intelligence than the message content itself.

Encryption protects the text, but the centralized server betrays the network of contacts.
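
What envelope metadata alone reveals, as an added example that is not part of the original article and is not code from Olvid or AWS. The relay records are constructed, and the field names, account names and the `minimised` design are assumptions made for illustration.

```python
import os
from collections import Counter, defaultdict
from datetime import datetime

def record(sender, recipient, ts, src_net):
    # "body" stands in for end-to-end ciphertext: random bytes the relay cannot read.
    return {"from": sender, "to": recipient, "ts": datetime.fromisoformat(ts),
            "src_net": src_net, "body": os.urandom(48)}

# Constructed sample data. The field layout is an assumption for illustration,
# not the log format of Olvid, AWS or any real service.
RECORDS = [
    record("acct-1", "acct-2", "2024-03-04T22:10:00", "192.0.2.0/24"),
    record("acct-2", "acct-1", "2024-03-04T22:12:00", "198.51.100.0/24"),
    record("acct-1", "acct-2", "2024-03-05T22:05:00", "203.0.113.0/24"),
    record("acct-1", "acct-3", "2024-03-05T09:30:00", "192.0.2.0/24"),
]

def exposure(records):
    """Who talks to whom, how often, when and from where; 'body' is never read."""
    how_often, when, where = Counter(), defaultdict(set), defaultdict(set)
    for r in records:
        pair = tuple(sorted((r["from"], r["to"])))
        how_often[pair] += 1
        when[pair].add(r["ts"].hour)
        where[r["from"]].add(r["src_net"])
    return {"how_often": dict(how_often),
            "when": {p: sorted(h) for p, h in when.items()},
            "where": {u: sorted(n) for u, n in where.items()}}

def minimised(records):
    """Hypothetical reduced envelope: no sender, no source network, and a
    one-time mailbox token in place of a stable recipient id. This models what
    the relay retains, not what a tap on its network links could observe."""
    return [{"from": "withheld", "to": "mailbox-" + os.urandom(8).hex(),
             "ts": r["ts"], "src_net": "withheld", "body": r["body"]}
            for r in records]

if __name__ == "__main__":
    for label, recs in (("full envelope", RECORDS), ("minimised", minimised(RECORDS))):
        print(label)
        for key, value in exposure(recs).items():
            print("  ", key, value)
```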

The Real Danger Is Yet to Come

As long as European infrastructure relies on entities subject to extraterritorial statutes, the legal security of our communications will remain purely temporary and illusory.

National security in the 21st century requires much more than good legislative intentions or superficial software shields: it demands total infrastructure and hardware independence. Intercepting this metadata and these encrypted packets may seem harmless today, but it feeds the most devastating threat of the next decade: the strategy of “Harvest now, decrypt later.”

A state secret intercepted today is nothing but a mathematical time bomb.

(Read the rest of our analysis in Part 2: The Time Bomb and the Zero-Knowledge Imperative)

Tags
#CLOUD Act #Data Sovereignty #Metadata #Extraterritoriality #FISA #Mass Surveillance