French concern about Chinese Alibaba cloud for Paris 2024
published : 3 Dec 2021 at 10:45
PARIS - Chinese e-commerce leader Alibaba Group's role as a "worldwide partner" of the Paris 2024 Olympic Games has sparked a behind-the-scenes battle to prevent it from hosting and accessing sensitive data.
"There is a fight," Guillaume Poupard, director general of the National Agency for the Security of Information Systems (ANSSI) said earlier, before adding that it was "complicated".
"We are battling away and explaining that for security reasons, including personal data, this is not possible," he added, declining to give more details.
Alibaba, a symbol of China's success in the digital economy but now in the sights of the Chinese authorities, is one of the IOC's 13 "worldwide partners".
The partnership dates back to the PyeongChang Winter Olympics in 2018. The prospect that the company will host several critical applications in its cloud is raising eyebrows in the secretive world of French IT security, which clings to digital sovereignty as a standard.
What exactly is the problem?
One example cited by sources familiar with the case suggests that the personal and contact details of the tens of thousands of people who are accredited for the Games will be housed in the Alibaba cloud.
These would include data from the authorities, such as the police, which is a tough one for the French Interior Ministry to swallow.
In mid-September, during a round table organised by the European circle of information systems security, the national coordinator of security for the 2024 Olympic and Paralympic Games, Ziad Khoury, did not elaborate on the subject but spoke of "exchanges in the coming days".
"It's a fairly complicated subject," said Khoury who answers to the interior minister.
"We will have to go deeper into it very quickly with the Olympic world, to see a little how we can operate with all the constraints."
There has not been a word since. Nothing about these "exchanges", nor the extent of the "fight" that Anssi spoke off a month later.
"Yes there is an Alibaba problem," admits a ministerial adviser, but the state is reluctant to say more.
The French Digital Affairs Ministry talks of an interministerial delegation meeting with the Olympics but does not want to talk about it for the moment.
The Paris 2024 organising committee (COJO) told AFP that "with regard to the collection, processing and hosting of accredited data, the work is still in progress and is the subject of specific discussions with the authorities".
- 'State pressure' -
Alibaba also hosts the organising committee's applications, including its website, although this does not extend to ticketing.
"The Games ticket office, for its part, will be operated by a European specialist which won the public tender," said the organising committee.
For Alain Bouille, general delegate of Cesin, which brings together IT security managers, "the authorities are more obsessed with the number of potential cyber-attacks than with Alibaba sponsorship".
But he did not hold back on the warning and compared Alibaba with the big five US tech giants Google, Apple, Facebook, Amazon and Microsoft, collectively dubbed GAFAM.
"With the Americans and GAFAM, we manage to do things but with the Chinese, there is no agreement," he said.
"If we give data to Alibaba, we know that the Chinese government can have access to it."
The organising committee insists that all data will be protected by the EU's General Data Protection Regulation (GDPR) and that "all data will be hosted in Europe".
It has just appointed a data protection officer to ensure proper compliance with these regulations, and says it is "uncompromising" on the subject.
But will this be enough?
"The GDPR does not guarantee the sovereignty of data," said Bouille.
One expert has suggested that French group Atos, also a sponsor of the IOC, "can provide tools", an idea supported by Bouille.
"We can imagine that everything that is strategic could be the responsibility of Atos," he said.
This delicate subject with all of its geopolitical ramifications has yet to be settled. The French Data Protection Agency told AFP it was not yet involved.
Alibaba declined to comment on AFP's questions.
For the moment, it looks as though the Paris 2024 organisers have their hands tied.
"It's very complicated for an organising committee to dismiss an IOC partner," the committee's deputy director of security Thomas Collomb said in mid-September. "Unless there is very strong state pressure."