It was one of the flagship measures of the 2019 Military Programming Law (LPM) and if Anssi welcomed this possibility, it was not to the liking of defenders of internet freedom. La Quadrature du Net, the FDN federation and Franciliens.net lodged an appeal the same year against the implementing decrees relating to article 34 of the LPM 2019. This article provides that operators can implement detection probes on their telecommunications networks and, where applicable, authorizes Anssi to ask operators to search for certain technical markers in the event of a threat to information systems.
For La Quadrature du Net, this provision was an extension of the agency’s “net surveillance powers”. In a blog post dated 2019, La Quadrature expressed its grievances with regard to this article: the association denounced a confused text on its objectives, which did not offer an exact definition of “technical markers” or “threats ”Covered by these devices. In addition, the Quadrature underlined the lack of effective control of these measures: the law provides that this role be devolved to Arcep, but the Quadrature considers that the law does not provide for any measure allowing Arcep to effectively exercise this role. control. Finally, La Quadrature also considers that the people affected by this surveillance have no means of contesting these measures, even if they prove to be unfounded. Arguments that prompted the three associations to seize the Council of State and ask it to cancel the application decrees framing the installation of these probes.
For the Council of State, that is not enough
But that was not enough to convince the Council of State: in a decision published in the official journal on December 30, it considered that the objections raised by the three associations were unfounded. On the question of threats and technical markers, the Council of State thus refers to the definitions provided for by the Post and Electronic Communications Code: markers are thus the “technical elements characteristic of a computer attack operating mode, allowing detect malicious activity or identify a threat ”while threats are defined as“ any identified occurrence of the state of a network indicating a possible violation of information security policy or failure of security measures. security or even a situation unknown until now and which could relate to information security ”.
The Council of State also considers that Arcep does indeed have sufficient powers to monitor the application of these provisions: here too, the postal and electronic communications code specifies, according to the Council of State, the information that must be transmitted to Arcep to enable it to exercise its control, and the authority has the power of recommendation or injunction to act in the event of Anssi excess. The Council of State also recalls that the CNIL has the power to supervise the detection systems implemented by virtue of this text. Finally, he considers that “the contested provisions in no way constitute an obstacle to the exercise by the persons concerned or the operators of common law remedies”.
Anssi and the operators will therefore be able to continue to deploy detection probes without worrying about a possible court decision that would prevent them from doing so. In 2020, the director of the agency had thus announced that these devices had been deployed in an experimental phase during the year 2019, and ensured that the collaboration with telecommunications operators was going very well on this subject. But since then, no more information on this collaboration nor on its results.