French government launches in-house developed messaging service, Tchap

INTRODUCTION

The Tchap project created a new open source encrypted communication tool for French public agents in order to improve information dissemination and ensure the security of the French government communication network.

At present, only agents of the central administration can create an account on Tchap, but the code source of the application is available for anyone under an open source license. Gradually, its use will be extended to all members of the French administrations, including regional and local administrations. According to Jérôme Ploquin, Tchap Project Manager at the Interministerial Directorate for Digital Affairs (DINUM), the French administration wanted to “deploy a messaging service which is secure and contains the professional features adapted to the work of a professional organisation or a public administration”.

POLICY CONTEXT

Public policy regarding open source software

Since the 2010s, France has developed a detailed open source policy in order to promote the development and use of open source software within the French central and local public administrations. The Ayrault Circular of 19 September 2012 defines the general orientations for the use of open source software in the public administration. According to the document, open source software must be considered equal to other solutions. Customers would also avoid a high price for the products. In 2016, the French Parliament adopted a law for a digital republic (in French Loi pour une République numérique) which strengthens the opening of public data. In 2017, the French government published a decree which establishes the list of open source licenses that public administrations can use. More recently, in May 2018, the French administration published its ‘Contribution Policy for Free Software of the State’ (in French Politique de contribution de l’Etat aux logiciels libres). This policy fosters the use of open source software in the administration by defining guidelines for public agents seeking to contribute to open source solutions created by third parties and to the publication of new software.

Within the French administration, open source policy is developed and implemented by the DINUM, and more specifically by the Etalab division which is in charge of the coordination, development and implementation of the French strategy regarding data. The DINUM also created the ‘Blue Hats’ movement, gathering open source software experts both within and outside the administration to inform and help administrative bodies develop and use open source software solutions. In 2019, the DINUM launched an open source repository which references and gives access to the list of software source codes published by French public administrations. French public administrations are encouraged to publish the source codes of the software used. The data collection of the codes is carried out using a software which was developed in-house by Antoine Augusti and the web application has been developed by the free software officer for DINUM, Bastien Guerry.

Digital sovereignty

The question of digital sovereignty was at the heart of the development and implementation of the Tchap service. DINUM shared with OSOR that the French administration initially wanted to create an alternative to the American solution WhatsApp and the Russian solution Telegram. Since end of the 2000s, the topic of digital sovereignty has been rather controversial in France. In 2009, the French Minister of Interior Michèle Alliot-Marie stressed the importance of state sovereignty and application of the rule of law in the digital space during a seminar on digital sovereignty. In May 2019, the French Senate create an investigative committee on digital sovereignty. The committee published a report on 1 October 2019 with five recommendations to the French government:

1. Definition of a National Digital Strategy;
2. Preparation of a law on digital sovereignty;
3. Protecting personal data, as well as strategic data;
4. Drafting sector-specific regulations on digital issues, both at the national and EU levels; and
5. Share France’s positions on digital sovereignty in international institutions and foster innovation.

When developing the Tchap service, DINUM aligned with the principles of digital sovereignty by opting for the centralisation of data storage via in-house servers.

TECHNOLOGY SOLUTION

The choice of open source

The Tchap messaging service is powered by the open source solution Riot Matrix, created by the privately funded start-up New Vector. The choice to use open source software was the result of a successful benchmark analysis of various software solutions, evaluating criteria such as price, technological features and security guarantees. During his interview with the OSOR team, Jérôme Ploquin underlined several points that helped to convince the French administration to choose the Matrix solution:

• Alternative business model: Most proprietary software companies have user-based pricing systems. Thus, such a system would have been quite costly if it were to be used by 4 million French public agents. Open source software was deemed to be a more cost-efficient business model for the French public administration.
• Security guarantee: The French National Agency for Information Systems Security (ANSSI) gave the greenlight for the adoption of an open source solution, arguing that a proprietary software would offer no additional security guarantee. Open source software would allow different actors to work on identifying and fixing vulnerabilities in the software security system.
• Flexibility: The choice of the Riot Matrix solution allowed the DINUM to tailor the messaging system according to the needs of the French public administration.

“Thanks to this new French solution, the Government shows its capacity to work in agile mode to meet its concrete needs while using open source tools and limiting development costs. The sharing of information in a secure way is essential to the work of the cabinets, but also for a more fluid dialogue between the administrative bodies”, stated Mounir Mahjoubi, Secretary of State to the Prime Minister for Digital in a press statement.

Once the DINUM opted for the Riot Matrix solution, the decision was made to optimise its usage through the development of an open source strategy. Each line of code written by the French public services has been added to the community repository, except for some specific items such as the visual elements (colours, Tchap logo) or specific functions that are part of another separate public repository. The DINUM also tried to convince its private sector partners to follow their lead and contribute to the community source code.

The Riot Matrix solution

Riot provided the infrastructure for the newly developed communication network and Matrix worked as a communication protocol ensuring the interoperability of the solution as a whole. Furthermore, the use of Matrix allows for a better personalisation of Tchap and opens further possibilities for continuous development.

This potential adaptability of Tchap allowed the DINUM to take users’ feedback into account. In September 2019, the DINUM invited Tchap users to brainstorm potential improvements for the project at an Open Lab. The DINUM also revealed that a survey was launched mid-February 2020 to ask users for further feedback.

Solution features

During the development of the Tchap messaging service, the DINUM focused on user-friendliness and the availability of professional features in order to create a viable alternative to existing commercial applications. Tchap offers a wide range of services to its users:

• Simultaneous usage on multiple devices (e.g. professional phone, personal phone, laptop), which is not permitted via WhatsApp;
• Creation of individual and group chats;
• Creation of public and private discussion rooms;
• Possibility to invite guests who are external to the French public administration.

Data security

The decision of the French government to develop Tchap was taken in light of data security concerns relating to existing messaging services which were already being used in an informal manner by French administrative agents.

The Riot Matrix solution allows the end-to-end encryption of messages. The app also ensures user ID control and allows administrators to suspend accounts.

Tchap is deployed on an OpenStack cloud. Data storage is centralised, and the server infrastructure is internal. According to the DINUM, the expansion of the Tchap user base to additional French regions and departments will not affect the centralisation of data storage.

TCHAP IMPLEMENTATION PROCESS

Timeline

• End of 2017: The Tchap project was developed in an agile manner, mirroring the French administration’s experience with State-run start-ups and the General Interest Entrepreneurship programme.
• March 2018: Release of the first prototype for testing by the agents of the DINUM.
• July 2018: First testing of the Tchap solution among high-level users (ministers. Cabinet members, directors…). Based on the feedback, the DINUM intensified its work on user experience and security issues.
• April 2019: After satisfactory results, the project was opened to all agents of the central administration, representing a potential user base of 2 million people.
• October 2019: Opening of the Tchap service to external users with limited features upon receipt of an invitation from French public agents.
• February 2020: Testing phase of the Tchap service in local administrations, increasing the potential user base to 4 million people.

In February 2020, the Tchap service had 80,000 users in the French public administration. The DINUM soon expects that there will be 100,000 users, with Tchap reporting between 50 and 80 new user registrations every day. Among those users, between 50% and 60% regularly use Tchap. According to the DINUM, this utilisation rate is similar to those registered with commercial messaging services.

Next steps of the Tchap project development

In the near future, the DINUM plans to work on the interoperability of Tchap to allow users to connect the application with other applications such as Slack or email systems. The choice of the Matrix open-source solution allows a better personalisation of the service and gives more possibilities for continuous development. Riot Matrix’s communication protocol can act as a bridge between the messaging service and external tools such as IRC, XMPP, Slack, Gitter or Twitter. Furthermore, the possibility of implementing bots in the ‘Tchap discussion rooms’ to post messages is also being studied.

Furthermore, the DINUM collaborates with the Matrix team to explore the possibility of connecting several Matrix-based messaging services. Will it announce a future collaboration with other European countries? This would take Tchap to the next level and would allow other European public administrations to benefit from the platform.

LESSONS LEARNT

Within hours of its announcement, the Tchap service was the target of a hack due a vulnerability in the registration portal. However, the DINUM and the New Vector team reacted swiftly, suspending the service and rectifying the situation within hours. After this rough start, the DINUM decided to collaborate with white hackers by paying them to find vulnerabilities in the system and help fix them.

The Tchap service became popular rather quickly and its user target grew bigger than expected. Within a year, the Tchap service was extended to the entire central administration, as well as local administrations on an experimental basis. Potentially, the Tchap service could be used by 4 million users, instead of the 2 million users originally planned.

 

Scope: France