{"id":14170,"date":"2026-05-15T01:01:00","date_gmt":"2026-05-15T05:01:00","guid":{"rendered":"https:\/\/www.both.org\/?p=14170"},"modified":"2026-05-10T07:59:11","modified_gmt":"2026-05-10T11:59:11","slug":"digital-sovereignty","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=14170","title":{"rendered":"Digital sovereignty"},"content":{"rendered":"<p>Nearly the entire globe runs operating systems developed by just a few corporations located on the west coast of the USA. Most hardware is made and assembled in China. And a lot of computing has moved into a &#8220;cloud&#8221; network owned by just a few companies in Silicon Valley. In 2018, the USA established the <a href=\"https:\/\/www.justice.gov\/criminal\/cloud-act-resources\">CLOUD Act<\/a>, mandating that a US technology company must provide the US government access to all data stored on its servers, regardless of the location of the server. That means a government, company, or person using Microsoft or Google or Amazon services for data processing and storage is also granting the US government access to that data.<\/p>\n\n\n\n<p>This situation is rightly starting to make a lot of people nervous.<\/p>\n\n\n\n<p>The good news is that this isn&#8217;t exactly a new problem. Cyber-security experts have been aware of these indelicate points of failure for a very long time. In fact, open source software has thrived, in part, for this very reason. 
Open source programmers and systems administrators observed long ago that you can&#8217;t compile the code for the default operating systems being shipped on computers because the source code is a privately held asset of a corporation. A corporation is subject to the laws, and often the influences, of the government granting it the authority to conduct business. In short, the very ability of the world&#8217;s population to compute using digital processing was, for a long time, entirely based on the trust and reliability of just a few companies in just a few countries.<\/p>\n\n\n\n<p>For the most part, given that we&#8217;re still computing today, the reliability has withstood the test of some time.<br>If nothing else, the companies generating tools for computing have mostly been able to continue producing and selling those goods. When it comes to trust, however, the same has literally never been true.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">There is no such thing as trusted computing<\/h2>\n\n\n\n<p>It used to be taken for granted that when a company is big and important enough, it&#8217;s trustworthy because it would presumably be detrimental to its business to be anything else. That lasted until people started noticing that many big companies in digital technology were abusing the privilege of being a provider of technology that everyone in the world had to use to conduct basic everyday business. Companies track your use of tech and then &#8220;personalise&#8221; sales strategies for you, and that&#8217;s so widely accepted now that it&#8217;s hard to remember a time when it was an expectation that a computer was just an appliance. At one time, everything you did on your computer was a transaction solely between you and your computer. 
There was no record of your transaction on someone&#8217;s server, much less a customer profile on you, justified only by the fact that you paid for the device.<\/p>\n\n\n\n<p>Now that it&#8217;s generally accepted that companies still own the device you paid for, there&#8217;s been a gradual shift toward considering what data a company can rightfully harvest about you. The European Union&#8217;s General Data Protection Regulation (GDPR) has made it official, applicable at least to the big &#8220;above board&#8221; corporations, that there&#8217;s a limit to what personal data companies may gather and retain about you. It&#8217;s a good law to have on the books, but you might also look at it as a warning. If we&#8217;ve gotten to this point (and we have) then there&#8217;s no longer even a pretense of good will or trust. Corporations have asserted a right to own their [sometimes unwilling] customers, and it&#8217;s taking a multi-national economic force to push back.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Zero trust<\/h2>\n\n\n\n<p>Again, there&#8217;s good news. The security principles of <em>zero trust<\/em> dictate that secure technology must not be based on trust. It must be assumed that every point of contact is potentially unauthorised, and so all data must be encrypted and all rights to access must be verified and authenticated. It may sound extreme, but it&#8217;s largely how the physical world operates, too. An apartment building has a lock on its front door to keep unauthorised visitors out of the hallways, but each individual apartment within the building also has a lock on its door. Many companies use name badges and ID cards as a way to prove at a glance, or sometimes the swipe of a digital key fob, that someone in the building is meant to be in the building.<\/p>\n\n\n\n<p>Zero trust may sound paranoid or even sad, but it exists to protect both sides of the equation. The fate of data you own is up to you, and only you. 
Should someone besides you have access to it, then even an accident could ruin the day for you and them. For example, a university friend once wanted to write a school paper on my computer (back then, not everyone had a computer!). The next day, I sat down at my computer only to discover that my friend had accidentally saved his paper over mine (I had a backup, it didn&#8217;t matter).<\/p>\n\n\n\n<p>Maybe he coincidentally chose the same exact file name as mine and then clicked through the warning message. Or maybe he&#8217;d clicked on my document to populate the name field, and forgot to change the file name. Or maybe he opened my paper as an easy way to get the office application launched and then forgot to create a new document for his own work.<\/p>\n\n\n\n<p>Whatever happened, he didn&#8217;t do it on purpose, it was an accident, but whose fault was it, really?<br>Was it his for making a mistake on my computer, or was it mine for not creating a guest account for him where the &#8220;blast radius&#8221; of his mistakes would be minimal? I argued the latter then, and still do now.<br>We don&#8217;t control mistakes (that&#8217;s why they&#8217;re called mistakes) any more than we control intentional bad behaviour of bad actors, but preventative design is fully within our purview.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Zero trust in open source software and hardware<\/h2>\n\n\n\n<p>From the beginning of the free software and open source movement, it&#8217;s been a priority that you don&#8217;t have to trust any company or organisation providing a service to you. Any time you want to have a look at the source code of software, or the specifications of open hardware, you have instant access to it. 
You don&#8217;t have to be a country or a government to take advantage of open source, but you should encourage your own government to adopt open source (and to hire people to implement it correctly).<\/p>\n\n\n\n<p>Tech sovereignty refers to the idea that individuals, organisations, and governments must be able to withstand a loss of trust, supply, or support of technology. Your way of life, your business, and your country shouldn&#8217;t fall apart because a company decides your computer isn&#8217;t good enough to run its operating system. The same must be true should a company inject spyware into the OS installed on your computer, or seize data you have stored on its cloud.<\/p>\n\n\n\n<p>Technical and data sovereignty is becoming a vital concern ethically and financially and functionally.<br>There&#8217;s no more illusion that there are a few good companies providing the world with a handful of solutions that are obfuscated by the laws of &#8220;intellectual property&#8221; but nevertheless subject to the whims of third parties. 
Individuals and organisations have open source tools now to compute independently and privately, but it only works if you choose to use it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nearly the entire globe runs operating systems developed by just a few corporations located on the west coast<\/p>\n","protected":false},"author":31,"featured_media":14171,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[357,974,5,158,75],"tags":[975,108,261],"class_list":["post-14170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-digital-sovereignty","category-linux","category-open-source","category-security","tag-digital-sovereignty","tag-open-source","tag-security"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/14170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14170"}],"version-history":[{"count":1,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/14170\/revisions"}],"predecessor-version":[{"id":14172,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/14170\/revisions\/14172"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/14171"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fw
p%2Fv2%2Fcategories&post=14170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}